With Microsoft Windows 2000 now shipping in the Middle and Near East, what can Internet administrators look forward to with the accompanying IIS Server 5.0? In this month’s tutorial we detail the new features and options that will ease Internet or intranet administration by leveraging the tools found in Microsoft Windows 2000 Server to maximum effect.
The latest version of Microsoft Internet Information Service is now shipping with Windows 2000 Server. As you would expect with a product in its fifth version, the changes are clearly evolutionary or additive. Still, IIS 5.0 offers new features and options that ease administration and Web development. Sites upgrading from the previous version should experience little or no difficulty.

IIS 5.0 uses the administrative interface introduced with the previous version: a Microsoft Management Console (MMC) snap-in showing all the services and sites in a tree view. You view and configure all options using an enhanced Properties dialog. Context menus for sites expose several new options, including a security Permissions Wizard (Figure 1) and the ability to install, remove and verify server extensions. The Permissions Wizard helps you configure Web site access more easily by assigning access policies—including authentication methods, access permissions, IP address restrictions and special access control lists (ACLs)—to virtual directories and files.

FIGURE 1: The new Permissions Wizard simplifies the process of assigning file permissions.

Under the hood, IIS 5.0 takes advantage of the new Windows 2000 recovery options for services. When a service fails, you can now set Windows 2000 to 1) restart the service, 2) run a file, or 3) reboot the computer for the first, second and any subsequent failures. Together with the failure counter, this capability allows IIS to run scripts that—for instance—page administrators when individual services fail. Also, by default, IIS runs all applications in a common or pooled process that is separate from core IIS processes.

Logging has also been extended: in addition to a new option to create hourly logs—important for high volume Web sites—IIS can also be configured to log Process Accounting data, including such measurements as User and Kernel time, page faults and terminated processes. This lets administrators determine which sites are using too many resources or which might be malfunctioning; administrators can then institute process throttling to limit the percentage of CPU time allowed to individual Web sites for out of process applications.

HTTP support has also been enhanced. In addition to customisable error messages, IIS 5.0 includes support for HTTP Compression, which compresses both static and dynamic Web pages for faster transmission to compatible browsers. Dynamic pages must be individually compressed, but compressed static Web pages are retained in a configurable cache to provide extra performance gains for subsequent requests. IIS 5.0 also provides the server side support for Microsoft’s new Web Distributed Authoring and Versioning (WebDAV), an extension to HTTP 1.1 that enables remote authors to manage (create, move or delete) files and directories on a server over an HTTP connection.


IIS 5.0 also includes a few new security features. The product has always supported several authentication mechanisms: Anonymous, Basic, NT LAN Manager and Windows NT challenge/response. The new Digest authentication method transmits password hash values rather than the passwords themselves. Digest authentication is a substantial improvement over Basic authentication—which passes the password unencrypted—because it is generally not feasible to decrypt hash values.

Windows NT challenge/response is now called integrated Windows authentication and has been enhanced to support the Kerberos v5 authentication protocol implemented in Windows 2000. Kerberos offers several advantages, perhaps the most important of which is the ability to pass authentication credentials to other computers that also support Kerberos—including those running non-Windows operating systems. This ability to delegate authentication to another computer makes it easier to scale a Web site by using separate machines for Web servers and database servers. Previous solutions, such as keeping all services on one box, executing all client requests in the same security context or hard coding security credentials into script files, tended to weaken the security architecture.

IIS 5.0 also supports Server-Gated Cryptography (SGC) and Fortezza. SGC (RFC 2069), which requires a special certificate, allows financial institutions with export versions of IIS to use strong, 128-bit encryption. Fortezza—a registered trademark of the National Security Agency—is a US government messaging security standard written to the Defense Message System security architecture (www.armadillo.huntsville.al.us).

Windows 2000 includes Certificate Server 2.0, which provides substantially improved support for digital certificates over the rather rudimentary version introduced with the Windows NT Option Pack. Certificate support is also better integrated with IIS: a new Web Server Certificate Wizard (Figure 2) simplifies creating a certificate request to enable secure SSL communications. A second wizard helps administrators configure certificate trust lists (CTLs). A CTL is a signed list of root certification authorities (CAs) for a particular site. CTLs can be configured on a per-site basis, which is particularly useful for Internet service providers who must support multiple Web sites.

FIGURE 2: The Certificate Wizard helps you easily create certificates to enable secure SSL communications.

PROGRAMMABILITY

The application programmability of IIS 5.0 has also been enhanced. Both Active Server Pages (ASP), which is the primary mechanism for launching dynamic content under IIS, and the programmability objects themselves have improved performance as well as new features. ASP provides a new ASPError object with corresponding error-handling capability so developers can trap errors in script files. ASP also supports new flow control capabilities that allow the server to execute other pages without the overhead of round trips required by traditional server-side re-directs.

Performance has been greatly improved for scriptless ASP pages. Many sites use the ASP file extension for all pages so they don’t have to change links and indexes if they subsequently add script to what was previously an HTML only page. Unfortunately, this shortcut incurred a penalty in previous versions of ASP, which loaded the default scripting engine even when there was no code. A new check in the parsing stage short circuits this problem. ASP now detects when executing requests are blocked by (waiting on) external components and automatically creates additional threads to allow other requests to continue processing.

COMPONENTS

One of the most interesting new features is script encoding (also known as script obfuscation). IIS 5.0 includes the latest Microsoft scripting engines—VBScript 5.0 and JScript 5.0—both of which support this feature. In script encoding, scripts that were previously stored as plain text are encoded through a simple transformation (similar to uuencoding) to render them indecipherable to casual users. Encoded scripts are then decoded at runtime by the script engine. While not a truly secure solution, this can prevent most casual users from examining scripts.

ASP also now supports Windows Script Components, which can be used to turn scripts into re-usable Component Object Model (COM) components for use by ASP and other COM-compliant programs. ASP comes with more than a dozen prebuilt components for things like logging, using counters and accessing data and files. All of the components are faster and more scalable, and the Browser Capabilities tool has been enhanced to support capabilities described in cookies sent by the browser. This provides additional flexibility in running server code based on features supported by the target client.

IIS 5.0 gets some immediate benefits—such as the new security and administrative features—just by being bundled with Windows 2000. But the entire product has been revamped to improve performance and implement new features that keep up with the latest Internet standards and provide a solid platform for Web based applications. For more information, visit www.microsoft.com/windows2000/guide/server/features/web.asp.

April 2000
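The contrast the article draws between Basic and Digest authentication can be seen by building both kinds of credential side by side. The following is an added example, not code from the article or from IIS: it follows the original Digest scheme (MD5 over user, realm, password, server nonce, method and URI), and the user name, realm, password, URI and nonce values are constructed for illustration.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Basic: the credentials are only base64-encoded, not protected."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def read_basic(header):
    """What any observer of the request can recover from a Basic header."""
    token = header.split(" ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def digest_response(user, realm, password, method, uri, nonce):
    """Client side: a hash bound to the server's nonce and the requested URI."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored H(A1); no clear-text password."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
    return hmac.compare_digest(expected, response)


# Constructed sample values (assumptions, not taken from the article).
USER, REALM, PASSWORD = "alice", "intranet.example", "CorrectHorse9"
STORED_HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")

if __name__ == "__main__":
    print(read_basic(basic_header(USER, PASSWORD)))
    resp = digest_response(USER, REALM, PASSWORD, "GET", "/default.asp", "nonce-0001")
    print(resp, server_verify(STORED_HA1, "GET", "/default.asp", "nonce-0001", resp))
    # A captured response replayed against a fresh nonce is rejected.
    print(server_verify(STORED_HA1, "GET", "/default.asp", "nonce-0002", resp))
```

The stored H(A1) value is enough to compute valid responses for that realm, so the server-side credential store needs the same protection as a password file.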


