
April Tutor

Windows 2000 Internet Services ●

services in w2K
With Microsoft Windows 2000 now shipping in the Middle and Near East, what can Internet administrators look forward to with the accompanying IIS Server 5.0? In this month’s tutorial we detail the new features and options that will ease Internet or intranet administration by leveraging the tools found in Microsoft Windows 2000 server to maximum effect.

The latest version of Microsoft Internet Information Service is now shipping with Windows 2000 Server. As you would expect with a product in its fifth version, the changes are clearly evolutionary or additive. Still, IIS 5.0 offers new features and options that ease administration and Web development. Sites upgrading from the previous version should experience little or no difficulty.

IIS 5.0 uses the administrative interface introduced with the previous version: a Microsoft Management Console (MMC) snap-in showing all the services and sites in a tree view. You view and configure all options using an enhanced Properties dialog. Context menus for sites expose several new options, including a security Permissions Wizard (Figure 1) and the ability to install, remove and verify server extensions. The Permissions Wizard helps you configure Web site access more easily by assigning access policies—including authentication methods, access permissions, IP address restrictions and special access control lists (ACLs)—to virtual directories and files.

FIGURE 1: The new Permissions Wizard simplifies the process of assigning file permissions.

Under the hood, IIS 5.0 takes advantage of the new Windows 2000 recovery options for services. When a service fails, you can now set Windows 2000 to 1) restart the service, 2) run a file, or 3) reboot the computer for the first, second and any subsequent failures. Together with the failure counter, this capability allows IIS to run scripts that—for instance—page administrators when individual services fail. Also, by default, IIS runs all applications in a common or pooled process that is separate from core IIS processes.

Logging has also been extended: in addition to a new option to create hourly logs—important for high volume Web sites—IIS can also be configured to log Process Accounting data, including such measurements as User and Kernel time, page faults and terminated processes. This lets administrators determine which sites are using too many resources or which might be malfunctioning; administrators can then institute process throttling to limit the percentage of CPU time allowed to individual Web sites for out of process applications.

HTTP support has also been enhanced. In addition to customisable error messages, IIS 5.0 includes support for HTTP Compression, which compresses both static and dynamic Web pages for faster transmission to compatible browsers. Dynamic pages must be individually compressed,

92 April 2000 www.DITnet ■ www.pcmag


but compressed static Web pages are retained in a configurable cache to provide extra performance gains for subsequent requests. IIS 5.0 also provides the server side support for Microsoft’s new Web Distributed Authoring and Versioning (WebDAV), an extension to HTTP 1.1 that enables remote authors to manage (create, move or delete) files and directories on a server over an HTTP connection.

SECURITY

IIS 5.0 also includes a few new security features. The product has always supported several authentication mechanisms: Anonymous, Basic, NT LAN Manager and Windows NT challenge/response. The new Digest authentication method transmits password hash values rather than the passwords themselves. Digest authentication is a substantial improvement over Basic authentication—which passes the password unencrypted—because it is generally not feasible to decrypt hash values.

Windows NT challenge/response is now called integrated Windows authentication and has been enhanced to support the Kerberos v5 authentication protocol implemented in Windows 2000. Kerberos offers several advantages, perhaps the most important of which is the ability to pass authentication credentials to other computers that also support Kerberos—including those running non-Windows operating systems. This ability to delegate authentication to another computer makes it easier to scale a Web site by using separate machines for Web servers and database servers. Previous solutions, such as keeping all services on one box, executing all client requests in the same security context or hard coding security credentials into script files, tended to weaken the security architecture.

IIS 5.0 also supports Server-Gated Cryptography (SGC) and Fortezza. SGC (RFC 2069), which requires a special certificate, allows financial institutions with export versions of IIS to use strong, 128-bit encryption. Fortezza—a registered trademark of the National Security Agency—is a US government messaging security standard written to the Defense Message System security architecture (www.ar-

Windows 2000 includes Certificate Server 2.0, which provides substantially improved support for digital certificates over the rather rudimentary version introduced with the Windows NT Option Pack. Certificate support is also better integrated with IIS: a new Web Server Certificate Wizard (Figure 2) simplifies creating a certificate request to enable secure SSL communications. A second wizard helps administrators configure certificate trust lists (CTLs). A CTL is a signed list of root certification authorities (CAs) for a particular site. CTLs can be configured on a per-site basis, which is particularly useful for Internet service providers who must support multiple Web sites.

FIGURE 2: The Certificate Wizard helps you easily create certificates to enable secure SSL communications.

PROGRAMMABILITY

The application programmability of IIS 5.0 has also been enhanced. Both Active Server Pages (ASP), which is the primary mechanism for launching dynamic content under IIS, and the programmability objects themselves have improved performance as well as new features.

ASP provides a new asperror object with corresponding error-handling capability so developers can trap errors in script files. ASP also supports new flow control capabilities that allow the server to execute other pages without the overhead of round trips required by traditional server-side re-directs.

Performance has been greatly improved for scriptless ASP pages. Many sites use the ASP file extension for all pages so they don’t have to change links and indexes if they subsequently add script to what was previously an HTML only page. Unfortunately, this shortcut incurred a penalty in previous versions of ASP, which loaded the default scripting engine even when there was no code. A new check in the parsing stage short circuits this problem. ASP now detects when executing requests are blocked by (waiting on) external components and automatically creates additional threads to allow other requests to continue processing.

COMPONENTS

One of the most interesting new features is script encoding (also known as script obfuscation). IIS 5.0 includes the latest Microsoft scripting engines—VBScript 5.0 and JScript 5.0—both of which support this feature. In script encoding, scripts that were previously stored as plain text are encoded through a simple transformation (similar to uuencoding) to render them indecipherable to casual users. Encoded scripts are then decoded at runtime by the script engine. While not a truly secure solution, this can prevent most casual users from examining scripts.

ASP also now supports Windows Script Components, which can be used to turn scripts into re-usable Component Object Model (COM) components for use by ASP and other COM-compliant programs.

ASP comes with more than a dozen prebuilt components for things like logging, using counters and accessing data and files. All of the components are faster and more scalable, and the Browser Capabilities tool has been enhanced to support capabilities described in cookies sent by the browser. This provides additional flexibility in running server code based on features supported by the target client.

IIS 5.0 gets some immediate benefits—such as the new security and administrative features—just by being bundled with Windows 2000. But the entire product has been revamped to improve performance and implement new features that keep up with the latest Internet standards and provide a solid platform for Web-based applications. For more information, visit www.mic…dows2000/guide/server/features/web.asp.
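
The difference between Basic and Digest authentication described under SECURITY can be seen by building both headers for the same credentials. This Python sketch is an added example, not code from the article or from IIS; the function names are hypothetical and the sample values are the worked example from RFC 2617.

```python
import base64
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    # Basic: base64("user:password"), an encoding, not encryption.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_password(header):
    # What any observer of an unencrypted connection can do with a Basic header.
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    return decoded.split(":", 1)[1]


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    # Digest: the client proves knowledge of the password with an MD5 hash
    # that is bound to the server's nonce and to the request being made.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:  # older form without quality-of-protection fields
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")  # RFC 2617 qop=auth


def digest_header(user, realm, password, method, uri, nonce, **extra):
    # All fields are quoted uniformly here for readability.
    resp = digest_response(user, realm, password, method, uri, nonce, **extra)
    fields = {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
              "response": resp, **extra}
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields.items())


# Constructed sample values: the worked example from RFC 2617, not from the article.
SAMPLE = dict(user="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
              method="GET", uri="/dir/index.html",
              nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093")

if __name__ == "__main__":
    basic = basic_header(SAMPLE["user"], SAMPLE["password"])
    print(basic, "->", recover_basic_password(basic))
    print(digest_header(**SAMPLE, qop="auth", nc="00000001", cnonce="0a4f113b"))
```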
