Configuring IIS 6.0 Properties
Up to this point in the upgrade process, you have upgraded the operating system and all of the operating system components, including IIS 6.0, on the Web server. However, you might need to further configure the IIS 6.0 properties on the Web server so that the Web sites run as they did before the server was upgraded. In addition, you can configure your Web server to take advantage of the enhanced security and availability capabilities of IIS 6.0.

Figure 5.5 illustrates the process for configuring the IIS 6.0 properties on your Web server.
Figure 5.5: Configuring IIS 6.0 Properties
Enabling the WWW Service
When you upgrade a Web server running Windows 2000 Server and IIS 5.0, the World Wide Web Publishing Service (WWW service) is disabled unless, before upgrading, you elected to run the IIS Lockdown Tool or make the appropriate changes to the registry. However, if you did not choose either of those methods, you must now enable the WWW service.
Note | If you are upgrading a Web server that is currently running Windows NT Server 4.0 and IIS 4.0, the WWW service is not disabled. Therefore, you can continue to the next step in the deployment process. |
For more information about how to enable the WWW service after upgrade, see "Enable the WWW Service After Upgrade" in "IIS Deployment Procedures" in this book.
Configuring Web Service Extensions
Many Web sites and applications hosted on IIS include dynamic content and other enhanced capabilities. Providing dynamic content and other enhanced capabilities requires executable code, such as ASP, ASP.NET, and ISAPI extensions. The handlers that extend IIS functionality beyond serving static pages are known as Web service extensions.
Because of the enhanced security features in IIS 6.0, you can enable or disable individual Web service extensions. After upgrade, all of the Web service extensions are enabled except for the extensions that are mapped to 404.dll by the IIS Lockdown Tool. If you did not run the IIS Lockdown Tool prior to upgrade, all of the Web service extensions are enabled.

The Windows Server 2003 upgrade creates a permission entry for Web service extensions, which enables all of the Web service extensions that are not explicitly prohibited. Enabling all of the Web service extensions ensures the highest possible compatibility with your Web sites. However, doing this creates a security risk by enabling functionality that might not be necessary for your server, which increases the attack surface of the server.
Note | Web service extensions allow you to enable and disable the serving of dynamic content. MIME types allow you to enable and disable the serving of static content. For more information about enabling and disabling the serving of static content, see "Configuring MIME Types" later in this chapter. |
Configure the Web service extensions after upgrade by completing the following steps:
Configure the Web service extensions list so that the following entries, which enable all Web service extensions, are set to Prohibited:
All Unknown CGI Extensions
All Unknown ISAPI Extensions
For information about how to prohibit a Web service extension, see "Configure Web Service Extensions" in "IIS Deployment Procedures" in this book.
Enable the essential predefined Web service extensions based on the information in Table 5.7.
Web Service Extension | Enable When |
---|---|
Active Server Pages | One or more of the Web sites or applications contains ASP content. |
ASP.NET version 1.1.4322 | One or more of the Web sites or applications contains ASP.NET content. |
FrontPage Server Extensions 2002 | One or more of the Web sites are FrontPage extended. |
Internet Data Connector | One or more of the Web sites or applications uses the IDC to display database information (content includes .idc and .idx files). |
Server-Side Includes | One or more of the Web sites uses server-side include (SSI) directives to instruct the Web server to insert various types of content into a Web page. |
WebDAV | You want to support WebDAV on the Web server. Not recommended for dedicated Web servers. |
For each Web service extension that is used by your applications and is not one of the default Web service extensions, add a new entry to the Web service extensions list and configure the status of the new entry to Allowed.
For example, one of your applications might use an ISAPI extension to provide access to a proprietary database. Add the ISAPI extension to the Web service extensions list, and then configure the status of the ISAPI extension to Allowed.
For information about how to add a Web service extension and enable the extension, see "Configure Web Service Extensions" in "IIS Deployment Procedures" in this book.
Use a Web browser on a client computer to verify that the Web sites and applications run on the server.
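The procedure above is an edit of a single metabase property, WebSvcExtRestrictionList, whose entries have the form Access,Path,UIDeletable,GroupID,Description (Access 1 = Allowed, 0 = Prohibited; the rows with path *.dll and *.exe are "All Unknown ISAPI Extensions" and "All Unknown CGI Extensions"). The following PowerShell script is an added example, not code from the Deployment Guide or from IIS itself: it reads the list through the IIS ADSI provider, reports every entry that is still Allowed, prohibits the two catch-all rows, allows the group IDs you pass in, optionally appends one application-specific extension, and only writes the list back when run with -Enforce. It assumes it runs on the upgraded server as a local administrator; the default group ID "ASP" and the sample values for the added extension are assumptions, so confirm group IDs on your server with cscript %systemroot%\system32\iisext.vbs /ListExt first.

```powershell
# Added example (not the Deployment Guide's own code). Audits, and with -Enforce
# rewrites, the IIS 6.0 Web service extension list through the IIS ADSI provider.
# Assumes it runs on the upgraded server as a local administrator. Each entry of the
# metabase property WebSvcExtRestrictionList has the form
#   Access,Path,UIDeletable,GroupID,Description     (Access 1 = Allowed, 0 = Prohibited)
param(
    # Group IDs to set to Allowed, chosen from Table 5.7. "ASP" is assumed here;
    # confirm the IDs with: cscript %systemroot%\system32\iisext.vbs /ListExt
    [string[]] $AllowGroups = @("ASP"),
    # Optional application-specific ISAPI extension to add as Allowed
    # (hypothetical sample group and description; path is empty unless you pass one).
    [string] $AddPath = "",
    [string] $AddGroup = "PROPRIETARYDB",
    [string] $AddDescription = "Proprietary database ISAPI extension",
    [switch] $Enforce
)

$w3svc   = [ADSI] "IIS://localhost/W3SVC"
$entries = @($w3svc.Properties["WebSvcExtRestrictionList"].Value)
$result  = @()

foreach ($entry in $entries) {
    $field = $entry.Split([char] ',', 5)            # keep commas inside the description
    if ($field.Count -lt 5) { $result += $entry; continue }
    $access = $field[0]; $path = $field[1]; $group = $field[3]; $desc = $field[4]
    $want = $access
    if ($path -eq '*.dll' -or $path -eq '*.exe') {
        $want = '0'                                  # step 1: prohibit the catch-all rows
    } elseif ($AllowGroups -contains $group) {
        $want = '1'                                  # step 2: essential predefined extensions
    }
    if ($want -ne $access) {
        Write-Host ("CHANGE  {0,-40} {1} -> {2}" -f $desc, $access, $want)
    } elseif ($access -eq '1') {
        Write-Host ("ALLOWED {0,-40} {1}" -f $desc, $path)   # review: still needed?
    }
    $field[0] = $want
    $result += ($field -join ',')
}

if ($AddPath -ne "") {
    # step 3: application-specific extension, Allowed and deletable from IIS Manager
    $result += ("1,{0},1,{1},{2}" -f $AddPath, $AddGroup, $AddDescription)
    Write-Host "ADD     $AddDescription ($AddPath)"
}

if ($Enforce) {
    $w3svc.Properties["WebSvcExtRestrictionList"].Value = [string[]] $result
    $w3svc.CommitChanges()
    Write-Host "Web service extension list updated."
} else {
    Write-Host "Report only; rerun with -Enforce to apply the changes shown above."
}
```

Run it once without -Enforce and read the ALLOWED lines: each one is an extension that the upgrade left enabled and that Table 5.7 asks you to justify. The same edits can be made entry by entry with the iisext.vbs switches /DisFile, /EnExt and /AddFile, and the final check remains the one in the last step above: browse the sites from a client and confirm they still work.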
Configuring MIME Types
IIS serves only the static files with extensions that are registered in the Multipurpose Internet Mail Extensions (MIME) types list. IIS is preconfigured to recognize a default set of global MIME types, which are recognized by all configured Web sites. MIME types can also be defined at the Web site and directory levels, independent of one another or the types defined globally. IIS also allows you to change, remove, or configure additional MIME types. For any static content file extensions used by the Web sites and applications hosted by IIS that are not defined in the MIME types list, you must create a corresponding MIME type entry.

Configure the MIME types after upgrade by completing the following steps:
Remove the entry .* application/octet-stream, which enables all MIME types. Removing this entry allows you to restrict the static content served by IIS.

For information about how to remove a MIME type from the list, see "Configure MIME Types" in "IIS Deployment Procedures" in this book.
For each static file type that is used by your applications, ensure that an entry exists in the MIME types list. When your application uses the standard MIME types included in IIS, no new MIME type entry is required.

For information about how to add a MIME type, see "Configure MIME Types" in "IIS Deployment Procedures" in this book.
Use a Web browser on a client computer to verify that the Web sites and applications run on the server.
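Removing the .* entry turns every unregistered extension into a refused request, so the useful check before that step is an inventory: which extensions actually exist under the content root, and which of them have no MIME type. The following PowerShell script is an added example, not code from the Deployment Guide or from IIS: it reads the global MIME map through the IIS ADSI provider, warns if the .* catch-all is still present, walks a content directory, and lists every static extension that would stop being served. It assumes it runs on the upgraded server as a local administrator, that the content lives under C:\Inetpub\wwwroot (an assumed path), and that the IIsMimeType objects the provider returns expose Extension and MimeType properties to PowerShell.

```powershell
# Added example (not the Deployment Guide's own code). Compares the static file
# extensions found under a content root with the global MIME map in the IIS 6.0
# metabase and flags the catch-all ".*" entry. Assumes a local administrator on the
# upgraded server; the content path below is an assumption.
param(
    [string] $ContentRoot = "C:\Inetpub\wwwroot",
    # Extensions handled by Web service extensions (dynamic content), not by the MIME map
    [string[]] $DynamicExtensions = @(".asp", ".aspx", ".asmx", ".ashx", ".dll",
                                      ".exe", ".idc", ".shtml", ".stm", ".shtm")
)

# Global MIME map: IIsMimeType objects with Extension / MimeType properties
$mimeMapEntry = [ADSI] "IIS://localhost/MimeMap"
$registered = @{}
foreach ($entry in @($mimeMapEntry.Properties["MimeMap"].Value)) {
    $registered[$entry.Extension.ToLower()] = $entry.MimeType
}

if ($registered.ContainsKey(".*")) {
    Write-Host ("WARNING: catch-all entry '.*' -> {0} is present; every unmapped file is served" -f $registered[".*"])
} else {
    Write-Host "OK: no '.*' catch-all entry in the global MIME map"
}

# Inventory every static extension present in the content tree
$found = @{}
Get-ChildItem -Path $ContentRoot -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $ext = $_.Extension.ToLower()
        if ($ext -ne "" -and $DynamicExtensions -notcontains $ext) {
            if (-not $found.ContainsKey($ext)) { $found[$ext] = 0 }
            $found[$ext]++
        }
    }

# Report: registered extensions are fine; unregistered ones need an entry
# (or are stray files that should not be under the content root at all)
$missing = @()
foreach ($ext in ($found.Keys | Sort-Object)) {
    if ($registered.ContainsKey($ext)) {
        Write-Host ("OK      {0,-8} {1,5} file(s)  {2}" -f $ext, $found[$ext], $registered[$ext])
    } else {
        Write-Host ("MISSING {0,-8} {1,5} file(s)  no MIME type; refused once '.*' is removed" -f $ext, $found[$ext])
        $missing += $ext
    }
}
Write-Host ("{0} extension(s) without a MIME type: {1}" -f $missing.Count, ($missing -join " "))
```

A MISSING line is a decision, not automatically a new MIME entry: a .bak or .config file under the content root is exactly the kind of file the .* entry was silently serving, and the right fix is to move it, not to register it. Site- and directory-level MIME maps are not read by this script, so repeat the comparison for any site that overrides the global list.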
Modifying References to IIS 6.0 Metabase Properties
There are metabase properties that were used to configure features in earlier versions of IIS that are no longer supported in IIS 6.0. Because some features are eliminated, or implemented differently in IIS 6.0, the corresponding unused metabase properties are not referenced by any code in IIS 6.0. In cases where the feature is implemented differently in IIS 6.0, new metabase properties have been created to replace the obsolete, or unused, property.

In addition, there is one IIS 5.0 metabase property — CPUResetInterval — whose behavior has changed because of architectural changes made to IIS 6.0.
To determine whether any of your Web sites, applications, or setup programs reference these changed or unsupported IIS metabase properties, see "Changes to Metabase Properties in IIS 6.0" in this book. You can follow the recommendations associated with each changed metabase property to accommodate functionality changes.
Tip | The metabase properties that are no longer supported in IIS 6.0 are not available in IIS 6.0, even when IIS 6.0 is configured to run in IIS 5.0 isolation mode. |
Upgrading FrontPage Extended Web Sites
When you upgrade a Web server that has FrontPage 2000 Server Extensions, the upgrade process automatically installs FrontPage 2002 Server Extensions. After upgrade, both FrontPage 2000 Server Extensions and FrontPage 2002 Server Extensions are installed. After upgrade, you must upgrade each of the FrontPage extended Web sites and configure IIS 6.0 so that FrontPage 2000 Server Extensions is prohibited.

Upgrade your FrontPage extended Web sites by completing the following steps:
Set the status of the FrontPage Server Extensions 2000 entry in the Web service extensions list to Prohibited.
For more information about configuring Web service extensions, see "Configure Web Service Extensions" in "IIS Deployment Procedures" in this book.
For each FrontPage extended Web site, upgrade the Web site to FrontPage 2002 Server Extensions.

You can upgrade individual Web sites by using the FrontPage 2002 Server Extensions Server Administration Web page. You can also upgrade individual sites, or multiple sites in a batch, by using Owsadm.exe.

For more information about how to upgrade FrontPage extended Web sites to FrontPage 2002 Server Extensions, see "Upgrade FrontPage Extended Web Sites" in "IIS Deployment Procedures" in this book.
Determining Whether to Run the IIS Lockdown Tool and UrlScan
UrlScan and the IIS Lockdown Tool are IIS security-related programs designed for IIS 5.1 and earlier. Each tool provides different types of protection for earlier versions of IIS.
IIS Lockdown Tool
The IIS Lockdown Tool is provided to assist administrators in configuring optimal security settings for existing IIS servers. You cannot install the IIS Lockdown Tool after migration because all of the default configuration settings in IIS 6.0 meet or exceed the security configuration settings made by the IIS Lockdown Tool.
UrlScan
UrlScan is a tool that is provided to reduce the attack surface of Web servers running earlier versions of IIS. By default, IIS 6.0 has features that significantly improve security by reducing the attack surface of the Web server. UrlScan provides flexible configuration for advanced administrators, while maintaining the improved security in IIS 6.0. When you need this flexibility in configuring your Web server, you can run UrlScan on IIS 6.0.

For more information about determining whether to run UrlScan after migrating your server to IIS 6.0, see the Using UrlScan link on the Web Resources page at [http://www.microsoft.com/windows/reskits/].
Making Security-Related Configuration Changes
After upgrading your server to IIS 6.0, you can make additional security-related configuration changes on the Web server. If you ran the IIS Lockdown Tool before upgrading the Web server, most of these changes are already in place. The IIS Lockdown Tool removes unnecessary IIS components, including virtual directories, to reduce the attack surface available to malicious users. Otherwise, make these security-related configuration changes to help reduce the attack surface and increase the security of the Web server.

Make the security-related configuration changes by completing the following steps:
Enable essential IIS components and services.
Remove unnecessary IIS virtual directories.
Configure the anonymous user identity.
Enabling Essential IIS Components and Services
IIS 6.0 includes other components and services in addition to the WWW service, such as the FTP service and SMTP service. IIS components and services are installed and enabled by means of the Application Server subcomponent in Add or Remove Windows Components. After installing IIS, you must enable the IIS 6.0 components and services required by the Web sites and applications running on the Web server.

Enable only the essential IIS 6.0 components and services required by your Web sites and applications. For more information about enabling the essential IIS protocols and services, see "Enabling Only Essential IIS Components and Services" in "Securing Web Sites and Applications" in this book.
Removing Unnecessary IIS Virtual Directories
Table 5.8 lists the virtual directories that can be removed from IIS 6.0. Compare the virtual directories in IIS Manager to the virtual directories in Table 5.8, and then remove any of the virtual directories listed in Table 5.8.
Virtual Directory | Description |
---|---|
IISAdmin | Provides an HTML-based administration tool. It is designed primarily for administrators who administer the Web server through a Web interface, but IIS Manager is the recommended method for Web server administration. The virtual directory is not installed as part of IIS 6.0, but it is not removed when a Web server running an earlier version of IIS is upgraded to IIS 6.0. |
IISADMPWD | This virtual directory allows you to reset passwords from Windows NT Server 4.0 and Windows 2000 Server. It is designed primarily for intranet scenarios and is not installed as part of IIS 6.0, but it is not removed when a Web server running IIS 4.0 is upgraded to IIS 6.0. For more information about this functionality, see the Microsoft Knowledge Base link on the Web Resources page at [http://www.microsoft.com/windows/reskits/webresources], and search for article Q184619. |
IISHelp | Provides an HTML version of the IIS documentation. It is designed primarily for application developers and is not installed as part of IIS 6.0, but it is not removed when a Web server running an earlier version of IIS is upgraded to IIS 6.0. |
MDAC | Contains sample applications that illustrate the use of Microsoft Data Access Components that are not required on production Web servers. It is designed primarily for application developers and is not installed as part of IIS 6.0, but it is not removed when a Web server running an earlier version of IIS is upgraded to IIS 6.0. |
IISSamples | Contains sample applications that are not required on production Web servers. It is designed primarily for application developers and is not installed as part of IIS 6.0, but it is not removed when a Web server running an earlier version of IIS is upgraded to IIS 6.0. |
Printers | Provides an HTML-based printer administration tool. It is designed primarily for administrators who administer printers through a Web interface, but using the Windows Server 2003 printer administration interface is the recommended method for printer administration. The virtual directory is not installed as part of IIS 6.0, but it is not removed when a Web server running an earlier version of IIS is upgraded to IIS 6.0. |
Scripts | Contains scripts that are used for the sample applications in other virtual directories and is not required on production Web servers. It is designed primarily for application developers and is not installed as part of IIS 6.0, but it is not removed when a Web server running an earlier version of IIS is upgraded to IIS 6.0. |
For more information about how to remove unnecessary virtual directories after upgrade, see "Remove Virtual Directories" in "IIS Deployment Procedures" in this book.
Configuring the Anonymous User Identity
When the Web sites and applications running on the Web server require anonymous access, IIS is configured with a user account specifically for anonymous access. When a user connects to the Web server anonymously, IIS creates a process token for the user based on the user account that you configured in the anonymous user identity. The user account can be stored in the local account database on the Web server, or in a domain.

If, before upgrade, the anonymous user identity is configured to use a domain-based user account, after upgrade you need to configure the anonymous user account to the same domain-based user account. This is because the upgrade process automatically configures IIS to use the default anonymous account IUSR_computername, where computername is the name of the computer on which IIS is running. You can configure the anonymous user identity to the domain-based user account in IIS Manager.

For more information about how to configure the anonymous user identity, see "Configure Anonymous User Identity" in "IIS Deployment Procedures" in this book.
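Both of the last two checks in this section (the leftover virtual directories of Table 5.8, and the anonymous identity that the upgrade silently reset to IUSR_computername) are answered by one walk over the sites in the metabase. The following PowerShell script is an added example, not code from the Deployment Guide or from IIS: it enumerates every Web site through the IIS ADSI provider, reports any virtual directory at the site root whose name appears in Table 5.8 together with its physical path, prints the anonymous user name in effect at each site root, marks the upgrade default, and, when run with -Apply and an -AnonymousUser, sets the anonymous identity back to the domain account. It assumes it runs on the upgraded server as a local administrator; the account name shown in the parameter comment is hypothetical.

```powershell
# Added example (not the Deployment Guide's own code). Walks every Web site in the
# IIS 6.0 metabase through the ADSI provider and reports (a) virtual directories
# from Table 5.8 that survived the upgrade and (b) the anonymous user identity at
# each site root. With -Apply -AnonymousUser it restores a domain-based identity.
# Assumes a local administrator on the upgraded server.
param(
    [string] $AnonymousUser = "",     # e.g. "CORP\svc-webanon" (hypothetical)
    [switch] $Apply
)

$leftovers   = @("IISAdmin", "IISADMPWD", "IISHelp", "MDAC", "IISSamples", "Printers", "Scripts")
$defaultAnon = "IUSR_" + $env:COMPUTERNAME
$anonPass    = $null
if ($Apply -and $AnonymousUser -ne "") {
    # Prompt rather than embed the password; the metabase stores it, the script does not
    $secure   = Read-Host ("Password for " + $AnonymousUser) -AsSecureString
    $bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    $anonPass = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
}

$w3svc = [ADSI] "IIS://localhost/W3SVC"
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne "IIsWebServer") { continue }   # skip Info, Filters, AppPools
    $siteId   = $site.Name
    $siteName = $site.Properties["ServerComment"].Value
    Write-Host ("Site {0} ({1})" -f $siteId, $siteName)

    $root = [ADSI] ("IIS://localhost/W3SVC/{0}/Root" -f $siteId)

    # (a) Table 5.8: virtual directories that upgrade leaves behind
    foreach ($child in $root.Children) {
        if ($child.SchemaClassName -eq "IIsWebVirtualDir" -and $leftovers -contains $child.Name) {
            Write-Host ("  REMOVE  /{0,-12} -> {1}" -f $child.Name, $child.Properties["Path"].Value)
        }
    }

    # (b) anonymous identity in effect at the site root
    $anon = $root.Properties["AnonymousUserName"].Value
    if ($anon -eq $defaultAnon) {
        Write-Host ("  ANON    {0} (upgrade default; domain account not restored)" -f $anon)
    } else {
        Write-Host ("  ANON    {0}" -f $anon)
    }
    if ($anonPass -ne $null -and $anon -ne $AnonymousUser) {
        $root.Properties["AnonymousUserName"].Value = $AnonymousUser
        $root.Properties["AnonymousUserPass"].Value = $anonPass
        $root.CommitChanges()
        Write-Host ("  SET     anonymous identity -> {0}" -f $AnonymousUser)
    }
}
```

The REMOVE lines are the input to the "Remove Virtual Directories" procedure; the script deliberately does not delete anything, because the physical path it prints may be shared with content you still need. Directories that override AnonymousUserName below the site root are not visited, so a site with a per-directory identity still needs a look in IIS Manager.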