Thursday, September 19, 2024

Introduction to IIS 6.0 on Windows Server 2003 – Part 2

Welcome to the second installment of Internet Information Services 6.0 on Windows Server 2003. I have decided to write this series of articles on Internet Information Services 6 on Windows Server 2003 both as a refresher for the IT professional who is familiar with designing, deploying and administering IIS 4 and 5 and as a way for newcomers to IIS, regardless of version, to get their feet wet, so to speak.

In this installment I will continue with my introduction to Internet Information Services 6.0 on Windows Server 2003 by providing an overview of installing IIS 6.0 by using the Manage Your Server Wizard to install the Application Server role on the system which configures the system with a base installation and deployment of IIS 6.0.

Internet Information Services 6.0 on Windows Server 2003 is not installed by default when the operating system is installed (a departure from the Windows 2000 Server era when IIS 5.0 WAS installed by default) and even when an administrator opts to install the application, the default installation of IIS 6.0 enables it to be a static content web server only. ASP and ASP.NET would need to be explicitly installed by the administrator in order for dynamic content to be made available for use on the particular system.

In situations where you have a Windows 2000 Server with IIS 5.0 installed and it is upgraded to Windows Server 2003, IIS 6.0 will be installed as a simple static content web server unless an administrator installed and ran the IIS Lockdown Tool or configured the RetainW3SVCStatus registry key to secure the Windows 2000 Server operating system and the IIS 5.0 installation.

NOTES FROM THE FIELD – IIS Lockdown Tool version 2.1 turns off unnecessary features and services of IIS 4.0, 5.0 and 5.1 in an effort to reduce the attack surface available to would-be attackers.

The tool can be run to secure IIS 4.0 on Windows NT 4.0 Server systems when IIS 4.0 is installed from the NT4 Option Pack. The tool can also lock down IIS 5.0 which is installed by default on Windows 2000 Server installations. IIS 5.1 which is found under the Windows XP family of operating system (but not installed by default) can also be locked down via the tool.

Version 2.1 of the tool can utilize supplied templates for Microsoft Exchange 5.5 and 2000, Commerce Server, BizTalk, Small Business Server 4.5 and 2000, SharePoint Portal Server, FrontPage Server Extensions and SharePoint Team Server in an effort to lock down these IIS dependent applications when they are installed and utilizing IIS.

URLscan 2.5 has been integrated with the IIS Lockdown tool as well.

UrlScan blocks specific HTTP requests in an effort to restrict the types of calls that can be made to the IIS server and can be run on IIS 4.0, 5.0, 5.1 and 6.0.

I will be covering both of these tools in more depth in future articles.

There are a couple of different ways to install Internet Information Services 6.0 on your Windows Server 2003 system.

The simplest way (which does not really allow you to do much additional configuration as far as configuration options and secondary services such as FTP or SMTP) is to configure the Application Server specific role for your system by using the Configure Your Server Wizard.

You will need to be logged on to the local system with an administrator account (or any other account that has been delegated the required permissions and rights on the local system) in order to successfully run the Configure Your Server Wizard.

Your other option is to use Add or Remove Programs from the Control Panel. I will go over that type of installation of IIS 6.0 in my next article.

The recommended approach as far as security is concerned is to NOT log on to any systems with an Administrator account but rather to log on with a domain user (or local user) account and use the Secondary Logon service known as RUNAS to launch an application or an installation program ONLY with the appropriate administrative rights to perform the needed function on the system. Once the program is closed or the installation is complete the Administrative context is released and everything else running under that user account on the system is running at the lower “user” level.

NOTES FROM THE FIELD – The Microsoft Knowledge Base Article – 225035 Secondary Logon (Run As): Starting Programs and Tools in Local Administrative Context details the procedure, and while the article itself pertains to Windows 2000, the functionality is more or less the same for Windows XP and Server 2003.

In summary, to start an application such as CMD.exe by using Secondary Logon, go to Start, click Run, type runas /user:machine_name\administrator cmd, where machine_name is the name of your computer, and then click OK.

A console window will appear, prompting for a password for the machine_name\administrator account. Type the password for the administrator account and press ENTER.

A new console will appear running in the administrative context as shown in the title of the console itself.

Any command-based programs can now be started from this console window and will be running in an administrative context.

You can also run an application from its shortcut as well by selecting the particular application’s shortcut from the desktop, the Control Panel or from the start menu and holding down the SHIFT key once the icon is highlighted by left clicking it once. Once it is highlighted and while you are holding down the SHIFT key you would right click the icon in order to bring up the Run as… option in the right click pop up list. (If you right

A dialog box titled, “Run program as other user” will appear which will allow you to enter the local or domain credentials required to start the tool or application in an administrative context.

One thing you will find different under Windows Server 2003 than what is outlined above for Windows 2000 and XP is that you will only need to perform the “hold the shift key down and right click” action to bring up the RUNAS option on the right click menu for your Control Panel tools on your Windows Server 2003 system where this needs to be done for everything under Windows 2000 and XP. Regular EXEs at their path location, Start Menu shortcuts and shortcuts on the desktop will automatically show RUNAS on the right click menu WITHOUT holding down the SHIFT key on Windows Server 2003 systems.

Server Roles in Windows Server 2003 allow you as the Administrator to configure specific roles for your system by using the Configure Your Server Wizard.

Depending on your settings, the Manage Your Server window may be automatically available upon login. If it is not, it can be found on the Start Menu under All Programs – Administrative Tools.

From this screen you can add a role to your existing server, which will allow you to configure it for a specific task. You can also manage the current role from this page as well.

From this point you can pick one of the listed roles, all of which are pretty self explanatory for the most part by their titles.

– File server
– Print server
– Application server
– Mail server
– Terminal server
– Remote access/VPN server
– Domain controller
– DNS server
– DHCP server
– Streaming media server
– WINS server

The steps for configuring the server in any role are pretty straightforward. You would select Add or Remove a Role from the main Manage Your Server window to launch the Configure Your Server Wizard. Once you have read the information on the screen, verified that all of the network connections are available and confirmed that you have the needed installation path information (or the CD) to the Windows Server 2003 setup files, you can click NEXT to continue.

The setup wizard will test your available and enabled network connections and bring you to the Server Role screen.

Here you will be able to set up the server for one or more roles. In order to set up a second or third role for a server you would need to run the Configure Your Server Wizard again; only one role can be established at a time.

In the example below we have selected the Application Server role in order to configure the system as an IIS 6.0 server. This is the only way to perform the installation of IIS 6.0 by using the Configure Your Server Wizard; there is no “IIS 6.0” role, just the Application Server role.

The next screen varies from role to role, as it relates to the function of the role we have chosen. Different roles will provide different subsequent screens, depending on what the installation of the chosen role requires. For our Application Server role, the next screen we’ll come to is the Application Server Options page, which will allow us to select (or to not select) additional tools such as FrontPage Server Extensions or to enable ASP.NET by selecting the appropriate check boxes before continuing.

The next screen is the Summary of Selections which will show us the options we have elected to install. As you can see, you were never provided any options by using the Configure Your Server Wizard for installing additional services such as FTP, NNTP and SMTP and they are not added by default when you establish the server role in this way.

NOTES FROM THE FIELD – In order to specify additional services or other customizable settings you would need to run the entire installation from Add or Remove Programs from the Control Panel.

From here IIS 6.0 is installed and configured automatically by the Configure Your Server Wizard without any further intervention by the administrator. During the install you will see the Windows Components Wizard appear as software is installed from the software distribution point or the original CD-ROM.

Once the process is complete the final page of the Configure Your Server Wizard appears stating that “This Server is Now an Application Server” (or whichever type you chose).

You have the options of reviewing your Configure your Server.log file, which shows this exciting information:

(3/4/2003 1:03:51 PM)
Configurations for an Application Server
IIS installed successfully.

You can also view the next steps for this role by selecting that hyperlink from the Configure Your Server Wizard completion page.

This will open the Help File for Configure Your Server and it will bring you right to the Next steps: Completing additional tasks page which highlights additional tasks that you might want to perform on the application server.

You can go to Start – All Programs – Administrative Tools – and find that the Internet Information Services Manager MMC is now installed.

A quick look will show that only the World Wide Web service is installed. FTP, NNTP and SMTP are not added by default when you establish the server role in this way.
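The same check can be made from a command prompt. The batch script below is an added example, not part of the original article: it asks the Service Control Manager which IIS 6.0 services exist and reports each one's state and start type, and it can be run again after a role removal to confirm the services are gone. The service short names used (IISADMIN, W3SVC, MSFTPSVC, SMTPSVC, NNTPSVC) are the standard Windows names and do not appear in the article.

```bat
@echo off
rem Added example (not from the original article).
rem Reports which IIS 6.0 services are installed on the local server,
rem with the current state and configured start type of each one.
rem Assumption: the standard service short names listed in the loop below.
setlocal
set FOUND=0
for %%S in (IISADMIN W3SVC MSFTPSVC SMTPSVC NNTPSVC) do call :check %%S
echo.
if "%FOUND%"=="0" echo No IIS services are installed.
if not "%FOUND%"=="0" echo IIS services installed: %FOUND%
endlocal
goto :eof

:check
rem sc query exits with code 1060 when the named service does not exist.
sc query %1 >nul 2>&1
if errorlevel 1060 if not errorlevel 1061 (
    echo %1: not installed
    goto :eof
)
set /a FOUND+=1
rem The STATE line reads "STATE : 4 RUNNING"; the fourth token is the name.
for /f "tokens=3,4" %%A in ('sc query %1 ^| find "STATE"') do echo %1: installed, state %%B
rem The START_TYPE line reads "START_TYPE : 2 AUTO_START".
for /f "tokens=3,4" %%A in ('sc qc %1 ^| find "START_TYPE"') do echo %1: start type %%B
goto :eof
```

After the Application Server role is added as described here, W3SVC should be the only content service reported as installed; MSFTPSVC, SMTPSVC and NNTPSVC should show as not installed.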

Also, if you should run the Configure Your Server Wizard again you will see that the role of Application Server will show up on the main screen of the Manage Your Server wizard in the section that reads “Your server has been configured with the following roles:”.

It will also show any other roles that might be configured on the server.

In the event that you need to remove IIS 6.0 (or any other established role) from your system once it is no longer in use (removing unneeded services from a system is a good security practice), and you want to perform this action by using the Configure Your Server Wizard, all you need to do is choose the Add or Remove a Role green arrow at the upper right hand side of the Manage Your Server intro page.

The next screen that would appear would be the Preliminary Steps screen where you can read the information and verify that all of the network connections are available. You can also check to see if you have the needed installation path information (or the CD) to the Windows Server 2003 setup files.

From here the setup wizard will test your available and enabled network connections and bring you to the Server Role screen. If you wanted to add another role to this Application Server at this time all you would need to do is to choose one of the other available roles (File Server for example) and click next to continue. This would allow the wizard to continue with installing the new role. Since we wish to remove a role, we will select a role that is already configured on the server (our Application Server IIS, ASP.NET) and click NEXT to remove it.

On the Role Removal Confirmation screen you will see the summary of what will be done to the system in order to remove the current role. In some cases components will be removed and in others services will be disabled.

The next step of the process is to remove the role, so this screen has a check box that you must select before you can choose NEXT to continue. (You may note that in the screen shot the box is not checked and the NEXT button is not available.)

After you choose NEXT the wizard immediately begins to remove the role. There is no separate “Are You Sure” prompt; the previous screen’s check box and the grayed-out NEXT button serve that purpose.

The removal process will call for the installation files (either from the original distribution point or from the CD-ROM drive if the disk is available) and a pop up box (shown below) will identify what is occurring. If the disk or the distribution point is not available a pop-up box will appear asking for the location of the files.

The final screen of the Configure Your Server Wizard shows (in this case) that the Application Server role has been successfully removed from the system.

You have the option of reviewing your Configure your Server log file, which shows information from the original server role installation as an Application Server and the current action of removing that role, by selecting the link on the Configure Your Server Wizard completion page.

(3/4/2003 1:03:51 PM)
Configurations for an Application Server
IIS installed successfully.

(3/7/2003 8:50:16 PM)
Removal of Application Server Role
IIS successfully removed.
ASP.NET successfully disabled.

A quick look back on the Manage Your Server Wizard welcome page shows that it no longer has any roles assigned to it.

The removal of the Application Server Role has uninstalled IIS 6.0 from our server and it has also removed the Internet Information Services MMC from the Administrator Tools menu and the World Wide Web service is no longer present on the services menu.

Well, that wraps up this installment of the Internet Information Services 6 on Windows Server 2003 article. I hope you found it informative.
If you have any questions, comments or even constructive criticism, please feel free to drop me a note.
I want to write solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until the next time, remember,

“Windows 2000 is approaching 4 years in service and on July 29th of 2003 Windows NT4 Server will be 7 years old.”

* Originally published at 2000Trainers

Jason Zandri has worked as a consultant, systems engineer and technical trainer for a variety of corporate clients in Connecticut over the past five years and currently holds the position of Technical Account Manager for Microsoft Corporation.

He has also written a number of COMPTIA and MICROSOFT prep tests for Boson Software and holds a number of certifications from both companies. Currently, he writes part time for a number of freelance projects, including numerous “HOW TO” and best practices articles for 2000Trainers.com and MCMCSE.com.
