· Fortezza is a U.S. government cryptographic standard used for authentication, nonrepudiation, access control, and systems security.
· Secure Sockets Layer (SSL 3.0) uses certification authorities and is one of the most widely used methods on the Web to ensure authentication and message integrity.
· Server-Gated Cryptography (SGC) is used primarily by banking and financial institutions over the Internet.
· Transport Layer Security (TLS) extends SSL by providing cryptographic authentication. Its API framework permits the writing of TLS-enabled applications.
Applying these standards in an IIS environment is covered in other sections. IIS also supports three security-related wizards:
· Certificate leads the administrator through the creation and establishment of life cycles for a certificate.
· Certificate Trust Lists (CTL) constructs a list of trusted certificate authorities for a directory.
· Permissions consolidates authentication and NTFS permissions for Web site and FTP access.
IIS Data and Process Reliability
To meet changing requirements of the Internet and the new demands framework, IIS 6.0 relies on a fundamentally altered architecture. IIS 6.0 introduces a concept known as work process isolation mode, which separates active process management into an application isolation environment. This actively managed runtime relies on kernel-level request queuing.
The work process isolation mode runs all applications in an isolated environment. Unlike previous versions, which required process hops to an out-of-process DLL host, user-mode work processes pull requests directly from the kernel.
From an administrative perspective, the work process isolation scheme allows different Web applications and Web sites to exist in separate pools, known now as application pools. Application pools should be viewed as a set of Web applications that share one or more work processes. Each application pool is discrete. This means that if one application pool malfunctions, other application pools are not affected. Another way to look at an application pool is as a namespace group.
An application pool by default consists of a single work process. However, this default can be overridden so that multiple work processes can exist in the same application pool. Such multiple work process application pools are known as Web gardens. Conceptually, a Web garden is a single server–based equivalent to a Web farm. One of the best aspects of the Web garden technology is that in the event of a work process failure, new work processes are available to accept queue requests.
Figure 16.1 illustrates the new architecture of IIS 6.0 that separates kernel-mode and user-mode activities.
Figure 16.1. IIS 6.0 Architecture

PROCESS ARCHITECTURE
When shared resources are used, unstable elements can affect the environment. In IIS 5.0, Web services were run in the inetinfo.exe process space and pooled application requests to DLLHost.exe processes. The disadvantage of pooled processes is that if one application fails, all the others die. The advantage is that even in the event of failure, the IIS server will continue to run. In contrast, IIS 6.0 is redesigned to support two components using kernel-mode drivers. The larger boxed portion of Figure 16.1 shows the relationship of the new components: Http.sys, the Web Administration Service, and the Work Processes.
· Http.sys component. Http.sys resides in the kernel mode. It is the point of contact for all incoming HTTP requests. It listens for requests and queues them until they are all processed, no more queues are available, or the Web server is shut down. Each request queue is treated as an application pool that is defined as one request queue and one or more work processes. Because this component accepts and processes request queues in the kernel mode, outstanding requests will be restarted even if the user-mode Web services crash. Third-party code is never loaded in this isolated component.
· Web Administration Service (WAS). Residing in the user mode, WAS is responsible for configuration and process management. The process manager portion reads metabase information and initializes the Http.sys namespace routing table. One entry is entered for each application and includes which application pool requests match the route. A preregistration of applications thereby is established so that Http.sys can respond to the requests. With every new application or application pool, WAS configures Http.sys to accept the requests for new URLs and other data. WAS is also responsible for controlling work processes that process requests. Therefore, WAS determines when to start a work process or when to restart a process. WAS monitors the health of work processes through a pinging activity. If the ping comes back to indicate that the process is blocked or otherwise nonresponsive, WAS terminates the process while simultaneously creating a new work process to accept the queued requests.
Several other benefits are associated with this new architecture, including the following:
· On-demand start. When the first request is made to the application pool's namespace, the work processes are launched. This eliminates the overhead of supporting nonrequested application pools.
· Idle timeout. Application pools can be configured to shut down when a predefined idle time-out has been reached.
· Rapid fail protection. It is possible to configure IIS 6.0 to disable an application pool when WAS detects a predefined number of failures.
· Orphaning work processes. By default, WAS terminates an ill work process and starts another. There are times, however, when analysis of the ill work process is required to identify a problem. So, rather than terminate the ill work process, the administrator can have it set aside as an orphan while its work is handed off to a new work process. This course is generally not recommended, however, because orphans can be heavy resource consumers.
· Recycling work processes. Rather than having to reboot an entire Web server to account for problems such as memory leaks, IIS 6.0 permits the restarting of individual work processes. Service interruptions are prevented because a new work process takes on the namespace of the current work process before it completes its last request prior to termination.
· Persisted ASP template cache. With IIS 6.0, ASP cache templates are persisted on disk rather than process memory.
· Large memory support for x86. IIS 6.0 can support cache of up to 64 GB on an x86 system. Further, the Web garden feature allows scaling of individual application memory requests larger than 2 GB.
· Win64 support. IIS 6.0 supports both Win32 and Win64 models.
PROCESS FEATURES COMMON TO IIS 5.0 AND IIS 6.0
With regard to process architecture, IIS 5.0 and IIS 6.0 share a number of underlying features including:
· Socket pooling. A socket consists of a node (computer) address and a port number, such as the server's IP address and TCP port number 80, the default for Internet Web traffic. IIS 5.0 permits the pooling of sockets so that more sites can be bound to the same IP address and use the same port number.
· Process and bandwidth throttling. When running multiple sites on the same server, it may be appropriate to limit processes, CPU usage, and bandwidth. This is equally true when multiple applications are running on the IIS server. Process and Bandwidth Throttling allows the system administrator to set these limits, and over time it can be used to obtain maximum system performance. Process accounting should also be employed to measure CPU usage or to determine if an application or script is using a disproportionate amount of resources.
· Site hosting scalability. Scalability is achieved by permitting multiple Web sites to share an IP address. Multiple sites can be hosted in IIS by appending port numbers to one IP address or by adding IP addresses to one server. In the first case, the port number is appended to the end of the IP address, such as 111.111.111.111:80 or 111.111.111.111:140. Individuals share the IP address but are connected through different ports. An alternative to ports is to use headers to distinguish sites on an IP address and computer and resolve domain names to that address. Multiple IP addresses are bound to a single network interface card or multiple cards on the same system. Once it arrives at the server, the header determines which site is to be contacted. The simplicity of this alternative can be very attractive because it makes multiple IP addresses or port tables unnecessary. However, it cannot be used in conjunction with SSL and other encryption environments because the header information will not be readable.
· Clustering for IIS. For mission-critical Web and FTP environments, clustering (discussed in Chapter 17) should certainly be considered. With clustering, when one node (server) has services or hardware problems, a second system assumes the activities in the failover process. This type of redundancy, although more costly, can provide significantly greater reliability. Also to be considered is the use of a mirrored or RAID-5 disk system, as discussed in Chapter 14.
· Dfs for Web file systems. The physical distribution of files across a network has always been a major problem. The distributed file system (Dfs) is easily adaptable to a Web-based environment, allowing the client browser to be used for resource access throughout the network.
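The site-hosting bullet above describes separating sites by port or by host header, and notes that host headers cannot separate sites under SSL. The following is an added illustration, not code from the book or from IIS: a simplified model of site selection plus a binding audit. The "IP:Port:HostHeader" text form, the function names, and all sample sites and addresses are assumptions constructed for the example.

```python
"""Model of multi-site hosting on one IP address: ports, host headers, SSL.

Simplified illustration, not IIS's own matching code. Bindings use an
"IP:Port:HostHeader" text form (assumed); all sample values are constructed.
"""
from collections import defaultdict
from typing import List, NamedTuple, Optional


class Binding(NamedTuple):
    site: str
    ip: str      # "" = any address on the server
    port: int
    host: str    # "" = no host header configured
    ssl: bool


def parse_binding(site: str, text: str, ssl: bool = False) -> Binding:
    """Parse "IP:Port:HostHeader"; the IP and host parts may be empty."""
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected IP:Port:HostHeader, got {text!r}")
    ip, port, host = parts
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {text!r}")
    return Binding(site, ip, int(port), host.lower(), ssl)


def select_site(bindings: List[Binding], ip: str, port: int,
                host: Optional[str], ssl: bool = False) -> Optional[str]:
    """Pick the site for a request that arrived on ip:port.

    With ssl=True the Host header is still encrypted when the server has to
    choose a site and certificate, so only IP and port can be used.
    """
    visible_host = "" if ssl or host is None else host.lower().split(":")[0]
    best, best_score = None, -1
    for b in bindings:
        if b.ssl != ssl or b.port != port or b.ip not in ("", ip):
            continue
        host_match = (not ssl) and b.host != "" and b.host == visible_host
        if not ssl and b.host and not host_match:
            continue  # header names a different site on this endpoint
        # Specific IP beats "any address"; a matching header beats a catch-all.
        score = (2 if b.ip else 0) + (1 if host_match else 0)
        if score > best_score:  # ties: the first configured binding wins
            best, best_score = b.site, score
    return best


def audit_bindings(bindings: List[Binding]) -> List[str]:
    """Report bindings that cannot be told apart when a request arrives."""
    findings = []
    groups = defaultdict(set)
    for b in bindings:
        # On SSL endpoints the host part is unusable, so group without it.
        groups[(b.ip, b.port, "" if b.ssl else b.host, b.ssl)].add(b.site)
        if b.ssl and b.host:
            findings.append(f"{b.site}: host header {b.host!r} on SSL port "
                            f"{b.port} is unreadable when the site is chosen")
    for (ip, port, host, ssl), sites in sorted(groups.items()):
        if len(sites) > 1:
            kind = "SSL endpoint" if ssl else "binding"
            findings.append(f"{kind} {ip or '*'}:{port}:{host} is claimed by "
                            + ", ".join(sorted(sites)))
    return findings


# Constructed sample: three sites share port 80 by host header, one site uses
# its own port, and two sites try to share the SSL port by host header.
SAMPLE = [
    parse_binding("intranet", "192.0.2.10:80:"),
    parse_binding("sales", "192.0.2.10:80:sales.example.test"),
    parse_binding("support", "192.0.2.10:80:support.example.test"),
    parse_binding("admin", "192.0.2.10:8080:"),
    parse_binding("sales", "192.0.2.10:443:sales.example.test", ssl=True),
    parse_binding("support", "192.0.2.10:443:support.example.test", ssl=True),
]

if __name__ == "__main__":
    for line in audit_bindings(SAMPLE):
        print(line)
```

On the sample, a plain HTTP request for the support site is routed correctly, while the same request over SSL lands on the first site bound to the shared address and port, which is the limitation the bullet describes.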
IIS 5.0 ISOLATION MODE
With the introduction of work process isolation in IIS 6.0, Microsoft recognized that some earlier applications will simply not operate in that environment. Therefore, Windows Server 2003 provides an IIS 5.0 isolation mode to address applications that demand session-state persistent processes, applications written as read raw file filters, and multiple-instance applications. In this arrangement (Figure 16.2), inetinfo.exe is the master process manager. However, the environment has the added benefit of the Http.sys kernel-mode request queuing and caching.
Figure 16.2. IIS 5.0 Isolation Mode Architecture

NOTE
The isolation modes offered in IIS 6.0 reflect only Web servers. Other services managed by inetinfo, including FTP and SMTP, work just like they did under IIS 5.0. Only Web services use Http.sys.
The Web Application Environment
A centerpiece of IIS support for application sharing and development is Web Distributed Authoring and Versioning (WebDAV). This is an extension to the HTTP 1.1 specification that addresses publishing and manipulating Web setting WebDAV properties and permissions, different Windows Server 2003 clients can have different levels of access such as Read/Write or Read-Only.
Application development for IIS uses Active Server Pages as the preferred Web medium. Although development issues are outside our scope, we note that ASP helps integrate HTML, scripts (including Java and VBScript), and COM components.
IIS Management Components
Later in this chapter we will explore how to apply administrative tools to the management of IIS. Here we provide a brief overview of IIS management tools and techniques that are common to IIS 5.0 and 6.0.
· Command-line script administration. Much traditional Web administration is UNIX-based and by definition heavily reliant on command-line utilities and scripts. Acknowledging this, Microsoft has made at least a partial effort to permit UNIX-type administrative interaction. For example, the Cscript.exe command can invoke Visual Basic scripts. Other commands allow the use of CGI, Perl, and other scripts.
· Internet Information Services snap-in centralized administration. A replacement for the older Internet Services Manager, the Internet Information Services snap-in is an integrated tool for creating, modifying, and managing IIS components and properties, which is explored later in the chapter. Remote administration is made possible through Terminal Services.
· Delegation to Web site operators. One strength of Windows Server 2003 is the ability to delegate certain administrative responsibilities. Web Site Operators is an administrative group with authority over IIS functions. Its responsibility can be extensive or site specific, which can be valuable in environments with multiple sites on one server. A Web site operator for a specific site can be granted full control over it but have no authority over other sites.
· Custom error messaging. The system administrator's burden can be reduced greatly through the use of instructive error messages. IIS employs the HTTP 1.1 error-messaging scheme to handle standardized problems. Use of this facility and the errors it handles are dealt with later.
UNDERSTANDING THE IIS WEB SERVER
IIS includes a robust Web server designed to host both internal intranets and public Internet sites. It works closely with many development tools such as Microsoft's FrontPage. Specific IIS components such as FTP and SMTP are not automatically installed and must be selected through the Windows Components Wizard.
Administering IIS Web Services
In this section we explore the major administrative aspects associated with hosting Web services under IIS. One of the best methods of illustrating the ease of IIS operation is to create and configure a Web site.
CREATING A WEB SITE USING IIS
Here we assume that Web pages have been created with a product such as FrontPage and are ready to be loaded on the Web server for intranet or Internet exposure. Follow these steps to create the site itself:
1. Open the Internet Information Services snap-in.
2. Right-click Default Web Server, select New, and then Site. The initial Web Site Creation Wizard screen is displayed (Figure 16.3).
Figure 16.3. The Web Site Creation Wizard

3. In the Web Site Description Dialog box, type a description of the site.
4. In the IP Address and Port Settings dialog box (Figure 16.4), enter the IP address to use, the TCP port, the Host Header for this site, and the SSL port. The header is a Web site description. An ISP that is hosting a number of Web sites on one server, for example, might make the header the name of each organization.
Figure 16.4. The IP Address and Port Settings Dialog Box

5. In the Web Site Directory Location dialog box, enter the path or click Browse to locate the directory that contains the Web pages.
6. In the Web Site Access Permissions dialog box (Figure 16.5), check the types of access to be allowed, including Read, Run Scripts, Execute, Write, and Browse.
Figure 16.5. Web Site Access Permissions

7. Click Finish to complete the creation process.
BASIC WEB SITE ADMINISTRATION
Basic Web site administration can be illustrated by a walk-through of some activities available from the Internet Information Services snap-in.
Opening or Exploring Components and Browse
To view the component parts of a Web site, use either of the methods described in these steps:
1. Open the Internet Information Services snap-in.
2. Right-click the desired Web site and select Open or Explore.
3. Either the My Computer view or the Explorer view of the contents will be displayed. To browse a Web site from the Internet Information Services snap-in, follow steps 1 and 2. Then, in My Computer or Explorer, select Browse.
Using the Web Site Permissions Wizard
Permissions for a site are set with the Permissions Wizard as follows:
1. Open the Internet Information Services snap-in.
2. Right-click the desired Web site, select All Tasks, and select Permissions Wizard.
3. In the first dialog box, select either that the permissions should be inherited from a parent Web site or virtual directory or that new permissions be established. If you select the default inherited permissions, a confirmation box (Figure 16.6) lists the settings. If this is satisfactory, select Next, and then Finish to complete the task. If you need to set other permissions that are not represented by that parent Web site or virtual directory, select Cancel and repeat the process.
Figure 16.6. The Default Inherited Permissions Information Box

4. If new or different permissions are required, select New permission from a template. Two standard templates are available. The Public Web Site option allows all users to browse static and dynamic content. The Secure Web Site option allows only users with a Windows Server 2003 account to do so. If this is satisfactory, select Next and then Finish (see Figure 16.7).
Figure 16.7. Secure Site Default Permissions

CONFIGURING WEB SITE PROPERTIES
Web site properties can be set on the site and individual page/directory level. Most are configured through the Properties tabs, which are explored in this section. Open the Internet Information Services snap-in, right-click the desired Web site, and select Properties.
Setting Web Site Properties
The Web Site tab (Figure 16.8) provides text boxes for inputting the site Description, desired IP Address, and designated TCP Port. Connections can also be set to unlimited or to a specific limit on this tab. Selecting the Advanced button allows an extensive set of logging configurations to be established.
Figure 16.8. General Web Site Properties

Setting IIS Operators
The Operators tab (Figure 16.9) allows you to delegate authority over a Web site to specific users and user groups. The Add button adds users and groups; the Remove button deletes them.
Figure 16.9. Web Site Operator Privileges

Setting IIS Performance Properties
The Properties Performance tab (Figure 16.10) is used to set process and bandwidth throttling. In the appropriate box, set the throttling level to establish appropriate limits. Process throttling is based on kilobytes per second. CPU throttling is based on the maximum allowable percentage of CPU resources. The number of anticipated hits measures overall performance based on expected activities.
Figure 16.10. Performance Settings Including Throttling

Setting Execution Filters
Internet Services API (ISAPI) filters can be applied to expand or limit functions and resources (Figure 16.11). Use the Add, Remove, and Disable buttons as appropriate on filters.
Figure 16.11. An ISAPI Filters List

Managing the IIS Home Directory
The IIS home directory can be on a local computer, at a shared location on a remote computer, or on a redirected URL system. This is determined by the Home Directory tab (Figure 16.12), which also establishes a series of permissions and other properties.
Figure 16.12. Home Directory Properties

Enabling Default Documents
Access to a Web site's home page is based on the establishment of a default page. The Documents tab (Figure 16.13) defines the acceptable name of default pages as well as footer information for the entire Web site.
Figure 16.13. A Default Documents List

Setting the Directory or File Security
Directory Security (Figure 16.14) is perhaps the most important tab because it permits the editing of anonymous account access and authentication and defines the IP address and domain restrictions. Through the Edit button, access is granted or denied. Secure communication configuration can be set through the Certificate Wizard, which is launched by clicking Server Certificate.
Figure 16.14. Web Directory Security Properties

Permission for anonymous access and authenticated access deserves special examination; anytime access to a server is permitted without a password, a system administrator should take heed. When the Edit button is selected, the Authentication Methods dialog box is displayed. This is where anonymous account security can be defined and edited, as shown in Figure 16.15.
Figure 16.15. Authentication Subtab Options

Setting Content Expiration, HTTP Headers, Ratings, and MIME
The HTTP Headers tab (Figure 16.16) permits configuration of a number of important Web site features. The first part enables content expiration. If it is checked, information posted to the site can be marked for automatic removal, which obviously ensures a more timely Web site. The second part permits HTTP headers to be added, edited, and removed.
Figure 16.16. Web Headers, Rating, and the MIME Map

Headers are used on multisite Web servers that share one IP address to distinguish one site from another. They can be used with the self-regulating rating system of the Recreational Software Advisory Council (RSAC) to rate sites that contain, for example, adult material, and to warn underage visitors prior to entering the sites.
The third part of this tab establishes MIME file types supported by the Web server.
Customizing Error Messages
The Custom Errors tab (Figure 16.17) lists the default set of error messages established by HTTP 1.1 specifications. The Edit Properties button permits these messages to be redefined. Each message is directed to a specific HTML file. If further clarification is required, these files should be modified.
Figure 16.17. The Error Message Catalog

Configuring Server Extensions
The Server Extensions tab (Figure 16.18) permits the viewing of installed add-ons such as FrontPage Server Extensions. The FrontPage snap-in is used to edit and manipulate those specific extensions. FrontPage Extensions is not automatically installed with the core IIS. It must be added through Control Panel → Add Software → Windows Components → Internet Information Services → Details → FrontPage Extensions. The tab is displayed only when FrontPage Extensions is installed.
Figure 16.18. The Web Server Extensions Tab

Setting Individual Web Page and Directory Properties
Properties for individual Web pages can be set by right-clicking the targeted document and selecting Properties. This will display four tabs, as shown in Figure 16.19. The File Security, HTTP Headers, and Custom Errors tabs are largely the same as previously described. The File tab designates the file or the source for redirection, the local path, and basic permissions.
Figure 16.19. Directory Properties

WORKING WITH THE SMTP SERVER
The Simple Mail Transfer Protocol (SMTP) has become the standard Internet protocol for electronic mail. The specifications are established in RFCs 821 and … Commonly used on UNIX and Linux environments, SMTP is now integrally connected to mail products like Microsoft Exchange. SMTP Services in IIS provides administrative options for setting routing and message delivery and for governing mail security. It can support hundreds of client mail connections. The SMTP Server is not automatically installed as a default component of IIS. It must be selected from the Configure Your Server Wizard from the list provided with the Add and Remove Programs option. Select Web Server Applications from the list → click Details → select Internet Information Services → click Detail → select SMTP Services, and then follow the wizard's instructions through the completion of the installation. It is possible to select FTP and NNTP for installation at the same time as SMTP Services are installed by also selecting these features.
NOTE
New to Windows Server 2003 is a POP3 service that must also be installed as a separate function using the Configure Your Server Wizard. To do so, select it from the list provided with the Add and Remove Programs option. POP3 is available under E-Mail Services.
Start SMTP Services by right-clicking the SMTP Virtual Service from the Internet Information Services snap-in and selecting Start. Temporarily suspend and terminate it by selecting Pause or Stop. Multiple SMTP virtual servers can be established using IIS.
SMTP Properties
SMTP is primarily configured through a series of properties settings. To gain access to the six configuration tabs, right-click the targeted SMTP virtual server and select Properties.
In environments that use Microsoft Exchange Server, the documentation on specific procedures for that environment explains how to connect SMTP services. Once connected, products like sendmail, which is widely used in UNIX and other operating system environments, can flow transparently.
GENERAL SMTP SETTINGS
The General tab (Figure 16.20) permits the setting of the SMTP virtual server name, IP address (through the Connection button), and logging administration.
Figure 16.20. The SMTP Virtual Server Properties General Tab

SETTING SMTP AUTHENTICATION, SECURITY, AND PERMISSIONS
The Access tab (Figure 16.21), which deserves a system administrator's special consideration, has four important settings. First, the level of anonymous access (incoming and outgoing message size) is set through the Authentication button. Second, under the Secure communication section, the Certificate button launches the Certification Wizard and the Communication button defines how the certificate is to be used. The Connection control section grants or denies access depending on IP addresses or domain names. Finally, the Relay button establishes permission to relay e-mail through the SMTP virtual service.
Figure 16.21. The SMTP Access Tab

REGULATING SMTP DELIVERY
Delivery options are established with the Delivery tab for both outbound and local messages (Figure 16.22). For outbound messages, the system administrator can set the number of retries and intervals for them. For local messages, notification and expiration time periods can be established. The Outbound Security button defines the type of authentication to be required. The Advanced button permits configuration of such communication-specific settings as the maximum number of hops allowable to deliver the mail.
Figure 16.22. The SMTP Delivery Tab

CONFIGURING SMTP LDAP ROUTING
The LDAP Routing tab (Figure 16.23) specifies the identity and properties of the directory services server. This is where mail client data and mailboxes are stored. Just like the Windows Server 2003 Active Directory, the SMTP virtual server uses the LDAP to communicate with directory services. SMTP "consults" an LDAP server to resolve senders and recipients. Once the Enable LDAP routing option is checked, specific LDAP-related configuration can be set for the server, schema, domain, network bindings, user name, and password.
Figure 16.23. The SMTP LDAP Tab

SETTING SMTP OPERATOR SECURITY
The Security tab (Figure 16.24) works like any other Windows Server 2003 security operations property setting. Use the Add button to increase the users or groups that have permission to administer the SMTP virtual server and the Remove button to delete them.
Figure 16.24. The SMTP Security Tab

SETTING SMTP MESSAGE LIMITS
The Messages tab (Figure 16.25) is used to set limits on file size, length of the mail session, number of messages per connection, number of recipients, and path to where undeliverable mail should be delivered.
Figure 16.25. The SMTP Messages Tab

UNDERSTANDING THE NNTP SERVER
The ability to post and receive messages on a bulletin board is becoming increasingly important in communications. IIS facilitates this through its Network News Transfer Protocol (NNTP). The NNTP Server is not automatically installed as a default component of IIS. It must be selected from the Configure Your Server Wizard from the list provided with the Add and Remove Programs option. Select Web Server Applications from the list → click Details → select Internet Information Services → click Detail → select NNTP Services, and then follow the wizard's instructions through the completion of the installation. It is possible to select FTP and SMTP for installation at the same time as NNTP Services are installed by also selecting these features.
Newsgroup communication can be established and administered through the Internet Information Services snap-in. The system administrator can Start, Stop, or Pause it by right-clicking the targeted NNTP server and selecting the desired option. Additional NNTP virtual servers are created by right-clicking NNTP, selecting New, selecting Virtual Server, and entering the appropriate data in the associated dialog boxes (see Figure 16.26).
Figure 16.26. The IIS Snap-in Tool with Default Administration Tree Options

Under the NNTP console tree, policies can be set for newsgroups, expiration, virtual directories, and current sessions. NNTP virtual server configuration is carried out by right-clicking the desired NNTP server, selecting Properties, and then sequentially configuring from the four available tabs.
The NNTP General tab (Figure 16.27) is used to establish the virtual server's name, IP-assigned addresses, connection options, and enabled logging. The other three tabs are essentially the same as those for SMTP, which were discussed in the previous sections. They are illustrated in Figures 16.28 through 16.30.
Figure 16.27. The NNTP General Tab

Figure 16.28. The NNTP Access Tab

Figure 16.29. The NNTP Settings Tab

Figure 16.30. The NNTP Security Tab

UNDERSTANDING THE FTP SERVER
The file transfer protocol (FTP), one of the mainstays of the TCP/IP application suite, is a way to move files in UNIX environments. The FTP server is not automatically installed as a default component of IIS. It must be selected from the Configure Your Server Wizard from the list provided with the Add and Remove Programs option. Select Web Server Applications from the list → click Details → select Internet Information Services → click Detail → select FTP Services, and then follow the wizard's instructions through the completion of the installation. It is possible to select SMTP and NNTP for installation at the same time as FTP Services are installed by also selecting these features.


