This document provides an overview of IIS 6.0, including that it is configured as a static content server by default and that dynamic content requires Web Service Extensions. It discusses application pools for isolating web applications, common file locations, and security best practices such as a unique user account per application pool.
2. IIS 6.0 Characteristics: Configured as a static content (HTML) web server by default. To provide dynamic content (ASP, ASP.NET, PHP, etc.), it must be configured using Web Service Extensions (in the form of DLLs, EXEs, CGIs, etc.). Web applications are isolated from each other using application pools by default: create an application pool, then host the web application in a virtual directory.
3. IIS 6.0 Characteristics: Web site files are located in C:\inetpub\wwwroot. Server files and configuration (the metabase, an XML file) are located in C:\Windows\system32\inetsrv. Log files: the web server error log is in C:\Windows\system32\LogFiles\HTTPERR; web site logs are in C:\Windows\system32\LogFiles\<web site folder>.
4. Application Pools (for dynamic content): Each pool contains a worker process (w3wp.exe) for the application, and may have more than a single worker process (called a web garden). Memory is configured using the Recycling tab, CPU using the Performance tab, status checks using the Health tab, and the security account using the Identity tab: Network Service account (network access only), Local Service account (local access only), Local System (network and local access).
5. Application Pools (for dynamic content): Web sites can host multiple applications: ASP pages, ASP.NET pages, scripts, CGI. These applications can be assigned to different application pools (the preferred method). By default, all dynamic content is assigned to the default application pool, set in the web site properties under the Home Directory / Application Settings tab.
6. Web sites: Shared web hosting using IP addresses (used for sites that use SSL), TCP port numbers, or host headers (the preferred method). To use SSL (for encrypted communications), a server certificate needs to be requested and installed (together with its private key). The certificate contains the DNS name for the web site, validity dates, issuance information, and the public encryption key.
7. Web Site Security: The only way to constrain the File System Object (FSO) in a shared environment is with NTFS file system ACLs. The most secure way to do this is to: create one application pool per web site; create a unique Windows user for each application pool; assign this Windows user as both the custom application pool identity and the anonymous user identity for the web site; ACL files on the file system to that Windows user for all files the web site should have access to. Basically, you force each web site to run as a unique Windows user (both the process and the anonymous authenticated identities), which forces all FSO usage to also run as that Windows user. You then apply NTFS ACLs for that Windows user as appropriate.
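The per-site isolation procedure above as an added batch example (not part of the original slides) for an IIS 6.0 server; the site ID, pool name, account name, password placeholder, content path and the adsutil.vbs location are assumptions.

```batch
@echo off
rem Added example, not from the original slides. Assumptions: metabase site ID 1,
rem pool "ContosoPool", local account "svc_contoso", content under
rem C:\inetpub\wwwroot\contoso, adsutil.vbs in the default AdminScripts folder.
setlocal
set SITEID=1
set POOL=ContosoPool
set USER=svc_contoso
set PASS=REPLACE-WITH-A-STRONG-PASSWORD
set WEBROOT=C:\inetpub\wwwroot\contoso
set ADSUTIL=cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs

rem 1. A unique, low-privilege local account used by this site only.
net user %USER% %PASS% /add /passwordchg:no /expires:never
rem A custom worker-process identity must be in IIS_WPG to start w3wp.exe.
net localgroup IIS_WPG %USER% /add

rem 2. A dedicated application pool running as that account
rem    (AppPoolIdentityType 3 = specific user; 2 would be Network Service).
%ADSUTIL% CREATE W3SVC/AppPools/%POOL% IIsApplicationPool
%ADSUTIL% SET W3SVC/AppPools/%POOL%/AppPoolIdentityType 3
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserName %USER%
%ADSUTIL% SET W3SVC/AppPools/%POOL%/WAMUserPass %PASS%

rem 3. Bind the site's root application to the pool and use the same account
rem    as the anonymous identity, so process and anonymous requests both run
rem    as %USER% and any FSO call is bound by that account's NTFS rights.
%ADSUTIL% SET W3SVC/%SITEID%/ROOT/AppPoolId %POOL%
%ADSUTIL% SET W3SVC/%SITEID%/ROOT/AnonymousUserName %USER%
%ADSUTIL% SET W3SVC/%SITEID%/ROOT/AnonymousUserPass %PASS%

rem 4. NTFS ACLs: read-only on the content tree for this account, and revoke the
rem    broad built-in group (explicit entries only; inherited entries must have
rem    inheritance broken in the folder's Security dialog first).
cacls "%WEBROOT%" /E /T /G %USER%:R
cacls "%WEBROOT%" /E /T /R Users
rem Grant write only where the application genuinely needs it.
if exist "%WEBROOT%\uploads" cacls "%WEBROOT%\uploads" /E /T /G %USER%:C

rem 5. Recycle the pool so the new identity is used, then verify which
rem    account each w3wp.exe runs under.
cscript //nologo %SystemRoot%\system32\iisapp.vbs /a %POOL% /r
tasklist /FI "IMAGENAME eq w3wp.exe" /V
endlocal
```

Repeat the script with a different account, pool name and content path for every other site on the server; the isolation only holds if no two sites share an account.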
8. Web Site Security: To disable FSO: regsvr32 scrrun.dll /u. To disable WSH: regsvr32 wshom.ocx /u.
9. Web Site – Disaster Recovery: To archive an IIS 6.0 web site, run the following command on (or "against") the IIS 6.0 site: msdeploy -verb:sync -source:metakey=lm/w3svc/SITEID -dest:archivedir=c:\archive,encryptPassword=PASSWORD > msdeployarchive.log. To restore the IIS 6.0 web site from an archive, run the following command on (or "against") the IIS 6.0 site: msdeploy -verb:sync -source:archivedir=c:\archive,encryptPassword=PASSWORD -dest:metakey=lm/w3svc/SITEID > msdeployarchive.log
10. Proxy services: Configured as a Web Service Extension. Examples: Tomcat connector; policy-based authentication and single sign-on (CA SiteMinder).