I have a Web site on IIS 4.0 that requires very high security. I want to require 128-bit encryption, but some browsers support only 40-bit encryption. How can I determine the capability of my clients' browsers and direct those clients to an upgrade location?
Try this: Create a virtual directory, and set it to receive only 128-bit connections. Associate a customized error for error number 403.5 (128-bit Secure Sockets Layer—SSL—required) with this directory. The error page can direct users to update locations for 128-bit capability.
One of the most flexible features of IIS is its ability to customize error messages. Because IIS can create a custom page for any given file, Web site, or virtual directory, you have an advantage when error conditions occur. In your case, you can create a virtual directory and set it to receive only 128-bit connections. Then, use the Microsoft Management Console (MMC) Custom Errors tab for the virtual directory to associate a customized error for error number 403.5 (128-bit SSL required). The new page can direct users either to update locations for 128-bit capability or to a page that doesn't require 128 bits.
For a high-traffic Web server hosting more than 350 Web sites, should I set the server service to Maximize Throughput for File Sharing or Maximize Throughput for Network Applications? Most people seem to think that I should set the IIS server to Maximize Throughput for Network Applications, but a Web server serves files, and the file server setting seems to make more sense.
The effect of this setting on IIS is widely underappreciated. When I teach Microsoft's IIS class, the very first page of instruction has the statement, "Microsoft Internet Information Server 4.0 (IIS) is a network file and application server...." (Creating and Managing a Web Server Using Microsoft's Internet Information Server, page 20). So IIS isn't a file server or an application server, but a network file and application server. Look at the settings at Control Panel, Network, Services, Server, which you see in Screen 1: Which of these settings has the best throughput for IIS? Generally speaking, Maximize Throughput for Network Applications, although the reasoning is not entirely intuitive.
IIS benefits substantially from file caching. However, if you set up the server service to the Maximize Throughput for File Sharing setting, you are, in effect, telling Windows NT 4.0 that memory for caching files is more important than memory for applications. As a result, NT swaps out programs to disk, including IIS, when NT needs memory for files. As you can imagine, IIS doesn't perform well when it's not loaded into RAM. Furthermore, this setting is the default. As a result, many IIS servers can enjoy a quick and easy boost in performance by switching this setting to Maximize Throughput for Network Applications.
Here are a few more suggestions to improve performance:
- Add more paging files, and increase their size. By distributing the paging files across drives, you can increase performance. It's also a good idea to move the paging file off the boot partition. By creating fixed paging file sizes, you can prevent the paging files from becoming fragmented, which causes less-efficient disk accesses to this often-used area.
- Use RAID 0 (disk striping without parity) to increase performance in your disk drive subsystem. Be sure to use a hardware controller that supports RAID, not the NT software implementation that uses Disk Administrator. Although software RAID works, it places the burden on the OS—a disk controller can do the job many times faster (this doesn't provide redundancy, but improves performance).
- Keep related files on the same logical partition of a disk, which helps to improve the performance of the file-system cache.
- Keep your disks defragmented.
- Convert Common Gateway Interface (CGI) applications to Active Server Pages (ASP) or Internet Server API (ISAPI) applications.
- Disable the use of 8.3 filenames. Because the Web server is servicing only the Web sites, removing this Registry entry is better than leaving it enabled. No 16-bit applications are running, and the OS doesn't have the overhead of managing two filenames. Use regedt32, and locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\FileSystem\NTfsDisable8dot3NameCreation. Change the default value to 1 to disable creating 8.3 filenames.
I installed Service Pack 6 (SP6) on my IIS 4.0 server, and immediately SMTP stopped working. I reverted to SP5, and SMTP started working again. Did SP6 cause this problem to occur?
Any IIS installation could have problems with several SP6 services because Microsoft Winsock might refuse to work with these directory applications unless the user has full administrative rights. In general, the problem arises when you attempt to connect to a new server. Unless you want to make your IUSR account an administrator, you need to update your system with one of several post-SP6 patches. For more information about this problem, see the Microsoft article "Winsock Call Fails When User Does Not Have Local Administrator Rights" at http://support.microsoft.com/support/kb/articles/q245/6/78.asp.
Initially, Microsoft released a hotfix for SP6 that addressed this problem. You can download the hotfix at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/iis40. Check this location regularly, because it's the first place to find fixes for problems as soon as Microsoft resolves them. Shortly after the hotfix, Microsoft released SP6a, which is SP6 with the Winsock and a couple of other problems fixed. You can find complete information about SP6a at http://www.microsoft.com/ntserver/support/faqs/sp6faq.asp. As always, be sure to test service packs on a nonproduction system before implementing them.
I'm using SSL with a certificate I purchased from VeriSign. When I connect to the server, Microsoft Internet Explorer (IE) displays the message The certificate does not match the URL. I ordered the certificate for our domain (e.g., www.myserver.com) and named the server Pluto. When I enter https://pluto everything works fine. But when I enter www.myserver.com, I get the message The URL does not match the certificate. I can click Continue, and IE establishes an SSL session; but how can I eliminate the message?
Installing certificates so that IE 4.0 users don't see messages such as the one in Screen 2 is one of the key goals of any systems administrator. The process isn't entirely intuitive, and a senior Microsoft consultant called the problem you describe the most common mistake people make with certificates. The message appears when a user using an SSL connection attempts to connect to a site and begins the URL with https://. The browser checks the URL entered against the certificate to see whether they match. If they don't, the security alert in Screen 2 appears. You get a similar security alert with other browsers.
So, where is the name on the certificate? When you use IIS Key Manager to create a certificate request, you must complete a form, such as the one in Screen 3, that includes an entry for the Common Name. If you read that screen carefully, you'll find a very important instruction:
Enter the Common Name. This is the fully qualified domain name used for DNS lookups of your server (such as www.yourcorp.com). This information is used by browsers to identify your site. If you change this name, you will need to obtain a new certificate.
Frequently (and this seems to be what you've done), people put the server name (e.g., Pluto) in the Common Name box instead of the name people will use to access your site. The Common Name must be the name people enter in a DNS to access your site.
For example, I have a simple site set up at www.techmesa.com. I've installed a certificate for that exact URL, and if you use SSL to access the site and type https://www.techmesa.com, you won't see the security alert about the URL not matching the certificate. You'll receive a security alert, but that message will be about the certificate coming from an untrusted authority. This security alert means that your browser doesn't recognize the presented certificate as having been issued from a trusted Certificate Authority (CA). Most browsers have preloaded certificates from Thawte, VeriSign, and a few other widely recognized CAs. Despite the scary warning about the issuer being untrusted, you can proceed and create a perfectly good SSL connection just as if the issuer were a trusted authority.
You can create a secure connection to www.techmesa.com without the security alert using HTTP over Secure Sockets Layer (HTTPS). However, if you access the site again using https://techmesa.com, you'll see a message warning you that the certificate doesn't match the name. The Common Name box for this certificate is for www.techmesa.com, not techmesa.com, so the message appears. If I tried to access the IIS server internally by computer name, I would get the same message. To answer your questions, therefore, you'll have to obtain a new certificate with the Common Name www.myserver.com instead of your computer name to solve the problem.
Can you shed some light on IIS resources (e.g., an instructor-led course, a good reference book)? I have about 4 weeks to migrate my organization's current Web site from a provider to our three newly purchased Web servers.
As an avid reader of all things pertaining to IIS, I'm sorry to say that I've found only a few good IIS resources. By far, the best book about IIS is Leonid Braginski and Matt Powell, Running Microsoft Internet Information Server (Microsoft Press, 1998). The next most-used reference on my list is the Microsoft Internet Information Server Resource Kit (Microsoft Press, 1998). Of course, IIS Administrator is required reading, as is Windows 2000 Magazine, which often has relevant information about IIS. My next reads will be Mark Joseph Edwards, Internet Security with Windows NT (Duke Press, 1997) and Ken Spencer, Windows NT Magazine Instant Solutions: Troubleshooting IIS 4.0 and Visual InterDev 6.0 (Duke Press, 1998). Both are available at http://www.29thstreetpress.com. Aside from these resources, you should visit the Microsoft TechNet Web site for IIS and the Microsoft Security Advisor Web site weekly.
In addition, you can't just pick up the phone and call one of the IIS programmers at Microsoft to ask about some oddball technical glitch that no one seems to comprehend, but you can attend a free chat with members of the IIS team that Microsoft hosts once a month. For the schedule and archive of past conversations, see the above TechNet URL.
You can also post messages about IIS on a few public bulletin boards. You can find the Microsoft TechNet board for IIS and other Microsoft products at http://technetnews.microsoft.com/technet/default.asp. Windows 2000 Magazine hosts a board at http://www.win2000mag.com/support/forums/application/main.cfm?cfapp=68. In addition, I host an IIS board at http://networking.brainbuzz.com/boards/viewboardcategories.asp (after you're there, click Web Technologies, Microsoft IIS).
Microsoft also hosts a few newsgroups on IIS, but I've found them long on questions and short on answers. You can, however, glean some useful information if you're willing to wade through the repetitious problems. The main newsgroup for IIS is microsoft.public.inetserver.iis, but you'll likely find other newsgroups of interest as well (e.g., a Microsoft FrontPage Server Extensions newsgroup).
Does an easy way exist to duplicate IIS on a new system?
I've answered this question before, but I thought it worth visiting again because it's one of the most frequently asked IIS questions, and some new answers exist. As reported previously, Microsoft's Site Server content replication replicates IIS, but a lot of IIS administrators don't want to go out and get a full-blown version of Site Server just for this purpose.
Another possibility is a utility called iissync.exe, which Microsoft provides with IIS. This utility duplicates an IIS setup to another server, but you must use it with a cluster of servers. The utility requires NT Server, Enterprise Edition (NTS/E), and you need to set up clustered servers for load balancing and failover. I've talked to some administrators who have used iissync.exe to duplicate IIS servers without installing clustered servers or NTS/E, but I haven't tested it. Documentation for it is thin, but you can find information about iissync.exe in the following Microsoft articles:
- "Deciphering IISSYNC Status Codes" (http://support.microsoft.com/support/kb/articles/q224/8/01.asp)
- "How to Install the Windows NT Option Pack on Microsoft Cluster Server" (http://support.microsoft.com/support/kb/articles/q191/1/38.asp)
- "Contents of Internet Information Server 4.0 Release Notes" (http://support.microsoft.com/support/kb/articles/q230/2/87.asp)
If you decide to play around with iissync.exe, be sure to make a copy of your metabase first. Check out the requirement to specify the target server in the Microsoft Transaction Server (MTS) as stated in "Contents of Internet Information Server 4.0 Release Notes."
Until recently, no one had designed a utility specifically to achieve duplication of an IIS setup from one server to another, with no clusters or enterprise required. So I was delighted when I ran across a company offering a utility that does exactly that, complete with virtual directories and other settings. To make the utility even sweeter, it's freeware. The utility even has a feature that lets you save the settings to a database and restore them later to another system. Check it out at http://www.adsonline.co.uk/iisexport.
