skyBuilders HomePage  

How To Install a Windows 2000 Web Site

by Jesse Burkhardt


I. Creating the Web Site with the Windows 2000 Web Site Wizard
II. Modifying the Web Site Properites
III. Setting Web Site File and Folder Permissions
IV. Setting System File and Folder Permissions
V. Site Migration and File Ownership Consideration
VI. Final Notes


 Screen shot illustrations in this document are preceded by descriptions of these illustrations. These descriptions should not be interpreted as captions to the screen shots preceding them, but as descriptions of the screen shots following.

 For information on general hardware and connectivity requirements please refer the skyBuilders Windows NT 4.x Web Site Installation documentation.

I. Creating the Web Site with the Windows 2000 Web Site Wizard

To begin click on the start bar button: Start > Programs > Administrative Tools > Internet Information Services.

This opens the Internet Information Services panel.



Right click on the name of the web hosting computer, which, in the pictured example above, is "skytower1" marked by the asterisk.

Then click on New > Web Site, causing the Web Site Creation Wizard to appear. And click the Next button.



Give a meaningful name to the web site you are creating.



Enter the IP address, TCP port number (80), and the domain name of the web site as follows:



Also under the Home Directory tab, under Application Settings, make sure Script Permission (but not Execute) is enabled at the web root. (You will get an HTTP 500 error if there are no write privileges.)

Now enter the actual physical location on the host system where the web site will serve. This step presupposes that you have already created a base level folder - F:\Webhood in this example - that will serve as the web site root.



Set the site permissions to Read, Run scripts, and Write.



Simply click the Finish button to end the Web Site Creation Wizard.



Back to top of page.


II. Modifying the Web Site Properites

Now that the web site has been created it must tweaked. Back in the Internet Information Services panel (if not already open click Start > Programs > Administrative Tools > Internet Services Manager), right click on the new web site ("webhood.org" in this example). Set the IP address and TCP/IP port address accordingly.



From this same panel now click the Advanced button, bringing up the Advanced Multiple Web Site Configuration panel. Add two records for each network interface card (NIC) in the server's system: each record should have the IP address corresponding to the NIC card in the server and the appropriate TCP/IP port number (80). The first record should have a host header value which is the actual domain name and the second record should have its host header set to "www." + "domain.com" (where "domain.com" is same domain name as used with the first record). This ensures that your web site will be found both with and without the www prefix.



Now go back to the Internet Information Services panel, Home Directory tab, and ensure that the Read and Write checkboxes are checked off. (It also may be useful to have the Log visits and Index this resource checkboxes checked.)



From the same panel click the Confiuration button, opening the Application Extension Mapping panel. Under the App Mappings tab, you must Add the extensions .html and .xml, and map them to the asp.dll. In our case, we supply the path C:\WINNT\System32\inetsrv\asp.dll. Study the settings for the .asp extension, and make the new settings for the .html and .xml extensions identical. Make sure that only the verbs "GET, HEAD, POST, TRACE" are used.



From the same panel first click the Edit button. Opening the Add/Edit Application Extension Mapping panel, get .asp extension settings.



Then from the same panel click the Add button. Opening the Add/Edit Application Extension Mapping panel, now create .html and .xml extension settings.



Go back to the Application Confiuration panel - you will be there after finishing your adding new Application Extension Settings and click open the Application Debugging tab and check off the settings as shown below. Under the App Debugging tab, turn on Client-side script debugging. You chould have the Microsoft Script Debugger installed on your principal testing machine (browser).



Now go back to your web site properties panel - you will end up there as you close the spawned panels from completing the above steps - and click on the Home tab. Delete the Default.htm and Default.asp entries.



And Add an entry for index.html.



After doing that, now open the Directory Security tab and click the Edit button in the Anonymous Access area (at the top of the panel).



Under Anonymous Access and Authentication Control, click Edit. Check Anonymous Access checkbox, uncheck Basic Authentication and Windows NT Challenge/Response, as follows:



This concludes all modifications needed to be performed throught the Internet Information Services interface. The following describes the second step of this process, where various user permissions are applied to the web site directory tree.

Time Saving Note: If you are going to install and configure many web sites onto one web server you may perform the previous configuration steps to the web server itself. Configuring the web server machine properties will cause all subsequent web site installation to inherit the web server machine settings as a template. The only web site settings configuration changes you will need to be concerned with are those concerning the hosts header names (refer to the Advanced Multiple Web Site Configuration illustration above) and the directory security authentication (refer to Authentication methods illustration above).

Begin by right clicking on the highlighted web server machine name in IIS display and select the Properties menu entry, as shown below.



Make sure that the WWW Service is highlighted in the Properties panel and click the edit button.



You will now see the WWW Service Master Properties display which closely resembles the the individual web site display shown at the top of this section (II.). You may edit the default, template settings for all web sites to created thereafter.

* Setting the WWW Service Master Properties will not change web sites that have already been configured.



Back to top of page.


III. Setting Web Site File and Folder Permissions

The permissions properties of the physical folder where you will serve the site from must be adjusted. Using the Windows Explorer right click on your physical site folder. (For instance, in our example we would right click and bring up the properties panel of \\skyTower1\F\webhood.)



In the security tab of the properties panel Remove the Everyone user, if present, and add the Administrator user with all privilidges and also add the Internet Guest user with only Read and Write priviliges. If the "Allow inheritable permissions" checkbox is check (circled below), uncheck it.



Unchecking the "Allow inheritable permissions" checkbox will bring up the following warning box. Don't be alarmed. Go ahead and click the Remove button, which delete the listed users.



Simply click the Add button.



Then reselect users who will have priviliges associated with the base web site folder and all its subfolders and files. The users you select are the Administrator and what is called the IUSR (Internet Guest User).

Important new information: The following steps for applying priviliges to the IUSR must also be performed for the IWAM user, whose entry in the following illustration is pictured under the IUSR as IWAM_SKYTOWER1!



After selcting the Administrator and IUSR users. CLick the OK button bringing you back to the previous Security tab of the Properties panel. Observe the circled circled checkboxes.



Make sure that for the IUSR that only the Read and Write checkboxes are checked. Then click the Apply button to save your choices.



For the Administrator user check the box for Full Control, also circled. Checking this will automatically check all the boxes.



Again hit the Apply button to save your changes.



While in this same the Security tab of the Properties panel, click the Advanced button, bringing up the Access Control Settings panel, which brings up the following subpanel. Highlight the IUSR and and click the View/Edit button.



This brings up yet another subpanel for the IUSR permissions. Now enable the Delete Subfolders and the Delete permissions checkboxes (circled below).



Also make sure that you have unchecked the "Apply these permissions ..." checkbox (circled below).



Clicking the OK button from the previous illustration will bring back to the following panel. Make sure to check the "Reset permissions on ..." checkbox and click the Apply button to save your changes.



Don't worry about the warning box. Simply click Yes and proceed.



You should now see the following animated status graphic alerting you as to the file re-permissioning in progress.



After you have returned from the subpanel click the checkbox to "Reset permissions on all child objects" and then click the Apply button. (If the Apply button is greyed out it means that your changes were previously applied so simply hit the OK button.) Click the OK button in the base level properties panel. If you are creating a new web site this is the final step: please skip to the last paragraph of this document.



Back to top of page.


IV. Setting System File and Folder Permissions

In order for the internet user (IUSR) to be able execute web server scripts scripts and modify databases though web interfaces the IUSR, and another user called IWAM, will have to be granted certain file and folder permissions in the operating system directory tree. Setting these permissions for the IUSR and IWAM users need only be done once, rather than, as with web sites, on a per site basis. Please refer to the first paragraphs on the Cautionary Notes title at the end of this section.

We are still experimenting with trying to pare back priviliges for security reasons. For this reason many of these recommendations may be more promiscuous than is necessary. In fact, Microsoft ships their servers in the most promiscuous configuration possible to ensure things interoperate regardless of security considerations.

Invariably, the operating system is contained on the c: drive and, in the case of MS Windows 2000, more specifically at c:\WINNT. Most of the web related program activity, and most other OS activity, launches from c:\WINNT\system32. We recommend that you highlight the c:\WINNT directory, as shown below, and right click on it, selecting Properties.



Clicking on the Security tab will yield something like the following illustration. We recommend that you not give the Everyone user, or any user except the SYSTEM user and users in the Administrators group, Full Control privileges. In fact, we recommend giving privileges only to those users critical to the operation of you web server. Therefore we would remove, for security purposes, the Everyone user privileges entirely, as well as those for Power Users and Guests. Highlight the non-SYSTEM and non-Administrator users and click Remove and then Apply.



In the same diplay now click the Add button. Find the IUSR and the IWAM users (IUSR_SYSPEC3 and IWAM_SYSPEC3 here) and click the Add button in the Select Users or Groups display.



Click OK to return to the WINNT Properties display. Observe the default privileges: Read & Execute, List Folder Contents, and Read. These are corrrect for the IUSR and IWAM users. Click Apply and OK to save your changes. You should examine file privilege settings in the WINNT directory and its child directoies, especially the properties of c:\WINNT\system32, to ensure that your privileges properly cascaded down the c:\WINNT operating system tree.



Now you will need to expand the privileges for the IUSR and IWAM users in the c:\WINNT\temp directory. This is crucial for the IUSR to be able to use MS Access databases that may be backing a web application, such as is done with skyBuilders install distributions. Right click the highlighted directory and select Properties.



Observe how the IUSR and IWAM users have all privileges except Full Control.



This concludes the file and folder privileges and permissions settings requirements for configuring web sites.



Back to top of page.


V. Site Migration and File Ownership Consideration

If you are migrating a pre-existing web site you may encounter file an ownership problem with your web site file and folder security. You must ensure that the Aministrator is the owner of the all your web site files and folders. You may see the following warning/error panel while setting the priviliges for your web site files and folders.

Important Consideration: Over the course of time many site files may be created or deposited, and, therefore, owned, by the IUSR, whose full name is IUSR_HOSTNAME. If the web server's hostname changes and administrator may change the IUSR name accordingly to something like IUSR_NEWHOSTNAME. This will wreak havoc with web service access. When migrating a machine host name the new IUSR, IUSR_NEWHOSTNAME, may have to take ownership of these files away from the old IUSR.



If this happens go back to openning up the properties panel on the web site base level folder and click the Advanced button.



In the resulting subpanel highlight the Administrator user and click the View/Edit button.



In this Owner tab of the Access Control Settings panel make sure that the "Replace owner" checkbox is checked and click the Apply button to save your changes.



Your server should now be running. If it is not try right clicking the web site server entry in the Internet Information Services panel and then clicking Start.

You may now begin accessing a skyBuilders timeLines session across the web.

Back to top of page.


VI. Final Notes

SMTP Note: If you are doing any web site installations requiring SMTP services for sending email from ASP web applications, as skyBuilders timeLines based web site require, please refer to the howToSMTP document, which is intended to serve as an appendix to this document

Trouble Shooting: If you are having a particularly difficult time fine tuning your web service you may refer to a document cached from Google discussing the nuances of various Windows 2000 file and directory permissions. A more comprehensive document, which includes information from the previous doc link, skyBuilders Security Policy", has much coverage of all aspects of configuring MS Windows 2000 machine security.

Back to top of page.


Edit  |  workFlow  |  Subscribe
Language: fr  | it  | de  | es  | pt  | ar  | he  | da  | nl  | zh  | ja  | ko  | none 
Author: jesse
skyCalendar

This Version:
Archived at: http://www.skybuilders.com/Users/Jesse/Docs/howToWebSite2000.20040206145343.html

Requests
 Version: 18346 | Series: 23051 

Search: Site | Web | Groups