Setup IIS (Server 2008)
This guide is written to explain the installation and configuration process of IIS 5.0 on a Windows 2000 Professional or Server System. It also includes information for configuring Microsoft Exchange Server 2000 for E-mail Hosting. This guide assumes you have at least a basic understanding of Windows 2000, IIS, Site Hosting, and System Security. If you have specific questions about any part of this process, contact me and I will provide further instructions. If you are totally clueless, following this guide step-by-step will get you up and running, but may not answer too many questions about what you’re doing or why. I would strongly encourage you to investigate these options more thoroughly and perhaps get a book on Windows 2000 to supplement this guide.
This guide is written strictly for Windows 2000 systems because Windows 9x/ME do not have IIS support, and the process on both Windows XP Pro and Windows Server 2003 is a bit different because of IIS 6.0. Although you can mostly follow this guide and still configure your XP or 2003 system properly, please be aware that much of the information may need to be altered slightly to get to the same places and features. The information for IIS focuses strictly on configuring the FTP and WWW servers. The Exchange guide will discuss setting up Mail and News services.
System Requirements for IIS:
Same as Windows 2000 OS, plus:
– Broadband Connection, 256MB of RAM or higher for best results.
– Will work regardless of Windows 2000 Professional or Server Edition
– Windows 2000 Server systems which will also function as Active Directory Domain Controllers should already have Active Directory installed and configured.
Installation Process for IIS
1. Open Add-Remove Programs from Control Panel, and select the Windows Components button.
2. In the list you will see Internet Information Services… double-click on it.
3. Select the following Required Components, and it will automatically select ALL other required components:
– FTP Server
– WWW Server
– Documentation
4. Evaluate the list of components… select the other features you wish to use. I do NOT recommend installing the Rapid Application Development/Deployment tools nor do I recommend the FrontPage Extensions for security reasons. If you plan to install Exchange later, select NNTP (News) and SMTP (Mail) services now.
5. Have your Windows CD-ROM ready, click OK to return to the main Install Wizard, and then click Next. IIS will be installed now and may take several minutes.
6. Click Finish, and for good measure, reboot the system, even if it doesn't ask you to do so.
Configuration of IIS
1. Launch Start > Programs > Administrative Tools > Internet Services Manager
FTP Server
1. Select the Default FTP Site from the left, and select Properties.
2. On the General tab, you can change the following options:
– Description of your site to something more appropriate (such as ftp.yoursite.com)
– IP Address that your server listens to… All Unassigned is default, but this is useful if the system works on your LAN and the Internet and you want it to only work on one or the other.
– Port Number that your server listens to… Default is 21, but many people scan that port. For security reasons, it's better to move it to another port so people can't find it as easily. The disadvantage is that you must specify that port to connect… i.e. ftp.yoursite.com:800
– Connection Limits… 2K Pro systems are limited to 10 simultaneous connections. 2K Server can select Unlimited by default or else limit it to any number they choose.
– Connection Timeout… I always change this to 120 seconds so that dead connections time out faster.
– Logging… I usually use W3C Extended Log format with ALL of the options. I also enable the Use Local Time of Server for times, because I don’t like the conversion from GMT time.
3. On the Accounts tab, you can change the following options:
– Allow Anonymous Connections… for an FTP server, consider whether this server will be for public use or secure use. If secure, you MUST disable this login.
– FTP Site Operators… I have no idea why anyone would allow someone other than Admins to control the status of their server, but you can if you need to.
4. On the Messages tab, you can set the messages users see when connected to your site.
5. On Home Directory, you can customize where IIS looks on your system for its “Home Directory”… that is, where the files you are serving are stored on your system. For performance reasons, I recommend people change from the default location on the C: drive to a separate drive such as D:. Also, you can allow Read, Write, and Logging on this page. I recommend NOT enabling Write access for security reasons. Otherwise, people can add/change/delete anything on your server, and possibly plant viruses on your system.
6. For Directory Security, you can customize what IP networks have access to your server. Windows 2000 Pro systems cannot change from “All Allowed”. Windows 2000 Pro systems can limit access to specific systems or subnets. If you customize this, make sure you allow your own network systems access, or you will lose access to the site.
7. Next, we must configure an option in the Security Policy if you disabled Anonymous logins. ALL user accounts on your system that will be allowed to log on to FTP must be added to the Allow Logon on Locally policy. To do that on Win2K Pro, open Local Security Policy from Administrative Tools, and navigate to Local Policies\User Rights Assignment. Look for the value marked as “Log on Locally” and add your FTP users to that list. For Win2K Server systems, the same change must also be made to Domain Controller and Domain Security Policies.
Below is a screen shot to explain it better, because this step is very difficult to make. The IUSR accounts must be enabled for anonymous access, and user-access should have those accounts added and enabled as well.

8. Congratulations, your FTP server is now configured.
9. For added security, I recommend limiting the number of users you allow access to your FTP site… also, make the passwords difficult to guess. Also, go to your FTP “Home Directory” and make sure that you change your NTFS permissions to reflect whom you want to give access to. For example, the “Everyone” group should not have “Full” access to the directory. On my system, I allow “Administrators” and “System” to have Full access, FTP Users and Everyone only have Read and List access.
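The W3C Extended logging enabled in step 2 is what lets you see whether someone is guessing FTP passwords. The following is an added example, not part of the original guide: it reads the `#Fields:` header (the columns depend on which logging options you ticked) and reports client IPs with repeated failed logins. The log lines are constructed, and the `[session]VERB` layout of cs-method and the use of status 530 for a rejected password are assumptions about the FTP log entries.

```python
import re
from collections import defaultdict

# Constructed sample in the W3C Extended layout IIS writes for its FTP service.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-01 09:15:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-04-01 09:15:00 192.0.2.10 [1]USER backup 331
2003-04-01 09:15:01 192.0.2.10 [1]PASS - 530
2003-04-01 09:15:03 192.0.2.10 [2]USER admin 331
2003-04-01 09:15:04 192.0.2.10 [2]PASS - 530
2003-04-01 09:15:06 192.0.2.10 [3]USER administrator 331
2003-04-01 09:15:07 192.0.2.10 [3]PASS - 530
2003-04-01 09:20:11 198.51.100.7 [4]USER alice 331
2003-04-01 09:20:12 198.51.100.7 [4]PASS - 230
"""

# Assumption: cs-method looks like "[session]VERB", as in the sample above.
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")

def parse_w3c(text):
    """Yield one dict per entry, mapping columns via the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def failed_logins(text, threshold=3):
    """Return {client IP: [user names tried]} for IPs with >= threshold failures."""
    pending = {}                  # (ip, session) -> user name from the USER command
    failures = defaultdict(list)
    for entry in parse_w3c(text):
        match = METHOD_RE.match(entry.get("cs-method", ""))
        if not match:
            continue
        session, verb = match.groups()
        key = (entry.get("c-ip", "-"), session)
        if verb == "USER":
            pending[key] = entry.get("cs-uri-stem", "-")
        elif verb == "PASS" and entry.get("sc-status") == "530":  # 530 = not logged in
            failures[key[0]].append(pending.get(key, "?"))
    return {ip: users for ip, users in failures.items() if len(users) >= threshold}
```

Run it against the files in the FTP site's log directory; an address that shows up here is a candidate for the Directory Security deny list from step 6.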
Web Server
1. Select the Default Web Site from the left, and select Properties.
2. On the General tab, you can change the following options:
– Description of your site to something more appropriate (such as www.yoursite.com)
– IP Address that your server listens to… All Unassigned is default, but this is useful if the system works on your LAN and the Internet and you want it to only work on one or the other.
– Port Number that your server listens to… Default is 80, but many people scan that port. For security reasons, it's better to move it to another port so people can't find it as easily (if this is a secure site or if your ISP blocks Port 80). The disadvantage is that you must specify that port to connect… i.e. www.yoursite.com:800
– Connection Limits… 2K Pro systems are limited to 10 simultaneous connections. 2K Server can select Unlimited by default or else limit it to any number they choose.
– Connection Timeout… I always change this to 120 seconds so that dead connections time out faster.
– HTTP Keep-Alives Enabled… keeps a connection to the client open, rather than closing and re-opening the connection with each client-server request.
– Logging… I usually use W3C Extended Log format with ALL of the options. I also enable the Use Local Time of Server for times, because I don’t like the conversion from GMT time.
3. On the Performance tab, you can change the following options:
– For all types of systems, the Performance Tuning slide should be adjusted to the appropriate setting. Most likely this will be the “Fewer than 10,000” setting.
– For Win2K Server systems, the bandwidth and Process throttling allows you to control how much of your bandwidth and system CPU can be used for your web server.
4. I have found no practical use for the ISAPI filters. Exchange Server installs a few, but I typically leave them alone.
5. On the Home Directory tab, you can change the following options:
– Where the default files for your web site are stored. As with the FTP Server, it's best to store them on D:
– For access, I strongly recommend you select ONLY Read and Log visits, and disable all others.
– Unless you have a need to run advanced Java or ActiveX scripts, etc… remove the Default Application, and select Scripts Only from Execute Permissions.
6. On the Documents tab, you can customize what your “home” page name is. For IIS systems, the default page is default.asp or default.htm. However, I always change this to be index.html. Choose the settings that best suit your needs. I have never used the Default Footer option, but it allows you to automatically append a footer page info on all pages on your site. I guess if you were going to host an Ad-based site that would be a good way to do it.
7. HTTP Headers are similar to the Footers options above. On this tab, you can also set pages to expire (stop working) after a certain period of time… good if you are expecting frequent updates. Also, you can set Content Ratings for your pages to allow “Net Nanny” type products to identify what type of content is on your site. I have never modified the MIME Map… there is no normal reason to do so.
8. There is no reason to modify the Custom Errors or Server Extensions tabs either.
9. On the Directory Security tab, you can control several access options:
– You can disable Anonymous Logon… useful for private web sites.
– You can also require logon options.
– You can also restrict your site to specific IPs or IP Subnets.
– You can also configure SSL settings using Server Certificates… this is something I have yet to do.
10. Congratulations, your Web server is now configured.
11. For added security, I recommend limiting the number of users you allow access to your Web site… also, make the passwords difficult to guess. Also, go to your Web “Home Directory” and make sure that you change your NTFS permissions to reflect whom you want to give access to. For example, the “Everyone” group should not have “Full” access to the directory. On my system, I allow “Administrators” and “System” to have Full access, Web Users and Everyone only have Read and List access.
Advanced Options
1. For both FTP and Web sites, you can add “Virtual Subdirectories”… i.e. www.mysite.com/mythings/ … that point to a directory on your system that is NOT located in the default Home Directory. To create these virtual directories, simply right click on the site, and select New > Virtual Directory and follow the wizard. There is no further need to configure these folders, unless you want to add browse access (ability to see and download files from) to the directory or otherwise enhance or loosen security.
2. By default, IIS creates several “Virtual Directories” for itself that are VERY prone to security risks. Among these are the Scripts, all IIS*, and MSADC directories. It is HIGHLY recommended that you delete these directories.
3. I also recommend that you download and run Microsoft's IIS Lockdown utility from their site (http://www.microsoft.com/technet/itsolutions/security/tools/locktool.asp); this will allow you to further secure your site.
DNS Configuration
Assuming you have a registered domain name (i.e. aaronhall.net) with a registrar like Register.com, you will need to add DNS entries as appropriate for your setup. Since these configurations vary too much from registrar to registrar, I cannot provide exact details for this task. However, here is a general guideline.
You will need 1 “Class A IP/Host Record” for each “system” on your network that serves the Internet. For example, if you have 3 servers – Server1, 2, and 3 – then you should have Class A Records that reference the Machine name Server1.domain.com = IP address.
You will need 1 “Class C Domain Alias” for each service you want to reference. For example, if you want to have www. mail. ftp. and news. domain.com… you will need 4 Class C Aliases… They appear in this format… ftp = server1.domain.com ; www = server2.domain.com ; etc etc.
You will need 1 “MX Record” for each mail server you run. For example for domain.com, an mx record for mail.domain.com should exist.
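Before saving the entries at your registrar, it helps to check that the three record types agree with each other. The following is an added example, not part of the original guide: it checks a list of records for aliases that point at a machine with no host record, and goes one step beyond the text by flagging a mail (MX) entry whose target is itself an alias, which the DNS standards do not allow. It assumes that "Class A" and "Class C alias" here mean DNS A and CNAME records and that every target is defined in the same listing; the names and addresses are constructed.

```python
# Constructed records, one "name TYPE value" per line. domain.com and the
# addresses are placeholders; "Class A" and "Class C alias" on this page are
# taken to mean DNS A and CNAME records (assumption).
SAMPLE_RECORDS = """\
server1.domain.com  A      192.0.2.11
server2.domain.com  A      192.0.2.12
ftp.domain.com      CNAME  server1.domain.com
www.domain.com      CNAME  server2.domain.com
mail.domain.com     CNAME  server3.domain.com
domain.com          MX     mail.domain.com
"""

def parse_records(text):
    """Return (name, type, target) tuples; the target is the last column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith(";"):
            name, rtype, target = parts[0], parts[1].upper(), parts[-1]
            records.append((name.lower().rstrip("."), rtype, target.lower().rstrip(".")))
    return records

def check_records(text):
    """List problems: dangling aliases, alias/host clashes, MX aimed at an alias."""
    records = parse_records(text)
    hosts = {name for name, rtype, _ in records if rtype == "A"}
    aliases = {name: target for name, rtype, target in records if rtype == "CNAME"}
    problems = []
    for name, target in aliases.items():
        if name in hosts:
            problems.append(f"{name}: has both a host record and an alias")
        if target not in hosts:
            problems.append(f"{name}: alias target {target} has no host record")
    for name, rtype, target in records:
        if rtype != "MX":
            continue
        if target in aliases:
            problems.append(f"{name}: MX target {target} is an alias, not a host")
        elif target not in hosts:
            problems.append(f"{name}: MX target {target} has no host record")
    return problems
```

With the sample above, `check_records(SAMPLE_RECORDS)` reports the missing server3 host record and the MX entry that points at the mail alias; giving mail.domain.com its own host record clears both.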
If you do not have a domain name, you must use your system’s IP address to access your web site. If you don’t know yours, go to a Windows Command Prompt (DOS Prompt) and type ipconfig /all. This will tell you what your IP is.
