Access and manage IIS via an HTTP connection

Internet Information Server (IIS) 4.0 includes an HTML-based version of Internet Service Manager (ISM). As long as you have an HTTP connection to the server running IIS, you can use HTML-based ISM to manage IIS. You can even use HTML-based ISM via an HTTP connection that doesn't support NetBEUI over TCP/IP.

When you need to manage IIS from a remote location and you don't have a RAS or WAN connection to the IIS server, you can't use the Microsoft Management Console (MMC) version of ISM. In this type of situation, HTML-based ISM is handy. Suppose someone from your office pages you while you are out of town at Microsoft TechEd, and you need to change the configuration of your company's Web site. Assuming that you previously installed HTML-based ISM and configured IIS to let you remotely access the Administrative Web Site (AWS) IIS properties page, you can perform the update from any system with authorization to remotely access the server using an HTTP connection.

The AWS automatically installs with IIS. You can find the .htm and .asp files and subfolders that make up AWS in the C:\winnt\system32\inetsrv\iisadmin folder. When you use HTML-based ISM to access a site, the default.asp file checks your browser type and displays a message if your browser doesn't meet ISM's browser requirements. Table 1, page 132, lists the minimum browser requirements for full HTML-based ISM support. These browsers support the proper version of JavaScript and meet other ISM requirements. You need to enable browser cookies to use HTML-based ISM. When you disable cookie support, ISM displays a page requesting that you enable cookies.

Configuring HTML-based ISM
IIS installs the AWS with security settings that restrict remote access to the local computer. Screen 1 shows the AWS settings to restrict all systems except the local system from remote access. If you try to access the AWS without properly configuring the access authorization settings, you'll receive the error message HTTP Error 403—Access to Internet Service Manager (HTML) is restricted to Localhost.

To change the access restrictions, start the MMC version of ISM. Select the AWS, then right-click and select Properties from the pop-up menu. Click the Directory Security tab, and click Edit in the IP Address and Domain Name Restrictions section of the page. The IP Address and Domain Name Restrictions dialog box, which Screen 2 shows, will open. Click Add to specify access permissions for a particular system that you want to use to remotely manage IIS via HTML-based ISM. In the Grant Access On dialog box that opens, enter the IP address, domain name, or subnet mask from which you want to let computers access the site. Click OK to close the Grant Access On dialog box, and click OK to close the IP Address and Domain Name Restrictions dialog box. Click OK or Apply in the AWS Properties page to apply the changes to the AWS.

Screen 2 shows the IP Address and Domain Name Restrictions dialog box for my IIS server after I added the IP address 221.103.231.13. For many sites, setting permissions for HTML-based ISM to an IP address or subnet mask makes sense. Restricting ISM access to an explicit IP address or a subnet mask provides a granular level of control over access that better prevents intruders from entering a site than restricting access to a domain name does.

Alternatively, you can set the restrictions to specify the systems you want to prevent from accessing your AWS and let users at all other IP addresses or domains access the site. You probably won't choose this approach because every system you leave off the list has access, and you can't know every IP address or domain from which intruders might attempt to hack your servers.
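
The difference between the two restriction modes can be made concrete with a small model. The following is an added example, not code from IIS or from the article: the function names, the policy dictionaries, and every address except 221.103.231.13 are constructed for illustration, and the matching rule (an entry is a single address or a network with a subnet mask) is a simplified assumption about how the dialog box's list behaves.

```python
import ipaddress

FULL_IPV4 = 2 ** 32

def _networks(exceptions):
    # Accepts "a.b.c.d" (single computer) or "a.b.c.d/mask" (group of computers).
    return [ipaddress.ip_network(e, strict=False) for e in exceptions]

def is_allowed(client_ip, default_granted, exceptions):
    """True if client_ip may reach the site.

    default_granted is what unlisted computers get; every listed entry
    gets the opposite, mirroring the grant/deny toggle in the dialog box.
    """
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in net for net in _networks(exceptions))
    return default_granted != listed

def reachable_count(default_granted, exceptions):
    """Number of IPv4 source addresses the policy lets through."""
    merged = ipaddress.collapse_addresses(_networks(exceptions))
    listed = sum(net.num_addresses for net in merged)
    return FULL_IPV4 - listed if default_granted else listed

# Policy A: deny by default, grant localhost and the article's admin address.
GRANT_LIST = {"default_granted": False,
              "exceptions": ["127.0.0.1", "221.103.231.13"]}
# Policy B: grant by default, deny one constructed "known bad" address.
DENY_LIST = {"default_granted": True, "exceptions": ["198.51.100.7"]}

# Constructed client addresses for the comparison.
CLIENTS = ["127.0.0.1", "221.103.231.13", "221.103.231.14", "198.51.100.7"]

def admitted(policy, clients=CLIENTS):
    return [c for c in clients if is_allowed(c, **policy)]

if __name__ == "__main__":
    for name, policy in (("grant list", GRANT_LIST), ("deny list", DENY_LIST)):
        print(name, admitted(policy), reachable_count(**policy))
```

Under the grant list only the two listed addresses get through; under the deny list every address except the one you thought to block does, including the neighbor 221.103.231.14 that nobody authorized.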

Probably the best solution is to use either Windows NT Challenge/Response authentication or Basic Authentication for the AWS, which lets you remove the explicit IP address restrictions to let authorized users access the AWS from any system. When you disable Anonymous Access to the site, both NT Challenge/Response authentication and Basic Authentication will force user validation. To disable Anonymous Access to AWS, click the Directory Security tab and click Edit in the Anonymous Access and Authentication Control section of the page. In the Anonymous Access and Authentication Control dialog box that opens, clear the Allow Anonymous Access checkbox and click OK. Click OK again to close the Anonymous Access and Authentication Control dialog box. Click OK or Apply in the AWS Properties page to apply the changes to the AWS. (For more information about user authentication, see Ethan Wilansky and Geoff Moes, "Remote Administration, Part 2," http://www.winntmag.com, instaNT document number 3942.) Before a user gains access to the AWS, the user needs to log on to the IIS server. Users with NT Challenge/Response-capable systems and browsers and a valid NT account in the IIS server's domain can gain access to the site without supplying a username or password. ISM prompts users who lack a valid account, correct permissions, or a system that supports NT Challenge/Response for a username and password.
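
After you remove the IP restrictions and rely on authentication, it is worth checking from a non-administrative host what the AWS actually answers. The following is an added example, not part of ISM or of the article: assess_aws_response, the posture labels, and the sample responses are constructed for illustration, and it assumes the usual HTTP behavior in which a server advertises NT Challenge/Response as "WWW-Authenticate: NTLM" and Basic Authentication as "WWW-Authenticate: Basic".

```python
def assess_aws_response(url, status, headers):
    """Classify one response from the /iisadmin URL.

    headers is a list of (name, value) pairs so that several
    WWW-Authenticate headers (one per enabled scheme) are preserved.
    Returns (posture, offered_schemes, warnings).
    """
    schemes = [value.split(None, 1)[0].lower()
               for name, value in headers
               if name.lower() == "www-authenticate" and value.strip()]
    warnings = []
    if status == 403:
        posture = "ip-restricted"
    elif status == 401:
        posture = "logon-required"
        if not schemes:
            warnings.append("401 without a WWW-Authenticate header")
        if "basic" in schemes and url.lower().startswith("http://"):
            warnings.append("Basic offered over plain HTTP: the password "
                            "is only base64-encoded on the wire")
    elif 200 <= status < 300:
        posture = "open"
        warnings.append("admin pages returned with no IP restriction or logon")
    else:
        posture = "unknown"
    return posture, schemes, warnings

# Constructed responses, as seen from a host that should NOT be an admin client.
SAMPLES = {
    "default install": ("http://abaco/iisadmin", 403, []),
    "NTLM only": ("http://abaco/iisadmin", 401,
                  [("WWW-Authenticate", "NTLM")]),
    "NTLM + Basic": ("http://abaco/iisadmin", 401,
                     [("WWW-Authenticate", "NTLM"),
                      ("WWW-Authenticate", 'Basic realm="abaco"')]),
    "anonymous left on": ("http://abaco/iisadmin", 200, []),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, assess_aws_response(*sample))
```

A 2xx answer to an unauthenticated request means Anonymous Access is still enabled on a site whose IP restrictions have been lifted, which is the combination the procedure above is meant to avoid.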

Using HTML-based ISM
You can use HTML-based ISM as you would use the MMC version. HTML-based ISM supports most operations that the standard ISM supports but has a couple of distinct differences. Because the HTML version runs on various browsers and OSs, the interface looks different from the MMC version's interface. HTML-based ISM uses Active Server Pages (ASP), and the Windows features of the MMC version (e.g., dragging items to copy them and right-clicking) aren't available in browsers. In addition, HTML-based ISM doesn't support operations that require NT utilities, such as certificate management, because NT utilities aren't yet accessible from the ISM's ASP interface.

The documentation about managing IIS assumes that you are using the MMC version of ISM. The MMC version runs under NT Workstation or NT Server, so it uses NT services and the drag-and-drop and right-click functions. The lack of MMC features in HTML-based ISM can lead to some confusion when you try to follow the steps in the IIS documentation. Despite differences from the MMC version, the HTML version of ISM is a capable tool for many IIS operations.

Let's use HTML-based ISM to perform some standard IIS administration tasks so you can see how easy this tool is to use and how you can use it in different situations. To start HTML-based ISM, you need to point your Web browser at the AWS on the IIS server you want to administer. My IIS server has the name abaco, so I can point my browser to the URL http://abaco/iisadmin. Substitute your IIS server's name for abaco, and ISM will start. ISM will prompt you to enter the correct credentials. When HTML-based ISM starts for the first time, the application prompts you to select either a large or a small display format. Your system stores your display preference in a cookie, so you won't get this format prompt again.

HTML-based ISM has two levels of security privileges: operator and administrator. When you connect to the site using the URL http://servername/iisadmin, you log on as an operator. Using the AWS properties, ISM assigns operators to the Default Web Site level and Administration Web Site level that restrict operators from certain activities, such as creating an ASP application, and limit operators' abilities to manage a site. You can use the MMC version of ISM for activities such as creating or removing ASP applications, then log on to the HTML version as an operator to make changes that operators have permission to make. Or you can connect to the AWS as an administrator, which gives you permissions to perform functions that operators can't perform, including creating or removing ASP applications.

To connect to the AWS as an administrator, you need the port number that IIS randomly generates and assigns to the AWS during installation. Because IIS installation generates the port number, each site has a different number between 2000 and 9999. To find your server's AWS port number, you need to open the MMC ISM, right-click the AWS, select Properties, and click the Web Site tab. Screen 1 shows the port number 3223. To change an IIS server's port number, enter the new port number, and click OK or Apply.

The syntax http://servername:port number/iisadmin lets a user who has administrative permissions on the server connect to HTML-based ISM as an administrator. I used the URL http://abaco:3223/iisadmin to connect to my IIS server as an administrator. HTML-based ISM's administrator interface is a bit different from the operator interface. The interface includes links to administrative tasks and exposes options, such as the option to create Web sites.

Screen 3 shows the main HTML-based ISM interface for administrators. This interface is noticeably different from the MMC version. HTML-based ISM doesn't have a toolbar, as the MMC version does, but rather lists the most-used commands—with some of the MMC ISM's commands missing—as links along the page's left side. The tree that displays the Default Web Site directories looks similar to the MMC-based ISM but lacks NT Explorer's ability to drill down and expand or collapse folders. You will need to create a new directory to add a folder or Web site using HTML-based ISM. To create a new directory, click Default Web Site in the right pane and click New in the left pane. ISM will prompt you to enter the directory name. Enter the name, and click OK to create the directory. ISM will store the new directory in the Default Web Site directory. If you click another directory's name before clicking New, your new directory will be in the directory that you selected. You can use this method to create directories at any tree level.

After you move to a new page in HTML-based ISM, a special Back option will appear below the menu choices in the left pane. You can use this ISM Back option to return to the main interface from wherever you are in the application. Using this option is much faster than repeatedly clicking the Back option on the browser's toolbar.

You need to pay close attention to the HTML-based ISM options because they might be different from the MMC ISM options. For instance, on the Performance property page, you use a slider to tune server performance. In the MMC version of ISM, you can click anywhere on the slider to change the setting, but the HTML version requires you to click the link directly under a slider position to move the slider across the bar.

When you make changes on an ISM page, you need to click the Save option in the bottom right corner to post your changes to the server. ISM will prompt you to save changes when you try to move to another page without saving, but to be safe you need to explicitly save the changes before you move on.

Results and Analysis
I experienced an irritating HTML-based ISM problem. Whenever I tried to access certain ISM features, such as application configuration, a pop-up window with a new browser instance asked me to refresh the page. I clicked OK, refreshed the browser, and tried the operation again, but the pop-up window returned. My systems run NT 4.0 with Service Pack 4 (SP4), so the problem isn't that my applications are old. I believe this pop-up window is a bug in the HTML-based ISM application.

The anomalies between the HTML and MMC ISM versions exist primarily because of HTML-based ISM's dependence on browsers. Although browsers are powerful tools, the HTML version's limitations illustrate that NT provides more power for running applications. Nevertheless, HTML-based ISM is a useful tool that administrators can use to drastically enhance remote server management of their IIS servers.