The Windows 2000 Resource Kit

The Microsoft Windows 2000 Resource Kit's W3who tool is an Internet Server API (ISAPI) filter for testing a Web site from a browser. You can call w3who.dll from an .html or Active Server Pages (ASP) file, and the tool returns an HTML stream to the browser with information about the server configuration and the browser's connection.

When you configure a server or set up security on a Web site, you need to understand how those parameters affect users who connect to the Web site. Often, making sure that you have configured the server correctly is difficult. For instance, if your site uses Basic or Integrated Windows authentication, how can you determine the security context of your users? How can you determine what privileges users have? This tool comes in handy in such situations.

You can use w3who.dll with different user logons to see the security context of each user. The tool's output displays information about the server and site as well as related information about the reference to the page. W3who.dll pulls this information from the HTTP variables that IIS sends with the HTML stream.

Setting Up the Tool
To use w3who.dll, you must set up the file in the Web site in which you want to use it, then create an .htm or .asp page to access the DLL. To set up the file in a Web site, copy w3who.dll from the Resource Kit directory (the default is C:\program files\resource kit) to the Web site or virtual directory folder you're going to test. You must place the DLL in the Web site or virtual directory you're testing because the tool reports results for the directory in which it resides.

Next, you need to configure the Web site or virtual directory. Here's an easy way to install the filter:

  1. Open the Microsoft Management Console (MMC) Internet Information Services snap-in.
  2. Right-click the Web site or virtual directory that you're testing, then select Properties.
  3. Click the Home Directory tab for a Web site or the Directory tab for a virtual directory.
  4. For the DLL to function, you must select Scripts and Executables from the Execute Permissions drop-down list, as Figure 1 shows. Click OK.

Using the Tool
To use w3who.dll, you must create a Web page to access it. The documentation shows two HTML versions to call the DLL. To set up this Web page, open Notepad or Microsoft FrontPage, and create a new file in the Web site or virtual directory you're testing. Name the file w3whotester.htm. Add the text

<a href="w3who.dll">Who are you</a>

to the file, and save it. Now, you can use the DLL.

To see the results of the test, view the test page in a browser, and click the Who are you URL. For instance, to run the test on my test system, I used the URL http://myserver/my%20stuff/w3whotester.htm. The first test I ran was on the My Stuff virtual directory with authentication set to Anonymous and Integrated Windows. This test displayed in the browser the results that Figure 2 shows.

The Access Token section at the beginning of the data shows the logon name (i.e., IUSR_MYSERVER) and the groups the user is a member of. The second section, Environment variables, shows the variables that IIS sent: information about the server (e.g., port, protocol), the user's browser, and so forth.

Next, I changed the authentication settings for the test virtual directory by removing Anonymous access. To change this setting, from the Internet Information Services snap-in, I opened the properties for the virtual directory; on the Directory Security tab, I clicked Edit to access the Authentication Methods dialog box. On this tab, I cleared the Anonymous check box and clicked OK to apply the change.

To test again, I clicked Back on the browser, then clicked the Who are you URL again. The browser displayed a new set of results, which Figure 3 shows. The Access Token section looks entirely different now. The user has changed from the Anonymous account to my username (i.e., ken). The SID following the name also changed, and the user groups that I belong to are different from those of the Anonymous account. For instance, you can see that in addition to the groups of which the Anonymous account is a member, I'm a member of the Debugger Users, NorthWindReaders, and Administrators groups.

The information following the groups is even more useful. This information shows the security privileges the account has. For instance, now the user can back up and restore files, as callout A in Figure 3 shows, and shut down the system, as callout B in Figure 3 shows. The only change in the Environment variables section is the AUTH_TYPE variable, which now shows a value of Negotiate. This value indicates that I've used Integrated Windows authentication instead of Anonymous access. (For Anonymous access, this setting is blank, as Figure 2 shows.) Using this tool with different accounts can show you a wealth of information about what your Web users can do.

Security and Groups
As these simple examples illustrate, w3who.dll can provide you with a lot of information about a site. For instance, let's say that you set up a new site. You're going to let users access that site through their Active Directory (AD) accounts, but you're going to restrict access to users of a certain AD group. You can easily test this setup by creating a couple of new accounts, placing them in this group, then using w3who.dll while you're logged on as one of these accounts. The security token will reveal what the users can do.

Note that a user who is a member of several groups holds the combined permissions of all of those groups. For instance, although I might be part of the new group, I also have Administrator privileges because I'm part of the Administrators group on that server. In addition, if you changed your execute permissions during the test, remember to reset them when your testing is finished.
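
One way to check the results described in this section, as an added example that is not part of the original article or the Resource Kit: it compares access-token details copied by hand from w3who.dll result pages and flags accounts that hold more than the restricted group should grant. The record layout, the baseline groups, the limited test account, and the choice of NorthWindReaders as the restricted group are assumptions made for illustration.

```python
# Added example: audit access-token details transcribed from w3who.dll pages.
# Record layout and most sample values are constructed; only IUSR_MYSERVER,
# ken, ken's three extra groups and AUTH_TYPE=Negotiate come from the article.

# Windows privilege constants for the rights the article calls out:
# back up and restore files, shut down the system.
SENSITIVE_PRIVILEGES = {"SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege"}
ADMIN_GROUP = "Administrators"

ANONYMOUS = {"user": "IUSR_MYSERVER", "auth_type": "",          # blank for Anonymous
             "groups": ["Everyone", "Authenticated Users"],     # constructed
             "privileges": ["SeChangeNotifyPrivilege"]}         # constructed
KEN = {"user": "ken", "auth_type": "Negotiate",
       "groups": ANONYMOUS["groups"] + ["Debugger Users", "NorthWindReaders", "Administrators"],
       "privileges": ["SeChangeNotifyPrivilege", "SeBackupPrivilege",
                      "SeRestorePrivilege", "SeShutdownPrivilege"]}
LIMITED = {"user": "testuser1", "auth_type": "Negotiate",       # constructed account
           "groups": ANONYMOUS["groups"] + ["NorthWindReaders"],
           "privileges": ["SeChangeNotifyPrivilege"]}


def token_delta(baseline, candidate):
    """Groups and privileges the candidate token has beyond the baseline token."""
    return {
        "groups": sorted(set(candidate["groups"]) - set(baseline["groups"])),
        "privileges": sorted(set(candidate["privileges"]) - set(baseline["privileges"])),
    }


def audit_token(token, required_group):
    """Return findings for one test account checked against the intended restriction."""
    findings = []
    if not token["auth_type"]:
        findings.append("anonymous request: AUTH_TYPE is blank")
    if required_group not in token["groups"]:
        findings.append(f"not a member of {required_group}")
    if ADMIN_GROUP in token["groups"]:
        findings.append(f"member of {ADMIN_GROUP}")
    for priv in sorted(SENSITIVE_PRIVILEGES & set(token["privileges"])):
        findings.append(f"holds {priv}")
    return findings


if __name__ == "__main__":
    print("ken vs. anonymous:", token_delta(ANONYMOUS, KEN))
    for tok in (ANONYMOUS, KEN, LIMITED):
        print(tok["user"], "->", audit_token(tok, "NorthWindReaders") or "OK")
```

An account that passes the group check but still reports findings, as ken does here, is the case the note above describes: membership in a second group widens what the token can do.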