Remotely administer your servers

When you're away from your servers and workstations, Web Administrator 2.0 for Microsoft Windows NT Server 4.0 lets you perform limited administrative tasks. Web Administrator is a tool that lets you use HTML Internet browsers running on Windows, Macintosh, or UNIX to remotely administer NT servers. You can download Web Administrator from the Microsoft Web site at ntserver/nts/downloads/management/ ntswebadmin/default.asp. I find Web Administrator very easy to use.

To install Web Administrator on your NT server, the server needs to be running NT Server 4.0 with Service Pack 3 (SP3) or later and Microsoft Internet Information Server (IIS) 4.0. You can install Web Administrator on PDCs and BDCs. When you install the Web Administrator software on the server, the server publishes Web pages that include the necessary forms for administering that particular server. The program installs the Web Administrator files into the server's %inetsrv_root%\wwwroot\ntadmin directory. The installation is simple, uses intuitive wizards, and takes less than a minute to perform. Before you begin to use Web Administrator, you need to decide how you want to set its security, which you configure through the IIS Microsoft Management Console (MMC) snap-in.

Setting Up Security
To configure security for Web Administrator, launch Internet Service Manager (ISM). Select Start, Programs, Windows NT 4.0 Option Pack, Microsoft Internet Information Server, Internet Service Manager. Expand the Internet Information Server container from the scope pane. Next, select the name of the server that you want to configure Web Administrator security for and expand the container. Now you can begin to secure Web Administrator.

To grant or deny Web Administrator access to specific computers, you specify an entire domain, individual IP addresses, or network IDs and subnet masks for groups of computers. You specify these attributes by expanding the Default Web Site container, right-clicking NTADMIN, and selecting Properties from the pop-up menu. From the Properties dialog box, select the Directory Security tab. Then, from the IP Address and Domain Name Restrictions section, select Edit, as you see in Screen 1.

If you want to use Web Administrator from any computer in your organization, select the Granted Access option, which grants access to all computers. If you need to restrict access to the tool from certain computers, select Add, then select the Single Computer button in the Deny Access On dialog box to specify which computers to deny access from. You can use this option to deny access to IP addresses that might let intruders access your Web server. You can also select the Group of Computers button and type the appropriate information in the text box to deny access to a group of computers based on network ID or subnet mask. Selecting the Domain button lets you deny access based on domain name. If you plan to use Web Administrator on only a few computers, you need to choose the Denied Access option to deny access to all users. Then specify which computers to allow access from.

You gain access to Web Administrator through any HTML Web browser that supports either NT Challenge/Response authentication or Basic authentication. The Web browser you use determines in part the method of authentication you use. Microsoft Internet Explorer (IE) supports both NT Challenge/Response and Basic authentication. To use the NT Challenge/Response method, you need to install IE's virtual machine option.

NT Challenge/Response authentication is the most secure authentication method because the server uses cryptography instead of transmitting passwords over the wire. Your Web browser proves its knowledge of your password through a cryptographic exchange with your Web server. You don't receive a prompt for account information unless the authentication exchange fails to authenticate you. If the exchange fails, the browser will continuously prompt you with a dialog box until you enter valid account information. The browser uses the NT Challenge/Response method of transmission to process account information.

Basic authentication, which is the method that Web browsers most commonly support, encodes username and password data transmissions. With Basic authentication, you receive a dialog box prompting you to enter a username and password. Then authentication checks the account information against the NT security database to ensure that you have entered a valid NT account. If the account information you supply is valid, you receive a connection to Web Administrator. The downside of Basic authentication is that anyone with a protocol analyzer can decode the encoded data because this method transmits the information in an unencrypted format.

If you need to use Basic authentication because the Web browser you're using doesn't support NT Challenge/Response authentication, you can use an alternative approach that lets you employ Basic authentication without compromising account security. You can use the Web server's Secure Sockets Layer (SSL) client certificate authentication feature to encrypt password information and session data. Microsoft recommends that you use SSL even if you use NT Challenge/Response authentication because SSL will encrypt all session data. The SSL client certificate authentication method uses digital certificates to authenticate users without requiring them to provide account information each time they access the Web service. You can purchase certificates from a Certificate Authority (CA). For more information about digital certificates and how to configure them, see "Related Articles in Previous Issues."

Select the server's authentication method by expanding the Default Web Site container, right-clicking NTADMIN, and selecting Properties from the pop-up menu. On the Properties dialog box, select Edit from the Anonymous Access and Authentication Control section. The Authentication Methods dialog box gives you three options: Allow Anonymous Access, Basic Authentication, and Windows NT Challenge/Response. To keep Web Administrator secure, don't select Allow Anonymous Access.

Take into consideration the Web browser your organization uses, the authentication method that this Web browser provides, and the type of security your organization needs, then select the authentication method that is best for your organization. If you're using a Web browser other than IE, you might want to consider switching to IE if your organization requires a high level of security on your Web server. At press time, IE is the only Web browser that supports NT Challenge/Response authentication. For more information about authentication security, see "Related Articles in Previous Issues."

Available Features
After you've configured security for Web Administrator on your server, you can use an HTML Web browser and the address http://servername/ntadmin/ default.asp or http://ipaddress/ntadmin/default.asp to remotely perform a variety of tasks. You must log on as a member of the Administrators group for the server you need to administer. (Remember to log off before you walk away from the computer during a session.) You can select from 10 administrative options in the main Web Administrator window, which Screen 2 shows. Selecting an item to administer from the left pane displays related submenus in the right pane.

Introduction. The Introduction option explains how to use the list of items in the left pane for administration and offers one management option. From the right pane, you can select General Windows NT Server status information to view a brief summary of the server's status information, which Screen 3 shows.

Accounts. The Accounts management option lets you create and delete groups in the domain; add a workstation or BDC to the domain; add and remove user accounts from groups; and add, change, disable, and delete user accounts within the domain. To administer accounts from Web Administrator, select Accounts and the applicable submenu item.

By default, the Web Administrator user-accounts list box displays only the first 1024 user accounts. If your organization has more than 1024 user accounts, you'll receive a message saying that the system is unable to list all the user accounts. Microsoft set the default maximum at 1024 because of the time necessary to transmit user accounts across the network to the client browser. You can adjust a Registry value to override this default and list more user accounts. To find the MaxUsersToDisplay value, go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Inetsrv_NTAdmin Registry key. You can add new accounts whether or not the list contains the maximum 1024 accounts.

Devices. The Devices management option lets you change the device driver configuration on your server. When you select Devices in the left pane, the right pane lists each device, its status, and its startup configuration, as Screen 4, page 69, shows. To start or stop device drivers, select a device, then select Start or Stop. Selecting Start presents you with five startup configuration options for each device driver: boot, system, automatic, manual, and disable. To change a device's configuration and make the change permanent on your server, select the device, select the driver configuration option, then select the Update button.

Event Logs. The Event Logs option lists the 100 most common records in your server's System, Application, and Security event logs. To view the event-log entry details, select the event log you want to view and the Details button.

File System. The File System management option lets you create, view, and change permissions on directory shares for all installed file services, including Microsoft, Macintosh, and Novell NetWare. The submenu presents you with two options: Shared Directories and File and Folder Access. You use the Shared Directories option to modify properties of shares, add and remove user and group permissions for shares, delete existing shares, and create new shares. You use the File and Folder Access option to change permissions for existing shares. After you select the file or folder you want to set permissions for, remember to click the Select Folder or Select File option to proceed with modifying the share's permissions.

Maintenance. The Maintenance submenu contains four options: Broadcast Message, Web Admin Preferences, Reboot Server, and Remote Console. Broadcast Message broadcasts messages to all users logged on to the server. The Web Admin Preferences option lets you set the general static limits for the server, such as the maximum number of events to display on a page. Reboot Server lets you broadcast a message to users warning of a server shutdown and gives you the option to either shut down or reboot the server after the amount of time you specify passes. Bear in mind that if you shut down the server, you can't remotely access the computer to bring it back online.

Remote Console is an application you use to run a remote command-line session, which is similar to a UNIX Telnet session, on your server. The Remote Console Server service, which comes with the Microsoft Windows NT Server 4.0 Resource Kit (in the \ntreskit\rconsole directory), starts a cmd.exe process (the command-line interpreter) on the server for each client connection. Then, Remote Console takes control of the server console in which cmd.exe is running. Because Remote Console also takes control of video memory, you can use this tool to remotely launch command-line applications that use video memory, such as the Net command. The client sends all keyboard events directly to Remote Console, which simulates the events in the server's cmd.exe console.

To use the Remote Console option on the server, first install the Remote Console Server service. From the Control Panel Network applet, select the Services tab, then select Add. Next, select Have Disk and type in the path to the service's executable file (e.g., C:\winnt\system32\rconsvc.exe) on the target computer—not on the computer you're using for the installation.

To use Remote Console, you also need to install the Remote Console utility (rclient.exe) on the NT 4.0 client machine. The Remote Console window includes a hyperlink that copies the rclient.exe file to the server's \winnt\system32 directory. The \ntreskit\rconsole directory stores the rclient.exe file, and you can also manually copy this file to your \winnt\system32 directory. To run rclient.exe, execute it from a command prompt on your Windows 2000 (Win2K) or NT 4.0 client computer.

Printers. The Printers management option lists the printers that are available to users. This option lets you select a specific printer, view its queued jobs, flush print jobs, and pause or resume printing.

Services. The Services management option lets you select a service from the displayed list, then either start, stop, pause, or continue the service. After the server starts, you can select Start from the Services submenu to configure the service as automatic, manual, or disabled.

Sessions. The Sessions option lists the clients that are accessing the Server service. You can select a session from the list, then choose to get more information about the session, disconnect the session, disconnect all connected sessions, or refresh the view of the connected sessions.

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at

"Configuring IIS 4.0 Certificate Authentication," February 1999, InstantDoc ID 4759
"IIS 5.0's New Security Features," November 1999, InstantDoc ID 7284
"Digital Signature Technology," February 1999, InstantDoc ID 4772
"You Can Be a Web Certification Authority," October 1997, InstantDoc ID 597
Status. The Status submenu contains three options: Server Configuration, Performance Statistics, and Server Statistics. Server Configuration lets you view server configuration details such as hardware, local and remote drives, and environment and network information. You can use Performance Statistics to select a server, then view its performance statistics and associated counters. You don't have an option to select specific counters. Server Statistics lists a summary of statistics for the server, such as Number of Sessions and Available Physical Memory.

Web Administrator's many features make it a very helpful tool that lets you perform limited administrative functions when you're away from your servers and workstations. Because you can perform those functions remotely, Web Administrator can also save you time.