IIS 101


One of IIS’s best features is its ability to create and configure virtual directories. A virtual directory is a useful, easy-to-learn feature. A virtual directory isn’t an actual folder on the hard disk such as you would create with Windows Explorer; instead, a virtual directory is a name mapped to a local folder or network share. Thus, you can use the virtual directory name rather than the actual directory name to access the contents of the virtual directory.

For example, let’s say you have a Web server called Mywebserver that serves documents at D:\wwwroot\websitea. For development purposes, you’d like to have a location for posting beta versions of documents in another directory at C:\securedocuments\limitedaccess\betadocs\webdocuments. You’ve mapped the Web server to read files only from D:\wwwroot\websitea (you map servers on the Home Directory tab of the Web site’s Properties dialog box). So, how can you provide access to the beta documents from the Web server when the files you want to access are on the C drive? Virtual directories are tailor-made to solve this problem. Create a virtual directory called BetaDocs (or any other name you want), and map it to C:\securedocuments\limitedaccess\betadocs\webdocuments. Now, when you want to access the beta documents, you use the URL http://mywebserver/betadocs. The request will then deliver the default document at C:\securedocuments\limitedaccess\betadocs\webdocuments.

Thus, the URL is much less complex because you don’t need the full pathname to the files. Furthermore, you can place under one Web server information that is distributed throughout the network.

Creating Virtual Directories


Creating a virtual directory is simple. In the Internet Service Manager (ISM) Microsoft Management Console (MMC) snap-in, select the Web site that will host the virtual directory. Right-click the site, and select New, Virtual Directory to launch the Virtual Directory Creation Wizard. The wizard asks for the following information:

  • Name of the virtual directory—This name appears in the URL for accessing the virtual directory, so choose it carefully. Don’t add spaces or punctuation if you can avoid it.
  • Path—Designate the folder or share that contains the content you want to access through the virtual directory. This path can be local or on a network drive.
  • Permissions—Specify the default permissions that IIS will enforce. These permissions aren’t NTFS permissions but restrictions that IIS manages. If you use a local drive, users need NTFS permissions sufficient for reading the files.

If you specify a network share as your virtual directory source, this scenario is more complex. IIS prompts you for a username and password for accessing the share, as Figure 1 shows. When a user asks for a file from the virtual directory, IIS uses the credentials you supply here, not the account of the logged or anonymous user, to access the remote share.

IMPORTANT: Don’t use an Administrator or privileged account to access a virtual directory. If you do, you would give all users elevated privileges to the content of the virtual directory and perhaps to the server on which the content physically resides.

In addition, make sure the account you use for virtual directory authentication is valid on the server hosting the share. A common error is to use a local account on the IIS server to try to authenticate to the virtual directory. I often create a local account on both servers (i.e., the IIS server and the share host) specifically for this purpose. In this way, I don’t have a domainwide account that has access permissions, and I avoid using any other account for double duty (e.g., user authentication and virtual directory authentication). The key to this technique is giving the local account the same username and password as the account you specified when you created the virtual directory.

When you’ve created your virtual directory, you see a virtual directory icon in the IIS snap-in that looks different from your typical folder icon. The virtual directory icon that Figure 2 shows has a little globe on the folder, while a regular folder appears just like a folder in Windows Explorer.

You can control access to a virtual directory and activities that go on there. For example, a common practice is to set up an entire Web site so that it doesn’t permit any script file or executable to run except in a virtual directory that you’ve set up specifically for that purpose. In this way, you can limit security concerns to a controlled location instead of having scripts executing sitewide.

A virtual directory is a useful feature that you can use without much technical training. You can find more information in the IIS Online documentation.