If you’re based in a small office or home office and have a high-speed cable or DSL Internet connection, you can use that broadband connection and Windows 2000 Professional to host your own Web site. You do so by installing IIS (Internet Information Services) 5.0, which comes with the operating system. IIS makes it possible for you to run a low-to-medium demand Web server (up to 100,000 hits per day). And even if you already have a hosted Web site, you can use IIS on your Windows 2000 Professional workstation as a staging server for revising and testing your business Web site.

IIS can run on Windows 2000 Professional?
The Windows 2000 Professional version of the IIS 5.0 Web server is less powerful than the version that comes with Windows 2000 Server. For instance, it lets you host only one Web site at a time. But this is more than adequate for most small business needs. In addition to a Web server, IIS includes a mail server (SMTP), Telnet, and FTP server as well as support for a site search engine, Active Server Pages (.asp), FrontPage extensions, management interfaces, logging, and documentation.

Comprehensive as IIS is, in addition to running it, you’ll have a few other needs before you can host your own business Web site. You’ll need:

  • A computer to run Windows 2000 Professional and IIS, powered on and connected to the Internet as close to 24/7 as it can be. When your computer is down, e.g., for rebooting or maintenance, your Web site will be down. You can purchase a used computer just for running IIS or use your personal computer. But be aware that using your personal computer increases the risk of losing data to hacking.
  • A static IP address. This permanent Internet address provided by your ISP, in a four-part format such as 69.3.216.95, permits the vast network of Internet servers to find your Web site. Most ISPs use dynamic Web addressing as a security measure, meaning that each time you connect to the Internet, or after a certain number of days when your IP address “lease” expires, your address is replaced with an available address from the ISP’s address pool. Most ISPs will provide a static IP address for a small monthly fee or include it as part of a business account.
  • A domain name of your own, e.g., www.yourbusiness.com, to attach to your IP address. Purchase this domain name from one of the domain name registrars, such as Network Solutions. When you do so, you’ll point the domain name to your static IP address. For example, my freelance writer’s Web site points to 65.199.34.52. Your Web site will be inaccessible by name until you attach your domain name to your new IP address and for up to three days while Internet domain name servers (DNS) around the world update.
  • A firewall to prevent Internet mischief, because a static IP address is an easier target for hackers in the same way a stationary target is easier to hit than a moving target. A properly configured firewall blocks all Internet activity except the activity you authorize, protecting you from attacks. There are hardware firewalls, such as the Linksys Broadband EtherFast Cable/DSL Firewall Router, that you place between your cable or DSL modem and your network, and there are software firewalls. Consider using ZoneAlarm, one of the top-rated software firewalls. It costs $40 per license for the Plus version, and $50 per license for the Pro version.
  • A router to enable you to share the cable or DSL broadband connection among your small office or home network computers. Often, routers include basic firewalls.

Installing IIS
When you first installed Windows 2000 Professional, you most likely did not install IIS, since it’s not part of the default setup. To install IIS on your workstation, place your Windows 2000 Professional CD in the CD drive. Click Start | Settings | Control Panel | Add/Remove Programs. Click Add/Remove Windows Components from the icons on the left. In the Windows Components Wizard, click the check box for Internet Information Services (IIS), as shown in Figure A, and then click Next. Installation takes a few minutes.

Figure A
Check Internet Information Services (IIS) to add this component to Windows 2000 Professional.

After installation, several new services will be present on your system: FTP Publishing Service, IIS Admin Service, Simple Mail Transport Protocol (SMTP), Telnet Service, and the World Wide Web Publishing Service. You can view them by clicking the Services console in Control Panel | Administrative Tools.

Also in Administrative Tools, you’ll find four new management consoles:

  • Internet Services Manager, a detailed management tool for IIS
  • Personal Web Manager, a simple interface for rapidly configuring and controlling your Web site
  • Server Extensions, a console for controlling additional Web capabilities
  • Telnet Server Administration, a command line application for configuring Telnet

Updating, patching, and securing
Like most Web servers, IIS 5.0—when installed fresh off the CD—is vulnerable to various Internet exploits and suffers from a few program bugs. As a first step to patching and securing your new Web server, apply or reapply Windows 2000 Service Pack 3, which was released in August 2002 and contains quite a few fixes. Next, apply the Cumulative Patch for Internet Information Service, released on Oct. 30, 2002.

Now download and apply the March 17, 2003, patch for Windows 2000 to close a security hole that can allow hackers to take over your computer. Finally, run Windows Update often to check for Microsoft’s latest IIS and OS patches, and apply them as released.

Problems, problems
If IIS hangs upon starting after you apply an update, it’s not because you did anything wrong. This difficulty occurs especially if you have firewall or other Internet security software installed that may not recognize modified IIS components and therefore prevents services from starting.

Your Event Viewer’s System log may show an error such as, “The World Wide Web Publishing Service hung on starting.” To check the log, go to Start | Settings | Control Panel | Administrative Tools | Component Services, and click Event Viewer, then System.

The solution is easy. First, change the startup option of the IIS Admin Service to Disabled. To do so, click Start | Settings | Control Panel | Administrative Tools. Click Services and then find and double-click the IIS Admin Service. In the Service Startup Option, choose Disabled from the drop-down list. Finally, reboot your workstation.

After security applications have loaded, change the Service Startup Option back to Automatic and start the IIS Admin Service. Apply any requested actions (such as ZoneAlarm requesting “Allow Internet Information Services to Access the Internet?”). The next time you reboot, IIS should start normally.


Create desktop shortcuts

To ease IIS administration, create a shortcut to the Administrative Tools folder on your desktop. This shortcut will put the management consoles for the following close at hand: Services, Task Manager, Component Services (including the Event Viewer), IIS Internet Services Manager, Personal Web Manager, and Server Extensions.


Configuring IIS
Since your goal is simply to serve up Web pages and not to invite trouble, as a final step in the security process, disable unneeded services, remote administration, sample scripts, and other files and settings installed by default that can be compromised by hackers. You can certainly peruse the samples while the Web server is off, but delete them before going live with your Web site.


Try Microsoft’s IIS Lockdown Wizard

Microsoft has released an IIS Lockdown Wizard that helps secure IIS by prompting you to choose the type of Web server from a list of options (such as Static Web Server and Dynamic Web Server With ASP Enabled). It then disables unneeded features by applying a template for each scenario. You can undo any changes you made. Download version 2.1 from Microsoft’s Web site.


To begin securing IIS, delete the following directories:

  • c:\inetpub\iissamples
  • c:\program files\common files\system\msadc
  • c:\winnt\help\iishelp
  • c:\winnt\system32\inetsrv\iisadmpwd

These directories of samples, DLLs, and documentation present a security risk, as a hacker could use them to tunnel through IIS to the computer. Another thing you can do to increase security is to disable unneeded file extensions. Most likely, your Web site will only use files with the extensions .htm or .html (Web pages); .stm, .shtm, or .shtml (for server side includes); and .asp (for Microsoft Active Server Pages). Remove any other extensions that could expose .dll calls, such as .printer (Internet printing capability); .htw, .ida, and .idq (Index Server); .htr (Web-based password reset); and .idc (Internet database connector).

To disable unneeded extensions, start the Internet Services Manager in your Control Panel’s Administrative Tools app. In the left pane, you’ll see a tree depiction of your as-yet unpublished Web site. Right-click on the Web site’s root (here, Freelancer, the name of my computer), and select Properties from the menu, as shown in Figure B.

Figure B
Access Default Web Site’s properties sheet to remove unneeded file extensions.

Click Edit for the Master Properties of the WWW service. This will configure all the properties of any Web site created from now on. Click on the Home Directory tab, then click the Configuration button. Highlight each file extension and click Remove, as shown in Figure C. Then click OK.

Figure C
Remove extensions that can invite problems.

In the next window, highlight Default Web Site and click OK so it will inherit the new settings. Now return to the Home Directory tab and again click Configuration. Choose the App Options tab and deselect Enable Parent Paths, which is another potential threat if exploited. Again, set the Default Web Site to inherit the new setting.

Since you’re running a small business, it’s likely that you’ll have limited experience in network security administration and limited time to spend on it. In such a setting, it’s unwise to risk making FTP downloads available for visitors to your site, or to enable Telnet, SMTP, or the Indexing Service. Go to Administrative Tools | Services, double-click each of these services in turn, and set their Startup Type to Disabled from the drop-down list, as shown in Figure D.

Figure D
Disable the FTP, Indexing, SMTP, and Telnet services.

Publishing your Web site
Now that you’ve made IIS relatively secure, you’re ready to publish your Web site. Begin by authoring Web pages using your favorite authoring tool. You can create images with a drawing program. After you’ve created the pages and images, place them and any special files, such as sound files, in the directories and subdirectories you create.

After you’ve set up the pages, test your Web page and edit it until it’s ready. If everything looks good, turn on the IIS Web server and leave it on 24/7. You should periodically check Web access logs and firewall logs for visitor statistics, errors, and security problems.
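One way to do the periodic log check described above, as an added example that is not part of the original article: it reads W3C extended format log lines and flags requests for the script extensions and sample folders removed in the Configuring IIS section. The URL prefixes, the field list, and the sample log lines are assumptions constructed for illustration.

```python
# Script-mapping extensions the article says to remove.
REMOVED_EXTENSIONS = (".printer", ".htw", ".ida", ".idq", ".htr", ".idc")
# Assumed URL prefixes for the sample folders the article says to delete.
SAMPLE_PREFIXES = ("/iissamples", "/msadc", "/iishelp", "/iisadmpwd")

# Constructed sample log (documentation-range IPs, made-up file names).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
10:00:01 192.0.2.10 GET /default.htm 200
10:00:07 198.51.100.7 GET /a.ida 404
10:01:12 198.51.100.7 GET /msadc/x.dll 404
10:02:30 203.0.113.5 GET /images/logo.gif 200
10:03:02 203.0.113.9 GET /iisadmpwd/page.htr 200
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, named by the log's own #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def review(lines):
    """Return findings for requests aimed at removed mappings or sample folders."""
    findings = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        reasons = [f"extension {ext}" for ext in REMOVED_EXTENSIONS
                   if any(seg.endswith(ext) for seg in stem.split("/"))]
        reasons += [f"folder {p}" for p in SAMPLE_PREFIXES
                    if stem == p or stem.startswith(p + "/")]
        if reasons:
            findings.append({
                "client": rec.get("c-ip", "-"),
                "uri": stem,
                "reasons": reasons,
                # Heuristic: on a hardened default site these should be 404s.
                "still_served": rec.get("sc-status", "404") != "404",
            })
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f)
```

A finding with `still_served` set means the request got something other than a 404, which is a cue to recheck that the extension mapping or folder was actually removed.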

Setting a default page
When visitors browse a Web site, the first page they see is the default home page. On UNIX-based Web servers, such as Apache, this file is named index.htm or index.html. In IIS, the home page is named default.htm (or default.asp, if you use Active Server Pages coding).

If you want, you can change the default page to index.htm (or any name you prefer). In the Internet Services Manager, right-click Default Web Site and choose Properties. Click the Documents tab and then click Add. Type index.htm in the box, then move it to the top of the list, as shown in Figure E.

Figure E
Add index.htm to the list of default home pages.

Where to place your Web pages
Save your home page in the Web site’s root directory; by default, this home directory is c:\inetpub\wwwroot. Save additional Web pages that are part of this site there as well, or in subdirectories you create. Keeping track of content is easier if you place images in the images subdirectory (already created), and organize related content in subdirectories. Figure F demonstrates the organization of my freelance writing Web site in IIS. (Note that my Web page is located in the D partition.)

Figure F
Place your Web site’s content in c:\inetpub\wwwroot and subdirectories.

You’re on the air
When you’re ready to publish “live,” right-click Default Web Site in the Internet Services Manager tree and choose Start, as shown in Figure G.

Figure G
Start your Web site, and you’re on the air.

Or, open the simpler Personal Web Manager and click the Start button, as shown in Figure H.

Figure H
Using the Personal Web Manager is a simple way to start and stop your Web site.

Testing and troubleshooting
You’ve bought your domain, installed IIS, built your Web site, and turned it on…and it doesn’t work. Here’s a list of basic testing and troubleshooting steps:

  • Is IIS on, are your network cables connected, is your broadband modem connected, and is your service up and running? These first troubleshooting steps are the obvious but vital basics to complete before continuing. Don’t forget to run your modem’s diagnostics. If you have a router, check that as well.
  • Have you been hacked or are your Web files accessible? Check to see if you’ve put your Web files in the correct folder and named them correctly—especially the default home page. If the Web site was working before, but pages are different or no longer there, immediately turn off your Web site, unplug from the network, and check your logs and files to see if a hacker has broken in. Run a virus scan.
  • Is the problem outside your network? If you’ve had reports that your Web site cannot be reached, have someone else try. It may be that one leg of the Internet is experiencing temporary problems. You could help by reporting problems to that visitor’s ISP.
  • Did your “static” IP address change? Go to Start | Run, type cmd, and press [Enter]. In the command line interface, type ipconfig /all and press [Enter]. Compare the IP address given in ipconfig with the address provided by your ISP. If they are different, perhaps your ISP didn’t give you a static IP address after all. But before complaining, type ipconfig /release and ipconfig /renew and see if that fixes the disparity.
  • Does your domain name or IP address work? If typing www.mydomainname.com doesn’t work from your browser, try typing your IP address directly. Type ipconfig /all as instructed above, then enter the IP address given for your network connection. If the address brings up your Web site, but the domain name doesn’t, this suggests a DNS error. A call to your ISP is in order.
  • Did you point your domain name to the correct IP address? Recheck your account with your domain name provider to see if your domain name is correct and is matched correctly with your IP address.
  • Have you given Internet DNS servers enough time to update? If you just purchased a domain name or just changed an IP address, you should wait a few days for the Internet DNS servers to include your new information before calling for help.
  • If you use a router, is it configured correctly?
  • Is your cable or DSL modem configured correctly? For example, some DSL modems can function as network bridges or limited routers. You may need to switch to bridged mode for your Web site to work or further configure your modem.
  • Is IIS getting through your firewall? Check your firewall configuration to see if it is allowing your Web site to pass through on port 80.
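The IP, DNS, and port 80 checks from the list above can be run in one pass. The following is an added example, not part of the original article; the function name, verdict strings, and the placeholder domain and address are assumptions.

```python
import socket

def _tcp_connect(ip, port):
    # Default probe: open and close a TCP connection (raises OSError on failure).
    socket.create_connection((ip, port), timeout=5).close()

def diagnose(domain, expected_ip, resolve=socket.gethostbyname,
             connect=_tcp_connect, port=80):
    """Apply the article's checks in order; return (verdict, detail)."""
    # 1. Does the site answer on port 80 at the static IP from your ISP?
    try:
        connect(expected_ip, port)
    except OSError as exc:
        return ("unreachable_by_ip",
                f"{expected_ip}:{port} did not answer ({exc}); check that IIS is "
                "started and that the firewall, router, and modem pass port 80")
    # 2. Does the domain name resolve at all?
    try:
        resolved = resolve(domain)
    except OSError as exc:
        return ("dns_lookup_failed",
                f"{domain} did not resolve ({exc}); DNS may not have updated yet")
    # 3. Does it resolve to the address you were assigned?
    if resolved != expected_ip:
        return ("dns_points_elsewhere",
                f"{domain} resolves to {resolved}, expected {expected_ip}; "
                "recheck the registrar record or whether your IP changed")
    return ("ok", f"{domain} resolves to {expected_ip} and port {port} answers")

if __name__ == "__main__":
    # Placeholder values; substitute your own domain and static IP.
    print(diagnose("www.example.com", "192.0.2.80"))
```

Run it from a connection outside your own network, since a request made from behind your router may not follow the same path a visitor’s does.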