SolutionBase: Creating your SOHO Web site on Windows XP and IIS 5.1

Deploy a Web server using Windows XP.

If your small office or home office (SOHO) has access to high-speed cable or DSL Internet connections, you can take advantage of broadband and Windows XP Professional to host your own Web site. You can do so by installing the Internet Information Services (IIS) 5.1 that comes with the OS. IIS 5.1 is a client-side Web server. As such, it is not for hosting high-demand sites. In fact, 5.1 is limited to 10 simultaneous connections, though I have heard of an undocumented hack that will allow up to 40 simultaneous connections. Even if your business already contracts with a Web site host, you can still use IIS 5.1 to run a staging server or development platform.

Which version, which OS, again?
Windows XP Professional includes IIS 5.1 on the installation disk. The Web server is not available in XP Home Edition. Rumor has it that if you try to install IIS 5.1 from a Windows XP Professional disk onto an XP Home computer, it won’t work reliably.

If you previously ran Microsoft’s Web server under Windows 2000 Professional, you ran version 5.0. Though the flavors are similar, 5.1 is more secure and has some interface changes and more advanced features.

As with Win2K, XP’s Web solution includes an SMTP mail server, FTP server, support for a site search engine, Active Server Pages (.asp), Front Page extensions, management interfaces, logging, and (less than ideal) documentation. In place of Telnet, however, remote management is accomplished via a remote desktop utility.

IIS 5.1, like 5.0, enables Web site authors to collaborate via Web folders using a scheme called Web Distributed Authoring and Versioning (WebDAV). While WebDAV can be valuable for collaborating on Web site design, it also adds some vulnerability to your system. 5.1’s implementation is somewhat different here, as well, and won’t be covered here.

Although you may prefer version 5.0, the catch is that Microsoft Web servers are platform-specific. Running 5.1 requires Windows XP, and running 5.0 requires Windows 2000. If you want version 6.0, you’ll have to invest in Windows Server 2003.

Naturally, client-side Web hosts are less powerful than their server counterparts. For instance, the server editions of IIS can host many Web sites, while the clients can only run one site at a time. But for most do-it-yourself businesses one site is plenty.

Other SOHO Web site requirements
In addition to the minimum requirements of Windows XP and IIS 5.1, to run a full-time, secure SOHO Web site you will want to invest in:
  • A computer that stays connected to the Internet 24/7 (therefore, your traveling laptop won’t do).
  • A static IP address. Most ISPs will provide one for an extra fee if it’s not already included as part of your business account.
  • Your own domain name, such as Purchase this name from a domain name registrar such as Network Solutions.
  • A firewall to reduce your Web site and SOHO network’s vulnerability to Internet mischief. A properly configured hardware or software firewall blocks all Internet activity except that which you authorize. For a quick software solution, consider using ZoneAlarm Pro ($50 per license).
  • A router to enable you to share the cable or DSL broadband connection among your small office or home network computers. Often, routers include basic firewalls. You may want to configure it to isolate your Web site from the rest of your network.

Installing IIS
IIS does not install by default when you first set up Windows XP Pro. To add the client Web server later on, place your Windows XP Professional CD in the CD-ROM. Click Start | Control Panel | Add or Remove Programs. Click the Add/Remove Windows Components icon on the left of the following dialog. Within the Windows Components Wizard, click the check box for Internet Information Services (IIS), as shown in Figure A.

Figure A
Check Internet Information Services (IIS) to add this component to Windows XP Professional.

Each IIS option adds a security risk to your network. Therefore, when configuring installation options, weigh necessity against vulnerability, and only install what you absolutely need. If you change your mind later, you can always add components then.

Note that the IIS checkbox is grey. This means there are further components that have not been selected. To view them, click the Details button.

FTP Server is unchecked by default. If you want to install this, check the File Transfer Protocol (FTP) Service box.

Consider unchecking the SMTP Service, which is checked by default. SMTP, or Simple Mail Transport Protocol, allows your Web site to include its own mail server. But the advantage of sending and receiving e-mail with your domain name in the address ( may not be worth the risk.

Some domain name registrars like Network Solutions offer the ability to forward mail with your domain name to your regular ISP account. If yours does so, use its mail forwarding service and let the registrar worry about SMTP security.

Note that within the Details window the World Wide Web Service option is also grayed out, which means you need to drill down another layer. Again, click Details. By default, both the Printers Virtual Directory and the World Wide Web Service are checked. You can also add Remote Desktop Web Connection if you need remote management (this is in place of Telnet), and a Scripts Virtual Directory, if you will be running scripts. I suggest leaving only the World Wide Web service checked.

After customizing your installation, click OK to accept and dismiss both Details windows, then click Next to start the setup program. Installation will take a few minutes.

Configuring IIS 5.1
When installation is complete, you won’t need to reboot. However, you will need to stop your new Web server, as Microsoft repeated the mistake it made with 5.0: when freshly installed, the server is up and running a default Web page. This is like leaving your front door unlocked when no one is minding the store.

Why didn’t Microsoft leave the server off by default? Who knows? But until you have a chance to configure your system and update IIS with the latest patches, you don’t want to be broadcasting to the Web.

At least Microsoft fixed one flaw. With 5.1, once you turn off a service, it stays off. In 5.0, when you rebooted, the Web site came right back on.

To turn off the server, open the Internet Information Services manager by choosing Start | Control Panel. In the Control Panel, double-click Performance And Maintenance. Highlight Internet Information Services and right-click. Select Pin To Start Menu so you won’t have to drill down this far ever again. Then double-click the icon to open the Microsoft Management Console (MMC).

Expand the list of Web site components in the left pane’s tree view until Default Web Site is visible. Right click Default Web Site and select Stop. The left pane will now read (Stopped). Do the same for FTP, if you installed it. For SMTP, simply right-click Default SMTP Virtual Server on the tree and select stop. A red “x” will appear to show it’s now disabled. The result should look like Figure B.

Figure B
After installation, stop Web services so that your network isn’t vulnerable to intrusion.

By the way, In Administrative Tools you'll find another new MMC, the Server Extensions Administrator, for configuring FrontPage Server Extensions if you installed them. If you were familiar with version 5.0, then you will note that two additional consoles are no longer present, the Personal Web Manager and Telnet Server Administration.

Updating, patching, securing
IIS 5.1 is no different from any other Web server in that when first installed it’s a security risk. Now that you have disabled the Web server, you can prepare for publishing a more secure Web site.

First, apply or reapply Windows XP Service Pack 1 or 1a, whichever you installed. Previous IIS patches are combined in this Service Pack. Browse to Windows Update and download any new IIS patches. Among them, you will find Cumulative Patch 811114, released in May, 2003. This release affects IIS 4.0, 5.0, and 5.1 and its components, such as FrontPage Server Extensions.

Next, download Microsoft’s IIS Lockdown Tool version 2.1. This utility helps IIS by disabling features you don’t plan to use. It does so by applying a template of options for specific Web site roles you select, such as Static Server or Dynamic Service with ASP enabled. You can run it as needed to reconfigure your site. According to Microsoft, the tool works with IIS versions 4, 5, and 5.1.

More IIS tweaks
An important step in the security process is to delete files and disable settings that can be compromised by hackers. For example, you should delete the directories c:\inetpub\isssamples and c:\windows\help\isshelp.

These directories of script samples and documentation present a security risk, as hackers have been known to use them to tunnel through IIS to the host OS.

In version 5.0, it was also considered proactive to disable unneeded file extensions (now called script mappings) that exposed dll calls, such as .printer and .idx (indexing service). But in 5.1, many of these extensions have been removed or their mappings moved to the Front Page Extensions folder.

The one remaining extension you might consider removing is called .idc (Internet database connector). To remove .idc, open the Internet Information Services Manager. In the left pane’s tree listing of your as-yet unpublished Web site, right-click on the Web Sites folder, and select Properties.

In the Web Sites Properties sheet, click the Home Directory tab, and then the Configuration Button. This will configure all the properties of any Web site created from now on.

In the Application Configuration window, highlight .idc and any other file extensions you don’t want, as shown in Figure C. Click remove, then click OK.

Figure C
Remove unneeded extensions such as .idc that may be security risks.

As a further precaution, return to the Home Directory tab and uncheck Index This Resource to turn off file indexing for your Web site. Click OK to dismiss the menu.

An Inheritance Overrides dialog will inform you that the configuration of certain child nodes override the indexing property you just set. Select all the child nodes and click OK to turn off indexing.

Publishing your Web site
Now that you've made IIS 5.1 more secure, publish your Web site. Author Web pages using your favorite authoring tools and create images with a drawing program. Place them and any media files, such as sound and video files, in the directory c:\inetpub\wwwroot and the subdirectories you create, such as \images.

The wwwroot directory is mapped to the Default Web Site folder listed in the Internet Information Services MMC tree. You can verify this fact by highlighting Default Web Site, right-clicking, and selecting Properties. Then click the Home Directory tab. The local path text box contains the path to the default Web site (Figure D). If you wish you can change this path to another directory.

Figure D
Use the Home Tab to change the location of your default Web site.

Note that via radio buttons you can also change the path of the default Web site to a share on another computer, and even redirect the site to another URL.

In the Web Site tab (Figure E), you can change your site’s description displayed in the tree (Default Web Site isn’t very interesting). This tab is also where you fill in your site’s IP address. The currently assigned IP address will appear on the drop-down list, making it easy to enter this information. You can also make adjustments to ports, timeouts, and other advanced options here. These values should not need to be changed for basic Web sites.

Figure E
In the Web Site tab, enter a description for your Web site and an IP address from the drop-down list.

Click OK. A message will inform you that IIS needs to be restarted for these changes to take effect. Click OK. Doing so will not publish the Web site to the Internet, it will only restart the IIS manager.

While the Web server is still stopped, test and edit your Web site. When you’re ready, activate the IIS 5.1 Web service by right-clicking the Default Web Site in the Internet Information Services MMC tree and choosing Start. You’re now broadcasting live.

A new Web site will take a few days to propagate throughout the Internet. After waiting a reasonable amount of time, check that the Web site is really available to your customers. Do this from a remote computer connected to the Internet, not from your own computer on your SOHO network.

With a business site up and running, remember to periodically peruse Web access logs and firewall logs for visitor statistics, errors, and security problems.

Testing and troubleshooting
So you've purchased a domain name, installed IIS 5.1, built a Web site, and turned it on...and it doesn't work. Here's a list of troubleshooting tips taken from my previous article on IIS and updated where needed:
  • First steps: Is IIS on, are your network cables connected, is your broadband modem connected, and is your service up and running? If you have a hardware firewall and router, check those as well.
  • Are your Web files accessible? Verify that you've put your Web files in the correct folder and named them correctly—especially the default home page.
  • Have you been hacked? If your Web site had been working, but pages now appear different or are no longer in your directory, immediately turn off your Web site, unplug from the network, and check your logs and files to see if a hacker has broken in. Run a virus scan.
  • Is the problem outside your network? If you've received reports that your Web site cannot be reached, ask someone on a different network to try. It may be that one leg of the Internet is experiencing problems. You can help repair the broken leg by reporting problems to that visitor's ISP.
  • Did your "static" IP address change? Go to Start | Run, type cmd, and press [Enter]. In the command line interface, type ipconfig /all and press [Enter]. Compare the IP address given in ipconfig with the address provided by your ISP. If they are different, perhaps your ISP didn't give you a static IP address after all. But before complaining, type ipconfig/release and ipconfig/renew and see if that fixes the disparity.
  • Does your domain name or IP address work? If typing doesn't work from your browser, try typing your IP address instead. Use the numbers given by ipconfig /all, as instructed above. If the address brings up your Web site, but the domain name doesn't, this suggests a DNS error. A call to your ISP is in order.
  • Did you point your domain name to the correct IP address? Recheck your account with your domain name provider to see if your domain name is correct and is matched correctly with your IP address.
  • Have you given Internet DNS servers enough time to update? If you just purchased a domain name or just changed an IP address, you should wait a few days for the Internet DNS servers to include your new information before calling for help.
  • Are your routers and firewalls configured correctly?
  • Is your cable or DSL modem configured correctly? For example, some DSL modems can function as network bridges or limited routers. You may need to switch to bridged mode for your Web site to work or further configure your modem.
  • Is IIS getting through your firewall? Check your firewall configuration to see if it is allowing your Web site to pass through on port 80.
  • Did you disable anonymous access in IIS 5.1, or did you configure permissions so that files can’t be read by Web browsers?