Web Hosting on Windows 2000 (Deployment)
Published: July 11, 2002
Host Guide_KenM
Welcome to today's TechNet Chat. Our topic is Web Hosting on Windows 2000 (Deployment). Questions, comments, and suggestions are welcome.
Host Guide_KenM
The Input Room (below) is where guests can enter questions for our Hosts today. We will read them and select questions to answer. The questions and answers will be posted in the Reading Room.
Host Guide_KenM
We will make an effort to answer as many questions as we can. There may be times when a question may be asked that we do not have an immediate answer for or cannot get to. We encourage you to post any of these questions in the TechNet newsgroups.
Host Guest_Mary
Thanks to everyone for attending today. Welcome to Rob Gillen, our Subject Matter Expert today who is Provisioning Technical Lead for eQuest Technologies, a consulting firm that has been working with Microsoft for several years. Rob is an experienced developer/engineer who has served as developer on the Microsoft Provisioning System for the past five years.
Host Guest_Mary
If anyone would like more information on eQuest, please email internetsolutions@eqinc.com. If anyone requires some direct feedback or follow-up, please whisper to me. Welcome, Rob.
Host Guide_KenM
Please feel free to begin posting your questions in the room below. Please begin your questions with a Q: this will help us quickly identify the questions.
Host Guest_Rob_eQuest
Q: nei : Are there plans to release any new provisioning system?
Host Guest_Rob_eQuest
A: Yes, Microsoft has just RTM'd (Released to manufacturing) the new Microsoft Provisioning System 1.0
Host Guide_KenM
This question was submitted via email prior to the chat.
Host Guide_KenM
Q: Does Microsoft provide a methodology for deploying IIS in a Hosted fashion?
Host Guest_Rob_eQuest
A: Yes, Microsoft offers a package of documents and tools called the Solution For Windows Web Hosting 1.0
Host Guest_Rob_eQuest
Q: Abby : Where can I download the Microsoft Provisioning System?
Host Guest_Rob_eQuest
A: As this product has just released, more information will be available on http://www.microsoft.com/serviceproviders/ within the next few weeks
Host Guest_Rob_eQuest
A: Another option would be to subscribe to the newsletter (same url) and you will be notified
Host Guest_Rob_eQuest
Q: Abby : We are looking to deploy Commerce server as ASP (application Service provider) solution in about 6-8 months time. Would it be a good idea to start testing using .net web server or stick to windows 2000.
Host Guest_Rob_eQuest
A: Commerce Server 2002 does not currently operate on Windows .Net Server beta 3
Host Guest_Rob_eQuest
A: CS 2002 will be supported on .Net Server with the release of CS 2002 service pack 1
Host Guide_KenM
Please visit http://www.microsoft.com/serviceproviders/webhosting/ for additional information on today's topic.
Host Guide_KenM
For those new to the chat - Our topic is Web Hosting on Windows 2000 (Deployment).
Host Guest_Rob_eQuest
Q: Will the Provisioning System be geared for IIS or only for MCIS?
Host Guest_Rob_eQuest
A: This is geared specifically for IIS Hosting on Windows 2000
Host Guest_Rob_eQuest
A: This product also allows for provisioning of FPSE and STS
Host Guest_Rob_eQuest
A: Also Hosted Exchange and can be extended to provision anything that has an exposed API (with custom development)
Host Guest_Rob_eQuest
Q: jhonny : what microsoft product is used to manage content ? Site Server?
Host Guest_Rob_eQuest
A: You should investigate Microsoft Content Management Server
Host Guest_Rob_eQuest
A: Site Server is a retired product
Host Guest_Rob_eQuest
Q: Are there plans to simplify Windows 2000/.NET Web Server licensing for Web Hosts?
Host Guest_Rob_eQuest
A: The simple answer is yes. This information will be available on the http://www.microsoft.com/serviceproviders/ site in the next few months
Host Guide_KenM
Please visit http://www.microsoft.com/serviceproviders/webhosting/ for additional information on today's topic.
Host Guide_KenM
There is also a presentation available at http://www.mymsevents.com/MyMSEvents/attachment.aspx?a=18\517\DEP347.ppt
Host Guest_Rob_eQuest
Q: Rob_eQuest: Who is the intended audience for the new provisioning system, is it a solution that will become available for small Web Hosts as well as the larger companies?
Host Guest_Rob_eQuest
A: this system is targeted at all ISPs/ASPs in contrast to former versions of provisioning solutions released by MS, this product is designed to scale very well from a small 2-3 server deployment to a large multi-datacenter deployment
Host Guest_Rob_eQuest
A: if you are familiar at all with MAPS 2.5 or MAPS 4, this product is the replacement for both of those and is SIGNIFICANTLY improved
Host Guest_Rob_eQuest
Q: What are some of the security issues regarding shared Hosting on IIS using both FTP and FPSE as publishing methods?
Host Guest_Rob_eQuest
A: This is actually a very important issue
Host Guest_Rob_eQuest
A: I was working with a client a few months back that had a few of their Hosted websites hacked due to misconfigured directories and permissions.
Host Guest_Rob_eQuest
A: the problem is, that when you enable a site with Front Page Server Extensions, FPSE goes through and creates a bunch of dirs and also stamps a number of permissions
Host Guest_Rob_eQuest
A: the ACL that is the most dangerous is that it gives the Interactive Users group permissions to write to a few directories
Host Guest_Rob_eQuest
A: it also gives this group permissions on the folder ABOVE the root of that particular web site.
Host Guest_Rob_eQuest
A: therefore, the ideal structure is to permit ONLY FPSE -or- FTP publishing to a particular web site
Host Guest_Rob_eQuest
A: so, in a Hosted environment, you may have two separate trees for your web servers
Host Guest_Rob_eQuest
A: one dir structure would hold your FPSE-Enabled sites and the other dir tree would hold sites that can publish via FTP
Host Guest_Rob_eQuest
A: To explain further, if a valid user connects to his site to publish via FTP he is now authenticated and has the permissions of the "Interactive User"
Host Guest_Rob_eQuest
A: if this user guesses the path to someone else's _vti_pvt folder (i.e. it is browseable from his FTP root) he will then have the ability to upload potentially malicious content to this dir.
Host Guest_Rob_eQuest
A: One client had a hacker upload over 25 GB of junk to folders exposed in this fashion
Host Guest_Rob_eQuest
A: so, if you keep everything separate, such that FPSE sites are in a different dir structure than FTP sites, you can avoid this security threat
Host Guest_Rob_eQuest
Q: dmtech : Has Microsoft taken any steps to strengthen security, and if so, what do these steps include?
Host Guest_Rob_eQuest
A: The short answer is yes. The longer answer is to visit http://www.microsoft.com/security/ and/or http://www.microsoft.com/serviceproviders/
Host Guest_Rob_eQuest
A: both should have links to the IIS lockdown tool and other guides for securing your web server.
Host Guide_KenM
A: Also visit http://www.microsoft.com/technet/security/default.mspx
Host Guest_Rob_eQuest
A: Also, it is very important to keep your servers updated with the latest patches
Host Guest_Rob_eQuest
A: One very helpful tool recently released by MS is the Software Update Services, http://www.microsoft.com/windowsserversystem/sus/default.mspx
Host Guest_Rob_eQuest
A: This tool allows you as an administrator to basically run your own internal windows update server and then you can push the updates out to your servers on a pre-defined schedule
Host Guest_Rob_eQuest
A: sites such as the following http://www.microsoft.com/technet/security/chklist/wsrvsec.asp provide lots of good information on locking down your servers
Host Guest_Rob_eQuest
Q: Nero : I just need a location to download bootdisks for Win2000 setup... my 4th disk is corrupted
Host Guest_Rob_eQuest
A: This is available on your windows 2000 cd. There is a directory called boot or something similar with instructions and a batch file.
Host Guest_Rob_eQuest
Q: tsosms : how can I do capacity planning for web Hosting ?
Host Guest_Rob_eQuest
A: There are some very interesting tools for this
Host Guest_Rob_eQuest
A: The old standby was referred to as "homer" or the web application stress tool
Host Guest_Rob_eQuest
A: currently Visual Studio .Net has a tool called Application Center Test
Host Guest_Rob_eQuest
A: this is a very robust tool for developing stress tests to run against your servers
Host Guest_Rob_eQuest
A: you can simulate multiple authenticated users, various input and the test script outputs in vbscript so you can hand-modify and code the test if you prefer
Host Guest_Rob_eQuest
A: both tools offer the ability to simply watch you as you browse a site and record the actions and thereby develop the test script
Host Guest_Rob_eQuest
A: this is very helpful unless you like learning the API for all of the posting methods :)
Host Guest_Rob_eQuest
Q: nei : Cybertronic: If you are using MSFTP and customers FTP in using a username and password then they are "authenticating".
Host Guest_Rob_eQuest
A: this is correct... MSFTP only offers basic authentication (in contrast to the IIS web sites which offer Basic and Windows Integrated authentication)
Host Guest_Rob_eQuest
Q: tsosms : MY CLIENT WANT TO SETUP WEB STORE , WHICH SOFTWARE I NEED
Host Guest_Rob_eQuest
A: This technology is currently available both in Exchange Server 2000 and Sharepoint Portal Server
Host Guest_Rob_eQuest
Q: Cybertronic : Is special client software required to do authentication with FTP?
Host Guest_Rob_eQuest
A: No, the dos prompt will work fine
Host Guest_Rob_eQuest
A: the only issue is that the credentials are passed in clear text
Host Guest_Rob_eQuest
Q: Where can I find info on the different levels of App protection in IIS5 with regards to what will not work in Pooled or High?
Host Guest_Rob_eQuest
A: This is a very complex question
Host Guest_Rob_eQuest
A: the technical answer, is that everything that works in "low" will work in "high" if the security contexts are set properly
Host Guest_Rob_eQuest
A: in a Hosted environment, you may often wish to run your Hosted clients in medium or high so that a problem with one site does not cripple the entire server
Host Guest_Rob_eQuest
A: however, there is a performance hit when you move from low to medium or isolated.
Host Guest_Rob_eQuest
A: Medium is probably the safest compromise between security and performance
Host Guest_Rob_eQuest
A: then if you have a specific site that is either a security risk, or needs higher availability you could move that to high
Host Guest_Rob_eQuest
A: The issue is that there is a separate COM+ package created for each site that you move to High Isolation which, if you have a smaller number of sites is fine, but if you are trying to run 2000+ sites on a single box that definitely would not be recommended
Host Guest_Rob_eQuest
Q: Nero : Which Firewall do you regard as safe?
Host Guest_Rob_eQuest
A: This is not an easy question to answer
Host Guest_Rob_eQuest
A: the problems are not in the firewall software itself (normally) but rather in the configuration of the firewall
Host Guest_Rob_eQuest
A: Whichever technology you choose, be sure that the engineer that configures it is very knowledgeable with that product and can lock it down as tight as is reasonable for your application
Host Guest_Rob_eQuest
Q: Cybertronic : How do you limit a user's ability to access files with ASP and OLE File System Object?
Host Guest_Rob_eQuest
A: This can be controlled by the user account that you use
Host Guest_Rob_eQuest
A: by default, the account used is IUSER_<machineName>
Host Guest_Rob_eQuest
A: however, if you enable basic auth, you can then secure the file via NTFS permissions to allow only the specific users you wish to have access to that particular file
Host Guest_Rob_eQuest
Q: MarkMichaelis : How do I copy a website configuration and all its files from one machine to another?
Host Guest_Rob_eQuest
A: The best tool is to use AppCenter
Host Guest_Rob_eQuest
Q: What are some of the settings within IIS that should be configured for a shared environment?
Host Guest_Rob_eQuest
A: I was working with a client on this very subject a little while ago
Host Guest_Rob_eQuest
A: they had been hacked in the past and wanted to lock down their servers
Host Guest_Rob_eQuest
A: after following the MS-recommended procedures, they were most of the way there
Host Guest_Rob_eQuest
A: one thing to look at is the ASP Enable Parent Paths setting
Host Guest_Rob_eQuest
A: if you disable this it will prevent people from trying to guess the path of your system folder, i.e. using code to create URLs that look something like ../../../winnt/cmd.exe format c:
Host Guest_Rob_eQuest
A: obviously, that could be a bad thing.
Host Guest_Rob_eQuest
A: another common mistake is to leave indexing enabled for all sites
Host Guest_Rob_eQuest
A: in a Hosted scenario, if you simply accept the defaults and leave indexing enabled, Index server will index the content on ALL Hosted sites
Host Guest_Rob_eQuest
A: This would cause a problem in that if you search on one of the Hosted sites, you could return results from other Hosted-customer's sites (obviously not a good thing)
Host Guest_Rob_eQuest
Q: nei : Are there any plans to introduce something like the WWHP again?
Host Guest_Rob_eQuest
A: yes, Version 1.5 is scheduled to be released sometime this fall
Host Guest_Rob_eQuest
Q: MarkMichaelis : AppCenter has a significant cost. Is there an easier way for once in a while kinds of copying?
Host Guest_Rob_eQuest
A: There is not a released product that I am aware of. You can backup the metabase, and copy the files but you may run into issues restoring the metabase to a different server
Host Guest_Rob_eQuest
A: it would be worth testing
Host Guide_KenM
Thanks for joining us today and thanks for the questions. It's time for us to go now. You'll be able to find the transcript of this chat soon on the TechNet Web site at http://www.microsoft.com/technet/community/chats/trans/default.mspx and http://www.microsoft.com/serviceproviders/default.mspx.
Host Guide_KenM
Please visit http://www.microsoft.com/serviceproviders/webhosting/ for additional information on today's topic. There is also a presentation available at http://www.mymsevents.com/MyMSEvents/attachment.aspx?a=18\517\DEP347.ppt
Host Guest_Rob_eQuest
Q: Cybertronic : Is the Enable Parent Paths setting something that could be done for one site and not another? I don't want to restrict myself.
Host Guest_Mary
Thanks to all for joining us today and thanks to Rob Gillen for Hosting. I hope this has been helpful. For more information about eQuest Technologies, please contact us at internetsolutions@eqinc.com
Host Guest_Rob_eQuest
A: Yes, this is a site-specific setting
Host Guest_Mary
Please look for your newsletter with the next topic and feel free to ping the Web Hosters Team with any suggestions.
Host Guide_KenM
Thanks everybody. Please see the chats schedule for upcoming topics.