IIS Insider - November 2001
Top 5 Questions and Answers on Internet Information Services
By Brett Hill
How to Make W3SVC Formatted Log Files Use Server Time
Q: On our IIS 5, SP2 stand-alone server, we have our log files set up for the W3SVC format. The server works great but the activity recorded in the log files is off by several hours. We've looked around the IIS snap-in but have not found anywhere to configure this item. Can you tell us how to get the log files to use the time as configured on the server?
A: The W3SVC log file format is not a Microsoft standard. It is an RFC working draft that can be found at http://www.w3.org/TR/WD-logfile.html. The document states "Dates are recorded in the format YYYY-MM-DD where YYYY, MM and DD stand for the numeric year, month and day respectively. All dates are specified in GMT. This format is chosen to assist collation using sort. Times are recorded in the form HH:MM, HH:MM:SS or HH:MM:SS.S where HH is the hour in 24 hour format, MM is minutes and SS is seconds. All times are specified in GMT."
GMT is Greenwich Mean Time or, as it is called these days, Standard Time. This means that you can't configure your logs to record in your local time. To make matters a bit more confusing, your log files will roll over at midnight local time, except when set to the W3SVC log file format, in which case they roll over at midnight GMT.
In IIS 5, you can configure your server to use midnight local time to roll over (and name, if applicable) the log files by setting the "Use local time for file naming and rollover" checkbox on the Extended Logging Properties Sheet. Note that this does not cause events in the log file to use the local time.
Even though the log file entries are not recorded in local time, since the W3SVC log file format is a proposed standard in widespread use, most commercial web server log reporting systems will convert the dates and times to your local time. Additionally, there is a utility called CONVLOG (http://download.microsoft.com/download/winntsrv40/Update/convlog/NT4/EN-US/convlog.exe) that allows you to convert the dates and times to your local time as well as convert log file format types.
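The conversion described above, as an added example that is not part of the original column: a short Python parser that reads the #Fields directive, treats each entry's date and time as GMT, and converts it to a chosen local zone. The function name, the fallback to the #Date directive when no date field is logged, and the sample log lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the extended log layout (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-11-02 03:14:58
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-11-02 03:15:07 192.0.2.10 GET /default.asp 200
2001-11-02 14:02:41 192.0.2.44 GET /images/logo.gif 304
"""

def parse_extended_log(text, local_tz):
    """Yield one dict per entry, adding 'gmt' and 'local' datetimes."""
    fields, directive_date = [], None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#Date:"):
            directive_date = line.split(":", 1)[1].split()[0]
        elif line and not line.startswith("#"):
            entry = dict(zip(fields, line.split()))
            # Assumption: when no date field is logged, use the #Date directive.
            day = entry.get("date", directive_date)
            hms = entry["time"].split(".")[0]  # drop an optional .S fraction
            if hms.count(":") == 1:            # HH:MM form, add seconds
                hms += ":00"
            gmt = datetime.strptime(f"{day} {hms}", "%Y-%m-%d %H:%M:%S")
            entry["gmt"] = gmt.replace(tzinfo=timezone.utc)
            entry["local"] = entry["gmt"].astimezone(local_tz)
            yield entry

if __name__ == "__main__":
    eastern_standard = timezone(timedelta(hours=-5))  # fixed offset, no DST
    for e in parse_extended_log(SAMPLE_LOG, eastern_standard):
        print(e["gmt"].isoformat(), "->", e["local"].isoformat(), e["cs-uri-stem"])
```

With a UTC-5 offset the first sample entry falls on the previous local calendar day, which is the effect to keep in mind when matching log entries against events recorded in local time.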
Possible to Create Multiple Web Sites with Windows 2000 Professional?
Q: I've installed Windows 2000 and IIS 5.0 on my workstation but cannot create multiple websites. I've read that IIS supports creating many websites on a single computer. Is there some setting I'm missing?
A: IIS 5 can be installed on Windows 2000 Professional (and IIS 5.1 on Windows XP Professional). However, these are "client" operating systems and are not intended for use as servers. Consequently, there are some differences in the features that are available when IIS 5.x is installed on a client operating system. These include:
- Limited to one web site
- Limited to 10 simultaneous connections to IIS
- No IP address restrictions
- Administrative Web Site is not installed
- No ODBC connection logging
Nevertheless, IIS 5.x runs ASP and can be used as a development platform for code that will eventually be used on Windows 2000 Server.
Download or Run the Executable File
Q: Our company delivers software to our clients in the form of EXE files. We create links to these files from our delivery page but when you click on the links, nothing happens. How can we cause the popup message to appear asking the client if they want to download or run from the existing location?
A: You need to change the Permission setting on the website or directory to None or Scripts. You currently have it set to Execute. When a user clicks on a link that points to an executable on an IIS server that has permissions set in the IIS snap-in to None or Scripts, the user will be asked if they want to download the executable.
Backing Up and Securing Metabase.bin
Q: I've read that the metabase.bin file contains the configuration information for IIS. How can I back up and secure metabase.bin?
A: Regarding securing the metabase, the default NTFS permissions are SYSTEM and ADMINISTRATOR Full Control. Consequently, no user account has access to the file. There is a registry entry that allows you to relocate and rename the metabase which some security experts suggest. That Registry key is HKLM\Software\InetMgr\Parameters, value name MetadataFile with the value type REG_SZ containing the full path to the filename including the filename.
While it is possible to relocate and rename the metabase, it is secured by default and if someone gains access to the system as the SYSTEM account or Administrator, it should not be much of a challenge to identify the location and name of the metabase. Consequently, I do not take much stock in this particular technique of security through obscurity.
Backing up the metabase is quite easy. You can just copy the file using Windows Explorer, xcopy or any number of other file copy commands. In IIS 5, you can make iterative backups of the metabase from within the IIS Snap-in. For those of you using IIS 4, MetaEdit 2.2 offers this same capability and runs on Windows NT. As if these options weren't enough, there is a script provided called Metaback.vbs that makes a backup as well.
Given that it basically couldn't be easier, I want to encourage readers to make regular backups of their metabase. If something happens to that file and you do not have a backup, you are looking at a reinstall of IIS, as the metabase in IIS 4 and IIS 5 is machine-specific. To guard against this circumstance, in addition to making a backup of the metabase, export the metabase to a text file (which is one of the features of MetaEdit 2.2), as the exported text file can then be imported to other IIS servers.
How to Use WebDAV
Q: I have seen some information regarding the use of WebDAV on Windows 2000 but do not understand how this feature is enabled, used, and secured. Could you explain if this is something we can use for publishing to our web server and what we need to be concerned about?
A: WebDAV stands for Web Distributed Authoring and Versioning and is covered by RFC 2518 and others. This feature has an eccentric name that could cause you to skip over it when mentioned, but it is an important capability of Windows 2000 and IIS 5. Like any powerful capability, it can be extremely useful and consequently can be misused as well.
In a nutshell, WebDAV allows you to publish files and folders to an IIS 5.x web server from a Windows 2000 desktop without using FTP, FrontPage Server Extensions, the Web Publishing Wizard, or any other specialized utility. You can very easily create a special class of folder called a "web folder" that is mapped to an IIS 5.x web site. You can then drag and drop content to the web folder and the content will be published to the server immediately. WebDAV uses HTTP over port 80, so it works over the internet and via proxy, presuming authentication is correctly configured.
In addition to simply publishing files to the web server, you can manipulate files on the web server very much as if it were a local folder. In fact, you can think of WebDAV as a remote file management tool for IIS servers that works using HTTP and port 80 instead of NetBIOS and shared folders.
There are two methods to create a web folder. You can open Internet Explorer and select File-Open, then type in the URL you use to access the web server. Before pressing Enter, set the Open as a Web Folder checkbox. The other method is to open My Network Places and select Add New Network Place, then type in the URL to the web server.
In addition to the Windows 2000 desktop and Internet Explorer, Microsoft Office applications are WebDAV enabled. This means you can save a PowerPoint presentation or Word document directly to an IIS 5 web server by typing in the web server URL when saving a document.
WebDAV is enabled by default in IIS 5 and Windows 2000. There is no "on" switch. To disable WebDAV, you can remove all the permissions from the file HTTPEXT.DLL. This includes the local Administrator and System accounts. Be sure to re-enable those permissions when you apply hotfixes or Service Packs that require HTTPEXT.DLL to be updated.
Windows XP contains an even deeper WebDAV integration. Using XP, all Win32 applications are WebDAV enabled, as the OS itself contains WebDAV capability. This includes the ability to map a drive to a WebDAV folder and use it as a remote file store or publishing folder. Additionally, in XP, you can use a UNC pathname to map to an IIS 5 website or directory.
Of course, all of this ease comes with a price. To publish using WebDAV, you must enable the Write permission on the web sites or directories using the IIS snap-in. Additionally, if you want to publish scripts such as ASP to the web site using WebDAV, you will need to enable Script Source Access.
With the Write permission enabled on the web site, it is absolutely essential that your NTFS permissions be properly configured. The IISLockdown tool at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC has the ability to configure your web content such that the IUSR (Internet Guest Account) is effectively assigned the Deny Write permission. The tool can also be used to disable WebDAV.
While this is not all there is to say about WebDAV by a long shot, it is already clear that there's more to this feature than many realize. Like any powerful tool, it can be a great asset, but it needs to be managed for safe use.
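One way to confirm that disabling WebDAV or removing the Write permission took effect on your own server, as an added example that is not part of the original column: classify the server's answer to an HTTP OPTIONS request by its DAV header (RFC 2518) and its Allow header. The function names and the three responses are constructed for illustration and assume the server advertises permitted methods in Allow.

```python
# Content-changing methods: PUT and DELETE from HTTP/1.1, the rest from RFC 2518.
WRITE_METHODS = {"PUT", "DELETE", "PROPPATCH", "MKCOL", "COPY", "MOVE"}

# Constructed OPTIONS responses (not captured from a real server).
WRITABLE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nDAV: 1, 2\r\n"
            "Allow: OPTIONS, GET, HEAD, PUT, DELETE, MKCOL, PROPFIND, "
            "PROPPATCH, COPY, MOVE\r\n\r\n")
READ_ONLY = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\ndav: 1, 2\r\n"
             "Allow: OPTIONS, GET, HEAD, PROPFIND\r\n\r\n")
DISABLED = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
            "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n")

def parse_headers(raw):
    """Return a dict of lower-cased header names to lists of values."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break                       # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_options(raw):
    """Classify one OPTIONS response as 'writable', 'read-only' or 'disabled'."""
    headers = parse_headers(raw)
    # RFC 2518: a DAV-compliant resource lists its compliance classes in DAV.
    classes = [c.strip() for v in headers.get("dav", []) for c in v.split(",")]
    allowed = {m.strip().upper() for v in headers.get("allow", [])
               for m in v.split(",") if m.strip()}
    writes = sorted(allowed & WRITE_METHODS)
    if not classes:
        state = "disabled"
    elif writes:
        state = "writable"
    else:
        state = "read-only"
    return {"state": state, "dav_classes": classes, "write_methods": writes}

if __name__ == "__main__":
    for name, raw in (("writable", WRITABLE), ("read-only", READ_ONLY),
                      ("disabled", DISABLED)):
        print(name, audit_options(raw))
```

A "writable" result reflects only what the server advertises; whether a given account can actually write is still decided by the NTFS permissions on the content.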