Note: I had written this only a couple of days after Chris Adams published his great IIS7 Intro Article. You can find that article and the video here: http://blogs.iis.net/chrisad/archive/2007/03/01/getting-started-with-iis-7-0.aspx
IIS 7 Client Beginner’s Guide:
So, you want to turn your box into a web server? There are hundreds of great reasons for doing so. You can learn about all sorts of web development features, create personal blogging spaces and photo galleries, and more! With Vista Ultimate, Professional and Home Premium Editions an enterprise class web server is at your fingertips. Let’s get started!
Turning your home machine or home server into a web server is no trivial task. There is a lot of important security information that you as a system administrator should be aware of. Here are two topics you should be familiar with before jumping off the deep end:
1. Windows Security Center’s Firewall
2. Windows Updates
3. LUA and Windows Services
Windows Security Center’s Firewall is the front line defense between your machine and the outside. By design almost all of the ports are closed to outside traffic in order to protect your machine. This poses a slight problem when trying to turn a computer into a web server. In order to make your website available to the outside world you have to add an exception to the Firewall settings. More on that later…
Windows Updates are essential to keeping your computer’s software secure. Keeping your computer updated while running a website should be a top priority. There are two great practices for using Windows Update. The first is updating your machine as soon as you complete installation/reinstallation of Vista. Second, turning on the Update Automatically setting so this can become a Set and Forget feature.
Least-Privileged User Access is a turned on by default and is active even as an administrator in Windows Vista. A great article describing what this actually is can be found at TechNet:
The Internet Information Service Administration tool can only be run by an administrator. Another important point of which to be aware is that IIS runs as a service and will continue to run unless the administrator explicitly stops it. Closing the IIS Administration UI does not turn off the web service.
Also, consider what sort of website you’re going to run from your home machine. Is this going to be a collection of simple static pages or is your website going to be running slick CGI scripts or web applications? Different websites require different amounts of time paying attention to security bulletins so be aware of what you’re jumping into.
Part 1: Installing IIS
Unless you specifically chose to install IIS as a Windows component during the initial setup, the chances are small that it is currently installed on your machine. So, how do you install IIS?
1. Go to Control Panel – Programs –Turn Windows Features on or off.
2. Scroll down to find Internet Information Services.
3. Click the box next to Internet Information Services and click OK.
4. When the IIS installation is complete open up a web browser and type http://localhost into the address bar.
That’s all there is to it. You should be looking at the default install IIS7 website.
Part 2: Configuring Your First Website
Open up the IIS Manager from the Start Menu. This can be done simply by typing inetmgr into the Start Menu search box in Windows Vista.
This is the IIS Administration UI. It allows administrators to tweak almost everything their web server does. The easiest way to access all the content served for the default web site is by right clicking on Default Web Site in the Connections Frame and clicking Explore. This will bring up the wwwroot folder that contains website’s configuration file and content. For now, this is the root directory for any website hosted by this machine.
Here are the steps for changing Default Web Site’s default document:
1. Click on Default Website in the Connections Frame
2. Double Click on the Default Document module in the Features Pane
3. Remove iisstart.htm from the list of default file name
Now when a web browser attempts to connect to this machine the IIS7 page will no longer be a default option. Make sure that a file exists with one of the default document file names or the web server will give any web browser a Page Not Found 404 Error.
Part 3: Turning the Web Server On and Off
By default the static file handler is turned on and will remain on unless you explicitly stop the service. Other web server capabilities (i.e. ASP.NET) are turned off by default. Turning your web server on and off is important in cases of your web server being compromised, upgrading and maintaining non-static web sites and minimizing your security risk when the web service is not required.
To turn the web server OFF from the IIS Management UI first select the machine node in the Connections Frame. Then click Stop under Manage Web Server in the Actions Task Pane. This will stop the web service for the entire machine.
To stop services to a single web site select that website in the Connections Frame and click Stop under Manage Web Server in the Actions Task Pane. This applies only to the currently selected web site.
Part 4: Opening Up to the Outside World
Windows Firewall blocks the World Wide Web Services port by default (Port 80). With this port blocked, other machines cannot connect to your web server. This severely limits the scope of potential web site viewers. So, in order to show your new web site and server to the outside world you must add an exception to the Windows Firewall.
1. Click Start and type firewall into the Search bar and press enter. (Note: Make sure you select Windows Firewall and not Windows Firewall with Advanced Security)
2. Click Change Settings
3. Click the Exceptions Tab and Scroll to World Wide Web Services (HTTP).
4. Click the check box and click OK.
Now your machine is accessible to the outside world. You can connect to your machine by typing in the IP address of your server into another machine’s web browser.