Exploring IIS

Logging in IIS 8

Logging records information about site or application usage. Developers use this information when fixing issues, relying on the type and level of detail recorded in the log file.

Enabling Logging

To enable the logging feature in IIS, we need to turn on some features.
For more on how to turn on these features, see my previous blog post.

To enable logging, install the features marked in the image below.




Configuring Logging feature

#1. Open IIS.

#2. Click on the server, site, or application from the connections pane for which you want to configure the logging feature.

#3. Double click on Logging or select Logging and click Open Feature under the Actions pane, to open the Logging feature.

#4. You will now see the Logging window, as below.

#5. In that pane, select the values you require. The options are described below.
  • One log file per
    • If you want one log file per site, select Site; if you want a single log file for the entire server, select Server. Selecting Server in this drop-down is also known as Centralized Logging.
  • Log File
    • Format
      • IIS: This is a fixed, non-customizable ASCII format, so you cannot choose which details are logged.
      • W3C: This is the log format most widely used on web servers today.
      • NCSA: This is the default log format for Apache and other web servers. It is similar to the IIS format because it is also a fixed ASCII format.
    • Select Fields
      • Click this to customize the fields that are logged.
    • Directory
      • Specify the path where the log files are saved.
    • Encoding
      • Specify the encoding of the log file.
  • Log Event Destination
    • To use this feature, make sure that you have selected W3C as the log file format.
    • Choose whether to log to the log file, to event tracing, or to both.
  • Log File Roll Over
    • This option controls when a new log file is created.
    • You can choose either a schedule basis or a maximum size basis.
Once you are done with the changes, click on Apply in Actions pane to save the changes.

IP Address and Domain Restrictions in IIS 8

In this article, I will cover how to configure Dynamic IP Restrictions.

Introduction

IP Address and Domain Restrictions is one of the great built-in features of IIS 8. Configuring this feature allows a website administrator to selectively permit or deny access to the web server, websites, folders, or files, which makes your server more secure. You can set limits based on particular IP address(es) or on the frequency of requests from a particular IP over a period of time. By default, all clients requesting the website are permitted access unless specifically rejected.

Background

This feature was available in previous versions of IIS, where you could block one IP address or a range of IP addresses. The disadvantage was that you first needed to identify who was doing suspicious activity on your website, using tools like Log Parser to check the site logs, and only then could you block that IP address or range of IP addresses with Deny rules. Most professional attackers (hackers) use a variety of IPs from proxy servers, so by the time you have blocked a handful, a new range could be starting up.

Installing IP Address and Domain Restrictions in IIS 8

This feature is not installed by default. You need to install it from the Turn Windows features on or off window.

To do this, follow the steps below:
       1. Open the Control Panel.
       2. Click on Programs.
       3. Click on Turn Windows features on or off under Programs and Features.
       4. Install the required features.



Configuring IP Address and Domain Restrictions in IIS Manager

#1. Open IIS Manager. (Press WIN+R, enter inetmgr in the dialog, and click OK. Alternatively, search for IIS Manager in the Start screen.)
#2. Click on the IP Address and Domain Restrictions feature in the feature pane under the IIS section.


#3. Once you have opened this feature, you will see a window like the image below.


#4. The Actions pane elements are used for defining the rules that allow or deny particular IP address(es). Let’s have a deeper look at each of these elements.

Edit Feature Settings:

  • This action specifies the default access for all clients that are not covered by an Allow or Deny rule.
  • Clicking this action opens a window as shown in the image below.



  • Select Allow in the Access for unspecified clients dropdown if you want to allow all clients by default; otherwise select Deny.
  • If you want to configure rules based on the client’s DNS name, check the Enable Domain Name Restrictions checkbox. If you click OK to save the settings while this checkbox is checked, a warning is shown (image below) stating that performing DNS lookups is a potentially expensive operation. Click Yes to enable DNS lookup restrictions.

  • If you want to enable requests that come through a proxy server, check the Enable Proxy Mode check box.
  • Choose the Default Deny Action Type, which determines the response sent to clients when a request is denied. It can be Unauthorized (401), Forbidden (403), Not Found (404) or Abort the request.
  • Once you have selected your options, click OK to save the settings.
Add Allow/Deny Entry:

  • These two action types define a rule that allows or blocks a particular IP address or range of IP addresses.
  • Clicking either action opens one of the windows shown in the image below.
  • To create a rule for a specific IP address, select Specific IP Address and enter the client IP address in the provided text box.
  • To create a rule for a range of IP addresses, select IP address range and enter the subnet and subnet mask in the provided text boxes. For example, to permit access to all IP addresses in the range from 192.168.8.0 to 192.168.8.8, enter the subnet as 192.168.8.0 and the subnet mask as 255.0.0.0.
  • If you have enabled Domain Name Restrictions in the feature settings, you can set restrictions based on DNS names; otherwise this option is not available. To create a rule for a client domain name, select Domain name and enter the DNS name.
  • After entering the details, click OK to add the rule.
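
The subnet mask decides how many addresses an address-range rule covers, so it is worth computing the covered range before saving an entry. The following is an added example, not code from the original post: it uses Python's ipaddress module and assumes the usual subnet semantics, in which a client matches when its address ANDed with the mask equals the rule's subnet ANDed with the mask. The function names are illustrative.

```python
import ipaddress


def rule_span(subnet, mask):
    """Return (first, last, count) of the addresses an IP-range rule matches.

    Assumption: standard subnet matching, (client & mask) == (subnet & mask).
    """
    net = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def exact_rules(first, last):
    """Return the shortest list of (subnet, mask) pairs covering first..last exactly."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [(str(b.network_address), str(b.netmask)) for b in blocks]


def excess_addresses(subnet, mask, first, last):
    """Count addresses the rule matches that lie outside the intended first..last range."""
    net = ipaddress.ip_network(f"{subnet}/{mask}", strict=False)
    lo = max(int(net.network_address), int(ipaddress.ip_address(first)))
    hi = min(int(net.broadcast_address), int(ipaddress.ip_address(last)))
    overlap = max(0, hi - lo + 1)
    return net.num_addresses - overlap


if __name__ == "__main__":
    intended = ("192.168.8.0", "192.168.8.8")
    candidates = [("192.168.8.0", "255.0.0.0"), ("192.168.8.0", "255.255.255.248")]
    for subnet, mask in candidates:
        first, last, count = rule_span(subnet, mask)
        extra = excess_addresses(subnet, mask, *intended)
        print(f"{subnet} / {mask}: {first} - {last}, {count} addresses, {extra} outside the intended range")
    print("exact rules:", exact_rules(*intended))
```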
Edit Dynamic Restriction Settings:
  • This is a new feature introduced with IIS 8.
  • This action lets IIS dynamically determine whether to block certain clients, based on the number of concurrent requests at a time or the number of requests over a period of time.
  • By configuring this feature, you can protect your website from automated attacks such as dictionary attacks.
  • Clicking this action opens a window as shown in the image below.
  • To restrict clients based on the number of concurrent requests, check the Deny IP Address based on number of concurrent requests check box and enter the maximum number of concurrent requests in the provided text box.
  • To restrict clients based on the number of requests over a period of time, check the provided check box and enter the details in the provided text boxes.
  • Check the Enable the Logging Only Mode check box if you want IIS to log requests that would be rejected.
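
The W3C format from the Logging section and the requests-over-a-period-of-time setting above meet when you have to choose a threshold: replaying an existing log shows which clients a given setting would have denied. The following is an added example, not code from the original post; the sample log is constructed, the function names are illustrative, and the sliding-window count is an approximation of the setting rather than IIS's own algorithm.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended format (not taken from a real server).
# It contains a second #Fields: directive and a truncated last line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-03-01 10:00:00
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2014-03-01 10:00:00 GET /default.aspx 198.51.100.7 200
2014-03-01 10:00:01 POST /login.aspx 203.0.113.9 401
2014-03-01 10:00:01 POST /login.aspx 203.0.113.9 401
2014-03-01 10:00:02 POST /login.aspx 203.0.113.9 401
2014-03-01 10:00:02 POST /login.aspx 203.0.113.9 401
2014-03-01 10:00:03 POST /login.aspx 203.0.113.9 401
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2014-03-01 10:00:03 203.0.113.9 POST /login.aspx 401 12
2014-03-01 10:00:04 203.0.113.9 POST /login.aspx 401 11
2014-03-01 10:02:30 198.51.100.7 GET /about.aspx 200 8
2014-03-01 10:05:00 198.51.100.7 GET /default.aspx 200 9
2014-03-01 10:05
"""


def parse_w3c(text):
    """Return one dict per request line, keyed by the latest #Fields: directive."""
    fields, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # truncated or malformed line: skip it rather than misalign columns
        row = dict(zip(fields, values))
        if "date" in row and "time" in row:
            row["timestamp"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S"
            )
        rows.append(row)
    return rows


def would_be_denied(rows, max_requests, period_ms):
    """Return {client IP: number of requests over the limit} for the given threshold.

    A request counts as over the limit when the client has made more than
    max_requests requests within the preceding period_ms milliseconds.
    """
    window = timedelta(milliseconds=period_ms)
    recent = defaultdict(deque)   # client IP -> timestamps still inside the window
    denied = defaultdict(int)
    usable = [r for r in rows if "timestamp" in r and "c-ip" in r]
    for row in sorted(usable, key=lambda r: r["timestamp"]):
        now, queue = row["timestamp"], recent[row["c-ip"]]
        while queue and now - queue[0] >= window:
            queue.popleft()
        queue.append(now)
        if len(queue) > max_requests:
            denied[row["c-ip"]] += 1
    return dict(denied)


if __name__ == "__main__":
    parsed = parse_w3c(SAMPLE_LOG)
    for limit in (5, 10):
        print(f"max {limit} requests per 5000 ms:", would_be_denied(parsed, limit, 5000))
```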
View Ordered List:
  • This action is used for changing the rule priority.
  • Clicking this action shows a screen that lists the rules in order, with different action elements, as shown in the image below.

  • Rules nearer the top of the list have higher priority.
  • Use the Move Up and Move Down actions to change the priority of the rules.
  • Once you are done changing the order of the rules, click View Unordered List to return to the screen that allows you to add and remove rules.


Remove:
  • This action removes rules that are no longer required.
  • To see this action, click on any rule in the feature pane, and then click Remove to remove the rule.
  • On clicking Remove, you will get a warning as in the image below. Click Yes to remove the rule.

#5. The feature pane elements give information about the rules that apply to the current web site or virtual application.

Mode:
  • This displays the type of rule. The value is either Allow or Deny, indicating whether the rule allows or denies access to content.
Requester:
  • This displays the specific IP address, range of IP addresses or domain name defined in the Add Allow/Deny Restriction Rule.
Entry Type:
  • This displays whether the item is local or inherited. Local items are added at the current application level, and inherited items are added at a parent application level.

Server Certificates in IIS 8

Certificates are part of Secure Sockets Layer (SSL) encryption. Server certificates enable users to confirm the identity of a Web server before they transmit sensitive data, such as a credit card number. Server certificates also contain the server's public key information so that data can be encrypted and sent back to the server.

To use this feature, follow the steps below.

#1. Open the Internet Information Services (IIS) Manager. You can open IIS from the Start screen by searching for the "inetmgr" command in the search box or writing the same in the Run window.

#2. Click on the Server node.

#3. From the features pane (center pane), double click on the "Server Certificates" which is under the IIS features section.


#4. Once you have opened Server Certificates, you will see some elements in the Actions pane and the feature pane.


The following tables give a brief introduction to those elements.

Action Pane Elements:

| Element Name | Description |
|---|---|
| Import | Opens the Import Certificate dialog box to restore a lost or damaged certificate that you previously backed up, or to install a certificate sent to you by another user or certification authority (CA). |
| Create Certificate Request | Opens the Request Certificate wizard to provide information about your organization to an external certification authority. |
| Complete Certificate Request | Opens the Complete Certificate Request dialog box to install the certificates that you receive from your certification authority. |
| Create Domain Certificate | Opens the Create Certificate wizard to provide information about your organization to an internal certification authority. |
| Create Self-Signed Certificate | Opens the Create Self-Signed Certificate dialog box to create certificates to use in server testing environments and for troubleshooting third-party certificates. |
| Enable/Disable Automatic Rebind of Renewed Certificate | Automatically rebind a renewed certificate by using Certificate Rebind. |
| View | Opens the Certificate dialog box so that you can view details about a certificate. Select a certificate to see this option. |
| Export | Opens the Export Certificate dialog box to export certificates from a source server when you want to apply the same certificate to a target server, or when you want to back up a certificate and its associated private key. Select a certificate to see this option. |
| Remove | Removes the item that is selected from the list on the feature page. Select a certificate to see this option. |

Feature pane Elements:

| Element Name | Description |
|---|---|
| Name | Displays the names of certificates that have been issued to clients that are running on either Internet or intranet hosts. |
| Issued To | Displays the FQDNs (Fully Qualified Domain Name) of either the Internet or intranet hosts to which certificates have been issued. |
| Issued By | Displays the FQDNs of servers that have issued certificates to clients that are running on either Internet or intranet hosts. |
| Expiration Date | Displays the date that the certificate expires. |
| Certificate Hash | Displays binary data produced by using a hashing algorithm. Although this data uniquely identifies a certificate, the hash data cannot be used to trace a certificate because hashing is a one-way process. |
| Certificate Store | Displays the name of the provider that stores the certificate. |


#5. As you can see in the tables above, the Actions pane elements are used in the process of creating a certificate request and completing it. Let's have a deeper look at the Actions pane elements.

Create Certificate Request
  • The first step in creating the server certificate is to generate a certificate request. This request can be submitted to a CA, which will, in turn, generate a certificate that can be installed on the server.
  • Certificate requests can only be configured at a server level. Once a certificate has been installed, it can then be configured for use at a website level.
  • To create the certificate request, click Create Certificate Request in the Actions pane to begin the process.
  • Enter the details in the dialog box that opens.
  • The Common name property should be filled in with the server name on which the website will be answering requests. The remaining fields should be filled in according to the legal status of your organization. Depending on the CA you submit this request to and the type of certificate you are requesting, the CA may verify these details before issuing you a certificate. See the image below if you need help filling this in.

          After filling in the details, click Next to continue.

  • Select the cryptographic provider and bit length that you want to use for this certificate. At the time of writing, 2,048-bit key lengths are considered secure for the foreseeable future. Longer key lengths can be chosen to provide additional security; however, selecting a longer key length puts additional load on both the client and server when performing the SSL/TLS handshake. See the image below if you need help filling this in.

          Click Next to continue.
  • Choose a file name to save the certificate request to, as shown in the image below, and click Finish to close the wizard.


Note: If you do not specify the file name with a path, the file will be saved in the <Rootfolder>/Windows/System32 directory (C:/Windows/System32).

At this point, a Certificate Enrollment Request exists in the local machine's certificate store that corresponds with the certificate request file that was just generated. After submitting the certificate request to a CA and receiving your certificate, the new certificate will match the pending Certificate Enrollment Request.

To view the Certificate Enrollment Request:

     1. In the Windows Start screen, type mmc.exe and press Enter, or type the same in the Run window.
     2. Select File and then Add/Remove Snap-in.
     3. Select the Certificates snap-in and click Add. Click OK to exit all the dialogs.
     4. Expand the Certificate Enrollment Requests node to see all pending requests.


The generated certificate request file is now submitted to a CA, which generates a signed certificate. The higher-assurance certificates (that tend to cost more money) involve additional due diligence by the CA.

Complete Certificate Request
  • Once you receive the certificate from the CA, click Complete Certificate Request in the Actions pane. This will open the Complete Certificate Request wizard.
  • Enter the details in that wizard.
          File name containing the certificate authority's response: File location on your local machine.
          Friendly name: Enter a friendly name by which you can easily recognize the certificate.
          Certificate Store: You will see two options, named Personal and Web Hosting. The Web Hosting store works like the Personal store, so all of the existing tools work in the same way. The main difference between the Web Hosting store and the Personal store is that the Web Hosting store is designed to scale to higher numbers of certificates.


Click OK to install the certificate.

Create Domain Certificate

A domain certificate is an internal certificate that does not have to be issued by an external certification authority (CA). If your Windows domain has a server that acts as a CA, you can create a domain certificate. This approach helps you reduce the cost of issuing certificates and eases certificate deployment.


To request and install a certificate using the Domain Certificate Request, follow the steps below.
  • Click Create Domain Certificate to begin the certificate request generation process.
  • This will open a new wizard like the one opened for Create Certificate Request. Fill in the details in that wizard and click Next to continue the process.

  • Enter your CA address in the Online Certificate Authority text box. The CA name takes the form of the Common Name entered when installing Active Directory Certificate Services (by default, <domain name>-<server name>-CA), followed by the FQDN. Also enter a friendly name by which you can easily recognize the certificate.

  • Click Finish to complete the wizard and submit the request to the designated CA. The certificate will automatically be issued by the CA and installed into the local machine certificate store on the IIS 8.0 server.
Create Self-Signed Certificate:


When a CA is not available, a self-signed certificate may be all that is required. This is particularly true in development environments where a developer may simply wish to test that his or her application works over SSL/TLS. A self-signed certificate is one where the server signs its own certificate. Because no machine other than the server trusts it as a CA, any remote machine accessing the site will result in a warning being displayed to the user. To create a self-signed certificate, follow the steps below.

  • Click Create Self-Signed Certificate to begin the self-signed certificate generation process.
  • This will open a new wizard. Enter the friendly name in the provided text box and select the certificate store.

  • Click OK to create the self-signed certificate.

View

To view a server certificate installed on your server, follow the steps below.

  • Click on any certificate in the feature pane; you will then see the View option in the Actions pane.

  • Click View to see the certificate. This opens a dialog box that shows the certificate details.
Export

To export any certificate that is installed on your server, follow the steps below.
  • Click on any certificate in the feature pane; you will then see the Export option in the Actions pane.
  • Click Export to take a backup of the certificate. This opens a wizard. Fill in the details in that wizard.
  • Export to is the path where the certificate will be saved. The password is required to secure the certificate and is also used when importing it.
  • After entering the details, click OK to export the certificate.
Import: 

This option lets you restore a certificate on the server. There are some situations where you can use this option.
  • When you need to install a certificate that you received from another user or a certification authority (CA).
  • When a certificate that you previously backed up has been damaged or lost on the server.
When you click Import in the Actions pane, it opens a dialog box. Enter the certificate details in that dialog box.

          Certificate file: File location on your local machine.
          Password: Enter the password that you entered while taking the backup.
          Certificate Store: You will see two options, named Personal and Web Hosting. The Web Hosting store works like the Personal store, so all of the existing tools work in the same way. The main difference between the Web Hosting store and the Personal store is that the Web Hosting store is designed to scale to higher numbers of certificates.

Check the Allow this certificate to be exported check box if you want to export this certificate in the future.


Once you have entered all the details, click OK to import the certificate.

Remove

To remove any certificate that is installed on your server, follow the steps below.
  • Click on any certificate in the feature pane; you will then see the Remove option in the Actions pane.
  • Click Remove to remove that particular certificate.
  • On clicking Remove, an alert is shown as follows.
Click Yes to remove the certificate.

Reference: Professional Microsoft IIS 8

How to access the site using domain name instead of localhost in IIS

Whenever we host a website in IIS (Internet Information Services), we usually access it with localhost or with that machine's IP address, for example http://localhost/TestSite/TestPage.aspx

Did you ever think of accessing your website with a domain name such as http://www.testsite.com instead of http://localhost/testsite or http://127.0.0.1/testsite on your local machine?

How can I tell IIS that http://www.testsite.com points to the files on my local computer, rather than trying to access the internet?

The answer to all these questions is the hosts file.

This file is in <Windows Root Folder>\System32\Drivers\etc\. If Windows is installed on the C drive, this will be C:\Windows\System32\drivers\etc. You can open this file in Notepad, Notepad++ or any other text editor that you have. If you open this file, it will look as follows.


Note: You need administrator privileges to save your changes in this file.

Case 1:
If you want to create a new website that can be accessed through a domain name, follow the steps below.

#1. Open IIS.
#2. Expand the Server node and click on Sites folder.
#3. Click on Add Website in Actions pane.

Note: If you need any help with the above steps, please check my previous post, How to Setup a Basic Website in IIS 8.

#4. Enter the details in the Add Website window as follows.


#5. Click on Ok to create website.

#6. If you try to browse your website now, Chrome will show an alert that the webpage is not available. You will see the same kind of issue in other browsers.
     This is because the address you entered is looked up on the internet instead of on your local machine.
To overcome this, open the hosts file in any text editor and make the following change.
(add " 127.0.0.1       www.testsite.com " to hosts file)


Now clear the browser cache and reload the page. It will work as follows.


Case 2:
If you want to use a domain name to access a website that has already been created, follow the steps below.

#1. Open IIS.
#2. Expand the Server node and then expand Sites folder.
#3. Click on Website that you want to access using domain name and then click on Bindings in the Actions pane.


#4. Select the binding of type http and then click on Edit. This will open a new window as follows.


Enter the host name in the provided text box.
I am entering this as www.google.com because I want to access my site with the Google address.

#5. Now make the change in the hosts file as we did in #6 of Case 1.



#6. Once this change is done, you can access your local website with the Google address.


Note: The changes that you make in the hosts file apply only to the local machine on which that file exists.
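
The two cases above rely on two separate lookups: the hosts file maps the name to 127.0.0.1, and the site binding's host name decides which site answers. The following added example (not code from the original post) models both, and also lists the names a hosts file redirects to the loopback address so that leftover test entries such as www.google.com can be found later. The hosts content and the bindings are constructed, the function names are illustrative, and the binding selection is a simplified model (exact host name first, then a binding with an empty host name), not IIS's own code.

```python
import ipaddress

# Constructed hosts-file content modelled on the entries added in Case 1 and Case 2.
SAMPLE_HOSTS = """\
# Sample hosts file
#      127.0.0.1       localhost
127.0.0.1       www.testsite.com
127.0.0.1       WWW.Google.com   # local test site from Case 2
not-an-address  broken.example
"""

# Constructed bindings: (site name, port, host name); "" means no host name set.
SAMPLE_BINDINGS = [
    ("Default Web Site", 80, ""),
    ("TestSite", 80, "www.testsite.com"),
]


def parse_hosts(text):
    """Return {lower-cased name: address}. Assumption: the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments, including trailing ones
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue                            # first column is not an IP address
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def loopback_overrides(text):
    """Names (other than localhost) that the hosts file points at a loopback address."""
    return sorted(
        name for name, address in parse_hosts(text).items()
        if name != "localhost" and ipaddress.ip_address(address).is_loopback
    )


def select_site(bindings, port, host_header):
    """Simplified model: an exact host-name binding beats a binding with no host name."""
    host = host_header.split(":")[0].lower()
    for wanted in (host, ""):
        for site, bound_port, bound_host in bindings:
            if bound_port == port and bound_host.lower() == wanted:
                return site
    return None


def route(hosts_text, bindings, name, port=80):
    """Return (address from the hosts file, site that would answer) for http://name/."""
    address = parse_hosts(hosts_text).get(name.lower())
    if address is None:
        return None, None                       # not in the hosts file: DNS is consulted
    return address, select_site(bindings, port, name)


if __name__ == "__main__":
    for name in ("www.testsite.com", "www.google.com", "www.example.org"):
        print(name, "->", route(SAMPLE_HOSTS, SAMPLE_BINDINGS, name))
    print("loopback overrides:", loopback_overrides(SAMPLE_HOSTS))
```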

How to Setup a Basic Website in IIS 8

In general, the hosting part of an application is not done by the developer. However, in some scenarios where the team is small or the application needs to be hosted on a local server, we developers do all the work. In this article, I am going to show how to host an ASP.NET application on IIS 8.

#1. Open IIS Manager either from the Start screen by searching for the "inetmgr" command in the search box or by typing the same in the Run window.


Note: You can also achieve the same by going to Control Panel, clicking on Administrative Tools (which is under System and Security) and then selecting Internet Information Services (IIS).

#2. Once you have opened Internet Information Services (IIS) Manager, expand the Server node and then click on the Sites folder. Click on Add Website in the Actions pane.


Note: You can also achieve the same by right-clicking on the Sites folder and then selecting Add Website.

#3. Once you click on Add Website, it will open up a window. Please enter all the details as per the example provided below.



In that window I have provided the details as follows: the Site Name as TestSite, the physical path of the application, and in the binding section the IP Address as All Unassigned and the Port as 80 (default settings).

After entering the details, press OK to create your site.

#4. If it shows an alert as follows, press Cancel, change the port number and click OK.



#5. To browse your hosted application, right-click on the website name, go to Manage Web Site and select Browse.



Note: You can also achieve the same by clicking on Browse in the Actions pane.

#6. On clicking Browse, your site will be opened in your default browser as follows.

How to install IIS features on Windows 8

Windows 8 comes with a new version of IIS (Internet Information Services), version 8.

Let's follow the steps below to install IIS features on Windows 8.

#1. On the Start page, search for Control Panel and select it.

#2. Selecting Control Panel opens a new window. In that window, choose Programs.

#3. Under Programs and Features, choose Turn Windows features on or off.

#4. This will open the Windows Features window as follows.

#5. In the Windows features list, expand the Internet Information Services node and select the features that you want to install as per your project requirements.

#6. After selecting the features, apply your changes. This will open a window for applying your changes as follows.

#7. Once this is done, you can open the browser and navigate to localhost by typing http://localhost in the address bar. The default web site opens and should display an IIS 8 image as follows.

#8. The image may be different in your case. This image is shown for IIS 8.5; IIS 8.0 shows a different image.