Authenticating to the Administration Web Site
As another security measure, the Administration Web Site denies anonymous connections. The site requires unauthenticated users to supply their credentials, so only operators and members of the Administrators group can connect. By default, the Administration Web Site uses Integrated Windows authentication, but you can change the authentication method. To do so, open the Administration Web Site's Properties dialog box, click the Directory Security tab, then click Edit in the Anonymous access and authentication control area. In the Authentication Methods dialog box, which Figure 5 shows, select the access that's right for your environment.
Integrated Windows authentication works seamlessly when you've configured AD to run in Win2K's native mode. If you use Microsoft Internet Explorer (IE) 4.0 or later to connect to the Administration Web Site, the client and server use the Kerberos 5.x authentication protocol to authenticate you. (For information about Kerberos versus NT LAN Manager (NTLM) authentication, see the sidebar "Kerberos vs. NTLM.")
However, Integrated Windows authentication works only if the browser supports it and can fail if the connection is established over an HTTP proxy. Only Basic authentication works with all browsers and over any number of proxies and gateways. But Basic authentication has a major drawback: The client passes credentials in clear text to the server. The credentials are merely Base64 encoded, not encrypted, so malicious users who intercept them in transit can easily recover the password. If you want to use Basic authentication, consider enabling Secure Sockets Layer (SSL) support in IIS. Enabling SSL encrypts all traffic between the browser and IIS; thus, passwords won't be transmitted in the clear. Of course, this security doesn't come cheap. Using SSL increases latency and can slow server performance.
IIS 5.0 offers an improved version of Basic authentication called Digest authentication. Digest authentication is similar to Basic authentication in that it works over proxy servers, but passwords are never actually transmitted. For Digest authentication to work, the user's browser must support it (i.e., the user must have IE 4.0 or later) and the domain server that runs Win2K must store a clear-text copy of the password. For more information about using Digest authentication, see the Microsoft article "Setting Up Digest Authentication for Use with Internet Information Services 5.0" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q222028).
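The two points above, that a Basic header is reversible without any secret and that a Digest server must hold the password to check a response, are easy to see on the wire. The following Python is an added example, not code from the article or from IIS: it decodes a constructed Basic header, then builds and verifies an RFC 2617 Digest response. The `operator`/`S3cretPass` credentials and the hypothetical `iisadmin` realm are made up; the Mufasa values are the worked example from RFC 2617 section 3.5.

```python
"""Added example (not from the article): what a client puts on the wire for
Basic and Digest authentication, and what the server needs in order to verify it.
Credentials, realm and nonces other than the RFC 2617 vector are constructed."""
import base64
import hashlib
import os

# Constructed sample: the header a browser sends for Basic authentication.
CAPTURED_BASIC = "Basic b3BlcmF0b3I6UzNjcmV0UGFzcw=="


def make_basic_header(username, password):
    """Build the Authorization value a browser sends for Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header):
    """Recover the credentials from a Basic header. Base64 is an encoding,
    not encryption: no key or secret is needed to reverse it."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authentication header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    nc=None, cnonce=None, qop=None):
    """RFC 2617 Digest response. Only hashes travel; the password never does.
    With qop (e.g. "auth") the client nonce and request count are mixed in."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def make_digest_header(username, realm, password, method, uri, nonce,
                       nc="00000001", cnonce=None, qop="auth"):
    """Assemble the Authorization value the client sends for Digest (qop=auth)."""
    cnonce = cnonce or os.urandom(4).hex()
    response = digest_response(username, realm, password, method, uri,
                               nonce, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def parse_digest_header(header):
    """Parse the quoted and unquoted key=value pairs of a Digest header."""
    scheme, _, body = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest authentication header")
    fields = {}
    for part in body.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def server_verifies(stored_password, method, fields):
    """The server recomputes the response from the password it holds.
    It needs the clear-text password (or at least HA1) to do this, which is
    why Digest requires the domain controller to keep a recoverable copy."""
    expected = digest_response(fields["username"], fields["realm"],
                               stored_password, method, fields["uri"],
                               fields["nonce"], fields.get("nc"),
                               fields.get("cnonce"), fields.get("qop"))
    return expected == fields["response"]


if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic_header(CAPTURED_BASIC))
    hdr = make_digest_header("operator", "iisadmin", "S3cretPass", "GET",
                             "/iisadmin/", nonce=os.urandom(16).hex())
    print("Digest header:", hdr)
    print("password on the wire:", "S3cretPass" in hdr)
    print("server check:", server_verifies("S3cretPass", "GET",
                                           parse_digest_header(hdr)))
```

Run it and the Basic header yields the credentials with no secret involved, while the Digest header contains only hashes; the verifying side still has to know the password, and the server's check fails once that password is wrong. A proxy or sniffer that sees the Digest exchange therefore learns nothing it can replay once the nonce changes, which is the property the article credits Digest with.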
Regardless of which authentication method you use, administering IIS remotely through the Internet Services Manager (HTML) tool is as simple as typing
http://LEONBR_HM:3182
in your browser, where LEONBR_HM is the computer name and 3182 is the port number. (Make sure that hosts other than Localhost can connect, and look up the port number that your Administration Web Site uses.) Figure 6, page 10, shows the Administration Web Site. If you're connecting to IIS over the Internet, you need to supply the server's Fully Qualified Domain Name (FQDN) in the URL (e.g., http://www.braginski.com:3182).
Microsoft designed Internet Services Manager (HTML) to provide the same functionality as the Internet Information Services snap-in. However, you should be aware of a few differences. Because Internet Services Manager (HTML) is written in HTML, the tool doesn't support right-clicking a Web site or virtual directory to access its properties. Instead, you need to click Properties in the Administration Web Site's left pane to bring up property pages. Another difference is that although Internet Services Manager (HTML) lets you configure SSL if a server certificate is installed, the tool doesn't bring up the Key Manager to start a certificate-creation process. Despite these limitations, Internet Services Manager (HTML) is a nice complement to remote administration through MMC.
The Right Tool for the Job
IIS provides two ways to administer your Web servers remotely. In an enterprise consisting of many Web servers, connecting to all the Web servers from one MMC console might be the best option. If you're at home and you need to connect to one of your IIS machines, your best option is to connect to the server over the Internet and use the Administration Web Site to administer the machine. The choice of tool you make will always be unique to your environment.