Working with Web services

You can use Delegated Administration Console to automate the provisioning of Web sites and File Transfer Protocol (FTP) sites for hosted organizations. You can also use it to delegate many aspects of Web and FTP site administration to administrators and customer service representatives (CSRs) within a hosted organization.

Delegated Administration Console makes available many of the Web and FTP site configuration options that are available in Internet Services Manager (ISM) and the Internet Information Services (IIS) metabase. Microsoft Provisioning System configures settings not available in Delegated Administration Console by using the same settings configured for the Master WWW Service.

When you provision a Web or FTP site for an organization, Microsoft Provisioning System configures IIS metabase properties for the Web or FTP site. Except for the ASPEnableParentPaths property, Microsoft Provisioning System uses the settings for the Master WWW Service.

For security reasons, Microsoft Provisioning System configures the ASPEnableParentPaths metabase property as False. This prevents the use of the "..\" syntax in Active Server Pages (ASP) applications. Although you can change this property to True by using Delegated Administration Console or by submitting a direct XML request to IIS Provider, you should not do so in a shared Web-hosting environment. For more information, see article Q184717, "AspEnableParentPaths MetaBase Property Should Be Set To False," in the Knowledge Base at the Microsoft Web site (http://www.microsoft.com/).
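The following added example (not part of the original documentation or of Microsoft Provisioning System) models how a file-relative ASP include path resolves when the property is False and when it is True, and reports whether the result stays inside the application root. The directory layout, organization names, and the resolve_include function are constructed for illustration.

```python
import ntpath  # Windows path rules, so the example runs on any OS

def resolve_include(app_root, including_file, include_path, enable_parent_paths):
    """Model how a file-relative ASP include path resolves.

    Returns (allowed, resolved_path, escapes_root).
    """
    parts = include_path.replace("/", "\\").split("\\")
    if ".." in parts and not enable_parent_paths:
        # Property is False: any parent-directory component is refused outright.
        return (False, None, False)
    base = ntpath.dirname(including_file)
    resolved = ntpath.normpath(ntpath.join(base, include_path))
    root = ntpath.normcase(ntpath.normpath(app_root))
    target = ntpath.normcase(resolved)
    escapes = not (target == root or target.startswith(root + "\\"))
    return (True, resolved, escapes)

# Constructed layout: two hosted organizations on one shared server.
APP_ROOT = r"D:\hosting\orgA\wwwroot"
PAGE = r"D:\hosting\orgA\wwwroot\shop\default.asp"
CASES = [r"inc\header.inc", r"..\inc\header.inc", r"..\..\..\orgB\wwwroot\db.inc"]

def compare_settings():
    """Resolve each constructed include path under both property values."""
    rows = []
    for path in CASES:
        off = resolve_include(APP_ROOT, PAGE, path, enable_parent_paths=False)
        on = resolve_include(APP_ROOT, PAGE, path, enable_parent_paths=True)
        rows.append((path, off, on))
    return rows

if __name__ == "__main__":
    for path, off, on in compare_settings():
        print(f"{path!r}: False -> allowed={off[0]}; "
              f"True -> {on[1]} (outside app root: {on[2]})")
```

With the property set to True, the third path resolves into another organization's content directory, which is the shared-hosting exposure the default of False prevents.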

Within Delegated Administration Console, some settings can be configured by the administrator within the hosted organization. Some can be configured by administrators at the parent organization level. Some options can be configured only by service provider administrators and CSRs.

The following tables list the options available for creating and configuring Web and FTP sites in Delegated Administration Console and indicate which roles can configure each option.

Web site configuration settings

| Configuration setting | Description | Role |
| --- | --- | --- |
| Create Web site | Create a new Web site for an organization and specify site identification. | Administrators at the parent organization level and higher |
| Specify log file location | Specify the path to the log file for this Web site. | Service provider administrators |
| Performance tuning | Optimizes Web server performance based on the number of hits per day that this Web site will handle. You can adjust this setting based on actual usage data from the Web site log files. | Administrators at this organization level and higher |
| Bandwidth throttling | Specifies the maximum number of kilobytes per second (KBps) to be used by the Web server for this Web site. For more information, see "Throttling Bandwidth" in the Internet Information Services (IIS) 5.0 product documentation at the Microsoft Web site (http://www.microsoft.com/). | Service provider administrators |
| Process throttling | Sets the maximum CPU use for this Web site as a percentage of available CPU. For more information, see "Throttling Processes" in Internet Information Services 5.0 at the Microsoft Web site (http://www.microsoft.com/). | Service provider administrators |
| Script source access | Allows users to access source files in the Web site directory, including the source code for scripts, such as scripts in ASP applications. If Read is also selected, then source files can be read. If Write is also selected, users can also write to these files. | Administrators at this organization level and higher |
| Read | Allows users to view directory content, file content, and properties on the Web site. | Administrators at this organization level and higher |
| Write | Allows users to change directory content, file content, and properties on the Web site. | Administrators at this organization level and higher |
| Directory browsing | Allow users to view file lists and collections on the Web site. | Administrators at this organization level and higher |
| Execute permissions | Specifies the application permissions for this Web site as follows: None specifies that no executable files or scripts, such as ASP applications, can run on this Web site. Scripts only specifies that only scripts, such as ASP applications, can run on this Web site. Execute specifies that both executable files and scripts, such as ASP applications, can run on this Web site. | Administrators at this organization level and higher |
| Application Protection | Not configurable from Delegated Administration Console. | Not applicable |
| Enable Parent Paths | Specifies whether an ASP page can allow paths relative to the current directory (using the ..\ notation). This setting is disabled by default. Caution: When enabled, this setting is a potential security risk because an "include" path can access critical or confidential files outside the root directory of the application. | Service provider administrators |
| Enable default documents and specify their file names | Specifies the file that the Web server will serve by default when a user navigates to the Web site. | Administrators at this organization level and higher |
| Enable a document footer and specify the footer file name | Automatically appends a footer to each page from the specified file. | Administrators at this organization level and higher |
| Anonymous access | An authentication method that gives users access to the Web site without prompting them for a user name or password. | Administrators at this organization level and higher |
| Basic authentication | An industry-standard authentication method, defined in the HTTP specification, for collecting user name and password information. It passes passwords in an unencrypted form, so is not recommended unless you are sure that the connection between the user and the Web server is secure. | Administrators at this organization level and higher |
| Integrated Windows authentication | Also called Windows NT Challenge/Response. A secure form of authentication because the user name and password are not sent across the network. | Administrators at this organization level and higher |
| Content expiration | Enables content expiration for this Web site and provides the following settings: None prevents content from being cached on users' computers. Expire after specifies how long content is cached on a user's computer before it is refreshed. | Administrators at this organization level and higher |

FTP site configuration settings

| Configuration setting | Description | Role |
| --- | --- | --- |
| Create FTP site | | Administrators at the parent organization level and higher |
| Allow anonymous connections | Allows users to log on with the user name "anonymous." For more information, see "Configuring FTP site access" later in this topic. | Administrators at this organization level and higher |
| Allow only anonymous connections | Prevents users from logging on with Windows 2000 user names. With this option enabled, no account other than the anonymous account can log on. For more information, see "Configuring FTP site access" later in this topic. | Administrators at this organization level and higher |
| Read | Allows users to view directory content, file content, and properties on the FTP site. | Administrators at this organization level and higher |
| Write | Allows users to change directory content, file content, and properties on the FTP site. | Administrators at this organization level and higher |
| Log visits | Allows logging of visits to this FTP site. The log file is stored in the location specified for the FTP service within Internet Services Manager. | Administrators at this organization level and higher |

Other administration options

In addition to configuring the settings described in the previous section, administrators can also start and stop FTP and Web sites and view resource usage information. For more information about using these features, see Delegated Administration Console Help.

Configuring FTP site access

With Delegated Administration Console, you can configure logon requirements for FTP sites by using two options: Allow anonymous logon and Allow anonymous logon only. When the Allow anonymous logon option is enabled, clients can log on with the user name "anonymous." Traditionally, anonymous FTP users log on by using their e-mail addresses as passwords. Note that Internet Explorer automatically logs on anonymously to all FTP sites that permit anonymous logon. Allow anonymous logon is enabled by default when you create an FTP site.

By default, FTP clients are also permitted to log on with a Windows 2000 user name and password with permissions to use that computer. You can use this feature to control users' access to files on drives formatted with the NTFS file system. In some cases, however, this feature can create a security risk. To mitigate this risk, you can use the Allow anonymous only option, which prevents users from logging on with Windows 2000 user names. With this option enabled, no account other than the anonymous account can log on. This is useful for security because only one account, the one that is assigned for anonymous logon, is permitted access, and intruders cannot try to gain access with the administrator account. The same anonymous account, IUSR_computer_name, is configured for FTP and Web sites provisioned by Microsoft Provisioning System.
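The following added example (not part of the original documentation) shows how the visits recorded by the Log visits option can be reviewed for logon attempts that use a Windows account name instead of "anonymous", the activity the anonymous-only option is meant to shut out. The log lines are constructed, and their field order is an assumption to be matched against the #Fields header of your own logs.

```python
import re

# Constructed sample in W3C extended style. The field order below is an
# assumption for this example; match it to your own #Fields header.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
08:01:10 203.0.113.7 [1]USER anonymous 331
08:01:10 203.0.113.7 [1]PASS user@example.com 230
08:02:41 198.51.100.9 [2]USER administrator 331
08:02:42 198.51.100.9 [2]PASS - 530
08:02:50 198.51.100.9 [3]USER administrator 331
08:02:51 198.51.100.9 [3]PASS - 530
08:03:05 198.51.100.9 [4]USER backup 331
08:03:06 198.51.100.9 [4]PASS - 530
08:05:00 192.0.2.44 [5]USER jsmith 331
08:05:01 192.0.2.44 [5]PASS - 230
"""

LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](USER|PASS) (\S+) (\d{3})$")

def named_account_logons(log_text):
    """Summarize logons that used a name other than "anonymous", per client IP."""
    pending = {}   # (client ip, session id) -> name given in USER
    report = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # header line or an unrelated command
        _, ip, session, verb, arg, status = m.groups()
        if verb == "USER":
            pending[(ip, session)] = arg.lower()
            continue
        user = pending.pop((ip, session), None)
        if user is None or user == "anonymous":
            continue
        entry = report.setdefault(ip, {"failed": 0, "succeeded": 0, "users": set()})
        entry["succeeded" if status == "230" else "failed"] += 1
        entry["users"].add(user)
    return report

def suspected_guessing(report, min_failures=3):
    """Client IPs with at least min_failures failed named-account logons."""
    return sorted(ip for ip, e in report.items() if e["failed"] >= min_failures)

if __name__ == "__main__":
    summary = named_account_logons(SAMPLE_LOG)
    print(summary, suspected_guessing(summary))
```

On a site where the anonymous-only option is enabled, any entry in this summary is worth reviewing, because no named account is expected to log on at all.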