Microsoft Home Microsoft Home
Microsoft FrontPage 2000 Server Extensions Resource Kit

Remote Administration


Activating Remote Administration on IIS 4.0 and 5.0

Whether you are using the command-line remote administration Fpremadm utility or the server extensions HTML Administration Forms to administer an IIS 4.0 or later server remotely, you need to activate the HTML Administration Forms using the method described in this topic.

You should run the HTML Administration Forms over a secured port. It is not possible to use a secured port unless the server has a security certificate installed. If you do not already have a security certificate before activating the HTML Administration Forms, use the Key Manager application to make a security certificate request, submit the request to a key authority, and then use the Key Manager application to install the certificate returned by the key authority. The IIS documentation contains more details on this process.

Once you have a security certificate, you can enable the HTML Administration Forms either as a separate IIS Web site or as a virtual directory on an existing Web site. The advantages of using a separate site is that a separate IP address can make the forms harder to discover, and a separate site allows additional security settings to be enabled such as distinct non-standard port numbers. The disadvantage of using a separate Web site is that an additional IP address is required for the machine.

To activate the HTML Administration Forms for remote use

  1. Determine the Windows NT machine account (or group of accounts) that will be granted access to the HTML Administration Forms.

    This account should be a member of the machine's Administrators group. If necessary, create a new account using the Windows NT User Manager. Depending on the machine's account configuration, giving access to the Administrators group may be a good alternative to giving access to multiple individual machine accounts.

  2. Open the Windows Explorer at the hard drive location of the HTML Administration Forms, which by default is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\. Select the Admisapi folder, click Properties on the File menu, and then click Permissions on the Security tab.
  3. In the Directory Permissions dialog box, update the Name list of authorized users and groups by using the Add and Remove buttons.

    Remove all users and groups that are not authorized. In particular, make sure that no group that is added to the list contains the IUSR_machinename anonymous access account, and that any wide-access accounts such as EVERYONE are removed.

  4. In the Name list, type the machine's SYSTEM account.

    This account is required to allow IIS to access the file during the security validation process.

  5. For each user or group in the Name list, change Type of Access to Read.
  6. Click Replace Permissions on Subdirectories and Replace Permissions on Existing Files, and click OK to accept the changes. Click OK again to close the folder Properties dialog box.
  7. Start the IIS Internet Service Manager application, and open the IIS and machine's folders.
  8. Right-click the icon labeled with the machine name, and then click Create New Web Site.
  9. In the Description field of the New Web Site Wizard, type the name of the site, for example FrontPage Server Extensions Administration Forms, and then click Next.
  10. Select the IP address to use for this site. The IP address must have been pre-configured before running the New Web Site Wizard. Do not use the TCP Port field because the HTML Administration Forms will only be accessed through a secure port. Click Next to continue.
  11. Type the path to the HTML Administration Form files, usually C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\Admisapi, and make sure that the Allow anonymous access to this web site check box is cleared. Click Next.
  12. Click Allow Read Access and Allow Execute Access (includes script access), and then click Finish.
  13. Right-click the new Web site icon created in the left pane, which will be labeled with the name you typed in step 9. Click Properties.
  14. On the Web Site tab, type a non-standard port number in the SSL Port field, for example 8234.
  15. In the Directory Security tab, click the Secure Communications Edit button. Select the Require Secure Channel check box, and then click OK.
  16. Add any TCP/IP access restrictions that you want.
  17. Click OK to accept the changes.

 

The forms are now usable for remote administration using a URL such as https://machinename:8234/fpadmin.htm, where machinename corresponds to the IP address you typed in step 5, and 8234 corresponds to the port number you entered.

To create a virtual directory to host the HTML Administration Forms on an existing Web site:

  1. Determine the Windows NT machine account (or group of accounts) that will be granted access to the HTML Administration Forms.

    This account should be a member of the machine's Administrators group. If necessary, create a new account using the Windows NT User Manager. Depending on the machine's account configuration, giving access to the Administrators group may be a good alternative to giving access to multiple individual machine accounts.

  2. Open the Windows Explorer at the hard drive location of the HTML Administration Forms, which by default is C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\. Select the Admisapi folder, click Properties on the File menu, and then click Permissions on the Security tab.
  3. In the Directory Permissions dialog box, update the Name list of authorized users and groups by using the Add and Remove buttons.

    Remove all users and groups that are not authorized. In particular, make sure that no group that is added to the list contains the IUSR_machinename anonymous access account, and that any wide-access accounts such as EVERYONE are removed.

  4. In the Name list, type the machine's SYSTEM account.

    This account is required to allow IIS to access the file during the security validation process.

  5. For each user or group in the Name list, change Type of Access to Read.
  6. Click Replace Permissions on Subdirectories and Replace Permissions on Existing Files, and click OK to accept the changes. Click OK again to close the folder Properties dialog box.
  7. Start the IIS Internet Service Manager application, and open the IIS and machine's folders.
  8. Right-click the Web site icon that will be used to host the HTML Administration Forms, such as Default Web Site. Click Create New Virtual Directory on the shortcut menu.
  9. In the Alias field of the New Virtual Directory Wizard, type the alias name of the HTML Administration Forms, such as fpadmin, and then click Next.
  10. Enter the path to the HTML Administration Form files, usually C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\Admisapi, and then click Next.
  11. Select the Allow Read Access and Allow Execute Access (includes script access) check boxes, and click Finish.
  12. Right-click the new Fpadmin virtual directory icon, and then click Properties on the shortcut menu.
  13. On the Directory Security tab, click the Password Authentication Method box's Edit button.
  14. Make sure that the Allow Anonymous check box is cleared, and that one or both of the Basic Authentication or Windows NT Challenge/Response check boxes is selected, and then click OK.
  15. Under Secure Communications, click Edit.
  16. Click Require Secure Channel, and then click OK.
  17. Add any TCP/IP access restrictions that you want.
  18. Click OK to accept the changes.

 

The forms are now activated for remote administration using a URL such as https://machinename/fpadmin/fpadmin.htm.

Administration

  BACK  TOP
 
  Last Updated June 1999
©1999 Microsoft Corporation. All rights reserved. Terms of Use. Disclaimer