Last month, I discussed some of the ways an intranet can help a school better leverage its investment in information technology. This month, I’d like to look at the nuts and bolts of how to build an intranet from the ground up, using some simple and inexpensive tools, many of which might already be installed on your network.
In this column, I will examine how to configure and secure Microsoft’s Internet Information Server (IIS) and how to use vbScript to create a personalized interface for each of your users.
The first thing you will need is an NT server running IIS or an NT workstation running Peer Web Services. Once the server is set up and configured, create a directory below the wwwroot directory. Set the NT file server (NTFS) permissions on this directory, so that the appropriate users have access to it.
Since you will be running scripts from this directory, you’ll need to be very careful about granting permission to write. For most users, permission to read and execute will be sufficient. Be sure to remove access for the group “Everyone,” otherwise, access will not be restricted. As you add files to this directory, you’ll adjust individual file permissions accordingly.
Next, you will need to configure IIS to use these NTFS permission assignments to control intranet access. You can do this through Internet Service Manager (ISM). In ISM, expand the default web site and find the directory you created earlier. Right-click on it and select its properties. Under the “Directory Security” tab, click the button to edit Anonymous Access and Authentication Control. Deselect the box to “Allow Anonymous Access” and check the box to use “Windows NT Challenge and Response.”
Users who are not authenticated to the NT domain already will be prompted for their network user-name and password, which will be encrypted before it is sent to the server. To take advantage of these security features, however, your users must be using Internet Explorer, and their browsers must be configured to bypass any proxy servers when trying to access the intranet server.
To make your intranet more appealing, you might want to create pages dynamically and, based on the user, create personalized pages for him or her. For example, administrative users might have access to some documents that students and faculty aren’t allowed to see. To take advantage of the “point and click” nature of the web browser, you should include a link to these pages, but shouldn’t present these links to users who will be denied access. Using vbScript programming, you can create a page that displays the user’s name and a list of links to pages the user can access.
To do this, create a default document called index.asp. The extension “asp” indicates to the server that this is an Active Server Page (ASP) and will include code to be executed on the server. Remember to configure your server to recognize this filename as a default document in ISM. Also, make sure the permissions for this directory are set to “Script” on the directory tab of the directory’s properties page in ISM, and make sure your web server will support active server pages.
An ASP document works the same way a hypertext markup language (HTML) document does, with one exception. In an ASP document, the author can include executable code between the <% and %> tags, and this code will be processed by the server instead of being passed to the browser. A server side-script can be contained between one set of <% %> tags, or it can be divided into smaller pieces to place the script’s output in different places throughout the page. The important thing to remember is that the server sees all the text between the server side-tags as a single program, and it ignores the HTML.
In the first line of this ASP document, you should tell the server what language you will be writing your server side code in. IIS will understand jscript or vbScript, but vbScript is the default. You can indicate the language with the command <% @ language=vbscript %>.
vbScript provides two collection objects that are instrumental in all ASP programmingthe request object and the response object. You can think of these objects as indexed storage bins of information that are passed between the server and the browser. The request object contains all the information sent to the server by the client’s browser, including environment variables, cookie files, and HTML form contents. The response object contains any information that the server sends back to the client, such as header information, cookie files, and server-generated HTML code.
To access information in these storage bins, the author of the script must refer to the appropriate section of the bin in which the information is stored. In object-oriented programming, these sections are called properties, and the storage bins are called objects.
For example, your first objective is to retrieve the log-on name of the person trying to access your page. This information is stored in the “Server Variables” property of the request object. Beneath the first line of the page where you selected the scripting language, open the main script and put the user’s log-on name into a variable called “user” by typing the following code:
Welcome to the intranet ” & user & “
The first line will create a variable called “user,” in which it will store the user-name of the person accessing the page in YOURDOMAIN/USERNAME format.
The second line sends the HTML code contained in the quotation marks to the client’s browser. The browser will display “Welcome to the intranet,” followed by the user-name of the person accessing the page. This text will be centered and in large type. Note that the contents of the “align” attribute are contained in single, rather than double, quotation marks. Using double quotation marks here, while standard in HTML, would create an error in vbScript. Note, also, that since you want to send the contents of the “user” variablenot the word “user”to the browser, it is not included inside the quotation marks with the rest of the HTML code. Instead, it is appended, or concatenated, to the HTML with the “&” character.
Now that you know who your user is, you can create links on your page dynamically by using the “response.write” method combined with an “if-then” decision structure. For example, if you have a page called “evaluations.htm” that the user “principal” has access to, you can present a link to this document on the main page that only the principal will see, using the following decision structure:
If user=”YOURDOMAIN/PRINCIPAL” then
Remember that this script only controls who sees the link. It doesn’t provide any security on the evaluations.htm file. You will need to do this using NTFS file permissions.
You can continue to develop this page by including the links that all users will see outside of the script in standard HTML code. You can also extend the if-then decision structure using “or” and “else” statements to deal with multiple users and documents that several people have access to. However, as your intranet grows, you’ll probably want to keep track of which links are displayed for each user in a database and use vbScript to query the database.
Of course, all this only scratches the surface of intranet development. To really take advantage of the power of Active Server Pages, you’ll need to learn more about the language and available technology. In addition to the many books, some great online resources offer tutorials and downloadable code snippets. Two great online sources include Kathi’s ASP Tutorial Page and ASPFree, and I’ve created a sample of the page I described above that you can download (see links below).
As you begin to master the vbScript language and experiment with things like database and file system access, the possibilities begin to seem very powerful. From student access, to grades, to collaborative curriculum development, school web site developers can create powerful and flexible solutions that help their schools and districts make the most of their technology purchases.
Kathi’s ASP Tutorial Page
Downloadable sample of vbScript page