Setup vmlab.local (20)

IIS 6.0 setup on Windows Server 2003 R2

  1. IIS Services (Core component Services)
    1. Web Server
      1. Virtual Directory
      2. Virtual Server: related closely with DNS
      3. Using HTTP/HTTPS Protocols
        1. TCP/IP (Port & Address)
        2. Default Web Server Port: 80
    2. FTP (File Transfer Protocol)
      1. Default Access port: 21
    3. SMTP/POP3
      1. Simple Mail Transfer Protocol: Communication protocol between two MTA (Mail Transfer Agent) Servers
      2. Post Office Protocol 3: Communication protocol from a mail Server to a client
        1. IMAP (another type of receiving client protocol)
    4. NNTP (Network News Transfer Protocol) – intranet and news group protocol
    5. Terminal Service Remote Desktop
      1. Able to access with a Web Browser (IE)
  2. TCP Ports and Protocols (Default)


Install IIS Service

  1. On websvr1, open Manage Your Server>Add or Remove a Role


  2. Next


  3. Select Application Server (IIS)


  4. Next


  5. Finish


  6. Open IIS Manager


Build Out Web Server

  1. On DC1>DNS Manager, create a CNAME www and map to websvr1.vmlab.local


Setup a root CA on websvr1

  1. Install Certificate Services

  2. Administrative Tools>Certification Authority


  3. CA MMC


  4. On IE, go to http://websvr1/certsrv/ and input credentials


  5. Certificate Service Site should be loaded


  6. Check whether the CRL is shared properly: open Run and type \\websvr1\Certenroll\


  7. It works


Build out SubCA

  1. Typically, for security reasons, a new server certificate should be issued by a sub CA rather than directly by the Root CA.
  2. Deploy another Windows Server 2003 R2 machine and name it subca, to set up and test the sub CA
  3. Install Certificate Services on this server as well

  4. Install the IIS service to use the Sub CA server service

Obtain a Server Certificate

  1. Back to IIS console on websvr1
  2. On Default Web Site>Properties>Directory Security>server certificate


  3. Next

  4. Select Send the request immediately to an online certificate authority

  5. Click View Certificate

  6. Click Edit and require a secure channel (SSL) for communication from clients to this server

  7. Test with http://www.vmlab.local in IE; it will display an error


  8. Test again with https://www.vmlab.local and it should work as below
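
The result of steps 6 to 8 can also be confirmed from the web server's log: IIS 6.0 answers a cleartext request for an SSL-required resource with HTTP 403.4. The script below is an added example, not part of the original walkthrough; the log lines, IP addresses and paths are constructed, and it assumes W3C Extended logging with the sc-substatus field enabled.

```python
"""Added example: audit IIS 6.0 W3C logs for 'Require secure channel' enforcement."""

# Constructed sample log (not taken from the lab); fields follow the #Fields directive.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2010-01-01 10:00:01 192.168.1.10 GET /default.htm - 80 - 192.168.1.50 Mozilla/4.0 403 4 5
2010-01-01 10:00:09 192.168.1.10 GET /default.htm - 443 - 192.168.1.50 Mozilla/4.0 200 0 0
2010-01-01 10:02:30 192.168.1.10 GET /old/page.htm - 80 - 192.168.1.51 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def audit_ssl_enforcement(text, http_port="80"):
    """Split cleartext requests into those rejected with 403.4 and those served."""
    report = {"rejected_403_4": [], "served_in_clear": []}
    for row in parse_w3c(text):
        if row["s-port"] != http_port:
            continue  # only cleartext traffic is of interest here
        entry = (row["c-ip"], row["cs-uri-stem"])
        status, substatus = row["sc-status"], row.get("sc-substatus", "0")
        if (status, substatus) == ("403", "4"):
            report["rejected_403_4"].append(entry)
        elif status.startswith("2") or status == "304":
            # Content was delivered without SSL: the setting is not in effect here.
            report["served_in_clear"].append(entry)
    return report


if __name__ == "__main__":
    for kind, hits in audit_ssl_enforcement(SAMPLE_LOG).items():
        print(kind, hits)
```

Any entry under served_in_clear is a path that still answers over plain HTTP and should have its Directory Security settings reviewed.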


       
     




     

EFS (Encrypting File System)

Recreate Recovery agent

  1. Open Group Policy Management and Edit Default Domain Policy>Computer Policies>Windows Settings>Security Settings>Public Key Policies>Encrypting File System

  2. The status of the Administrator certificate is not trusted, since it is the built-in one

  3. Its intended purpose is for File Recovery

  4. Delete the built-in Administrator recovery agent certificate

  5. Right click on Encrypting File System >Create Data Recovery Agent

  6. New recovery agent is created

  7. The certificate status is OK

Test EFS

  1. Right-click the target file and open Properties; on the General tab, click Advanced

  2. Check Encrypt contents to secure data (the file must not be compressed for EFS to apply; compressed files are shown in blue)

  3. Select Encrypt the file only

  4. The file color changes to green and its attributes change to AE as well

  5. Go to the properties>Advanced> Details

  6. Data Recovery Agent for the file as defined by policy