Windows 2008 Lab 6: IIS and Certificate Services

    Windows Server 2008 Lab 6

    Created 2/22/2012 by Donna P. Warren Page 1

    Introduction

    IIS is Microsoft's web server that has been tailored specifically to business users and provides many features that make it easy for a business to use ecommerce, provide interactive websites and host web browser based applications.

    In today's lab you will perform the following tasks:

    Task 1: Install IIS 7

    Task 2: Creating Web Content

    Task 3: Creating Virtual Directories

    Task 4: Configuring IP Address Restrictions

    Task 5: Install Active Directory Certificate Services

    Task 6: Using the Certification Authority Tool

    Task 7: Configuring a Certificate Template for Autoenrollment

    Task 8: Configuring a Group Policy for Autoenrollment

    Task 9: Configuring Credential Roaming

    Task 1: Install IIS 7

    1. Click Start -> All Programs -> Administrative Tools -> Server Manager, or click on the server manager icon on the task bar

    2. In the Server Manager window, scroll down to Roles Summary, and then click Add Roles. The Add Roles Wizard will start with a Before You Begin page. Click Next

    3. Check the web server (IIS) role. If any roles or features are missing, the screen below will appear

    4. Click on Add Required Features and then click Next

    5. An introductory page will open with links for further information; click Next

    6. Add the following role Services to the default ones:

    7. ASP.NET (Click on Add Required Features when the dialogue box appears)

    8. Make sure IIS Client Certificate Mapping Authentication is selected and read its description on the right side of the window. This selection enables you to use digital IDs for security.

    9. Click Next

    10. Check to make sure all of the features are installed and then click Install

    11. When the installation results page appears, IIS is installed; click Close to complete the process.

    12. Open Internet Explorer to confirm that the Web server works by typing http://localhost in the address bar. The following page should open

    Task 2: Creating Web Content

    1. Open Notepad and copy the following text (use your actual domain name and not mydomain.com)

    Welcome to my first web page

    www.mydomainname.com

    Note: use your actual domain name and not mydomainname.com

    2. Click File -> Save As. The Save As dialog box appears

    3. Click Browse Folders. The dialog box expands to display the contents of your Documents folder

    4. Create a new folder called www and press Enter

    5. In the Save As type drop-down list, select All Files

    6. In the File Name text box, type Default.htm, and click Save.

    7. Create another folder in your Documents folder called Sales

    8. Create a file inside it called Default.htm, containing the following text:

    Mydomainname Sales

    sales.mydomainname.com

    9. Close the Notepad window

    10. Click Start -> Administrative Tools -> DNS. Click Continue in the User Account Control message box

    11. Expand server name and the Forward Lookup Zones folder

    12. Right-click the mydomainname.com zone and, from the context menu, select New Alias (CNAME). The New Resource Record dialog box appears, as shown below

    13. In the Alias Name text box, type www

    14. In the Fully Qualified Domain Name (FQDN) For Target Host text box, type myservername.mydomainname.com, then click OK.

    15. Repeat the process to create another New Alias (CNAME) record, using the alias name sales and the target host name myservername.mydomainname.com

    16. Open a command prompt and do an nslookup on mydomainname.com, www.mydomainname.com and sales.mydomainname.com

    17. Press Ctrl+Prt Scr to take a screen shot of the DNS Manager console showing the two CNAME records you created. Press Ctrl+V to paste the image into your lab 6 word

    Task 3: Creating Virtual Directories

    1. Open Windows Explorer, and browse to the Documents\www folder you created earlier

    2. In the www folder, create a subfolder called Public

    3. In the Public folder, use Notepad to create a file called Default.htm that contains the following text:

    Mydomainname.

    www.mydomainname.com

    Public

    4. In Internet Explorer, type http://www.mydomainname.com/public in the address box, and press Enter. The Public page you created appears

    5. In the Internet Information Services (IIS) Manager window, right-click the www site you created earlier and, from the context menu, select Add Virtual Directory. The Add Virtual Directory dialog box appears, as shown

    6. In the Alias text box, type Links.

    7. In the Physical Path text box, type or browse to the C:\Users\you\Links folder

    8. Click Test Settings. The Test Connection dialog box appears

    9. Click Close. The Test Connection dialog box closes

    10. In the Add Virtual Directory text box, click Connect As. The Connect As dialog box appears

    11. In the IIS manager, select the Specific User option, and click Set. The Set Credentials dialog box appears

    12. In the User Name text box, type mydomainname\you

    13. In the Password and Confirm Password text boxes, type Password1. Then click OK.

    14. Click OK to close the Connect As dialog box.

    15. Click Test Settings again.

    16. In Internet Explorer, type the URL for the Links virtual directory, and press Enter

    17. In the Internet Information Services (IIS) Manager window, select the www site. The www Home Web page appears.

    18. Double-click the Directory Browsing icon, and enable directory browsing

    19. Switch to Internet Explorer, and click the Refresh button

    20. In the Internet Information Services (IIS) Manager window, with the www site selected, click the Content View tab

    21. Press Ctrl+Prt Scr to take a screen shot of the Internet Information Services (IIS) Manager window. Press Ctrl+V to paste the image into your lab 6 word

    Task 4: Configuring IP Address Restrictions

    1. Open Server Manager, and select the Roles node in the scope (left) pane.

    2. In the detail (right) pane in the Web Server (IIS) section, click Add Role Services. The Add Role Services wizard appears, displaying the Select Role Services page.

    3. Select the Security > IP and Domain Restrictions checkbox, and click Next. The Confirm Installation Selections page appears.

    4. Click Install. The wizard installs the role service, and the Installation Results page appears.

    5. Click Close.

    6. Open Internet Explorer. In the address box, type http://127.0.0.1, and press Enter.

    7. On your partner server, open Internet Explorer, and try to connect to the following URL: http://www.mydomainname.com

    8. On Server1 open the Internet Information Services (IIS) Manager window, and expand the servername (whatever you named your server) and Sites nodes.

    9. Select Default Web Site. The Default Web Site home page appears.

    10. Double-click the IPv4 Address and Domain Restrictions icon. The screen below appears

    11. In the actions pane, click Edit Feature Settings. The Edit IP And Domain Restrictions Settings dialog box appears.

    12. From the Access For Unspecified Clients drop-down list, select Deny, and click OK.

    13. Switch to Internet Explorer, and click the Refresh button.

    14. On your second server, in Internet Explorer, try again to connect to your web site

    15. In the Internet Information Services (IIS) Manager window, in the actions pane, click Add Allow Entry. The Add Allow Restriction Rule dialog box appears, as shown

    16. Leave the Specific IPv4 Address option selected. In the text box, type 127.0.0.1, and click OK. The new rule you created appears in the IPv4 Address And Domain Restrictions list.

    17. Switch to Internet Explorer, and click the Refresh button

    18. On your partner server, switch to Internet Explorer, and try again to connect to the http://server.mydomainname.com URL

    19. On your second server, click Start. Then click All Programs > Accessories > Command Prompt. A command-prompt window appears

    20. In the command-prompt window, type ipconfig, and press Enter

    21. Back on your own server, create a new Allow entry for your second server's IP address

    22. Retest your access to the Web site from your server and your second server, just as you did in steps 17 to 18.

    23. In the Internet Information Services (IIS) Manager window, in the actions pane, click Add Allow Entry. The Add Allow Restriction Rule dialog box appears

    24. Select the IPv4 Address Range option and, in the text box, type 10.10.10.0.

    25. In the Mask text box, type 255.255.255.0, and click OK. The new rule you created appears in the IPv4 Address And Domain Restrictions list.

    26. Press Ctrl+Prt Scr to take a screen shot of the Internet Information Services (IIS) Manager window showing the three rules you created. Press Ctrl+V to paste the image in your lab 6 word file

    27. Click Edit Feature Settings again, and select Allow from the Access For Unspecified Clients drop-down list. Then, click OK

    28. Log off
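
The allow list built in steps 12 to 25, scripted with appcmd.exe so it can be reapplied and reviewed (an added example, not part of the original lab). It assumes an elevated PowerShell prompt on the web server; the partner address is a placeholder for the value ipconfig reports in step 20.

```powershell
# Added example: Task 4's IP restrictions applied with appcmd.exe,
# the command-line tool installed with IIS 7.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'
$section = '-section:system.webServer/security/ipSecurity'

# PLACEHOLDER (constructed value): replace with the partner server's
# IPv4 address as shown by ipconfig in step 20.
$partnerIp = '10.10.10.20'

# Step 12: clients with no matching entry are denied.
& $appcmd set config $site $section '/allowUnlisted:false' '/commit:apphost'

# Steps 16, 21 and 24-25: the three Allow entries.
# Running this twice fails on the second pass because the entries already exist.
$entries = @(
    "[ipAddress='127.0.0.1',allowed='True']",
    "[ipAddress='$partnerIp',allowed='True']",
    "[ipAddress='10.10.10.0',subnetMask='255.255.255.0',allowed='True']"
)
foreach ($entry in $entries) {
    & $appcmd set config $site $section "/+$entry" '/commit:apphost'
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "appcmd could not add $entry"
    }
}

# Print the resulting <ipSecurity> element so the effective rules
# (allowUnlisted plus the entries) can be checked in one place.
& $appcmd list config $site $section
```

Step 27 sets Access For Unspecified Clients back to Allow; with only Allow entries in the list, that leaves the site open to every client, so the listing above is the quickest way to confirm which state a server is actually in.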

    Task 5: Install Active Directory Certificate Services

    Certificate Services enable an organization to use PKI with digital certificates to establish proof of identity of network users. In this activity, you use Server Manager to install a root CA. Active Directory should already be installed in Windows Server 2008 before you begin.

    1. Click Start, Administrative Tools, and click Server Manager

    2. Find the Roles Summary section and click Add Roles

    3. If you see the Before You Begin page, click Next

    4. Click Active Directory Certificate Services. Click Next

    5. In the Introduction to Active Directory Certificates Services window, click Next

    6. Ensure the box is checked for Certification Authority

    7. Click Next in the Select Role Services window

    8. Make certain that Enterprise is selected in the Specify Setup Type window

    9. Ensure that Root CA is selected on the Specify CA Type window

    10. Click Next.

    11. Select Create a new private key, if it is not already selected in the Set Up Private Key window.

    12. Click Next

    13. Use the default cryptographic service hash in the Configure Cryptography for CA screen and

    14. click Next

    15. In the Configure CA Name window, use the automatically generated name and suffix to identify the CA. The CA's name cannot be more than 64 characters in length.

    16. Click Next

    17. In the Set Validity Period window, use the default of 5 years and click Next

    18. Use the default certificate database location as presented in the Configure Certificate Database screen

    19. Click Next on the Configure Certificate Database screen

    20. Review the Active Directory Certificate Services information you have configured

    21. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the image into your lab 6 word

    22. Click Install (Notice the warning that the name and domain settings of the computer cannot be changed after the CA is installed)

    23. The installation may take a few minutes to complete.

    24. Click Close.

    25. Close Server Manager

    Task 6: Using the Certification Authority Tool

    Most services management tasks are performed using the Certification Authority tool or MMC snap-in. In this activity you launch the tool and survey its capabilities.

    1. Click Start, point to Administrative Tools, and click Certification Authority.

    2. Click the CA server name in the tree in the left pane

    3. In the tree in the left pane, right-click the name of the root CA you created

    4. Point to All Tasks. Notice the options on the menu, including options to Stop Service, Back up CA, Restore CA, and Renew CA Certificate

    5. Click the pointer in an open area to close the menus

    6. Right-click the root CA in the tree and click Properties

    7. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the image into your lab 6 word

    8. Click the Security tab in the Properties dialog box

    9. Click each group in the Group or user names box and view the permissions given to that group by default

    10. Click the Certificate Managers tab

    11. Click Restrict certificate managers

    12. Click each of the remaining tabs to see the parameters that can be set

    13. Click OK in the Properties dialog box

    14. Close the Certification Authority tool

    Task 7: Configuring a Certificate Template for Autoenrollment

    Autoenrollment is an important feature that saves time for users and CA administrators.

    1. Click Start, click Run, enter mmc in the Run box, and click OK

    2. Click File and click Add/Remove Snap-in

    3. Click Certificate Templates in the Available snap-ins window and click the Add button.

    4. Click OK in the Add or Remove Snap-ins window

    5. Click Certificate Templates in the tree in the left pane

    6. Scroll through the middle pane to view the existing certificate templates

    7. In the middle pane, right-click Workstation Authentication and click Properties.

    8. Click the Security tab

    9. On the Security tab you can select the group for which to enable autoenrollment. If the group you want to configure is not displayed by default, you can use the Add button to add that group. Ensure that Authenticated Users is selected

    10. Click the Allow box for Autoenroll

    11. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the image into your lab 6 word

    12. Click OK in the Workstation Authentication Properties dialog box

    13. Close the MMC console for Certificate Templates and click No to not save the settings for Console1

    Task 8: Configuring a Group Policy for Autoenrollment

    Description: Even though you have configured autoenrollment in a certificate template, it must still be authorized in Windows Server 2008 Active Directory and by Active Directory on users who log into the network. This is accomplished by creating an autoenrollment group policy.

    1. Click Start, click Run, enter mmc in the Run box, and click OK

    2. Click File and click Add/Remove Snap-in

    3. Click Group Policy Management Editor in the Available snap-ins window and click the Add button

    4. In the Select Group Policy Object dialog box, click Browse

    5. Double-click Default Domain Policy in the Browse for Group Policy Object dialog box

    6. Click Finish in the Select Group Policy Object window

    7. Click OK in the Add or Remove Snap-ins window

    8. Maximize the windows, if necessary

    9. In the left-pane tree, click Default Domain Policy [server and domain name].

    10. In the left pane, expand User Configuration, if necessary

    11. In the left pane, expand Policies, if necessary

    12. In the left pane, expand Windows Settings

    13. In the left pane, expand Security Settings

    14. In the left pane, double-click Public Key Policies

    15. In the middle pane, double-click Certificate Services Client - Auto-Enrollment

    16. In the Certificate Services Client - Auto-Enrollment Properties dialog box, click the down arrow for Configuration Model and select Enabled

    17. In the Certificate Services Client - Auto-Enrollment Properties dialog box, check the boxes for Renew expired certificates, update pending certificates, and remove revoked certificates and for Update certificates that use certificate templates if these boxes are not already checked

    18. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the image into your lab 6 word

    19. Click OK in the Certificate Services Client - Auto-Enrollment Properties dialog box

    20. Leave the Default Domain Policy console open

    Task 9: Configuring Credential Roaming

    Active Directory security works with client computers through the use of group policies. In this activity, you learn how to enable CA client synchronization through credential roaming.

    1. Open the Group Policy Management Editor snap-in to the Default Domain Policy

    2. Ensure that the following are expanded in the tree in the left pane:

    a. Default Domain Policy [server and domain name]

    b. User Configuration

    c. Policies

    d. Windows Settings

    e. Security Settings

    3. Double-click Public Key Policies

    4. In the middle pane, double-click Certificate Services Client - Credential Roaming

    5. In the Certificate Services Client - Credential Roaming dialog box, click Enabled to enable credential roaming. Leave the default settings for the remaining parameters

    6. Press Ctrl+Prt Scr to take a screen shot of the window and press Ctrl+V to paste the image into your lab 6 word

    7. Click OK in the Certificate Services Client - Credential Roaming dialog box

    8. Click OK in the Changing RUP Exclusion List information box

    9. Close the Default Domain Policy console

    10. Click No when asked whether to save changes to the console