Advanced Internet
Information Services 7.5/8/8.5
Lab Instructions
Version 1.3
Document created: 7th of December 2016
This is authored content; please respect intellectual property!
Author: CQURE
http://cqure.us
Contents
Welcome to IIS training!
CQURE Academy
Note Pages (Page 1)
Note Pages (Page 2)
Lab 1: Installing IIS 10 with the Default Settings
Lab 2: Installing IIS Using DISM Installation
Lab 3: IIS Basic configuration steps
Lab 4: Websites and Application Pools
Lab 5: Creating Web Application
Lab 6: Working with Application Pools
Lab 7: Configuring Application Settings
Lab 8: Running both ASP.NET 3.5 and ASP.NET 4.5 Applications
Lab 9: Configuring ASP.NET Settings for development
Lab 10: Configuring Multiple Applications
Lab 11: ASP.NET Security
Lab 12: Tracing and Logging for ASP.NET
Lab 13: Request Filtering
Lab 14: IIS Modules
Lab 15: Configuring Managed Modules
Lab 16: Securing the IIS Web Server and Web Sites
Lab 17: CPU Throttling: Sand-boxing Sites and Applications
Lab 18: Central certificate store
Lab 19: Configuring FTP Protection
Lab 20: Authorization, Authentication and Access
Lab 21: IIS Hardening
Lab 22: IIS under attack
Lab 23: Logging
Lab 24: Delegation and Remote Administration
Lab 25: Configuring Delegated Administration
Lab 26: Configuring Feature Delegation
Lab 27: Automating webserver management
Lab 28: Command-line and Scripting for IIS
Lab 29: Manage IIS tasks using WMI and AppCmd
Lab 30: Tuning IIS
Lab 31: Web Farms
Lab 32: Shared Configuration
Lab 33: Web Deploy
Lab 34: Configuring Network Load Balancing
Lab 35: Troubleshooting IIS
Lab 36: Troubleshooting Authorization
Lab 37: Troubleshooting Communication
Lab 38: Troubleshooting Configuration
Lab 39: Application Initialization (Optional)
Lab 40: Url Rewrite and Application Initialization (Optional)
Lab 41: IIS Backup – Web Deploy
Lab 42: JavaScript Profiling (Optional)
Lab 43: Network traffic monitoring (Optional)
Lab 44: IIS on Nano Server (Optional)
Lab 45: IIS and HTTP2 (Optional)
Lab 46: IIS WildCard HostHeader support (Optional)
Lab 47: OneToOne certificate mapping (Optional)
CQURE Academy says thank you!
Welcome to IIS training!
Before you start the exercises, take a look at how the classroom environment is laid out. In this course you will use a cloud service to perform the labs, connecting to the server over RDP. Your instructor will provide the username and password for the environment. The virtual machines run on Hyper-V; your instructor will explain how to start, shut down, save and snapshot them. Read the lab instructions carefully, as some labs require you to return to a starting point, and follow them in order so that labs do not interfere with each other. Each virtual machine is a member of the domain cqure.tec and has Windows Server 2012 installed. Throughout the training we will use web applications hosted for the company Raccoons.
When you first use a machine you may be asked to configure its IP addresses. To make this simple task as fast as possible we have prepared scripts that you can run on each machine.
The following table shows the role of each virtual machine used in this course:

Virtual Machine Name   Hostname   Role
IIS8_DC                DC         Domain Controller
IIS8_WEBA              WEBA       Primary Web Server
IIS8_WEBB              WEBB       Primary Web Server
IIS8_NODE1             NODE1      Used for IIS installation – Regular
IIS8_NODE2             NODE2      Used for IIS installation – Core
IIS8_NODE3             NODE3      Used for IIS installation – Unattended
IIS8_NODE4             NODE4      Primary Web Server
IIS8_NODE5             NODE5      Primary Web Server
IIS8_WEB2              WEB2       Secondary Web Server
Please note that:
1. All necessary files are on the ISO image delivered with the course.
2. It may be necessary to configure IP addresses for each VM; mount ipaddress.iso, run the appropriate script from it, and verify the configuration.
3. Some exercises require you to change firewall rules, so be prepared for that.
4. To set your keyboard layout, run the following in PowerShell:
Set-WinUserLanguageList -LanguageList (New-WinUserLanguageList en-US) -Force
5. You may not see the correct error pages if the browser option "Show friendly HTTP error messages" is enabled.
6. Before you begin the labs, create snapshots/checkpoints of every VM in the course!
…enjoy!
CQURE Academy
Please note that this training is part of CQURE Academy and that you are eligible to receive the Certified Security Professional certificate.
Do not forget to check our website, http://cqure.pl, for new and existing training and consultancy offers. You will also find useful tools there.
See the next two pages for an enlarged view:
Note Pages (Page 1)
Note Pages (Page 2)
Lab 1: Installing IIS 10 with the Default Settings
Machines used in this lab: NODE1. Check that a VM checkpoint (snapshot) exists before the installation!
To install IIS 10 on NODE1, use the following steps:
1. Log on as Administrator with the password P@ssw0rd.
2. Open Server Manager.
3. Under Manage menu, select Add Roles and Features:
4. Select Role-based or Feature-based Installation:
5. Select the appropriate server (local is selected by default), as shown below:
6. Select Web Server (IIS):
7. Add Management Tools Feature
8. No additional features need to be selected for IIS (.NET Framework 3.5 is added automatically in the next step). Click Next:
9. Click Next:
10. Customize your installation of IIS, or accept the default settings that have already been selected for you. Make sure that under the Application Development section ASP, ASP.NET 3.5, ASP.NET 4.6, .NET Extensibility 3.5, .NET Extensibility 4.6, ISAPI Extensions and ISAPI Filters are checked, and then click Next.
11. Click Specify an alternate source path:
12. In the VM properties (Media > DVD), mount the Windows Server 2016 ISO (ask the trainer for the location of the ISO file). In the Specify Alternate Source Path window, type the path D:\Sources\sxs, click OK and then Install.
13. When the IIS installation completes, the wizard reflects the installation status:
14. Click Close to exit the wizard.
15. Open a web browser (Internet Explorer or Edge) and browse to http://localhost.
If you see the error "This app can't open ... can't be opened using the Built-in Administrator account. Sign in with a different account and try again.", press Win+R, type gpedit.msc and click OK. Then enable the policy Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > User Account Control: Admin Approval Mode for the Built-in Administrator account. Restart the computer, open the web browser again and browse to http://localhost.
16. Notice that the IIS Welcome page loads, indicating that IIS is successfully installed and running.
17. After this exercise you should have verified that the IIS Welcome page opens.
18. Create a checkpoint of the current state: in the VM window select Action > Checkpoint and name it "Node1WithIIS".
Lab 2: Installing IIS Using DISM Installation
Machines used in this Lab: DC, NODE3
Start the NODE3 virtual machine and log on as Administrator with the password of
P@ssw0rd.
Turn on Network Discovery
1. On NODE3, open network settings.
2. Click the information bar with the text Network discovery and file sharing are turned
off. Network computers and devices are not visible. Click to change....
3. Click Turn on network discovery and file sharing.
4. Click Yes, turn on network discovery and file sharing for all public networks.
5. Close Network.
Install IIS using DISM and verify once completed
1. Open PowerShell as Administrator.
DISM.EXE /enable-feature /online /featureName:IIS-WebServerRole /featureName:IIS-WebServer
2. Wait for the feature installation.
3. Notice that Web Server (IIS) is installed. Open Internet Explorer.
4. Browse to http://localhost, notice that the IIS Welcome page appears.
5. Alternatively, run the following to install IIS with its full set of role services (the backticks continue the command across lines in PowerShell). Two things to know before you do: IIS-ASPNET and IIS-NetFxExtensibility are the .NET 3.5 variants and depend on NetFx3, whose payload is not on the local disk by default, so add /Source:D:\sources\sxs pointing at the mounted Windows Server ISO if that part fails; and this list also enables WebDAV, FTP, directory browsing and ODBC logging, which you would not turn on in production without a specific need:
DISM.EXE /enable-feature /online `
  /featureName:IIS-WebServerRole /featureName:IIS-WebServer `
  /featureName:IIS-CommonHttpFeatures /featureName:IIS-StaticContent `
  /featureName:IIS-DefaultDocument /featureName:IIS-DirectoryBrowsing /featureName:IIS-HttpErrors `
  /featureName:IIS-ApplicationDevelopment /featureName:IIS-ASPNET `
  /featureName:IIS-NetFxExtensibility /featureName:IIS-ASPNET45 /featureName:IIS-NetFxExtensibility45 `
  /featureName:IIS-ISAPIExtensions /featureName:IIS-ISAPIFilter `
  /featureName:IIS-ServerSideIncludes /featureName:IIS-HealthAndDiagnostics /featureName:IIS-HttpLogging `
  /featureName:IIS-LoggingLibraries /featureName:IIS-RequestMonitor /featureName:IIS-HttpTracing `
  /featureName:IIS-CustomLogging /featureName:IIS-ODBCLogging /featureName:IIS-Security `
  /featureName:IIS-BasicAuthentication /featureName:IIS-WindowsAuthentication `
  /featureName:IIS-DigestAuthentication /featureName:IIS-ClientCertificateMappingAuthentication `
  /featureName:IIS-IISCertificateMappingAuthentication /featureName:IIS-URLAuthorization `
  /featureName:IIS-RequestFiltering /featureName:IIS-IPSecurity /featureName:IIS-Performance `
  /featureName:IIS-HttpCompressionStatic /featureName:IIS-HttpCompressionDynamic /featureName:IIS-WebDAV `
  /featureName:IIS-WebServerManagementTools /featureName:IIS-ManagementScriptingTools `
  /featureName:IIS-ManagementService /featureName:IIS-FTPServer /featureName:IIS-FTPSvc `
  /featureName:IIS-FTPExtensibility /featureName:NetFx4Extended-ASPNET45 `
  /featureName:IIS-ApplicationInit /featureName:IIS-WebSockets /featureName:IIS-CertProvider `
  /featureName:IIS-ManagementConsole
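After a DISM run like the one above, it is worth confirming what actually got enabled rather than trusting the command line. The following PowerShell is an added example and is not part of the CQURE lab files: it compares the enabled IIS-* optional features against an allow-list (the list itself is an illustrative assumption; adjust it to the server's role), flags the ones that widen the attack surface, and checks that the server answers. Run it in an elevated PowerShell on the node.

```powershell
# Added example (not from the lab files). Assumed allow-list for a plain
# static/ASP.NET web node; change it to match what the server is meant to do.
$allowed = @(
    'IIS-WebServerRole', 'IIS-WebServer', 'IIS-CommonHttpFeatures',
    'IIS-StaticContent', 'IIS-DefaultDocument', 'IIS-HttpErrors',
    'IIS-Security', 'IIS-RequestFiltering', 'IIS-HttpLogging',
    'IIS-ManagementConsole'
)

# Features that an "install everything" command drags in and that add
# listeners or behaviours you rarely want: WebDAV, FTP, directory listings,
# server-side includes, legacy ODBC logging.
$risky = @('IIS-WebDAV', 'IIS-FTPServer', 'IIS-FTPSvc', 'IIS-FTPExtensibility',
           'IIS-DirectoryBrowsing', 'IIS-ODBCLogging', 'IIS-ServerSideIncludes')

# Enumerate every optional feature and keep the enabled IIS ones.
$enabled = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'IIS-*' -and $_.State -eq 'Enabled' } |
    Select-Object -ExpandProperty FeatureName

$extra     = $enabled | Where-Object { $_ -notin $allowed }
$riskyHits = $enabled | Where-Object { $_ -in $risky }

"Enabled IIS features : {0}" -f @($enabled).Count
"Outside allow-list   : {0}" -f ($extra -join ', ')
"Risky and enabled    : {0}" -f ($riskyHits -join ', ')

# To remove a feature you did not mean to ship, e.g. WebDAV:
# Disable-WindowsOptionalFeature -Online -FeatureName IIS-WebDAV -NoRestart

# Finally confirm the site responds and see which Server header it exposes.
$resp = Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing
"HTTP {0}, Server: {1}" -f $resp.StatusCode, $resp.Headers['Server']
```

The same audit is useful after Lab 1's wizard installation: the GUI preselects more role services than the DISM two-feature command, and the delta between the two nodes is exactly what this script prints.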
Lab 3: IIS Basic configuration steps
Machines used in this Lab: DC, NODE1, NODE2, NODE3
Configure NODE1 for ASP debugging, detailed error messages, and HTTP compression
1. On NODE1, open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NODE1 > Sites, and then click Default Web Site.
3. In the details pane, double-click ASP.
4. In the Compilation section, expand Debugging Properties.
5. In the Enable Client-side Debugging list, click True.
6. In the Enable Server-side Debugging list, click True.
7. In the Send Errors to Browser list, click True.
8. In the Actions pane, click Apply.
9. In the Connections pane under NODE1 > Sites, click Default Web Site.
10. In the details pane, double-click HTTP Response Headers.
11. In the Actions pane on the right, click Set Common Headers.
12. The Set Common HTTP Response Headers dialog box appears. Select Expire Web
content, and then click OK.
13. In the Connections pane under NODE1 > Sites, click Default Web Site.
14. In the details pane, double-click Compression.
15. Notice that Enable static content compression is checked.
16. In the Connections pane under NODE1 > Sites, click Default Web Site.
17. In the Details pane, double-click Error Pages.
18. In the Actions pane on the right, click Edit Feature Settings
19. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK. Detailed errors sent to remote clients reveal physical paths, module names and stack traces; this is a lab/development setting, not one for a production server.
20. On NODE3, in the Internet Explorer, browse to http://NODE1/default.asp.
21. Notice that you get a detailed HTTP Error 404 page, indicating that the NODE1 web
server has been configured properly.
Configure NODE3 to:
trace server errors
enable directory browsing
enable windows authentication and impersonation
enable dynamic output compression and SMTP
1. On NODE3 in Server Manager, make sure Tracing, Windows Authentication,
Directory Browsing and ASP.NET 4.6 role features are checked:
2. Proceed with the installation of the selected options. Next open Internet
Information Services (IIS) Manager.
3. In the Connections pane, expand NODE3 | Sites, and then click Default Web Site.
4. In the Actions pane on the right, under the Manage Website section, click Failed Request Tracing Rules.
5. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select
Enable, and then click OK.
6. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.
7. In the Actions pane, click Add.
8. The Add Failed Request Tracing Rule dialog box appears. Click Next.
9. In the Status code(s) field, type 500.
10. Select Trace Providers, and then in the Provider Properties list under Verbosity for
ASP, select Critical Error and repeat the same for ASPNET,ISAPI,WWW.
11. Click Next and then click Finish.
12. In the Connections pane, click Node3>Sites>Default Web Site.
13. In the details pane, in the IIS section, double-click Directory Browsing.
14. In the Actions pane, click Enable.
15. In the Connections pane, click Default Web Site.
16. In the Details pane, in the IIS section, double-click Authentication.
17. In the Details pane, click Windows Authentication.
18. In the Actions pane, click Enable.
19. In the same window, click ASP.NET Impersonation.
20. In the Actions pane, click Enable.
21. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
22. In the Details pane, in the IIS section, double-click Output Caching.
23. In the Actions pane, click Add.
24. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.
25. Select User-mode caching and then click OK.
26. In the Connections pane, click Default Web Site.
27. In the Details pane, in the ASP.NET section, double-click SMTP E-mail.
28. In the E-mail address field, type [email protected].
29. In SMTP Server field, type SMTP.CQURE.TEC.
30. In the Actions pane, click Apply.
31. Browse to http://localhost/aspnet_client.
32. Notice that there is a detailed HTTP Error 500.24. This error means an ASP.NET setting that does not apply in Integrated managed pipeline mode was detected; the ASP.NET impersonation you enabled above is exactly such a setting.
33. Under Detailed Error Information, right-click C:\inetpub\logs\FailedReqLogFiles and then click Copy.
34. Open Run. Right-click the Open field and then click Paste.
35. Click OK.
36. Double-click W3SVC1.
37. Notice that there is a failed request log for the server error: fr00001.xml.
Configure NODE2 to have no default documents, and redirect requests to NODE1
1. On NODE2, in the Windows PowerShell window, type the following and press Enter:
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-WebServer, Web-Security, Web-Filtering, Web-Mgmt-Tools, Web-Mgmt-Console, Web-ASP, Web-Http-Redirect
2. In the same window, type cd \windows\system32\inetsrv\config and press Enter.
3. Open the applicationHost.config file with Notepad. Take a copy of the file first: a typo in it takes the whole server down.
4. Scroll down to <defaultDocument enabled="true"> (approximately line 169) and change "true" to "false".
5. Scroll down to <httpRedirect enabled="false" /> (approximately line 246) and modify this line to read:
<httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://192.168.127.101/" />
6. On the File menu, click Save.
7. On the File menu, click Exit.
8. On NODE3, in Internet Explorer, browse to http://NODE2, or use the IP address of the NODE2 server (e.g. http://192.168.127.106).
9. Notice that the IIS Welcome page loads and the address field has changed to http://192.168.127.101.
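Hand-editing applicationHost.config by line number is fragile. The following PowerShell is an added example, not part of the lab files, that makes the same NODE2 change through the WebAdministration module: it backs the configuration up with appcmd, disables default documents, enables the redirect with the lab's values, and then verifies the redirect without following it. The destination is the lab's NODE1 address (192.168.127.101); change it if your environment differs. Run it in an elevated PowerShell on NODE2.

```powershell
# Added example (not from the lab files). Same change as the Notepad steps,
# done through the IIS configuration API so it is validated and reversible.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'   # the server-level applicationHost.config
$target  = 'http://192.168.127.101/'   # NODE1 in the lab network

# 1. Configuration backup (lands in %windir%\system32\inetsrv\backup\<name>).
$backupName = 'BeforeRedirect-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
& "$env:windir\system32\inetsrv\appcmd.exe" add backup $backupName | Out-Null

# 2. No default documents: "/" is no longer served from local content.
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/defaultDocument' `
    -Name 'enabled' -Value $false

# 3. Redirect every request to NODE1 with the same attributes the lab puts in the XML.
$redir = 'system.webServer/httpRedirect'
Set-WebConfigurationProperty -PSPath $appHost -Filter $redir -Name 'enabled'          -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Filter $redir -Name 'exactDestination' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Filter $redir -Name 'childOnly'        -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Filter $redir -Name 'destination'      -Value $target

# 4. Verify: a raw HttpWebRequest with AllowAutoRedirect off hands back the
#    3xx response itself instead of chasing it, so we can read the Location header.
$req = [System.Net.HttpWebRequest]::Create('http://localhost/')
$req.AllowAutoRedirect = $false
$res = $req.GetResponse()
"{0} {1} -> Location: {2}" -f [int]$res.StatusCode, $res.StatusDescription, $res.Headers['Location']
$res.Close()

# To undo: appcmd restore backup <name>, or set httpRedirect enabled back to $false.
```

httpRedirect answers with 302 Found unless its httpResponseStatus attribute is set to Permanent (301), so anything that caches redirects will keep re-asking NODE2; decide which status you want before pointing production clients at it.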
When you finish the lab, revert the virtual machines to their initial state. To do this, from
NODE3 Virtual Machine window click “Action” in Menu and choose “Revert”.
Lab 4: Websites and Application Pools
Machines used in this Lab: DC, WEBA
1. Start the DC virtual machine.
2. Start the WEBA virtual machine and log on as CQURE\Administrator.
Add Basic, Windows Integrated and Digest Security features to the IIS Role
1. On WEBA, in Server Manager, click Add Roles and Features, and under Server Roles check whether Web Server (IIS) is installed; if not, add the IIS role.
2. In the same window under Security, select Basic Authentication, Windows
Authentication, and Digest Authentication.
3. Click Next and then click Install.
4. When the installation is complete, verify the details pane, in the summary section,
notice that IIS and Basic Authentication, Windows Authentication, and Digest
Authentication are listed as Installed.
Create a virtual directory
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand WEBA | Sites and then click Default Web Site.
3. In the Actions pane, click View Virtual Directories.
4. Click Add Virtual Directory.
5. The Add Virtual Directory dialog box appears. In the Alias field, type Public.
6. Next to the Physical path field, click the Browse (...)button.
7. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make
New Folder.
8. Type Public, and then click OK.
9. Click OK.
10. Open Computer and then browse to C:\inetpub\wwwroot.
11. Select all, then right-click and then click Copy.
12. Browse to C:\inetpub\public, right-click, and then click Paste.
Configure the public virtual directory for anonymous authentication
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand
Default Web Site and then click Public.
2. In the Details pane, double-click Authentication.
3. Click Anonymous Authentication. Make sure that it is enabled; if not, click Enable in the Actions pane.
4. In the Actions pane, click Edit.
5. The Edit Anonymous Authentication Credentials dialog appears. Notice that
Specific user is selected and set to IUSR.
6. Click Cancel.
7. Open the Local Users and Groups MMC (lusrmgr.msc) and then click Users.
8. In the details pane, right-click Guest, and then click Properties.
9. The Guest Properties dialog box appears. Clear Account is disabled, and then click OK. Enabling the built-in Guest account and granting it local logon, as the next steps do, is done here only to demonstrate anonymous access; revert it after the exercise and never leave it in place on a real server.
10. Open Local Security Policy (for example, run secpol.msc).
11. The Local Security Policy window opens. In the console pane, expand Local Policies and then click User Rights Assignment.
12. In the details pane, right-click Allow log on locally, and then click Properties.
13. The Allow log on locally Properties dialog appears. Click Add User or Group.
14. The Select Users, Computers, or Groups dialog box appears. Click Locations.
15. The Locations dialog box appears. Click WEBA, and then click OK.
16. In the Enter the object names to select field, type Guest, and then click OK twice.
17. Close Local Security Policy.
18. From the Start menu, click Switch User.
19. Log on as WEBA\Guest with no password.
20. Open Internet Explorer.
21. Browse to http://localhost. Note that the default site has been set to the Public virtual directory, so there is no need to use http://localhost/Public.
22. Notice that the IIS Welcome page loads.
23. Switch User again.
24. Log on as CQURE\Administrator with the password P@ssw0rd.
Lab 5: Creating Web Application
Machines used in this Lab: DC, WEBA
1. Start the DC virtual machine.
2. Start the WEBA virtual machine and log on as CQURE\Administrator.
Create a site named Raccoons
1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections
pane, click Sites.
2. In the Actions pane, click Add Web Site.
3. The Add Web Site dialog box appears. In the Site name field, type Raccoons.
4. In Physical path, click the Browse (...) button.
5. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click
Make New Folder.
6. Type Raccoons, and then click OK.
7. In the Port field, type 88, and then click OK.
Copy the Raccoons Application to the Appropriate Directory
1. In the properties of WEBA VM select Media choose DVD and mount
ISO_IIS8_Labfiles.iso
2. In Windows Explorer, browse to DVD Drive>AllFiles>Step2>Raccoons.
3. Select all, then right-click, and then click Copy.
4. Browse to C:\inetpub\Raccoons, right-click, and then click Paste.
Add the .NET 3.5 Feature and ASP.NET to the server (it may have been added for you)
1. In Server Manager, in the console pane, go to Server Roles and under Web Server
IIS>Web Server>Application Development select ASP and add features.
2. Then in the Features add .NET Framework 3.5 Features.
3. Click Next twice.
4. Click Next until the confirmation summary appears, then click Specify an alternate source path, type D:\sources\sxs (the mounted Windows Server 2016 ISO), click OK and then Install.
5. When the installation is complete, click Close.
Delegate administrative access
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Sites and then click Raccoons.
2. In the Actions pane, click Edit Permissions.
3. The Raccoons Properties dialog box appears. Click the Security tab.
4. Click Edit.
5. The Permissions for Raccoons dialog box appears. Click Add.
6. The Select Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type ITAdminsGG, and then click Check Names.
7. Click OK.
8. Next to Full control, select Allow and then click OK twice. Full control also lets the group change the ACL itself; on a production site, Modify is usually the most you would delegate to content administrators.
In order to proceed to the next lab, do not revert the machines.
Lab 6: Working with Application Pools
Machines used in this Lab: DC, WEBA, NODE1
Create an application pool named TempPool
1. On WEBA, in Internet Information Services (IIS) Manager, expand WEBA and then
click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. The Add Application Pool dialog box appears. In the Name field, type TempPool.
4. Click OK.
5. In the details pane, notice that TempPool appears in the list of application pools.
Rename Raccoons to RaccoonsPool
1. On WEBA, in Internet Information Services (IIS) Manager, expand Sites and then
click Raccoons.
2. In the Actions pane, click Basic Settings.
3. The Edit Site dialog box appears. Click Select.
4. The Select Application Pool dialog box appears. In the Application pool list, click
TempPool, and then click OK twice.
5. In the Connections pane, click Application Pools.
6. In the Details pane, click Raccoons.
7. In the Actions pane, click Rename.
8. Type RaccoonsPool, and then press Enter.
9. In the Connections pane, under WEBA>Sites click Raccoons.
10. In the Actions pane, click Basic Settings.
11. The Edit Site dialog box appears. Click Select.
12. The Select Application Pool dialog box appears. In the Application pool list, click
RaccoonsPool, and then click OK twice.
Configure Windows Integrated authentication
1. In the Connections pane, expand Sites and then click Raccoons.
2. In the Details pane, double-click Authentication.
3. Click Windows Authentication. In the Actions pane, click Enable.
4. In the Details pane, click Anonymous Authentication.
5. In the Actions pane, click Disable.
6. Start NODE1.
7. Log on to NODE1 as the local Administrator with the password P@ssw0rd. Note that this is a local account, not a domain one.
8. Open Internet Explorer.
9. Browse to http://WEBA.CQURE.TEC.
10. The IIS Welcome page appears, indicating that the anonymous public site configured earlier works.
11. Browse to http://WEBA.CQURE.TEC:88.
12. Notice that there is an error message and the page will not load: Windows authentication has failed for this user/machine.
13. Question: Why does Windows authentication fail?
14. Answer: Because the account you used is a local account on NODE1, not a domain account, so WEBA cannot authenticate it.
15. On WEBA, open Internet Explorer and browse to http://localhost:88.
16. If you have problems reaching port 88 from NODE1, you may temporarily disable the firewall on the web server hosting the site. We all know that this is bad practice, right? The better option is an inbound firewall rule that allows TCP port 88 only.
17. Notice that the Raccoons Bank page appears. Windows authentication is successful.
Configure TempPool to use LocalSystem as worker process identity
Note: LocalSystem is the most privileged account on the machine; a worker process running as LocalSystem turns any code-execution flaw in the site into full control of the server. The default, ApplicationPoolIdentity, is a per-pool virtual account and is what you should keep outside this exercise.
1. On WEBA in Internet Information Services (IIS) Manager, in the Connections
pane, click Application Pools.
2. In the Details pane, click TempPool.
3. In the Actions pane, click Advanced Settings.
4. The Advanced Settings dialog box appears. Under the Process Model section, click
Identity.
5. Next to Identity, click the Browse (...) button.
6. The Application Pool Identity dialog box appears. In the Built-in account list, click
LocalSystem.
7. Click OK twice.
Stop, start and recycle RaccoonsPool
1. In the Connections pane, click Application Pools.
2. In the Details pane, click RaccoonsPool.
3. In the Actions pane, click Stop.
4. In the Details pane, notice that the status of RaccoonsPool changes to Stopped.
5. In the Actions pane, click Start.
6. In the Details pane, notice that the status of RaccoonsPool changes to Started.
7. In the Actions pane, click Recycle.
Configure TempPool for Classic Pipeline Mode
1. In the Connections pane, click Application Pools.
2. In the Details pane, click TempPool.
3. In the Actions pane, click Basic Settings.
4. The Edit Application Pool dialog box appears. In the Managed pipeline mode list,
click Classic.
5. Click OK.
Remove TempPool
1. In the Connections pane, click Application Pools.
2. In the Details pane, click TempPool.
3. In the Actions pane, click Remove.
4. The Confirm Remove dialog box appears. Click Yes.
Configure Health and Recycling settings for RaccoonsPool
1. In the Connections pane, click Application Pools.
2. In the Details pane, click RaccoonsPool.
3. In the Actions pane, click Recycling.
4. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed
number of requests.
5. In the Fixed Number of requests field, type 1000.
6. Click Next.
7. On the Recycling Events to Log page, select Number of requests.
8. Click Finish.
9. In the Actions pane, click Advanced Settings.
10. The Advanced Settings dialog box appears. In the Rapid-Fail Protection section,
click Failure Interval (minutes).
11. In the value column, type 10 and then click OK.
When you finish the lab, revert the virtual machines to their initial state. To do this, from
WEBA Virtual Machine window click “Action” Menu and choose “Revert”. Repeat this step on
NODE1.
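Everything in this lab can be done from the IIS:\ drive of the WebAdministration provider, which is also how you would script it across a farm. The following PowerShell is an added example and is not part of the lab files: it repeats the pool operations above (create, move the site, rename, identity, pipeline mode, recycling, rapid-fail) and then audits which pools run as something other than the per-pool virtual identity, which is the check a reviewer wants after anyone has been near the Identity setting. Pool and site names are the lab's (TempPool, RaccoonsPool, Raccoons); everything else is illustrative. Run it in an elevated PowerShell on WEBA.

```powershell
# Added example (not from the lab files).
Import-Module WebAdministration

# Create TempPool, park the Raccoons site on it, rename the pool that was
# auto-created with the site, then move the site back.
New-WebAppPool -Name 'TempPool' | Out-Null
Set-ItemProperty 'IIS:\Sites\Raccoons' -Name applicationPool -Value 'TempPool'
Rename-Item 'IIS:\AppPools\Raccoons' -NewName 'RaccoonsPool'   # provider supports Rename-Item on pools
Set-ItemProperty 'IIS:\Sites\Raccoons' -Name applicationPool -Value 'RaccoonsPool'

# The lab puts TempPool on LocalSystem and the Classic pipeline. Repeated here
# only so the audit below has something to find; never do this on a real server.
Set-ItemProperty 'IIS:\AppPools\TempPool' -Name processModel.identityType -Value 'LocalSystem'
Set-ItemProperty 'IIS:\AppPools\TempPool' -Name managedPipelineMode -Value 'Classic'

# Health and recycling for RaccoonsPool: recycle every 1000 requests, log that
# event, and widen the rapid-fail protection window to 10 minutes.
Set-ItemProperty 'IIS:\AppPools\RaccoonsPool' -Name recycling.periodicRestart.requests -Value 1000
Set-ItemProperty 'IIS:\AppPools\RaccoonsPool' -Name recycling.logEventOnRecycle -Value 'Requests'
Set-ItemProperty 'IIS:\AppPools\RaccoonsPool' -Name failure.rapidFailProtectionInterval -Value ([TimeSpan]::FromMinutes(10))
Restart-WebAppPool -Name 'RaccoonsPool'   # equivalent of Stop/Start/Recycle in the GUI

# Audit: list every pool whose worker process is NOT the per-pool virtual
# account. LocalSystem is the worst case; LocalService/NetworkService and
# named domain accounts deserve a second look too.
function Get-PrivilegedAppPool {
    Get-ChildItem 'IIS:\AppPools' | ForEach-Object {
        [pscustomobject]@{
            Pool     = $_.Name
            Identity = $_.processModel.identityType
            User     = $_.processModel.userName
            Pipeline = $_.managedPipelineMode
            State    = $_.state
        }
    } | Where-Object { $_.Identity -ne 'ApplicationPoolIdentity' }
}
Get-PrivilegedAppPool | Format-Table -AutoSize

# Put the pool back to least privilege when the exercise is over, then remove it.
Set-ItemProperty 'IIS:\AppPools\TempPool' -Name processModel.identityType -Value 'ApplicationPoolIdentity'
Remove-WebAppPool -Name 'TempPool'
```

Get-PrivilegedAppPool is the part worth keeping: run it on every web server you inherit, because a pool someone once switched to LocalSystem "to make it work" is a common and invisible escalation path.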
Lab 7: Configuring Application Settings
Machines used in this Lab: DC, WEBA
Start the DC virtual machine
Start the WEBA virtual machine and log on as CQURE\Administrator
Install IIS, ASP.NET and Basic authentication in the IIS role
1. On WEBA, in Server Manager, click Add Roles and Features and then select Web Server (IIS).
2. Right-click Web Server (IIS), and then click Add Role Services.
3. The Add Role Services dialog box appears. In the Role services box, under Application Development, select ASP.NET, ASP, ASP.NET 3.5 and ASP.NET 4.6.
4. The Add Role Services box appears. Click Add Required Role Services.
5. In the Role services box, under Security, select Basic Authentication.
6. Click Next until the confirmation summary appears, then click Specify an alternate source path, type D:\sources\sxs (the mounted Windows Server 2016 ISO), click OK and then Install.
7. When the installation is complete, click Close.
8. In the details pane, in the Role Services section, notice that ASP.NET and Basic Authentication are listed as Installed.
Create the application and copy the ASP.NET application files
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand WEBA | Sites and then click Default Web Site.
3. In the Actions pane on the right, click View Applications. Click Add Application.
4. The Add Application dialog box appears. In the Alias field, type SalesSupport.
5. Next to the Physical path field, click the Browse (...) button.
6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and
then click Make New Folder.
7. Type SalesSupport and then click OK.
8. Click OK.
9. In the properties of the WEBA VM, select Media | DVD and mount
ISO_IIS8_Labfiles.iso.
10. In Windows Explorer, browse to DVD Drive>AllFiles>Step3>Labfiles>SalesSupport.
11. Select all, then right-click and then click Copy.
12. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.
Configure Basic Security
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand
Default Web Site and then click SalesSupport.
2. In the Details pane, double-click Authentication.
3. Click Anonymous Authentication.
4. In the Actions pane, click Disable.
5. In the Details pane, click Basic Authentication.
6. In the Actions pane, click Enable.
7. Click Edit.
8. The Edit Basic Authentication Settings dialog appears. In the Default domain and
Realm fields, type CQURE.
9. Click OK.
10. Open Internet Explorer.
11. Internet Explorer window opens. Browse to http://localhost/salessupport.
12. The Connect to localhost dialog box appears. Notice that there is a warning about
basic authentication and insecure credentials.
13. In the User name field, type Alisa. Note that Alisa is a marketing account manager
with a domain account in the CQURE domain.
14. In the Password field, type P@ssw0rd and then click OK.
15. Notice that the Sales Support Resources page loads successfully.
16. Close Internet Explorer. Note that you must close the browser to reset the session
so you can try logging in as a different user.
17. Open Internet Explorer.
18. The Windows Internet Explorer window opens. Browse to
http://localhost/salessupport.
19. The Connect to localhost dialog box appears. In the User name field, type bob. Note
that Bob does not have a domain account in the CQURE domain.
20. Leave the Password field blank and then click OK.
21. Click OK two more times.
22. Notice that you get an HTTP 401.1 Unauthorized error. Note that detailed error
messages show up locally by default.
23. Close Internet Explorer.
Configure custom error pages
1. In Windows Explorer, browse to the course labfiles on the DVD:
DVD Drive>AllFiles>Step3>WBErrors.
2. Select all, right-click and then click Copy.
3. Browse to C:\inetpub\custerr\, right-click, and then click Paste.
4. In Internet Information Services (IIS) Manager, in the Connections pane under
Default Web Site, click SalesSupport.
5. In the Details pane, double-click Error Pages.
6. In the Actions pane, click Edit Feature Settings.
7. The Edit Error Pages Settings box appears. Click Custom error pages.
8. Click OK.
9. In the Details pane, under the Status Code column, click 401.
10. In the Actions pane, click Edit.
11. The Edit Custom Error Page dialog box appears. Click Set.
12. The Set Localized Custom Error Path dialog box appears. In the Relative file path
field, delete the existing text and then type 401.aspx. Click OK twice.
13. In the Details pane, under the Status Code column click 404 and in the Actions
pane, click Edit.
14. The Edit Custom Error Page dialog box appears. Click Set.
15. The Set Localized Custom Error Path dialog box appears. In the Relative file path
field, delete the existing text and then type Other_Errors.aspx.
16. Click OK twice. Note that in a real world situation, you would repeat these steps for
each error that you wanted to assign to a custom error message.
17. Open Internet Explorer. Browse to http://localhost/salessupport.
18. The Connect to localhost dialog box appears. In the User name field, type bob.
19. Leave the Password field blank and then click OK three times. Do you see the custom
error page as expected?
Note: You are not seeing the custom error page properly because the
system.webServer/httpErrors section has been made delegation-safe!
In IIS 7.0, the httpErrors section was not delegated by default, which means custom errors
were not available to site owners for customization. The section was not delegated because,
once it is delegated, site owners are free to return any file they can read as a custom error
response, which is not secure. Server administrators could delegate the section securely
using custom application pool identities and file ACLs, but this requires a lot of work.
Since IIS 7.5, if the system.webServer/httpErrors@allowAbsolutePathsWhenDelegated property
is set to false, the custom errors module only allows paths relative to the site root folder
(not absolute paths) when the section is delegated. If server administrators want to allow
absolute paths in web.config files even when the section is delegated, they can set the
allowAbsolutePathsWhenDelegated property to true. Error 500.19 (configuration error)
with the detailed error description “Absolute physical path <folder> is not allowed in
system.webServer/httpErrors section in web.config file. Use relative path instead.” is
generated if allowAbsolutePathsWhenDelegated is set to false and an absolute path is
detected in web.config. This restriction applies to the path and prefixLanguageFilePath
properties but not to defaultPath. Here is how the httpErrors section looks if a site owner
wants to configure localized custom errors when only relative paths are allowed:
<httpErrors>
    <clear/>
    <!-- Make module return %SITEROOT%\myerrorsfolder\%LANGUAGECODE%\401.htm -->
    <error statusCode="401" prefixLanguageFilePath="myerrorsfolder" path="401.htm" />
    <error ...
</httpErrors>
With this feature, hosters can now easily delegate the custom errors section to site owners.
With the httpErrors section now delegation-safe, the section is delegated in a fresh install.
Because the behavior is controlled by the
system.webServer/httpErrors@allowAbsolutePathsWhenDelegated property, this attribute
is locked in the default configuration. This ensures that site owners cannot override the
property to enable absolute file paths. As the relative-path restriction does not apply to the
defaultPath property, system.webServer/httpErrors@defaultPath is locked as well and
cannot be used in web.config files.
Additionally, in this scenario try to use an absolute URL to the error page. Note the
difference!
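The relative-path rule and the server-level lock described above can be checked before a web.config is deployed. The following PowerShell is an added example (not part of the CQURE lab files): the site web.config content is constructed for the example, and the server-level check assumes the standard applicationHost.config location under %windir%\System32\inetsrv\config.

```powershell
# Added example (not from the lab files): audit a site-level httpErrors section for the
# delegation rule (path and prefixLanguageFilePath must be relative; defaultPath is exempt)
# and read the server-level lock state from applicationHost.config.

# Constructed site web.config: the 401 entry is compliant, the 404 entry carries an absolute
# physical path and would produce HTTP 500.19 when the section is delegated with
# allowAbsolutePathsWhenDelegated="false" (the locked default). The 403 entry uses a URL,
# which the restriction does not cover.
$siteWebConfig = @'
<configuration>
  <system.webServer>
    <httpErrors errorMode="Custom">
      <clear />
      <error statusCode="401" prefixLanguageFilePath="myerrorsfolder" path="401.htm" />
      <error statusCode="404" prefixLanguageFilePath="C:\inetpub\custerr" path="Other_Errors.aspx" />
      <error statusCode="403" path="/salessupport/denied.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
'@

function Test-HttpErrorsDelegationSafe {
    # Returns one object per attribute that the custom errors module would reject in a
    # delegated section. Only responseMode="File" entries (the default) carry physical paths;
    # Redirect and ExecuteURL entries hold URLs and are skipped.
    param([Parameter(Mandatory)][xml]$WebConfig)

    $findings = @()
    $section = $WebConfig.SelectSingleNode('/configuration/system.webServer/httpErrors')
    if ($null -eq $section) { return $findings }

    foreach ($entry in $section.SelectNodes('error')) {
        $mode = $entry.GetAttribute('responseMode')
        if ($mode -and $mode -ne 'File') { continue }

        foreach ($attrName in @('path', 'prefixLanguageFilePath')) {
            $value = $entry.GetAttribute($attrName)
            # IsPathRooted flags drive-letter, UNC and root-relative ("\x") paths;
            # site-root-relative values such as "myerrorsfolder" or "401.htm" pass.
            if ($value -and [System.IO.Path]::IsPathRooted($value)) {
                $findings += [pscustomobject]@{
                    StatusCode = $entry.GetAttribute('statusCode')
                    Attribute  = $attrName
                    Value      = $value
                    Effect     = 'HTTP 500.19: absolute physical path not allowed in delegated httpErrors'
                }
            }
        }
    }
    return $findings
}

function Get-HttpErrorsServerLock {
    # Reads applicationHost.config directly (no WebAdministration module required) and
    # reports whether allowAbsolutePathsWhenDelegated and defaultPath are locked, as the
    # lab text describes for a fresh install. Requires an elevated prompt.
    param([string]$Path = (Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'))

    [xml]$appHost = Get-Content -LiteralPath $Path -Raw
    $node = $appHost.SelectSingleNode('/configuration/system.webServer/httpErrors')
    if ($null -eq $node) { throw "httpErrors section not found in $Path" }

    $locked = ($node.GetAttribute('lockAttributes') -split ',') | ForEach-Object { $_.Trim() }
    [pscustomobject]@{
        # An empty value means the attribute is absent and the default (false) applies.
        AllowAbsolutePathsWhenDelegated = $node.GetAttribute('allowAbsolutePathsWhenDelegated')
        LockedAttributes                = $locked
        DelegationSafe                  = ($locked -contains 'allowAbsolutePathsWhenDelegated') -and
                                          ($locked -contains 'defaultPath')
    }
}

# Expected on the constructed sample: exactly one finding, for the 404 entry's prefixLanguageFilePath.
Test-HttpErrorsDelegationSafe -WebConfig $siteWebConfig | Format-Table -AutoSize
Get-HttpErrorsServerLock | Format-List
```

Run the first function against a site owner's web.config before copying it into wwwroot; run the second on the server to confirm the lock has not been removed from applicationHost.config.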
20. Notice that there is now a custom error message directing you to contact your
district sales manager.
21. Close Internet Explorer.
22. Open Internet Explorer.
23. The Windows Internet Explorer window opens. Browse to
http://localhost/salessupport/brokenlink.
24. The Connect to localhost dialog box appears. In the User name field, type Alisa.
25. In the Password field, type P@ssw0rd and then click OK.
26. If you are prompted, add the site to the allowed list.
27. Notice that you get a custom error that is slightly different. Since the path
“brokenlink” doesn’t exist, this is a custom 404 error. Try the custom error page in
several variants: absolute path, or absolute URL.
28. Close Internet Explorer.
Below you can find screenshots of the configuration details to support the challenge
a little bit:
[Screenshot: Absolute path]
[Screenshot: Absolute URL]
In order to proceed to the next Lab don't revert machines.
Lab 8: Running both ASP.NET 3.5 and ASP.NET 4.5 Applications
Machines used in this Lab: NODE1
Now that you have explored the setup state of IIS, try running some sample ASP.NET code to
confirm that both ASP.NET 3.5 and ASP.NET 4.6 applications can run simultaneously on a
single IIS installation.
First, set up a simple ASP.NET 3.5 application on IIS:
1. Open the D:\Tools\examples.zip file from the provided ISO image.
2. In Windows Explorer on NODE1, navigate to the "wwwroot" directory for your IIS
installation, the "wwwroot" directory will be at "c:\inetpub\wwwroot".
3. Copy the folder "example35" from "examples.zip", and paste it into the directory
"c:\inetpub\wwwroot". When you are done the directory structure should look like
the following:
4. The newly created "example35" folder needs to be configured as an ASP.NET 3.5
application in the IIS Manager. Go back to the IIS Manager window, click on the
Default Web Site node, and select Refresh. The treeview of child nodes under the
Default Web Site now shows the "example35" folder:
5. Right-click the example35 folder and select Convert to Application:
6. The Add Application dialog will pop up. By default all directories within Default
Web Site are part of the application pool called DefaultAppPool. This means that
newly created folders containing ASP.NET run as ASP.NET 4.5 applications by default.
7. Since we want to run the example35 folder as an ASP.NET 3.5 application, the
application pool needs to be changed. Click Select, and the Select Application Pool
dialog that pops up. Change the application pool to .NET v2.0 as shown below:
8. Click OK button to accept the application pool change, and then click OK again to
commit the changes to IIS. The IIS Manager window appears again. In the treeview
showing "Default Web Site", the icon for "example35" is changed to indicate it is now
a separate ASP.NET application.
9. At this point start an instance of Internet Explorer and navigate to the following URL:
http://localhost/example35
After a short pause the application displays a list of .NET Framework features supported in
this application.
10. In Windows Explorer, if you navigate to the "c:\inetpub\wwwroot\example35"
directory, you can use notepad to look at the code for "default.aspx" and the
information in "web.config". For example, the contents of web.config include
directives that configure the .NET Framework compilers to run in "3.5" mode. The
.NET Framework code in "default.aspx" demonstrates some C# constructs that were
introduced in .NET 3.5 – specifically LINQ-to-Object queries.
Configure it to use .NET 4.5
1. Go back to the Windows Explorer window that has the .zip file "examples.zip" open.
2. Open up the contents of the "example45" folder.
3. In the second Windows Explorer window that you have open, navigate to
"c:\inetpub\wwwroot".
4. Copy the "default.aspx" file from the .zip file and paste it directly into
"c:\inetpub\wwwroot". The folder contents for "c:\inetpub\wwwroot" should now look
like:
5. Now go back to Internet Explorer and navigate to the following URL:
http://localhost/default.aspx
After a short pause a second application pool will start running an ASP.NET 4.5 application
for the "Default Web Site". The browser once again displays a list of .NET Framework features
supported in this application with a new entry at the end of the list for dynamically typed
variables (i.e. the dynamic keyword introduced in .NET 4.0/4.5). Notice that unlike the
"example35" application that required special web.config entries, no web.config file was
required to configure and run the "default.aspx" page in the "Default Web Site". This is
because .NET Framework 4.5 is the default .NET Framework used by ASP.NET applications in
IIS 8.0, and as a result no extra configuration is required.
6. If you use Notepad to open the "default.aspx" page that you just copied, you will also
see a few changes compared to the version in the "example35" directory. There are
no namespace directives at the top of the page since the .NET Framework 4.5 is the
default on IIS 8.0. The code on the page demonstrates using a dynamic variable,
which is a compiler concept introduced in .NET 4.0/4.5.
Lab 9: Configuring ASP.NET Settings for development
Machines used in this Lab: DC, WEBA
ASP.NET Connection Strings
1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections
pane, expand Sites | Default Web Site and then click SalesSupport.
2. In the Details pane, double-click Connection Strings.
3. In the Actions pane, click Add.
4. The Add Connection String dialog box appears. In the Name field, type Local
Resources.
5. Click Custom.
6. In the Custom field, delete the existing text, type
data source=.\SQLEXPRESS;AttachDbFileName=d:\resources.mdf;Integrated Security=True
and then click OK.
Configure ASP.NET Session State settings to rename the cookie to SalesSupport
1. In the Connections pane, click SalesSupport.
2. In the Details pane, double-click Session State.
3. In the Cookie Settings section, in the Name field, delete the existing text and then
type SalesSupport_SessionID.
4. In the Actions pane, click Apply.
Add a custom control: CQURE.TestControls Version=1.0.0.0
1. In the Connections pane, click SalesSupport.
2. In the Details pane, double-click Pages and Controls.
3. In the Action pane, click Register Controls.
4. Click Add Custom Control.
5. The Add Custom Control dialog box appears. In the Tag prefix field type CQURE.
6. In the Namespace field, type TestControls.
7. In the Assembly field, type Version=1.0.0.0.
8. Click OK.
Add application settings at site and application levels
1. Open Internet Explorer.
2. Internet Explorer window opens. Browse to
http://localhost/salessupport/test.aspx.
3. The Connect to localhost dialog box appears. In the User name field, type Alisa.
4. In the Password field, type P@ssw0rd and then click OK.
5. Notice that the Raccoons Bank Sales Application Settings Test Page opens. It should
report “No Application Settings defined.”
6. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
7. In the Details pane, double-click Application Settings.
8. In the Actions pane, click Add.
9. The Add Application Setting dialog box appears. In the Name field, type
DefaultLocation.
10. In the Value field, type New York. Click OK.
11. In Internet Explorer, click the Refresh button. Notice that it now reports
“DefaultLocation = New York”.
12. In Internet Information Services (IIS) Manager, in the Connections pane, click
SalesSupport.
13. In the Details pane, double-click Application Settings. Notice in the details pane
that DefaultLocation is inherited.
14. In the Actions pane, click Add.
15. The Add Application Setting dialog appears. In the Name field, type debug_mode.
16. In the Value field, type true. Click OK.
17. In Internet Explorer, click the Refresh button. Notice that it now reports
“DefaultLocation = New York” and “debug_mode = true”.
Question: How might the application settings be used in real world Web applications?
Answer: The application can customize content or actions based on the settings. This
gives flexibility to the Administrator to customize the application at deployment time.
In order to proceed to the next Lab don't revert machines.
Lab 10: Configuring Multiple Applications
Machines used in this Lab: DC, WEBA
Create three application pools named SalesSupport, SalesSupport_De, and
SalesSupport_Test
1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections
pane, click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. The Add Application Pool dialog box appears. In the Name field, type
SalesSupport. Click OK.
4. In the Actions pane, click Add Application Pool.
5. The Add Application Pool dialog box appears. In the Name field, type
SalesSupport_De. Click OK.
6. In the Actions pane, click Add Application Pool.
7. The Add Application Pool dialog box appears. In the Name field, type
SalesSupport_Test. Click OK.
8. In the Details pane, notice that SalesSupport, SalesSupport_De, and
SalesSupport_Test appear in the list of application pools.
Create the applications SalesSupport_De and SalesSupport_Test
1. In the Connections pane, click Default Web Site.
2. In the Actions pane, click View Applications.
3. Click Add Application.
4. The Add Application dialog box appears. In the Alias field, type SalesSupport_De.
5. Next to the Physical path field, click the Browse (…) button.
6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and
then click Make New Folder.
7. Type SalesSupport_De and then click OK twice.
8. Click Add Application.
9. The Add Application dialog box appears. In the Alias field, type SalesSupport_Test.
10. Next to the Physical path field, click the Browse (…) button.
11. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and
then click Make New Folder.
12. Type SalesSupport_Test and then click OK twice.
13. In the Details pane, notice that SalesSupport, SalesSupport_De, and
SalesSupport_Test appear in the list of applications.
Use XCopy to deploy the files
1. Open Command Prompt.
2. Type cd c:\inetpub\wwwroot and then press Enter.
3. Type xcopy /e SalesSupport\*.* SalesSupport_De and then press Enter.
4. Type dir SalesSupport_De and then press Enter to confirm that the files were copied.
5. Type xcopy /e SalesSupport\*.* SalesSupport_Test and then press Enter. Shortcut:
Press Up Arrow twice, and then Backspace and change the last few characters of the
previous command line to _Test, and then press Enter.
6. Type dir SalesSupport_Test and then press Enter to confirm that the files were
copied.
Assign the applications to the appropriate application pools
1. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
2. In the Actions pane, click View Applications.
3. In the Details pane, click SalesSupport.
4. In the Actions pane on the right, click Basic Settings.
5. The Edit Application dialog box appears. Click Select.
6. The Select Application Pool dialog box appears. In the Application pool list, click
SalesSupport, and then click OK twice.
7. In the Details pane, click SalesSupport_De.
8. In the Actions pane, click Basic Settings.
9. The Edit Application dialog box appears. Click Select.
10. The Select Application Pool dialog box appears. In the Application pool list, click
SalesSupport_De, and then click OK twice.
11. In the Details pane, click SalesSupport_Test.
12. In the Actions pane, click Basic Settings.
13. The Edit Application dialog box appears. Click Select.
14. The Select Application Pool dialog box appears. In the Application pool list, click
SalesSupport_Test, and then click OK twice.
15. In the Connections pane, click SalesSupport_De.
16. In the Details pane, double-click Authentication.
17. Click Anonymous Authentication.
18. In the Actions pane, click Disable.
19. In the Details pane, click Basic Authentication.
20. In the Actions pane, click Enable.
21. Click Edit.
22. The Edit Basic Authentication Settings dialog appears. In the Default domain and
Realm fields, type CQURE.
23. Click OK.
24. In the Connections pane, click SalesSupport_Test.
25. In the Details pane, double-click Authentication.
26. Click Anonymous Authentication.
27. In the Actions pane, click Disable.
28. In the Details pane, click Basic Authentication.
29. In the Actions pane, click Enable.
30. Click Edit.
31. The Edit Basic Authentication Settings dialog appears. In the Default domain and
Realm fields, type CQURE.
32. Click OK.
Configure production application pool recycling for unlimited requests
1. In the Connections pane, click Application Pools.
2. In the Details pane, click SalesSupport.
3. In the Actions pane, click Recycling.
4. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular
time intervals check box, and then click Next.
5. Click Finish.
6. In the Details pane, click SalesSupport_De.
7. In the Actions pane, click Recycling.
8. The Edit Application Pool Recycling Settings dialog box appears. Clear Regular
time intervals check box, and then click Next. Click Finish.
Configure the application pool to record recycled events
1. In the Details pane, click SalesSupport_Test.
2. In the Actions pane, click Recycling.
3. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed
number of requests.
4. In the Fixed number of requests field, type 1024 and then click Next.
5. On the Recycling Events to Log page, select Number of requests, On-demand,
and Configuration changes.
6. Click Finish.
Configure the .NET compilation debug setting to False
1. In the Connections pane, click SalesSupport.
2. In the Details pane, double-click .NET Compilation.
3. Under Behavior, in the Debug list, click False.
4. In the Actions pane, click Apply.
Question: What is the advantage of disabling the debug setting in .NET compilation?
Answer: The compiled code will be smaller and faster without debug code. It is a good idea
to use this setting when an application is fully tested and deployed to final production.
Configure application globalization settings for Germany
1. In the Connections pane, click SalesSupport_De.
2. In the Details pane, double-click .NET Globalization.
3. In the Culture list, click German (Germany) (de-DE).
4. In the UI Culture list, click German (Germany) (de-DE).
5. In the Actions pane, click Apply.
6. Open Internet Explorer.
7. The Windows Internet Explorer window opens. Browse to
http://localhost/salessupport.
8. The Connect to localhost dialog box appears. In the User name field, type Alisa.
9. In the Password field, type P@ssw0rd and then click OK.
10. Open a second tab in Internet Explorer and then browse to
http://localhost/salessupport_test.
11. Open a third tab and then browse to http://localhost/salessupport_de.
12. Right-click the notification area and then click Task Manager.
13. The Task Manager window opens. Click the Processes tab.
14. Under the Image Name column, notice that there are at least three instances of
w3wp.exe running, indicating at least three separate application pools. Close Task
Manager.
15. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx. Notice
that the date is now in dd.mm.yyyy format, the cultural default for Germany.
In order to proceed to the next Lab don't revert machines.
Lab 11: ASP.NET Security
Machines used in this Lab: DC, WEBA
Set the machine key
1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections
pane, click SalesSupport_De.
2. In the Details pane, double-click Machine Key.
3. In the Actions pane, click Generate Keys.
4. Click Apply.
Configure the SalesSupport_Test site for medium trust level
1. In the Connections pane, click SalesSupport_Test.
2. In the Details pane, double-click .NET Trust Levels.
3. In the Trust level list, click Medium (web_mediumtrust.config).
4. In the Actions pane, click Apply.
Configure File and Folder security
1. In the Connections pane, click SalesSupport.
2. In the Details pane, click the Content View tab at the bottom of the window. Click
test.aspx.
3. In the Actions pane, click Edit Permissions.
4. The test.aspx Properties dialog box appears. Click the Security tab.
5. Click Advanced.
6. The Advanced Security Settings for test.aspx dialog box appears. Click Edit.
7. Disable inheritance.
8. The Windows Security dialog box appears asking if you want to copy the inherited
permissions. Keep the permissions you had (convert them into explicit permissions), but
remove Users.
9. Click Users (WEBA\Users), and then click Remove.
10. Click Add.
11. The Select User, Computer, or Group dialog box appears. In the Enter the object
name to select field, type Network Service. Note that since we have removed Users,
we need to specifically allow the Network Service account. Note that the SalesSupport
application pool must be running under the Network Service account with pass-through
authentication as well!
12. Click Check Names, and then click OK.
13. The Permission Entry for test.aspx dialog box appears. In the Permissions section,
next to Full control, select Allow. Click OK. Click Add.
14. The Select User, Computer, or Group dialog box appears. In the Enter the object
name to select field, type ITAdminsGG.
15. Click Check Names, and then click OK.
16. The Permission Entry for test.aspx dialog box appears. In the Permissions section,
next to Full control, select Allow.
17. Click OK four times.
18. In Internet Explorer, browse to http://localhost/salessupport/test.aspx.
19. The Connect to localhost dialog box appears. In the User name field, type Alisa.
20. In the Password field, type P@ssw0rd and then click OK.
21. Click OK two more times. Notice that Alisa no longer has access to test.aspx.
22. Click the Refresh button.
23. The Connect to localhost dialog box appears. In the User name field, type Gina. Note
that Gina is a member of the ITAdminsGG security group.
24. In the Password field, type P@ssw0rd and then click OK.
25. Notice that Gina has access to the page.
26. Close Internet Explorer.
In order to proceed to the next Lab don't revert machines.
Lab 12: Tracing and Logging for ASP.NET
1. On WEBA in Server Manager, in the console pane, expand Roles and then click Web
Server (IIS).
2. Right click Web Server (IIS), and then click Add Role Services.
3. The Add Role Services dialog box appears. Select Health and Diagnostics to select
all of the Health and Diagnostics services.
4. Click Next, and then click Install.
5. When the installation completes, click Close.
6. Open Notepad and then press Enter.
7. The Notepad window opens. On the File menu, click Open.
8. The Open dialog box appears. In the Text Documents list, click All Files.
9. Browse to C:\inetpub\wwwroot\SalesSupport_Test.
10. Click test.aspx, and then click Open.
11. In the first line of the file, modify the trace="false" attribute to read trace="true" so
that the line reads:
<%@ Page Language="C#" trace="true" %>
12. On the fifth line of the file, type This message should appear between the double
quotes, so that the line reads:
Response.Write("This message should appear");
Question: How would an application use tracing?
Answer: A developer can add trace commands to the Web application code to record
information that can be used for debugging and monitoring. The Administrator has the
ability to enable or disable tracing as needed.
13. On the File menu, click Save.
14. Close Notepad.
15. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.
16. If the Connect to localhost dialog box appears, in the User name field, type Gina.
17. In the Password field, type P@ssw0rd and then click OK.
18. Notice that “This message should appear” is shown at the top of the page.
19. Scroll down and notice that the trace information appears at the bottom of the page.
20. In the Trace Information section, the next to last lines contain the trace messages
from the test.aspx file. Notice that the warning message is red.
21. Close Internet Explorer.
22. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
23. In the Actions pane, click Failed Request Tracing. If Failed Request Tracing does not
appear, close and reopen IIS Manager for the added Health and Diagnostics features
to appear.
24. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select
Enable, and then click OK.
25. In the Details pane, double-click Failed Request Tracing Rules.
26. In the Actions pane, click Add.
27. The Add Failed Request Tracing Rule wizard appears. On the Specify Content to
Trace page, click ASP.NET (*.aspx), and then click Next.
28. On the Define Trace Conditions page, in the Status code(s) field, type 200 and then
click Next.
29. On the Select Trace Providers page, under Providers, clear all check boxes except
ASPNET.
30. Click ASPNET.
31. Under Areas, clear all check boxes except Page.
32. Under Verbosity, notice that it is set to Verbose.
33. Click Finish.
34. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.
35. If the Connect to localhost dialog box appears, in the User name field, type Gina.
36. In the Password field, type P@ssw0rd and then click OK.
37. Press CTRL + O.
38. The Open dialog box appears. Click Browse.
39. Browse to C:\inetpub\logs\FailedReqLogFiles\W3SVC1.
40. In the HTML Files list, click All Files.
41. If there is more than one, click the most recent fr######.xml file, and then click Open.
Click OK.
42. The failed request log opens. Notice in the Request Summary section the details of
the request: AppPool is SalesSupport_Test, Authentication is Basic, User from token is
CQURE\Gina.
43. In the Errors and Warnings section, click Expand All.
44. Notice that the warning “This is a warning.” appears.
In order to proceed to the next Lab don't revert machines.
Lab 13: Request Filtering
1. On WEBA in Internet Explorer, browse to http://localhost/. Notice that the IIS
Welcome page appears together with its graphics.
2. Close Internet Explorer.
3. Open Notepad and then press Enter.
4. The Notepad window opens. On the File menu click Open.
5. The Open dialog box appears. In the Text Documents list, click All Files.
6. Browse to C:\inetpub\wwwroot.
7. Click web.config, and then click Open.
8. After the sixth line, <system.webServer>, press Enter and then add the following
security section:
<security>
<requestFiltering>
<fileExtensions allowUnlisted="false" >
<add fileExtension=".aspx" allowed="true"/>
</fileExtensions>
</requestFiltering>
</security>
Question: How could you disable only certain extensions, such as .MP3 and .WMA?
Answer: Set the allowUnlisted property to “true”. Add the unallowed file extensions and set
their allowed properties to “false”.
9. On the File menu, click Save. Close Notepad.
10. Open Internet Explorer.
11. Internet Explorer window opens. Browse to http://localhost/iis-8.png.
12. Notice that HTTP Error 404.7 appears. Detailed error messaging states that “The
request filtering module is configured to deny the file extension”.
13. Browse to http://localhost/iisstart.htm.
14. Notice the same error.
15. Open Command Prompt.
16. Type cd \inetpub\wwwroot and then press Enter.
17. Type copy iisstart.htm *.aspx and then press Enter.
18. Type dir, and then press Enter and notice that the file was copied to iisstart.aspx.
19. In Internet Explorer, browse to http://localhost/iisstart.aspx.
20. Notice that the page with the aspx extension loads without error but the image still
does not display.
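The outcome of the steps above (404.7 for iis-8.png and iisstart.htm, success for iisstart.aspx) and of the deny-list variant from the question can be predicted before the web.config is saved. The PowerShell below is an added example (not part of the CQURE lab files); both <security> fragments and the request list are constructed, and the model only considers the fragment given, not fileExtensions entries inherited from applicationHost.config.

```powershell
# Added example (not from the lab files): model the request-filtering fileExtensions decision.
# Rule, as the module applies it: look the request's extension up in the <fileExtensions> list;
# a listed extension is allowed or denied by its allowed="..." value; an unlisted extension is
# decided by allowUnlisted (default true). A denied extension produces HTTP 404.7.

# Constructed: the allow-list from this lab (only .aspx may be served).
$allowListOnlyAspx = @'
<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="false">
      <add fileExtension=".aspx" allowed="true" />
    </fileExtensions>
  </requestFiltering>
</security>
'@

# Constructed: the deny-list from the question (everything served except .mp3 and .wma).
$denyOnlyMedia = @'
<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="true">
      <add fileExtension=".mp3" allowed="false" />
      <add fileExtension=".wma" allowed="false" />
    </fileExtensions>
  </requestFiltering>
</security>
'@

function Test-RequestFilteringExtension {
    # Returns 'Allowed' or '404.7' for a request path evaluated against a <security> fragment.
    param(
        [Parameter(Mandatory)][xml]$SecurityConfig,
        [Parameter(Mandatory)][string]$RequestPath
    )
    $fileExt = $SecurityConfig.SelectSingleNode('/security/requestFiltering/fileExtensions')
    if ($null -eq $fileExt) { return 'Allowed' }   # no extension rules in this fragment

    $allowUnlisted   = $fileExt.GetAttribute('allowUnlisted')
    $unlistedAllowed = ($allowUnlisted -eq '') -or ($allowUnlisted -eq 'true')   # default true

    # Strip any query string, then take the extension; the comparison is case-insensitive.
    $ext = [System.IO.Path]::GetExtension(($RequestPath -split '\?')[0])
    foreach ($rule in $fileExt.SelectNodes('add')) {
        if ($rule.GetAttribute('fileExtension') -ieq $ext) {
            if ($rule.GetAttribute('allowed') -eq 'true') { return 'Allowed' }
            return '404.7'
        }
    }
    if ($unlistedAllowed) { return 'Allowed' }
    return '404.7'
}

# Constructed requests: the three from the lab steps plus a media file from the question.
$requests = '/iis-8.png', '/iisstart.htm', '/iisstart.aspx', '/music/track.MP3'
$requests | ForEach-Object {
    $r = $_
    [pscustomobject]@{
        Request       = $r
        AllowOnlyAspx = Test-RequestFilteringExtension -SecurityConfig $allowListOnlyAspx -RequestPath $r
        DenyOnlyMedia = Test-RequestFilteringExtension -SecurityConfig $denyOnlyMedia   -RequestPath $r
    }
} | Format-Table -AutoSize
# Expected: AllowOnlyAspx -> 404.7, 404.7, Allowed, 404.7
#           DenyOnlyMedia -> Allowed, Allowed, Allowed, 404.7
```

The table shows why the lab's copy of iisstart.htm to iisstart.aspx loads while the embedded image still fails: the allow-list judges each request by its extension alone.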
In order to proceed to the next Lab revert WEBA to default state.
Lab 14: IIS Modules
Machines used in this Lab: DC, WEBB
Start the WEBB virtual machine and log on as CQURE\Administrator
Backup the current Web server configuration.
1. On WEBB, if Server Manager opens, close it and open Command Prompt.
2. Type cd c:\windows\system32\inetsrv\ and then press Enter.
3. Type appcmd add backup original and then press Enter.
4. Notice that the AppCmd completes the backup and reports BACKUP object "original"
added.
Question: When using the appcmd add backup command, where is the backup
configuration placed?
Answer: In a new folder under C:\Windows\System32\inetsrv\backup\.
Examine the modules currently installed on the Web server
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, click WEBB.
3. In the Details pane, in the Group by list, click Category.
4. In the Details pane, in the Server Components section, double-click Modules.
5. In the Group by list, click Module Type.
6. Notice that the DefaultDocumentModule and the DirectoryListingModule entries
are listed in the Native Modules section.
Question: What do the DefaultDocumentModule and DirectoryListingModules do?
Answer: The DefaultDocumentModule serves a default file to the Web browser when the URL
specifies a folder or directory. The DirectoryListingModule supplies the Web client with a
list of the folder contents when the URL specifies a folder or directory.
Remove the Default Document Module and the Directory Listing Module
1. In the Connections pane, expand WEBB | Sites, and then click Default Web Site.
2. In the Actions pane, click Browse *:80(http).
3. Internet Explorer window opens. Notice that the page opens as expected.
4. Open | Computer and then browse to C:\windows\system32\inetsrv\config\.
5. In the Details pane, double-click applicationHost.config.
6. The Notepad window opens. Find the <globalModules> section.
7. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <globalModules> tag by deleting these two lines:
<add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
<add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
8. Scroll down to the bottom of the file and find the <system.webServer> section.
9. Delete the references to the DefaultDocumentModule and the DirectoryListingModule from within the <handlers accessPolicy="Read, Script"> tag by replacing:
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
With the line:
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
10. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <modules> tag. Delete the two lines:
<add name="DefaultDocumentModule" lockItem="true" />
<add name="DirectoryListingModule" lockItem="true" />
11. On the File menu, click Save.
12. Close Notepad.
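The three edits above have to stay consistent with each other: a handler that still names a module which is no longer registered, or an enabled native module without a <globalModules> entry, is the usual result of a half-finished Notepad edit. The following Python script is an added example (it is not part of the lab or of IIS) that checks a constructed, trimmed applicationHost.config for exactly those mismatches and performs the removal from all three places at once.

```python
"""Consistency check for the three places Lab 14 edits in applicationHost.config."""
import xml.etree.ElementTree as ET

# Constructed, heavily trimmed applicationHost.config with the same layout as the real
# file: <globalModules> registers native DLLs, <modules> (inside <location path="">)
# enables them, and a handler's modules= attribute names the modules that may serve it.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="StaticFileModule" lockItem="true" />
        <add name="DefaultDocumentModule" lockItem="true" />
        <add name="DirectoryListingModule" lockItem="true" />
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"
             preCondition="managedHandler" />
      </modules>
      <handlers accessPolicy="Read, Script">
        <add name="StaticFile" path="*" verb="*"
             modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
             resourceType="Either" requireAccess="Read" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
"""


def _sections(root):
    return (root.find(".//globalModules"), root.find(".//modules"), root.find(".//handlers"))


def _split_modules(handler):
    return [m.strip() for m in (handler.get("modules") or "").split(",") if m.strip()]


def find_inconsistencies(xml_text):
    """Report what an incomplete edit leaves behind: a native module that is enabled but
    no longer registered, registered but not enabled, or still named by a handler."""
    gm, mods, handlers = _sections(ET.fromstring(xml_text))
    registered = {a.get("name") for a in gm.findall("add")}
    # Managed modules carry a type= attribute and are never listed in <globalModules>.
    enabled_native = {a.get("name") for a in mods.findall("add") if a.get("type") is None}
    report = {
        "enabled_but_not_registered": sorted(enabled_native - registered),
        "registered_but_not_enabled": sorted(registered - enabled_native),
        "dangling_handler_refs": [],
    }
    for h in handlers.findall("add"):
        for m in _split_modules(h):
            if m not in registered:
                report["dangling_handler_refs"].append((h.get("name"), m))
    return report


def remove_native_module(xml_text, name):
    """Steps 7, 9 and 10 of the lab in one go: drop the module from <globalModules>,
    from <modules>, and from every handler's modules= list."""
    root = ET.fromstring(xml_text)
    gm, mods, handlers = _sections(root)
    for parent in (gm, mods):
        for add in list(parent.findall("add")):
            if add.get("name") == name:
                parent.remove(add)
    for h in handlers.findall("add"):
        refs = _split_modules(h)
        if name in refs:
            h.set("modules", ",".join(m for m in refs if m != name))
    return ET.tostring(root, encoding="unicode")


def handler_modules(xml_text, handler_name):
    """The modules= value of one handler, or None if the handler is absent."""
    _gm, _mods, handlers = _sections(ET.fromstring(xml_text))
    for h in handlers.findall("add"):
        if h.get("name") == handler_name:
            return h.get("modules")
    return None
```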
Validate that the modules have been removed
1. In Internet Information Services (IIS) Manager, in the Connections pane, click
WEBB.
2. In the Details pane, in the Server Components section, double-click Modules.
3. In the Native Modules section, notice that the DefaultDocumentModule and the
DirectoryListingModule entries are gone.
4. In Internet Explorer, click the Refresh button. Notice that the Web page is now blank,
even though Internet Explorer indicates that it is done loading.
5. In Internet Explorer, browse to http://localhost/default.aspx. Notice that the Web
page loads after you specify the default document.
Question: Why was the Web page restored after the file name default.aspx was added to the URL?
Answer: The Web server is still completely operational, but no longer offers default
documents or directory browsing. So if a full URL is specified, complete with a file name, then
the Web server will return that file to the Web client, if available.
Restore the modules to the Web server configuration
1. In the Command Prompt, type appcmd restore backup original and then press
Enter.
2. Notice that the AppCmd completes the restore and reports that the original
configuration has been restored.
Question: After the AppCmd completes the restore, where does it restore the configuration files to?
Answer: The files are restored to the C:\Windows\System32\inetsrv\config folder.
Validate that the modules have been restored
1. Use IE to browse to http://localhost/, and then click Refresh.
2. Notice that the page once again loads properly from the default document. Close
Internet Explorer.
In order to proceed to the next Lab don’t revert machines.
Lab 15: Configuring Managed Modules
Machines used in this Lab: DC, WEBB
Install the logging managed module on WEBB
1. In Windows Explorer, browse to C:\inetpub\.
2. Right-click inetpub, and then click New | Folder.
3. Type logging_module and then press Enter.
4. Browse to the course lab files: in the properties of the WEBB VM, select Media, choose DVD and mount ISO_IIS8_Labfiles.iso.
5. In Windows Explorer, browse to DVD Drive>AllFiles>Step4\Labfiles>logging_module.
6. Select all, then right-click and then click Copy.
7. Browse to C:\inetpub\logging_module, right-click, and then click Paste.
8. Browse to C:\inetpub\logging_module\logs\.
9. Right-click logs, and then click Properties.
10. The logs Properties dialog box appears. Click the Security tab. Click Edit.
11. The Permissions for logs dialog box appears. In the Group or user names section,
click Users (WEBB\Users).
12. In the Permissions for Users box, next to Modify, select Allow. Click OK twice.
13. In Internet Information Services (IIS) Manager, in the Connections pane, click
Sites.
14. In the Actions pane, click Add Web Site.
15. The Add Web Site dialog box appears. In the Site name field, type logging_module.
16. In the Physical path field, type C:\inetpub\logging_module.
17. In the Port field, type 8181. Click OK.
Confirm the installation of the logging managed module
1. In the Actions pane, click Browse *:8181 (http).
2. Internet Explorer window opens. Click Go on to Second Page.
3. Notice that the second page loads. Close Internet Explorer.
4. In Internet Information Services (IIS) Manager, in the Connections pane, click
logging_module.
5. In the details pane, in the Server Components section, double-click Modules.
6. In the Managed Modules section, click Logger.
7. In the Actions pane, click Edit.
8. The Edit Managed Module dialog box appears. Notice that the type is listed as
HttpLogger.
9. Click Cancel.
10. In Windows Explorer, browse to C:\inetpub\logging_module\logs.
11. Double-click [yyyymmdd].txt.
12. The Notepad window opens. Notice the log entries for
http://localhost:8181/default.aspx and http://localhost:8181/second_page.htm.
13. Close Notepad.
Question: Why do the log file entries list the number 8181?
Answer: The logging module records the complete URL of the requested Web site files. The
logging_module web site was configured to use port number 8181, which is a secondary
Web site port.
Test the Web site forms authentication functionality
1. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
2. In the Actions pane, click Browse *:80 (http).
3. Internet Explorer window opens. Click Shared Documents.
4. In the Email field, type [email protected].
5. In the Password field, type P@ssw0rd.
6. Click Login.
7. If you get the AutoComplete Passwords dialog box, click No.
8. Click Confidential Memo. Notice that the image representing the Confidential
Memo appears.
9. Click the Back button. Click Signout. Click Home.
Examine the modules currently running on the Web server
1. In the Internet Information Services (IIS) Manager window, in the Connections
pane, click WEBB.
2. In the details pane, in the Server Components section, double-click Modules.
3. In the Managed Modules section, click OutputCache.
4. In the Actions pane, click Edit.
5. The Edit Managed Module dialog box appears. Notice that the module is configured
properly and is set to run normally. Click Cancel.
Remove the forms authentication managed module
1. In the Connections pane, click Default Web Site.
2. In the details pane, in the Server Components section, double-click Modules.
3. In the Managed Modules section, click Forms Authentication.
4. In the Actions pane, click Remove.
5. The Confirm Remove dialog box appears. Click Yes.
Test the new configuration
1. In the Internet Explorer window, click Shared Documents. Notice that you now get an Access is denied error message, indicating that the logon failed because the forms authentication module has been removed.
Question: Why is the Access is denied error message displayed at this point?
Answer: The Access is denied error message indicates that the logon failed because the
forms authentication module has been removed.
In order to proceed to the next Lab revert WEBB to default state.
Lab 16: Securing the IIS Web Server and Web Sites
Machines used in this Lab: DC, WEBB
Start the WEBB virtual machine and log on as CQURE\Administrator.
Create a self-signed server certificate for the Web server
1. On WEBB, Open | Administrative Tools | Internet Information Services (IIS)
Manager.
2. In the Connections pane, click WEBB.
3. In the details pane, in the Group by list, click Category.
4. In the details pane, in the Security section, double-click Server Certificates.
5. In the Actions pane, click Create Self-Signed Certificate.
6. The Create Self-Signed Certificate dialog box appears.
7. In the Specify a friendly name for the certificate field, type WEBB.CQURE.TEC.
8. Click OK. Notice that the new self-signed certificate has been added to the certificate
list.
Question: What are the advantages and disadvantages of using self-signed certificates?
Block IP addresses as specified in the service request
1. In the Connections pane, click WEBB.
2. In the details pane, in the IIS section, double-click IP Address and Domain
Restrictions.
3. In the Actions pane, click Add Deny Entry.
4. The Add Deny Restrictions Rule dialog box appears. In the Specific IPv4 address field, type 192.168.128.1.
5. Click OK.
6. In the Actions pane, click Add Deny Entry.
7. The Add Deny Restrictions Rule dialog box appears.
8. Click IP address range.
9. In the IP address range field, type 192.168.130.0.
10. In the Mask field, type 255.255.255.0.
11. Click OK. Notice that the new IP restrictions have been added to the list.
Question: When would you want to use this feature to block IP addresses?
Answer: An organization may want to block malicious users or restrict access from a certain
domain or location.
Configure ISAPI and CGI Restrictions
1. In the Connections pane, click WEBB.
2. In the details pane, in the IIS section, double-click ISAPI and CGI Restrictions. Notice that ASP.NET and WebDAV are currently listed.
3. In the Action pane, click Edit Feature Settings.
4. The Edit ISAPI or CGI Restrictions Settings dialog box appears. While it’s not a
recommended practice, you can easily allow unspecified CGI and ISAPI modules. Click
Cancel.
Set the rights and permissions for Active Directory users
1. In Windows Explorer, browse to C:\inetpub\.
2. Right-click wwwroot and then click Properties.
3. The wwwroot Properties dialog box appears. Click the Security tab.
4. Click Edit.
5. The Permissions for wwwroot dialog box appears. Click Add.
6. The Select Users, Computers, or Groups dialog box appears. Click Locations.
7. The Locations dialog box appears. If CQURE.TEC is not already highlighted, then in
the Location tree, click CQURE.TEC.
8. Click OK.
9. In the Enter the object names to select field, type ITAdminsGG and then click Check
Names.
10. Click OK. Notice that the Read & execute, List folder contents, and Read options
are allowed.
11. Click Add.
12. The Select Users, Computers, or Groups dialog box appears. In the Enter the object
names to select field, type Hugo and then click Check Names. Click OK.
13. Next to Full control, select Allow. Click OK.
Test and validate the new configuration
1. In the Group or user names field click ITAdminsGG. Notice that the Read & execute,
List folder contents, and Read options are allowed.
2. In the Group or user names field click Hugo Garcia. Notice that all the options are allowed.
3. Click OK.
In order to proceed to the next Lab don't revert WEBB.
Lab 17: CPU Throttling: Sand-boxing Sites and Applications
Machines used in this Lab: DC, WEBB
Problem: In a multi-tenanted deployment, such as a shared hosting environment, it is
important to create a sand-box for each tenant. Without the sand-box, a tenant could
intentionally or unintentionally impact other tenants negatively by accessing other tenants'
contents or by monopolizing resources, such as memory, CPU, and bandwidth.
Solution: On Internet Information Services (IIS) on Windows Server 2012, the sand-box is scoped to an IIS application pool. It provides a security boundary at the Windows process level by running each tenant under a separate user identity, and resource limits are enforced at the process level as well.
On Windows Server 2012, the IIS CPU Throttling feature lets customers limit how much CPU each tenant can consume, as a percentage of CPU. Furthermore, this feature is configurable per IIS application pool, which means each tenant can have different limits; this can lead to a new business model in which tenants pay more for higher limits.
It is important to clarify that IIS CPU Throttling is not a reservation of CPU resources. Rather, it is a way to limit the maximum usage.
Step by Step Instructions:
Prerequisites:
- IIS is installed on Windows Server.
o IIS CPU Throttling is part of the IIS application pool configuration. Therefore, a default install of IIS will have this feature installed. There is no specific IIS feature that needs to be installed from Server Manager.
- There is at least one site with a corresponding IIS application pool.
o Default Web Site and DefaultAppPool can be used for this exercise.
o Copy from the labfiles DVD Drive>Tools>CPUThrottlingTest to inetpub/wwwroot/CPUThrottlingTest
o Create the application CPUThrottlingTest with an application pool (for example DefaultAppPool) using .NET 4.5
o ASP.NET must be installed, and default.aspx must be on the list of Default Documents.
Configure CPU Throttling
1. On WEBB Open IIS Manager.
2. Select Application Pools in the left navigation window.
3. Select DefaultAppPool.
4. In the Actions pane, select Advanced Settings.
5. Under the CPU group, locate the following settings:
o Limit: Indicates the maximum CPU usage (in 1/1000ths of a percent) for this application pool. If there are multiple processes associated with this application pool, the limit is applied to the total of all processes under this application pool.
o LimitAction: Indicates what action to take when the Limit value above is reached. For Windows Server 8, two new actions, Throttle and ThrottleUnderLoad, have been added:
Throttle: The feature throttles the CPU consumption to the value set for Limit.
ThrottleUnderLoad: The feature throttles the CPU consumption to the value set for Limit, but only if there is contention on the CPU. This means that the application pool may consume more CPU when the CPU is otherwise idle.
o LimitInterval: Not used by either Throttle or ThrottleUnderLoad. This configuration attribute is carried over from previous versions of Windows for backward compatibility.
6. Run the application in the web browser (localhost/CPUThrottlingTest). Open Task Manager or Process Monitor and verify the CPU load caused by w3wp.exe.
7. In the application pool's Advanced Settings, to set a maximum limit of 20%, enter:
a. Limit: 20000 (20% in 1/1000ths of a percent)
b. LimitAction: Throttle
8. Verify the relationship between the Limit setting and the CPU usage of the w3wp.exe process.
9. Note that the settings in question can be set as default values so that they do not have to be configured individually per application pool. To configure the application pool defaults, select Set Application Pool Defaults in the Actions pane.
10. The same settings are exposed there to configure the application pool defaults.
11. Remove the application so that it does not disturb other exercises.
Usage Scenarios
- The IIS CPU Throttling feature is designed for a multi-tenanted environment. Try these settings in an environment where there are thousands of sites and applications, such as a shared hosting deployment.
- Set different limits for different "groups" of tenants to simulate customers who are allowed to consume more CPU resources than others.
- Set ThrottleUnderLoad as the LimitAction to observe the behavior. It functions like Throttle if there is contention on the CPU. If there is no contention on the CPU, the application pool is allowed to use more CPU resources than the value set for Limit.
- Create a sand-box with memory and bandwidth limits, along with the IIS CPU Throttling feature on Windows Server 2012. Memory and bandwidth limits are not discussed specifically in this documentation because these features already exist on Windows Server 2008 and Windows Server 2008 R2.
Summary
You have successfully explored IIS CPU Throttling feature in Windows Server.
Lab 18: Central certificate store
Machines used in this Lab: DC, WEBB
Preparing file server
1. Switch to DC machine
2. Log on as Administrator
3. Launch cmd.exe
4. Type "md c:\certstore" and press Enter
5. Launch server manager
6. On the upper toolbar click "Manage" and then "Add Roles and Features"
7. Click "Next"
8. Leave the default (Role-based) installation type and click "Next"
9. Leave local server selected and click "Next"
10. Expand "File and Storage Services" then "File and iSCSI Services" and select "File
Server"
11. Click "Next"
12. On the "Features" screen click "Next"
13. Click "Install" and wait until installation finishes and click "Close"
14. In the left pane of the Server Manager click "File and Storage Services" and then "Shares"
15. Expand the "Tasks..." button and select "New Share..."
16. Select "SMB Share – Quick" and click "Next"
17. Select "Type a custom path"
18. Click "Browse" and select c:\certstore folder
19. Click "Next"
20. Leave default values for share name and click "Next"
21. Leave default share settings and click "Next"
22. Leave default permissions (read-only share permissions) and click "Next"
23. Click "Create" and then "Close"
Copying certificates to central store
1. On DC, attach the ISO file provided: go to the properties of the VM, select Media, choose DVD and mount ISO_IIS8_Labfiles.iso
2. In Windows Explorer, browse to DVD Drive>Certs
3. Launch cmd.exe.
4. Go to the Certs folder on the mounted ISO.
5. Type "copy *.pfx \certstore" and press Enter. Verify that the files were actually copied.
6. Type "exit" and press Enter to close cmd.exe window.
Trusting your certificates
1. These steps are necessary only if you plan to browse your website from a machine other than DC.
2. Remember that the following steps are necessary because you use self-signed certificates for the lab. In real-life scenarios certificates are signed by one of the trusted root CAs (TRCA) configured on your machine.
3. Log on as Administrator, launch mmc.exe.
4. Press Ctrl+M and select "Certificates". Click "Add".
5. Select "Computer account". Click "Next" and then "Finish". Click "OK"
6. Navigate to Trusted Root Certification Authorities\Certificates.
7. From the menu select Action -> All Tasks -> Import. Click "Next".
8. Select your certificate from \\dc\certstore and import it. Note that you should change the file type to "*.pfx" to see your files.
9. Specify P@ssw0rd as certificate password. Note that there is "@" sign in the
password string.
10. Repeat steps 7-9 for all your certificates.
Verifying address resolution
1. Open cmd.exe and try to ping www.cqure.tec
2. If the name is not recognized:
a. Open DNS Management Console and expand "Forward Lookup Zones" and
then "cqure.tec".
b. Right-click the zone and select "New Alias (CNAME)".
c. Type "www" as alias name and "webb.cqure.tec" as FQDN for target host.
d. Click OK.
e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the
name resolution cache.
f. Ping www.cqure.tec and verify if name is resolved correctly.
3. Ping test123.acme.net
4. If the name is not recognized:
a. Open the DNS Management Console, right-click "Forward Lookup Zones" and select "New Zone". Click Next, leave the default zone type (primary zone stored in AD), click Next, in the Zone name field type "acme.net", then click Next and Finish to create the zone.
5. Right-click the Acme.net zone and select "New Alias (CNAME)".
a. Type "*" as alias name and "webb.cqure.tec" as FQDN for target host.
b. Click OK
c. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the
name resolution cache.
d. Ping test123.acme.net and verify if name is resolved correctly.
Installing CCS support
1. Switch to WEBB machine and log on as Administrator
2. Launch Server Manager and on the upper toolbar click "Manage" and then "Add
Roles and Features"
3. Click "Next"
4. Leave the default (Role-based) installation type and click "Next"
5. Leave local server selected and click "Next"
6. Expand the "Web Server (IIS)" then "Web Server" and "Security"
7. Select "Centralized SSL Certificate Support". Click "Next"
8. On the "Features" screen click "Next"
9. Click "Install" and wait until installation finishes and click "Close"
Configuring CCS
1. Stay on WEBB machine and launch IIS Manager.
2. In the left pane select your server name.
3. If asked about Web Platform Components, press "No".
4. Double click "Centralized Certificates" under the "Management" in the central pane.
5. Click "Edit Feature Settings" in the right pane.
6. Click "Enable Centralized Certificates".
7. Type the UNC path to a share you created previously – \\dc\certstore.
8. Type the username and password. Administrator credentials will work, but using a dedicated user account is more secure.
9. In the "Certificate Private Key Password" type P@ssw0rd twice. Note that there is "@"
sign in the password string. Click "OK"
10. Verify that the certificates from your share appear in the central pane.
Creating new website
1. Stay on WEBB machine and launch IIS Manager.
2. In the left pane expand your server name and right click "Sites".
3. Select "Add Website" and fill out the dialog box with values:
a. Site name – www.cqure.tec
b. Physical path – c:\inetpub\wwwroot\cqure
c. Type – https
d. Host name – www.cqure.tec
e. Require Server Name Indication – true
f. Use Centralized Certificate Store – true
4. If asked about duplicate :80 binding – click "No"
5. Note that you cannot select a certificate; click OK
6. Repeat the above steps and create a site for www.acme.net:
a. Site name – www.acme.net
b. Physical path – c:\inetpub\wwwroot\acme
c. Type – https
d. Host name – www.acme.net
e. Require Server Name Indication – true
f. Use Centralized Certificate Store – true
Testing new website
1. Switch to DC machine
2. Log on as Administrator
3. Launch cmd.exe
4. Type "ping www.cqure.tec" and verify that the IP address was resolved correctly
5. Launch Internet Explorer and navigate to https://www.Cqure.tec
6. If asked – accept the warning caused by self-signed certificate by clicking on
"Continue to this website"
7. Click on the certificate icon and select "View certificates"
8. Verify the properties of the certificate used for encrypting the data transmission:
a. Verify that the dates are OK
b. Verify that the subject equals the server name (www.cqure.tec)
c. Verify that the certificate is trusted
9. Repeat above steps for https://www.acme.net.
a. What do you observe for certificate subject?
Lab 19: Configuring FTP Protection
Machines used in this Lab: DC, WEBB
FTP Server installation
1. Switch to WEBB machine
2. Log on as Administrator
3. Launch Server Manager
4. On the upper toolbar click "Manage" and then "Add Roles and Features"
5. Click "Next"
6. Leave the default (Role-based) installation type and click "Next"
7. Leave local server selected and click "Next"
8. Expand the "Web Server (IIS)" then "FTP Server"
9. Select "FTP Service"
10. Click "Next"
11. On the "Features" screen click "Next"
12. Click "Install" and wait until installation finishes and click "Close"
FTP Server configuration
1. Launch IIS Manager
2. In the left pane right click your server name and select "Add FTP Site"
3. Fill the dialog box with values:
a. FTP Site Name – FTP1
b. Physical Path – c:\inetpub\ftproot
4. Press "Next"
5. Switch SSL option to "No SSL" and click "Next"
6. Configure options:
a. Authentication – Basic
b. Allow Access to – All Users
c. Permissions – Read
7. Click "Finish"
8. Verify your FTP server by launching cmd.exe and typing ftp 127.0.0.1. If it asks for a username, the server works properly.
Attacking unprotected FTP server
1. Create a local copy of Brutus utility from ISO
2. Launch BrutusA2.exe utility
3. Set your attack parameters:
a. Target – 127.0.0.1
b. Type – FTP
4. Press "Start"
5. When the attack finishes, note the elapsed time and attempt count.
6. Navigate to c:\inetpub\logs\logfiles\ftpsvc and open the log file. Try to identify attack evidence. Note that IIS log files use UTC time, not local time.
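Step 6 asks you to find the attack evidence in the ftpsvc log. The following Python script is an added example, not part of the lab, that does the same over a constructed sample of that W3C log: it treats every PASS command answered with 530 as a failed logon and flags a client address once it has produced the number of failures in the time window that FTP Logon Attempt Restrictions would block on (4 failures is assumed as the dialog default you leave in place; 120 seconds is the period set in the next section). Timestamps are UTC, as the step notes.

```python
"""Flag FTP logon brute-force activity in an IIS ftpsvc W3C log."""
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample in the ftpsvc W3C layout; IIS writes these timestamps in UTC.
# A PASS command answered with 530 (Win32 status 1326 = logon failure) is a failed logon.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2016-12-07 10:00:01 192.168.200.15 - 192.168.200.10 21 USER alice 331 0 0 s1 -
2016-12-07 10:00:03 192.168.200.15 alice 192.168.200.10 21 PASS *** 530 1326 41 s1 /
2016-12-07 10:00:20 192.168.200.15 alice 192.168.200.10 21 PASS *** 230 0 0 s1 /
2016-12-07 10:05:00 192.168.200.99 - 192.168.200.10 21 USER administrator 331 0 0 s2 -
2016-12-07 10:05:00 192.168.200.99 administrator 192.168.200.10 21 PASS *** 530 1326 41 s2 /
2016-12-07 10:05:01 192.168.200.99 administrator 192.168.200.10 21 PASS *** 530 1326 41 s2 /
2016-12-07 10:05:01 192.168.200.99 administrator 192.168.200.10 21 PASS *** 530 1326 41 s2 /
2016-12-07 10:05:02 192.168.200.99 administrator 192.168.200.10 21 PASS *** 530 1326 41 s2 /
2016-12-07 10:05:02 192.168.200.99 administrator 192.168.200.10 21 PASS *** 530 1326 41 s2 /
2016-12-07 10:09:30 192.168.200.15 alice 192.168.200.10 21 PASS *** 530 1326 41 s3 /
"""


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip a truncated row rather than mis-assign its columns
        yield dict(zip(fields, parts))


def failed_logons(rows):
    """(timestamp_utc, client_ip, username) for every PASS command the server rejected."""
    for r in rows:
        if r["cs-method"].upper() == "PASS" and r["sc-status"] == "530":
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            yield ts.replace(tzinfo=timezone.utc), r["c-ip"], r["cs-username"]


def detect_bruteforce(log_text, max_failures=4, window_seconds=120):
    """Return {client_ip: utc_time_the_threshold_was_crossed}.

    Sliding window per source address: max_failures rejected logons inside
    window_seconds is what FTP Logon Attempt Restrictions would block. Only the
    first crossing per address is recorded so the caller gets one alert, not one
    per extra attempt.
    """
    window = timedelta(seconds=window_seconds)
    recent = {}   # ip -> deque of failure timestamps still inside the window
    flagged = {}
    for ts, ip, _user in failed_logons(parse_w3c(log_text)):
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: threshold crossed at {when.isoformat()} (UTC)")
```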
Protecting your FTP Server
1. Launch IIS Manager
2. In the left pane select your server name
3. Double click "FTP Logon Attempt Restrictions" in the central pane
4. Select "Enable FTP Logon Attempt Restrictions" and change the time period to 120
seconds
5. Leave default values and press "Apply" in the right pane
Attacking protected FTP server
1. Launch BrutusA2.exe utility
2. Set your attack parameters:
a. Target – 127.0.0.1
b. Type – FTP
3. Press "Start"
4. Observe the result of the attack
5. Try to repeat the steps you used to verify the FTP configuration:
a. Launch cmd.exe
b. Type "ftp 127.0.0.1" and press Enter
c. Could you see the difference?
Lab 20: Authorization, Authentication and Access
Machines used in this Lab: DC, WEBB
Disable IE ESC mode
1. On WEBB, log on as CQURE\Administrator (password P@ssw0rd)
2. Launch Server Manager and select Local Server in the left pane.
3. Find the IE Enhanced Security Configuration entry in the main pane and switch it to
disabled for admins and users.
Turn off the Web site cache for the shared documents folder
1. On WEBB, in Internet Information Services (IIS) Manager, in the Connections
pane, ensure WEBB > Sites > HR > docs is expanded, and then click shared.
2. In the details pane, in the HTTP Features section, double-click HTTP Response
Headers.
3. In the Actions pane, click Add.
4. The Add Custom HTTP Response Header dialog box appears. In the Name field, type
Cache-Control.
5. In the Value field, type no-cache and then click OK.
Sign into the Raccoons Bank Web site and retrieve the confidential memo
1. In Internet Information Services (IIS) Manager, in the Connections pane, click HR.
2. In the Actions pane, click Browse *:80 (http).
3. The Windows Internet Explorer window opens. Click Shared Documents.
4. In the Email field, type [email protected].
5. In the Password field, type P@ssw0rd.
6. Click Login.
7. If you get the AutoComplete Passwords dialog box, click No.
8. Click Confidential Memo. Notice that the image representing the Confidential
Memo appears.
9. Click the Back button.
10. Click Signout.
Bypass the Web site forms authentication
1. In Internet Explorer, browse to
http://hr.cqure.tec/docs/shared/Raccoons_memo.jpg. Notice that the image
representing the Confidential Memo appears.
Question: Why is the confidential memo being displayed even after the user logs out?
Answer: The Web site and directory are not fully protected by forms authentication.
2. Click the Back button.
Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow
1. On WEBB, in Windows Explorer, browse to C:\windows\system32\inetsrv\config.
2. In the details pane, double-click applicationHost.config. Unlock the URL Authorization section by changing the override mode default to 'allow'. Do this by modifying the authorization section indicated in the next step.
3. Find the <configSections> section. Find:
<section name="authorization" overrideModeDefault="Allow" />
And replace it with:
<section name="authorization" type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35" overrideModeDefault="Allow" />
Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode
1. Change the Classic .NET application pool to Integrated mode by finding the <applicationPools> section and replacing:
<add name="Classic .NET AppPool" managedPipelineMode="Classic" />
With:
<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />
Modify the applicationHost.config file to disable all other authentication types except for anonymous
1. Find the <authentication> section.
2. Append:
enabled="false"
To:
clientCertificateMappingAuthentication, digestAuthentication, iisClientCertificateMappingAuthentication, and windowsAuthentication
Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section
1. Remove the preconditions for Forms Authentication and Default Authentication from the modules section. Do this by finding the <system.webServer> section, and then modifying the lines indicated in the next steps.
2. Replace:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
With:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
3. Replace:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
With:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
4. On the File menu, click Save.
5. Close Notepad.
Reconfigure the authorization and authentication so that the protected content uses
forms authentication
1. In Windows Explorer, browse to D:\AllFiles\Step6\Labfiles\RaccoonsHRSite.
2. In the details pane, double-click Web.Config.
3. The Notepad window opens. Find the <authorization> section.
4. Add the line <allow users="[email protected]" /> above the line <!--<deny users="?" />-->.
5. Remove the comment markers from the line <!--<deny users="?" />-->, changing it to <deny users="?" />.
6. On the File menu, click Save.
7. Close Notepad.
8. In Internet Information Services (IIS) Manager, in the Connections pane, click
shared.
9. In the details pane, in the Security section, double-click Authentication.
10. Click Anonymous Authentication.
11. In the Actions pane, click Disable.
Test and validate the new Web site configuration
1. In Internet Explorer, in the Email field, type [email protected].
2. In the Password field, type P@ssw0rd.
3. Click Login.
4. Click Confidential Memo.
5. Click the Back button.
6. Click Signout.
7. In Internet Explorer, browse to
http://hr.cqure.tec/docs/shared/Raccoons_memo.jpg. Notice that you are
redirected to the login page and that proper authentication is now required to access
the Raccoons Memo file.
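As an added illustration (not part of the lab), the following Python model shows the two things this lab relies on: how ASP.NET evaluates the <allow>/<deny> rules edited in Web.Config (the first matching rule wins, "?" means anonymous, and no matching rule means allow), and why a static file such as Raccoons_memo.jpg is served without those checks until the managedHandler precondition is removed. The account name hr.user@cqure.tec is a constructed stand-in for the lab's account.

```python
"""Why Raccoons_memo.jpg was served after logout, and why the Lab 20 edits stop it."""
import xml.etree.ElementTree as ET

ANON = None  # identity of a request that has not logged in through forms authentication

# Constructed <authorization> sections shaped like the lab's Web.Config before and after
# steps 4-5; "hr.user@cqure.tec" stands in for the lab's real account.
AUTHZ_BEFORE = """<authorization>
  <!--<deny users="?" />-->
</authorization>"""

AUTHZ_AFTER = """<authorization>
  <allow users="hr.user@cqure.tec" />
  <deny users="?" />
</authorization>"""

# Extensions served by the native StaticFileModule rather than a managed handler.
STATIC_EXTENSIONS = {"jpg", "png", "gif", "htm", "html", "css", "js"}


def parse_rules(xml_text):
    """[(action, [users...])] in document order; a commented-out rule never loads."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
            rules.append((el.tag, users))
    return rules


def _matches(users, user):
    for u in users:
        if u == "*":                      # everyone, authenticated or not
            return True
        if u == "?" and user is ANON:     # anonymous requests only
            return True
        if user is not ANON and u.lower() == user.lower():
            return True
    return False


def evaluate(rules, user):
    """ASP.NET URL authorization: the first matching rule decides; no match means allow.
    Note the consequence: with only <allow users="x"/><deny users="?"/>, any other
    authenticated user is still allowed, because no rule matches them."""
    for action, users in rules:
        if _matches(users, user):
            return action == "allow"
    return True


def is_static(path):
    return path.rsplit(".", 1)[-1].lower() in STATIC_EXTENSIONS


def request_allowed(path, user, rules, managed_handler_precondition=True):
    """Integrated pipeline: a managed module with preCondition="managedHandler" runs
    only for requests served by a managed handler, so StaticFileModule returns a .jpg
    before forms authentication ever sees the request. Removing the precondition
    (what the applicationHost.config edits above do) puts those requests through
    the same rules as default.aspx."""
    if is_static(path) and managed_handler_precondition:
        return True
    return evaluate(rules, user)
```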
Lab 21: IIS Hardening
Machines used in this Lab: DC, NODE1
The IIS platform is much bigger than it looks. It has many security features built into the platform itself and many more that are configured in the Web site settings. In this lab you will configure the security settings for both the platform and the Web site.
Starting your lab environment
1. Launch DC and wait until it starts, then log on as CQURE\Administrator with password P@ssw0rd
2. Launch the NODE1 machine and log on as CQURE\Administrator with password P@ssw0rd
Verifying existing configuration
1. Switch to DC machine
2. Start Internet Explorer
3. Type http://NODE1.CQURE.TEC in the address field and verify that the Web server on NODE1 is working correctly
4. Type https://NODE1.CQURE.TEC in the address field and verify whether the Web server on NODE1 is working correctly with SSL (or maybe not)
5. Install the NMAP application and then start the NMAP Zenmap GUI from the lab files ISO>Tools (to mount the ISO, go to the DC VM properties, Media>DVD>ISO_IIS8_Labfiles.iso).
6. Type NODE1.CQURE.TEC in the target field
7. Select Quick scan as a profile
8. Click Scan
9. Verify open ports
Remove IPv6 bindings
If your server will not serve content to IPv6 clients (which is the most common scenario) you
should remove binding to this protocol.
1. Switch to NODE1
2. Start cmd.exe
3. Type ipconfig and try to identify IPv6 addresses.
4. Type ncpa.cpl
5. Right click Ethernet and select properties
6. Uncheck checkbox next to Internet Protocol Version 6 (TCP/IPv6)
7. Click OK
8. Right click Ethernet and select Disable and then Enable it.
9. Close Network Connections window
10. In the cmd.exe console type ipconfig to verify that there are no IPv6 addresses
Configuring firewall
1. Stay on NODE1
2. Start cmd.exe
3. Type wf.msc to launch firewall management console
4. Select Inbound rules from the left pane
5. You may sort the rules list by the Enabled column for easier identification of enabled rules
6. Disable IPv6 Rule
a. Find Core Networking – IPv6 (IPv6-In) rule
b. Right click it
c. Select Disable from context menu
7. Disable all other rules, leaving only those two enabled:
a. World Wide Web Services (HTTP Traffic-In)
b. World Wide Web Services (HTTPS Traffic-In)
8. Switch to DC machine
9. Start NMAP Zenmap GUI from desktop
10. Type NODE1.CQURE.TEC in the target field
11. Select Quick scan as a profile
12. Click Scan
13. Verify open ports
Encrypting traffic with https
1. Switch to NODE1
2. Launch Internet Information Services (IIS) Manager
3. Select NODE1 from the left pane
4. Double click on Server Certificates
5. Click Create Self-Signed Certificate from the right pane
6. Type NODE1.CQURE.TEC as a friendly name and click OK
7. Expand Sites in the left pane and select Default Web Site
8. Click Bindings… in the right pane. Click Add…
9. Create new binding
a. Type: https
b. IP Address: All Unassigned
c. Port: 443
d. SSL Certificate: NODE1.CQURE.TEC
10. Close site bindings window
11. Switch to DC machine
12. Start Internet Explorer
13. Type https://NODE1.CQURE.TEC in the address field and verify if web server on
node 1 is working correctly with SSL
14. Click Continue to this website
15. Click on the red icon next to the address bar in Internet Explorer
16. Click View certificates
17. Switch to Details tab
a. Is the Subject field valid for this website?
b. Are Valid from and Valid to fields correct?
18. Switch to Certification Path tab
a. Is this certificate trusted?
19. Click OK to close certificate properties window
20. What should change before you use such configuration in production environment?
Removing features
1. Switch to NODE1
2. Close all open windows and applications
3. Start Server Manager
4. Choose Manage > Remove Roles and Features (Remove Role Services under Roles on
Windows Server 2008 R2) and go to the Role Services page for Web Server (IIS)
5. Under Common HTTP Features find Directory Browsing
6. Uncheck Directory Browsing. It lets a client list the contents of a folder when the URI
names no document, is rarely needed, and discloses file names to anyone who can reach
the site.
7. Click Next then Remove and Close
Adding features
1. Switch to NODE1
2. Close all open windows and applications
3. Start Server Manager
4. Choose Manage > Add Roles and Features (Add Role Services under Roles on Windows
Server 2008 R2) and go to the Role Services page for Web Server (IIS)
5. Expand Web Server > Security
6. Check following options under Security section:
a. Windows Authentication
b. URL Authorization
c. IP and Domain Restrictions
7. Click Next then Install and Close
Configuring IP restrictions
1. Switch to NODE1
2. Launch Internet Information Services (IIS) Manager
3. Expand NODE1 and Default Web Site in the left pane right click > Add Virtual
directory, Alias: test1 and declare a virtual directory. The path to the resource is not
important. So in c:\inetpub\wwwroot you can create a new folder “test1” and point it
as a target path.
4. Double click IP Address and Domain Restrictions icon
5. Click Add Deny Entry from the right pane
6. Enter the domain controller's IP address (check it first on DC with ipconfig; in this lab
it should be 192.168.127.2) as the value to deny
7. Switch to DC machine
8. Start Internet Explorer
9. Type http://NODE1.CQURE.TEC and then http://NODE1.CQURE.TEC/test1
a. What happens? What is verified first: IP restrictions or user account? Does it
make sense?
Adding other security modules
1. Switch to NODE1
2. Close all open windows and applications
3. Launch Internet Information Services (IIS) Manager
4. Select Default Web Site from the left pane
5. Open IP and Domain Restrictions module
6. Click Edit Dynamic Restriction Settings in right pane
7. Check Deny IP addresses based on the number of requests over a period of time
option
8. Type 10 as a number of requests and 10000 as time period
9. Click Apply on the right pane
10. Click Default Web Site from the left pane
11. Switch to DC machine
12. Start Internet Explorer
13. Type http://NODE1.CQURE.TEC in the address field and verify if page opens
14. Click refresh button (next to address field) several times and count refreshes until it
stops working. Is the count what you expected? Why?
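The platform hardening steps of this lab (IPv6 unbinding, firewall rules, HTTPS binding, static and dynamic IP restrictions) as one script. This is an added example, not part of the CQURE lab files. It assumes Windows Server 2012 R2 or later on NODE1 (NetAdapter, NetSecurity and WebAdministration modules), an adapter named Ethernet, and that the IP and Domain Restrictions role service is already installed; the host name, site name and denied address are the lab's. Run it in an elevated PowerShell on NODE1.

```powershell
# Added example, not from the lab files. Lab values: adjust for your environment.
Import-Module NetAdapter, NetSecurity, WebAdministration -ErrorAction Stop

$Adapter   = 'Ethernet'                 # assumed adapter name
$SiteName  = 'Default Web Site'
$HostName  = 'NODE1.CQURE.TEC'
$DeniedIp  = '192.168.127.2'            # the DC, as in the lab
$KeepRules = @('World Wide Web Services (HTTP Traffic-In)',
               'World Wide Web Services (HTTPS Traffic-In)')
$AppHost   = 'MACHINE/WEBROOT/APPHOST'

# 1. Unbind IPv6 from the NIC (the ncpa.cpl checkbox) and confirm no IPv6 address is left.
Disable-NetAdapterBinding -Name $Adapter -ComponentID ms_tcpip6 -Confirm:$false
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Select-Object IPAddress, PrefixOrigin

# 2. Firewall: disable every enabled inbound rule except the two web rules. This also covers
#    "Core Networking - IPv6 (IPv6-In)". CAUTION: it disables Remote Desktop and WinRM too;
#    run from the console or add those rule names to $KeepRules first.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayName -notin $KeepRules } |
    Disable-NetFirewallRule

# 3. HTTPS binding with a self-signed certificate (lab only; see the note after the script).
$cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
# AddSslCertificate is a method the WebAdministration provider adds to binding objects;
# "my" is the certificate store name.
(Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($cert.Thumbprint, 'my')

# 4. Static IP restriction on the test1 virtual directory: deny the DC's address.
$vdirPath = Join-Path $env:SystemDrive 'inetpub\wwwroot\test1'
New-Item -Path $vdirPath -ItemType Directory -Force | Out-Null
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name 'test1')) {
    New-WebVirtualDirectory -Site $SiteName -Name 'test1' -PhysicalPath $vdirPath | Out-Null
}
Add-WebConfigurationProperty -PSPath $AppHost -Location "$SiteName/test1" `
    -Filter 'system.webServer/security/ipSecurity' -Name '.' `
    -Value @{ ipAddress = $DeniedIp; allowed = 'false' }

# 5. Dynamic IP restrictions on the whole site: more than 10 requests in 10 s gets a 403.
$dyn = 'system.webServer/security/dynamicIpSecurity/denyByRequestRate'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $dyn -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $dyn -Name maxRequests -Value 10
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $dyn -Name requestIntervalInMilliseconds -Value 10000

# 6. Verify: listening sockets and site bindings. Listening is not the same as reachable;
#    the Nmap scan from DC shows what the firewall actually lets through.
Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | Select-Object LocalAddress, LocalPort
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
```

Two points answer question 20 of the https section. The self-signed certificate has the right subject but no client trusts its issuer, so before production request a certificate from your enterprise or a public CA and bind that thumbprint instead. And the firewall step is only safe because the lab is driven from the console: in production keep the management rules you need (RDP or WinRM, restricted to the admin network) in $KeepRules.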
Lab 22: IIS under attack
Machines used in this Lab: DC, NODE1,WEBA,WEBB
Internet Information Services is a web platform that can host websites built with many
different technologies. It has been improved year after year, ending up with rich functionality,
good performance and a well-designed security model. When under attack, IIS records what is
happening in a very efficient way; the goal of this exercise is to learn how to get at that
information and how to test the platform by running several performance (load) attacks
against it.
We will be attacking every server that hosts IIS, so it is important to start all the VMs.
Starting your lab environment
1. Launch DC VM and wait until it starts
2. Logon as CQURE\Administrator with password P@ssw0rd
3. Launch NODE1 machine
4. Logon as CQURE\Administrator with password P@ssw0rd
Preparing stress tool
1. Switch to DC machine
2. Mount provided ISO file and find the document named scenario1.txt Copy it to the
desktop.
3. Review scenario1.txt file. It contains data used to generate http traffic.
4. Install WCAT
a. Launch wcat.amd64.msi
b. Press Next
c. Accept license agreement and press Next
d. Click Complete
e. Click Install
f. Click Continue and Finish
g. Review instructions and close notepad window
5. Launch cmd.exe
6. Change working directory – type: cd "C:\Program Files\wcat"
7. Copy scenario file – type: copy "%userprofile%\desktop\scenario1.txt"
"C:\Program Files\wcat"
8. Set cscript as default script host- type: cscript //H:Cscript
9. Install wcat client – type: wcat.wsf -terminate -update -clients localhost
10. Launch wcat – type: wcat -run -s NODE1.CQURE.TEC -v 1 -t scenario1.txt
a. If you think that generated traffic is too low you can increase the value
specified after –v parameter
11. Do not close command prompt window. It allows you to easily re-launch wcat
utility
Using logparser
1. Switch to NODE1 machine
2. Log on as CQURE\Administrator // P@ssw0rd
3. Install IIS Server Role
4. Mount provided ISO file and find the file named LogParser.msi.
5. Launch LogParser.msi
6. Click Next
7. Accept license terms and click Next
8. Click Complete
9. Click Install
10. Wait until installation finishes and click Finish
11. To launch Log Parser 2.2 run CMD and type cd c:\Program Files (x86)\Log Parser
2.2\ and then LogParser.exe, hit enter to execute.
Review the LogParser help displayed on the screen and try to create some queries:
a. Count entries in logs: logparser -i:IISW3C "SELECT count(*) FROM
C:\inetpub\logs\LogFiles\W3SVC1\*.log"
b. Count http errors: logparser -i:IISW3C "SELECT count(*) FROM
C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE sc-status<>200" (note that this also
counts 3xx responses such as 304 Not Modified; use sc-status>=400 for real errors)
c. Details of http errors: logparser -i:IISW3C "SELECT top 10 sc-status, date,
time, cs-uri-stem FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE
sc-status<>200"
d. Processing times: logparser -i:IISW3C "SELECT TOP 10 cs-uri-stem AS Url,
MIN(time-taken) AS [Min], AVG(time-taken) AS [Avg], MAX(time-taken)
AS [Max], COUNT(time-taken) AS Hits FROM
C:\inetpub\logs\LogFiles\W3SVC1\*.log GROUP BY Url ORDER BY [Avg]
DESC"
e. List top 20 longest requests: logparser -i:IISW3C "SELECT top 20 cs-uri-stem,
date, time, time-taken FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log
ORDER BY time-taken DESC"
12. Remember that IIS writes log timestamps in UTC, so they may differ from your local time
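The same questions the Log Parser queries answer, as a PowerShell script added here as an example (it is not part of the lab files and not the Log Parser tool). It parses the #Fields: header, so it works on whatever field selection the server logs, and it runs against constructed sample lines in IIS W3C format: the addresses, paths and user agents in the sample are made up. Point $Lines at Get-Content over C:\inetpub\logs\LogFiles\W3SVC1\*.log to run it on NODE1.

```powershell
# Added example, not from the lab files. Constructed sample in IIS W3C format.
$Lines = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-12-07 10:00:01 192.168.127.10 GET / - 80 - 192.168.127.2 Mozilla/5.0 200 0 0 15
2016-12-07 10:00:02 192.168.127.10 GET /iisstart.png - 80 - 192.168.127.2 Mozilla/5.0 200 0 0 3
2016-12-07 10:00:05 192.168.127.10 GET /admin/ - 80 - 192.168.127.50 sqlmap/1.0 404 0 2 1
2016-12-07 10:00:05 192.168.127.10 GET /phpmyadmin/ - 80 - 192.168.127.50 sqlmap/1.0 404 0 2 1
2016-12-07 10:00:06 192.168.127.10 GET /wp-login.php - 80 - 192.168.127.50 sqlmap/1.0 404 0 2 2
2016-12-07 10:00:06 192.168.127.10 GET /.git/config - 80 - 192.168.127.50 sqlmap/1.0 404 0 2 1
2016-12-07 10:00:09 192.168.127.10 POST /search - 80 - 192.168.127.2 Mozilla/5.0 200 0 0 1840
2016-12-07 10:00:12 192.168.127.10 GET /search - 80 - 192.168.127.2 Mozilla/5.0 500 0 0 2210
'@ -split "`r?`n"

function ConvertFrom-IisW3C {
    # Turns W3C lines into objects named after the #Fields: header (field order is irrelevant).
    param([string[]]$Text)
    $fields = $null
    foreach ($line in $Text) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line -match '^#' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$entries = ConvertFrom-IisW3C $Lines

# a. and b.: totals and non-200 responses (sc-status<>200 in the Log Parser query)
'Entries: {0}, non-200: {1}' -f $entries.Count, ($entries | Where-Object 'sc-status' -ne '200').Count

# c.: details of non-200s, UTC timestamp converted to local time (W3C logs are UTC)
$entries | Where-Object 'sc-status' -ne '200' | Select-Object -First 10 `
    @{ n = 'LocalTime'; e = { [datetime]::SpecifyKind([datetime]"$($_.date) $($_.time)", 'Utc').ToLocalTime() } },
    'sc-status', 'cs-uri-stem', 'c-ip' | Format-Table -AutoSize

# d.: processing time per URL (MIN/AVG/MAX(time-taken) GROUP BY cs-uri-stem)
$entries | Group-Object 'cs-uri-stem' | ForEach-Object {
    $t = $_.Group | ForEach-Object { [int]$_.'time-taken' } | Measure-Object -Minimum -Average -Maximum
    [pscustomobject]@{ Url = $_.Name; Hits = $_.Count; Min = $t.Minimum; Avg = [int]$t.Average; Max = $t.Maximum }
} | Sort-Object Avg -Descending | Format-Table -AutoSize

# Scanner detection: clients with several 404s. The Not Found Errors/sec counter in the
# next section shows this happening live; the log shows who caused it and what they probed.
$entries | Where-Object 'sc-status' -eq '404' | Group-Object 'c-ip' |
    Where-Object Count -ge 3 |
    ForEach-Object {
        [pscustomobject]@{
            ClientIp = $_.Name
            NotFound = $_.Count
            Agents   = ($_.Group.'cs(User-Agent)' | Sort-Object -Unique) -join ','
            Paths    = ($_.Group.'cs-uri-stem' | Select-Object -First 3) -join ' '
        }
    } | Format-Table -AutoSize
```

On the sample, the last report singles out 192.168.127.50 with four 404s for typical scanner paths and a sqlmap user agent, which is exactly the pattern the Dynamic IP Restrictions of the hardening lab would throttle.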
Using performance monitor
1. Switch to NODE1
2. Launch cmd.exe and type: perfmon
3. Select Performance Monitor entry in the left pane
4. Click on the green plus sign on the toolbar and add counters:
a. Web Service\Anonymous Users/sec
b. Web Service\Bytes Total/sec\_Total
c. Web Service\Current Connections\_Total
d. Web Service\Not Found Errors/sec\_Total – this counter is useful if you'd
like to detect automated scanning scripts.
e. Network interface\Bytes Received/sec\<All Instances> – you can delete
unused network interface cards later
f. Network interface\Bytes Sent/sec\<All Instances> – you can delete
unused network interface cards later
5. Look if perfmon notifies anything other than zero
6. Switch to DC
7. Launch Internet Explorer, open NODE1.CQURE.TEC website and press Ctrl+F5
several times
8. Switch to NODE1
9. Freeze perfmon using Pause button on the toolbar
10. Observe the counter values. They matter because they are the administrator's baseline:
attacks are easier to detect when you know the everyday behaviour of your server
11. Un-freeze perfmon
12. Switch to DC and re-launch wcat
13. Switch to NODE1 and observe perfmon counters
14. Remember about these tips:
a. You can highlight perfmon graphs using Ctrl+H shortcut. It is extremely
useful if you have more than 5 counters active
b. Suggested set of counters is optimized for attacks detection. Perfmon is also
very useful for everyday performance monitoring of web applications.
c. If some counters are useless – just delete them. You can also add new
counters any time.
d. You can double click any counter and change its scale. This lets you monitor values
that are constantly below or above the display scale, like Bytes Total/sec
e. Look at IIS hardening lab and consider using Dynamic IP Restrictions for
preventing some types of attacks.
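The baseline idea from step 10, scripted: capture the counters listed above with Get-Counter while traffic is normal, then keep sampling and warn when a value leaves the baseline by a large factor. Added example, not part of the lab; the factor and floor are arbitrary lab values, and a real deployment would keep a baseline per hour of day rather than one ten-second average. Run it on NODE1, then relaunch wcat from DC and watch which counters trip.

```powershell
# Added example, not from the lab files.
$Counters = @(
    '\Web Service(_Total)\Current Connections',
    '\Web Service(_Total)\Bytes Total/sec',
    '\Web Service(_Total)\Not Found Errors/sec',
    '\Web Service(_Total)\Anonymous Users/sec'
)

function Get-CounterSnapshot {
    # One sample of every counter, as a hashtable counter path -> cooked value.
    $set = Get-Counter -Counter $Counters -SampleInterval 1 -MaxSamples 1
    $h = @{}
    foreach ($c in $set.CounterSamples) { $h[$c.Path] = $c.CookedValue }
    $h
}

# Baseline: mean of 10 one-second samples taken while the server is idle or under normal load.
$base = @{}
1..10 | ForEach-Object {
    $snap = Get-CounterSnapshot
    foreach ($k in $snap.Keys) { $base[$k] = $base[$k] + $snap[$k] }
}
foreach ($k in @($base.Keys)) { $base[$k] = $base[$k] / 10 }
$base.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Watch loop: warn when a sample exceeds Factor x baseline. Floor stops a near-zero baseline
# (e.g. 0.1 Not Found Errors/sec) from alerting on a single 404.
$Factor = 5
$Floor  = 10
while ($true) {
    $snap = Get-CounterSnapshot
    foreach ($k in $snap.Keys) {
        $ref = [math]::Max($base[$k], $Floor)
        if ($snap[$k] -gt $Factor * $ref) {
            Write-Warning ('{0:HH:mm:ss} {1} = {2:N0} (baseline {3:N1})' -f (Get-Date), $k, $snap[$k], $base[$k])
        }
    }
}
```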
Using traces
1. Switch to NODE1
2. Launch Server Manager
3. Choose Manage > Add Roles and Features (Add Role Services under Roles on Windows
Server 2008 R2) and go to the Role Services page for Web Server (IIS)
4. Expand Web Server > Health and Diagnostics
5. Check Tracing option in the Health and Diagnostics section
6. Click Next
7. Click Install and then Close
8. Launch Internet Information Services (IIS) Management
9. Expand Sites in the left pane and select Default Web Site entry
10. Double click Failed Request Tracing Rules in the central pane
11. Click Add in the right pane
12. Leave default All content (*) entry selected and click Next
13. Clear all checkboxes except Status code and enter 404 then press Next. This error
code means “page not found”
14. Leave default providers selected and press Finish
15. Click Failed Request Tracing in the right pane
16. Select Enable and remember location for traces. Then press OK
17. Switch to DC machine
18. Open Internet Explorer and enter URL: NODE1.CQURE.TEC/fakepath
19. Look if new files appeared in C:\inetpub\logs\FailedReqLogFiles\W3SVC1
20. Double click last one of XML files created
21. Click Add and add about:blank if asked about security settings by Internet Explorer
22. Review trace data using Request Summary, Request Details (with sub-tabs) and
Compact View tab. Remember that trace for non-existing URL is very simple. It gives
some idea about level of details but in real life scenarios may be more complicated.
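The Failed Request Tracing rule above, created with the WebAdministration module instead of the wizard, followed by a read of the newest trace file. Added example, not part of the lab files; it assumes the Tracing role service is installed, the site is Default Web Site and its site id is whatever IIS assigned (it is looked up, not hard-coded).

```powershell
# Added example, not from the lab files.
Import-Module WebAdministration
$Site    = 'Default Web Site'
$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Rules   = 'system.webServer/tracing/traceFailedRequests'

# Rule for all content (*) triggered by status 404, tracing the WWW Server provider areas.
if (-not (Get-WebConfiguration -PSPath $AppHost -Location $Site -Filter "$Rules/add[@path='*']")) {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $Rules -Name '.' -Value @{ path = '*' }
}
Add-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter "$Rules/add[@path='*']/traceAreas" -Name '.' `
    -Value @{ provider  = 'WWW Server'
              areas     = 'Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module'
              verbosity = 'Verbose' }
Set-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter "$Rules/add[@path='*']/failureDefinitions" `
    -Name statusCodes -Value '404'

# Turn tracing on for the site (the "Failed Request Tracing..." action in the right pane)
# and work out where the files go: <directory>\W3SVC<site id>.
Set-ItemProperty "IIS:\Sites\$Site" -Name traceFailedRequestsLogging.enabled -Value $true
$siteItem = Get-Item "IIS:\Sites\$Site"
$traceDir = [Environment]::ExpandEnvironmentVariables($siteItem.traceFailedRequestsLogging.directory)
$traceDir = Join-Path $traceDir "W3SVC$($siteItem.id)"

# Now request a missing page (from DC: http://NODE1.CQURE.TEC/fakepath) and read the newest trace.
$latest = Get-ChildItem $traceDir -Filter 'fr*.xml' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($latest) {
    [xml]$trace = Get-Content $latest.FullName
    $r = $trace.failedRequest      # root element: url, verb, statusCode, failureReason, timeTaken ...
    '{0} {1} -> {2} ({3} ms), trigger: {4}' -f $r.verb, $r.url, $r.statusCode, $r.timeTaken, $r.failureReason
} else {
    "No trace files yet in $traceDir"
}
```

Two caveats for production. Verbose traces include request headers, so cookies and authorization headers end up in these XML files; keep the directory's ACL tight and treat the files as sensitive. And a broad rule such as all content with status 404 on a busy site fills the per-site file quota (maxLogFiles) quickly, so scope the rule to the problem URL and status code and disable it once the investigation is over.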
IIS logging can tell you a lot about how a website behaves under given conditions. Tools such
as Log Parser can turn the logs into many output formats, including charts like the network
bandwidth graph you see in Performance Monitor.
When you finish the lab, revert the virtual machines to their initial state. To do this, from
NODE1 Virtual Machine window click Actions Menu and choose “Revert”.
Lab 23: Logging
Machines used in this Lab: DC, WEBB
Examine and configure logging options
1. On WEBB, in Internet Information Services (IIS) Manager, in the Connections
pane, click WEBB.
2. In the details pane, in the Health and Diagnostics section, double-click Logging.
3. Notice that the Log File Rollover Schedule is set for Daily.
4. Select Use local time for file naming and rollover.
5. In the Actions pane, click Apply.
Test the logging operations
1. In Internet Explorer, click the Refresh button.
2. In Windows Explorer, browse to C:\inetpub\logs\LogFiles\W3SVC1.
3. In the details pane, double-click the newest log file. Notice the most recent log
entries at the bottom of the log. Notice that the log entries include a number of lines
with the word “GET.”
Question: What does the word “GET” mean in this log file?
Answer: The GET commands indicate requests from the client to the Web server to retrieve
the Web pages and images.
Lab 24: Delegation and Remote Administration
Machines used in this Lab: DC, WEBB
Start the DC virtual machine and log on as CQURE\Administrator
Start the WEBB virtual machine and log on as CQURE\Administrator
Configure WEBB for remote administration
1. On WEBB, Open | Administrative Tools | Internet Information Services (IIS)
Manager.
2. In the Internet Information Services (IIS) Manager connections pane, click
WEBB(CQURE\Administrator).
3. In the details pane, in the Management section, double-click Management Service.
4. Select Enable remote connections.
5. Click Windows credentials or IIS Manager credentials.
6. In the Actions pane, click Apply.
7. Click Start.
Test WEBB remote administration
1. On DC, open Server Manager. In the Server Manager console pane, click Roles.
2. Right-click Roles, and then click Add Roles.
3. The Add Roles Wizard appears. Click Next.
4. In the Roles box, select Web Server (IIS).
5. The Add Roles Wizard dialog box appears. Click Add Required Features.
6. Click Next twice.
7. In the Role services box, clear all check boxes except for IIS Management Console.
8. Click Next, and then click Install.
9. When the installation completes, click Close.
10. Open | Administrative Tools| Internet Information Services (IIS) Manager.
11. In the details pane, click Connect to a server like:
12. The Connect to Server wizard appears. In the Server name field, type WEBB, and
then click Next.
13. On the Provide Credentials page, in the User name field, type
14. In the Password field, type P@ssw0rd, and then click Next.
15. The Server Certificate Alert dialog box appears. Click Connect.
16. The Specify a Connection Name dialog box appears. Click Finish.
17. In the Connections pane, expand WEBB | Sites and then click Default Web Site.
Question: Is the IIS Management Service available for configuration remotely?
Answer: No, this service can only be configured locally
18. In the details pane, in the IIS section, double-click Default Document.
19. Click index.htm.
20. In the Actions pane, click Move Up.
21. The Default Document dialog box appears. Click Yes.
22. In the Actions pane, click Move Up.
In order to proceed to the next Lab don't revert WEBB.
Lab 25: Configuring Delegated Administration
Machines used in this Lab: DC, WEBB, WEBA
Configure delegated administration for the Human Resources site
1. On WEBB, Open | Computer and then browse to DVD drive>AllFiles>Step6>Labfiles
(if you are missing the ISO mounted then in the properties of VM select Media
choose DVD and mount ISO_IIS8_Labfiles.iso).
2. Right-click RaccoonsHRSite folder and copy it to c:\inetpub, then click Properties,
Sharing and then Advanced Sharing.
3. Check Share this folder checkbox and then click Permissions
4. Allow everyone full control and click OK twice
5. Click Close
6. Open Internet Information Services (IIS) Manager. Go to the Management Service
feature and verify that the management service is running and remote connections are
enabled.
7. In the Internet Information Services (IIS) Manager Connections pane, expand
Sites, and then click HR.
8. In the details pane, in the Management section, double-click IIS Manager
Permissions.
9. In the Actions pane, click Allow User.
10. The Allow User dialog box appears. In the Windows field, type Cqure\Hugog and
then click OK.
11. Add Hugo Garcia as a user that can Modify the content of the HR application folder.
To do it go to HR application folder and in properties go to security to add Hugo
appropriate permissions.
Share the Raccoons Sales Web Site
1. In Windows Explorer, browse to Step6 LabFiles on the DVD
Media>AllFiles>Step6>Labfiles
2. Right-click RaccoonsSalesSite, and copy to c:\inetpub\ then click Properties,
Sharing and then Advanced Sharing
3. Check Share this folder checkbox and then click Permissions
4. Allow everyone full control and click OK twice
5. Click Close
6. Open Internet Information Services (IIS) Manager, in the Connections pane select
Sites, right click and choose Add Website. In Site name type: Sales, point the path
to c:\inetpub\RaccoonsSalesSite, in Host name type sales.cqure.tec and click OK
7. Switch to DC and open DNS in Forward Lookup Zones>Cqure.tec, then right click
to create a new Alias (Cname). Type in the alias name : Sales and in the FQDN:
WEBB.cqure.tec.
8. Switch back to WEBB open a web browser (e.g. Internet Explorer) and go to :
hr.cqure.tec, then open a second tab and type: sales.cqure.tec. If everything is
properly configured, you should see a working site for HR and Sales.
(Steps 1-20 described below are optional. You got the experience with the delegation based
on the steps above. Part below is just the extension for another approach based on file
editing and using shares.)
Configure delegated administration for the Sales site
1. Click Start, click Run, type Notepad, and then press ENTER.
2. The Notepad window opens. On the File menu, click Open.
3. The Open dialog box appears. In the Text Documents list, click All Files.
4. Browse to C:\windows\system32\inetsrv\config.
5. Click applicationHost.config, and then click Open.
6. Scroll down to the <authentication>tag in the <security> section and delete the
following text for the Sales site:
<anonymousAuthentication enabled="true" userName="IUSR" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication />
<digestAuthentication />
<iisClientCertificateMappingAuthentication />
<windowsAuthentication />
7. On the File menu, click Save.
8. On the File menu, click Open.
9. The Open dialog box appears. Browse to Labfiles (Step 6).
10. Click EnableAnonymousAuthentication.txt, and then click Open.
11. On the Edit menu, click Select All.
12. On the Edit menu, click Copy.
13. On the File menu, click Open.
14. The Open dialog box appears. In the Text Documents list, click All Files.
15. Browse to C:\windows\system32\inetsrv\config.
16. Click applicationHost.config, and then click Open.
17. Scroll to the end of the applicationhost.config file and put the cursor on the line
before </configuration>.
18. On the Edit menu, click Paste.
19. On the File menu, click Save.
20. Close Notepad.
Test delegated administration for the Human Resources and Sales sites
1. Switch to WEBA VM.
2. Log on as CQURE\hugog with a password of P@ssw0rd.
3. Open Internet Information Services (IIS) Manager.
4. In the details pane, click Connect to a site.
5. The Connect to Site dialog box appears. In the Server name field, type
WEBB.cqure.tec.
6. In the Site name field, type HR, and then click Next.
7. The Provide Credentials page appears. In the User name field, type
8. In the Password field, type P@ssw0rd and then click Next.
9. The Server Certificate Alert dialog box appears. Click Connect.
10. The Specify a Connection Name dialog box appears. In the Connection Name field,
type Human Resources Site and then click Finish.
11. In the Connections pane, click Start Page.
12. In the details pane, click Connect to a site.
13. The Connect to Site dialog box appears. In the Server name field, type
WEBB.cqure.tec.
14. In the Site Name dialog box, type Sales, and then click Next.
15. The Provide Credentials page appears. In the User name field, type
16. In the Password field, type P@ssw0rd, and then click Next.
17. The Connect to Site dialog box appears with an error stating that the user is not
authorized to connect to the specified computer.
Question: Why does this error occur?
Answer: This error occurs because Hugo was not granted IIS Manager permission on the
Sales site.
18. Click OK.
19. Click Cancel.
20. Close Internet Information Service (IIS) Manager.
21. The Internet Information Service (IIS) Manager dialog box appears, asking if you
want to save changes. Click No.
(Steps 22-45 are optional. You have already gained experience with delegation in the steps
above; this part is just an extension showing another approach, based on file editing and
shares.)
22. Switch User.
23. Log on as CQURE\Gina with a password of P@ssw0rd.
24. Click Start, and click Run, then type Notepad, and then press Enter.
25. The Notepad window opens.
26. On the File menu, click Open.
27. The Open dialog box appears. Browse to Step6
28. Click Disable Authentications, and then click Open.
29. On the Edit menu, click Select All.
30. On the Edit menu, click Copy.
31. On the File menu, click Open.
32. The Open dialog box appears. In the File name field, type
\\WEBB\RaccoonsSalesSite\Web.Config and then click Open.
33. Scroll to the end of the Web.Config file and put the cursor on the line before
</configuration>.
34. On the Edit menu, click Paste.
35. On the File menu, click Save.
36. Close Notepad.
37. Open Internet Explorer.
38. The Windows Internet Explorer window opens. Browse to http://sales.CQURE.TEC.
39. Notice error 401 indicating that the user does not have permission to view this page.
Question: Why does the server report this error?
Answer: The server reports a 401 error because both Anonymous Authentication and
Windows Authentication have been disabled. The web server is unable to service a request
for a web page if no means for authentication are configured.
40. Click Start, and click Run, then type Notepad, and then press Enter.
41. The Notepad window opens.
42. On the File menu, click Open.
43. The Open dialog box appears. In the File name field, type
\\WEBB\RaccoonsHRSite\Web.Config and then click Open.
44. The Network Error dialog box appears. Click See details and note the resulting error
and notice that it says access is denied.
45. Click Cancel twice and then close Notepad.
In order to proceed to the next Lab don't revert WEBB.
Lab 26: Configuring Feature Delegation
Machines used in this Lab: DC, WEBB
Configure feature delegation for the Human Resources and Sales sites
1. On WEBB, in the Internet Information Services (IIS) Manager Connections pane,
click WEBB.
2. In the details pane, in the Management section, double-click Feature Delegation.
3. Click Error Pages.
4. In the Actions pane, click Read/Write.
Test feature delegation for the Human Resources site
1. On DC Switch User,
2. Log on as CQURE\hugog with a password of P@ssw0rd.
3. Open Administrative Tools| Internet Information Services (IIS) Manager.
4. The User Account Control dialog box appears. In the Password field, type P@ssw0rd,
and then click OK.
5. In the details pane, click Connect to a site.
6. The Connect to Site dialog box appears. In the Server name field, type WEBB.
7. In the Site Name dialog box, type HR, and then click Next.
8. The Provide Credentials page appears. In the User name file, type
9. In the Password field, type P@ssw0rd, and then click Next.
10. The Server Certificate Alert dialog box appears. Click Connect.
11. The Specify a Connection Name dialog box appears. In the Connection Name field,
type Human Resources Site and then click Finish.
12. In the Connections pane, click Human Resources Site.
13. In the details pane, in the IIS section, double-click Error Pages.
14. Right-click the line beginning with 404, and then click Edit.
15. The Edit Custom Error Page dialog box appears. Click Execute a URL on this site.
16. In the URL (relative to site root) field, type /ErrorPages/custom404.htm and then
click OK.
17. Open Internet Explorer.
18. The Internet Explorer window opens. Browse to
http://hr.CQURE.TEC/missingpage.htm.
19. Note that the custom error page is displayed.
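The remote-administration, delegation and feature-delegation steps of Labs 24, 25 and 26, done from an elevated PowerShell on WEBB. Added example, not part of the lab files; it assumes the Management Service role service is installed, the HR site exists with its content in C:\inetpub\RaccoonsHRSite, and uses the lab's account and site names. The ManagementAuthorization class is the API behind the IIS Manager Permissions page.

```powershell
# Added example, not from the lab files.
Import-Module WebAdministration
Add-Type -Path "$env:windir\system32\inetsrv\Microsoft.Web.Management.dll"

$HrUser = 'CQURE\hugog'
$HrSite = 'HR'
$HrPath = 'C:\inetpub\RaccoonsHRSite'

# Lab 24: "Enable remote connections" is a registry value read by WMSVC; then start the service.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' -Name EnableRemoteManagement -Value 1
Set-Service WMSVC -StartupType Automatic
Stop-Service WMSVC -ErrorAction SilentlyContinue
Start-Service WMSVC

# Lab 25: IIS Manager permission for Hugo on the HR site only (configurationPath is the
# site name, or "Site/app" for an application). Nothing is granted at server level.
[Microsoft.Web.Management.Server.ManagementAuthorization]::Grant($HrUser, $HrSite, $false) | Out-Null

# Step 11 of Lab 25: NTFS Modify on the content folder. The share permission the lab sets
# (Everyone / Full Control) is only a ceiling; the NTFS ACL is what actually decides.
$acl  = Get-Acl $HrPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $HrUser, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $HrPath -AclObject $acl

# Lab 26: Feature Delegation "Read/Write" for Error Pages means unlocking the httpErrors
# section in applicationHost.config. Sections you do not unlock stay read-only for delegates,
# so unlock per section and only what the site owner really needs to change.
Set-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/httpErrors' `
    -Metadata overrideMode -Value Allow

# Verify: who may manage the HR site and what the Sales site allows (should be nobody).
foreach ($s in 'HR', 'Sales') {
    "--- $s"
    [Microsoft.Web.Management.Server.ManagementAuthorization]::GetAuthorizedUsers($s, $false, 0, 100) |
        Select-Object Name, ConfigurationPath, IsRole
}
```

The Sales query coming back empty is the reason Hugo gets "not authorized" in the test steps of Lab 25: site-level IIS Manager permissions are per site, and a user with none on a site cannot even connect to it.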
In order to proceed to the next Lab revert WEBB to default state.
Lab 27: Automating webserver management
Machines used in this Lab: DC, WEBB
Verifying address resolution
1. On the DC machine open cmd.exe and try to ping www.contoso.com
2. If the name is not recognized:
a. Open the DNS Management Console, expand "Forward Lookup Zones" and
verify that the "contoso.com" zone exists. If not, right-click Forward Lookup
Zones, choose New Zone, click Next, leave the Zone Type defaults, click Next two
times, enter "contoso.com" as the Zone Name, then click Next and Finish.
b. Right-click the zone and select "New Alias (CNAME)".
c. Type "www" as alias name and "webb.cqure.tec" as FQDN for target host.
d. Click OK
e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the
name resolution cache.
f. Ping www.contoso.com and verify if name is resolved correctly.
3. Ping test123.acme.net
4. If the name is not recognized:
a. Open the DNS Management Console, expand "Forward Lookup Zones" and
verify that the "acme.net" zone exists. If not, right-click Forward Lookup Zones,
choose New Zone, click Next, leave the Zone Type defaults, click Next two
times, enter "acme.net" as the Zone Name, then click Next and Finish.
b. Right-click the zone and select "New Alias (CNAME)".
c. Type "*" as alias name and "webb.cqure.tec" as FQDN for target host.
d. Click OK
e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the
name resolution cache.
f. Ping test123.acme.net and verify if name is resolved correctly.
PowerShell loop
1. Switch to WEBB machine
2. Log on as Administrator
3. Launch PowerShell ISE
4. Create a new script by pressing Ctrl+N
5. Test simple loop by typing in the upper pane:
for ($i=10001; $i -le 10100; $i++) {Write-Host ("app{0}" -f $i)}
and press F5
6. Does it work as expected?
Creating website
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the PowerShell pane:
cd c:\inetpub\wwwroot\
3. Then type dir to check the folder structure. If the "acme" folder is missing, type in
PowerShell:
md c:\inetpub\wwwroot\acme
4. Type this in the upper pane of PowerShell ISE:
New-Website -Name "pstest" -HostHeader "pstest.acme.net" -PhysicalPath
"$env:systemdrive\inetpub\wwwroot\acme"
and press F5
5. Do you know why "$env:systemdrive" syntax was used?
6. Launch Internet Information Services (IIS) Manager
7. Verify if "pstest" site was created correctly
8. Do you expect that typing http://pstest.acme.net in your web browser will work OK?
Adding the new binding to a website
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
New-WebBinding -Name "pstest" -Protocol "https" -Port 443 -HostHeader "pstest.acme.net" -SslFlags 3
and press F5
3. Switch to Internet Information Services (IIS) Manager
4. Verify if "pstest" site has two bindings – one for http and one for https with SNI and
CCS options enabled
5. Do you expect that typing https://pstest.acme.net in your web browser will work OK?
Removing website
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
Remove-Website -Name "pstest"
and press F5
3. Switch to Internet Information Services (IIS) Manager
4. Verify if "pstest" site was deleted.
Combining scripts together
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
for ($i=10001; $i -le 10100; $i++)
{
New-Website -Name ("app{0}" -f $i) -HostHeader ("app{0}.acme.net" -f $i) -
PhysicalPath "$env:systemdrive\inetpub\wwwroot\acme"
New-Webbinding -Name ("app{0}" -f $i) -Protocol "https" -Port 443 -HostHeader
("app{0}.acme.net" -f $i) -SslFlags 3
}
and press F5
3. Switch to Internet Information Services (IIS) Manager and verify if sites are created
properly
4. You can browse any of your new websites by selecting website name in the left pane
and then clicking on the "Browse..." icon in the right pane
Cleaning app* sites
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
Remove-Website -Name "app10*"
and press F5
Generating scripts
1. Launch Internet Information Services (IIS) Manager
2. Select any of websites in the left pane
3. Double click "Directory Browsing" icon in the central pane and verify (in the right
pane) if it is disabled
4. Click on the website name again
5. Double click "Configuration editor" in the central pane
6. In the "Section" listbox select the system.webServer/directoryBrowse entry
7. Look at two settings available: enabled and showFlags
8. Change the value for "enabled" to "True"
9. Click "Generate Script" in the right pane
10. Switch to "PowerShell" tab
11. Copy all text and paste it into a new tab in PowerShell ISE. Do not press F5 yet.
12. Switch to Internet Information Services (IIS) Manager and click "Close" and then
"Cancel" in the right pane
13. Verify if directory browsing is still disabled
14. Start the script in the PowerShell ISE by pressing F5
15. Verify directory browsing configuration in Internet Information Services (IIS) Manager
Lab 28: Command-line and Scripting for IIS
Machines used in this Lab: DC, WEBB
Start the WEBB virtual machine and log on as CQURE\Administrator
Use PowerShell to identify all services
1. On WEBB, open Windows PowerShell.
2. At the Windows PowerShell prompt, type get-service and then press Enter. Notice
the status, name, and display name of each service.
Use PowerShell to identify running services that start with a “w”
1. Type get-service -include w* | sort-object -property status and then press Enter.
2. Notice the list of services that begin with a “w” with the “stopped” services listed first.
3. Type stop-service -name w3svc and then press Enter.
4. Type get-service -name w3svc and then press Enter and notice the status is Stopped.
5. Start the w3svc service using PowerShell.
6. Type start-service -name w3svc and then press Enter.
7. Type get-service -name w3svc and then press Enter and notice the status is Running.
List PowerShell.exe process using the get-wmiobject cmdlet
1. Type Get-WmiObject -query "Select * From Win32_Process Where Name =
'powershell.exe'" and then press Enter.
2. Notice the detailed information for the powershell.exe process.
Question: What operating system is listed in the details?
Answer: Microsoft Windows Server 2016.
Load Microsoft.Web.Administration.dll
1. On WEBB, in PowerShell, type
[System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\Micros
oft.Web.Administration.dll") and then press Enter.
2. Notice the GAC, version and location for the Microsoft.Web.Administration.dll, which
signifies the DLL file was loaded.
3. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites and then
press Enter.
4. Notice the detailed information for the sites on the server.
5. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites |
ForEach-Object {$_.Name} and then press Enter.
6. Notice the names of the Websites on the server.
7. Type function findsite {$name=$args[0]; ((New-Object
Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name -
match $name}); } and then press Enter.
Question: This command line didn't return any values. What did it do?
Answer: This command line created the command findsite, which integrates the
Microsoft.Web.Administration module into an easy-to-use single command.
1. Type findsite default* and then press Enter.
2. Notice the detailed information for the default Website.
3. Type (findsite default*).ID and then press Enter.
4. Notice the ID for the default Website: 1.
5. Type (findsite default*).Stop() and then press Enter.
6. Notice the status for the default Website is now “stopped”.
7. Type (findsite default*).Start() and then press Enter.
8. Notice the output is “unknown”.
Question: Why does the command return an output value of “unknown”?
Answer: Because it attempted to start the default Web site without first checking to see if it
was stopped or checking the result.
9. Type (findsite default*).State and then press Enter.
10. Notice the status for the default Website is now “started”.
Results: After this exercise, you should have successfully used Microsoft.Web.Administration
to gather Website information and created a function to start and stop the default Website.
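The findsite function above, extended so that Start() and Stop() are only called when the site is not already in the requested state and the resulting state is reported, instead of the "Unknown" return value seen in step 8. Added example, not part of the lab; it uses the same Microsoft.Web.Administration assembly, and the function names are mine.

```powershell
# Added example, not from the lab files.
Add-Type -Path "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll"

function Find-IisSite {
    # Sites whose name matches a regular expression (the lab's findsite, as a named parameter).
    param([Parameter(Mandatory)][string]$Pattern)
    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    $mgr.Sites | Where-Object { $_.Name -match $Pattern }
}

function Set-IisSiteState {
    # Brings every matching site to Started or Stopped and returns one object per site
    # with the state actually reached, instead of the raw Start()/Stop() return value.
    param([Parameter(Mandatory)][string]$Pattern,
          [ValidateSet('Started', 'Stopped')][string]$Desired = 'Started')
    foreach ($site in Find-IisSite $Pattern) {
        $before = "$($site.State)"
        if ($before -ne $Desired) {
            # Start()/Stop() return the transitional state and come back immediately.
            $null = if ($Desired -eq 'Started') { $site.Start() } else { $site.Stop() }
        }
        # Poll until the site leaves Starting/Stopping (up to 5 s).
        $tries = 0
        while ("$($site.State)" -notin 'Started', 'Stopped' -and $tries++ -lt 20) {
            Start-Sleep -Milliseconds 250
        }
        [pscustomobject]@{ Site = $site.Name; Id = $site.Id; Before = $before; After = "$($site.State)" }
    }
}

Set-IisSiteState -Pattern '^Default' -Desired Stopped
Set-IisSiteState -Pattern '^Default' -Desired Started
Set-IisSiteState -Pattern '^Default' -Desired Started   # no-op: Before and After both Started
```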
Create Microsoft.PowerShell profile script to automatically load assemblies
1. On WEBB, in PowerShell, type if (test-path $profile) {echo "Path exists."} else
{new-item -path $profile -itemtype file -force}; notepad $profile and then press
Enter.
2. The Notepad window opens. Type the following:
echo "Microsoft IIS Environment Loader"
echo "Copyright 2006 Microsoft Corporation. All rights reserved."
echo "Loading IIS Managed Assemblies"
$inetsrvDir = (join-path -path $env:windir -childPath "\system32\inetsrv\")
Get-ChildItem -Path (join-path -path $inetsrvDir -childPath "Microsoft*.dll") |
ForEach-Object {[System.Reflection.Assembly]::LoadFrom((join-path -path
$inetsrvDir -childPath $_.Name))}
echo "Assemblies loaded."
3. On the File menu, click Save.
4. Minimize but do not close Notepad.
5. In Windows PowerShell, type get-executionpolicy and then press Enter.
6. Notice the execution policy is set to “restricted”.
7. Type set-ExecutionPolicy Unrestricted and then press Enter.
8. In Notepad, at the end of the script, type new-variable iismgr -value (New-Object Microsoft.Web.Administration.ServerManager) -scope "global".
9. On the File menu, click Save.
10. Minimize but do not close Notepad.
11. Close Windows PowerShell and then reopen it.
12. Notice the script information that now executes when you open PowerShell.
13. Type $iismgr.Sites and then press Enter.
14. Notice the site information that is displayed.
15. Close Windows PowerShell.
16. In the VM properties, select Media > DVD > ISO_IIS8_Labfiles.iso, then browse to DVD Drive > AllFiles > Step7\Labfiles > Scripts.
17. Right-click iis.type.ps1xml, and then click Edit.
18. The Notepad window opens. Review the code.
19. On the File menu, click Save As.
20. The Save As dialog box appears. In the Save as type list, click All Files.
21. Browse to C:\windows\System32\WindowsPowerShell\v1.0 and then click Save.
22. Close Notepad.
23. Restore Notepad, and at the end of the script, type the following:
new-variable iissites -value (New-Object Microsoft.Web.Administration.ServerManager).Sites -scope "global"
new-variable iisapppools -value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools -scope "global"
update-typedata -append (join-path -path $PSHome -childPath "iis.types.ps1xml")
24. On the File menu, click Save.
25. Close Notepad.
26. Open Windows PowerShell 1.0 | Windows PowerShell.
27. The Windows PowerShell window opens. Type $iissites.Find("^Default*") and then press Enter.
28. Notice the details for the default Website are listed.
29. In Windows Explorer, browse to the mounted labfiles ISO: DVD Drive > AllFiles > Step7 > Labfiles > Scripts > CreateWebsite > CreateWebsite > CreateWebsite.
30. Double-click CreateWebsite.cs.
31. The Notepad window opens. Review the code, and then close Notepad.
32. In Windows Explorer, browse to Step7\Scripts\CreateWebsite\CreateWebsite\CreateWebsite\bin\Debug.
33. Right-click CreateWebsite.exe, and then click Copy.
34. Browse to C:\and then click Paste.
35. In Windows PowerShell, type c:\CreateWebsite.exe and then press Enter.
36. Type $iissites.Find("^NewSite*") and then press Enter.
37. Notice the details for the new Website are listed.
Lab 29: Manage IIS tasks using WMI and AppCmd
Machines used in this Lab: DC, WEBA
Use AppCmd to identify tasks running on the Web server
1. On WEBA, Open Command Prompt.
2. Type cd c:\windows\system32\inetsrv and then press Enter.
3. Type appcmd list wp and then press Enter.
4. Notice this command lists the current running worker processes. If the command
doesn’t list any results, there aren’t any worker processes running.
5. Type appcmd list apppool and then press Enter.
6. Notice the currently running application pools are listed.
7. Type appcmd list apppool /xml | appcmd recycle apppool /in and then press Enter.
8. Notice the message "DefaultAppPool" successfully recycled is displayed.
9. Type appcmd list app /site.name:"NewSite" /xml | appcmd set app /in /applicationPool:NewAppPool and then press Enter.
10. Notice the following is displayed: APP object "NewSite/" changed.
Store configuration information to file, and then restore the configuration information
1. Type appcmd list config "Default Web Site/" /section:caching /xml /config >
config.xml and then press Enter.
2. Type appcmd set config "Default Web Site/" /in < config.xml and then press
Enter.
3. Notice the configuration changes were applied to the Default Web Site.
Use WMI to list the Default Web Site on the Web server
1. Open Notepad.
2. The Notepad window opens. Type:
Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSite = oIIS.Get("Site.Name='Default Web Site'")
WScript.Echo "Retrieved an instance of Site"
WScript.Echo "Name: " & oSite.Name
WScript.Echo "ID: " & oSite.ID
3. On the File menu, click Save.
4. The Save As dialog box appears. In the File name field, type C:\GetSite.vbs.
5. In the Save as type list, click All Files, and then click Save.
6. Close Notepad.
7. From the command prompt, type cd \, and then press Enter.
8. Type cscript //h:cscript, and then press Enter.
9. Notice the default script has been set to “cscript.exe”.
10. Type getsite.vbs, and then press Enter.
11. Notice the Web site name and ID are displayed.
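The same root\WebAdministration WMI query as GetSite.vbs, done from PowerShell and extended to list every site with its bindings and the application pool of each application; this is an added example, not part of the lab files. It assumes the IIS WMI provider (the Management Scripts and Tools role service) is installed and the shell is elevated, and Get-IisSiteInventory is this example's own function name.

```powershell
# Added example (not from the lab guide): WMI inventory of IIS sites and applications.
# Uses the same root\WebAdministration namespace and Site class as GetSite.vbs.
# Assumes the IIS WMI provider is installed and the shell runs elevated
# (the provider denies non-administrators).

function Get-IisSiteInventory {
    param([string]$SiteName)   # optional; omit to list every site

    # Build a WQL filter for one site; double any single quote in the name for WQL.
    $filter = if ($SiteName) { "Name='$($SiteName -replace "'", "''")'" } else { $null }
    $sites  = Get-WmiObject -Namespace 'root\WebAdministration' -Class Site -Filter $filter

    foreach ($site in $sites) {
        # Bindings is an array of BindingElement objects (Protocol, BindingInformation).
        $bindings = @($site.Bindings | ForEach-Object {
            "$($_.Protocol):$($_.BindingInformation)"
        })

        # Applications are separate WMI instances keyed by SiteName and Path.
        $apps = Get-WmiObject -Namespace 'root\WebAdministration' -Class Application `
                    -Filter "SiteName='$($site.Name -replace "'", "''")'"

        [pscustomobject]@{
            Name         = $site.Name
            Id           = $site.Id
            Bindings     = $bindings -join ', '
            Applications = @($apps | ForEach-Object { "$($_.Path) -> $($_.ApplicationPool)" }) -join ', '
        }
    }
}

# Usage: the lab's single-site lookup, then the full inventory.
Get-IisSiteInventory -SiteName 'Default Web Site'
Get-IisSiteInventory | Format-Table -AutoSize
```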
Lab 30: Tuning IIS
Machines used in this Lab: DC, WEBA
Start the DC virtual machine
Start the WEBA virtual machine and log on as CQURE\Administrator
ASP.NET and Dynamic Content Compression features
1. On WEBA, go to roles management, right-click Web Server (IIS), and then click Add Role Services. Verify that ASP.NET 4.6 is installed; if it is not, add it.
2. In the Performance section, select Dynamic Content Compression.
3. Click Next and then click Install.
4. When the installation completes, click Close.
5. In the details pane, in the Role Services section, notice that ASP.NET and Dynamic
Content Compression is listed as Installed.
6. Open Internet Information Services (IIS) Manager.
7. In the Connections pane, expand WEBA | Sites and then click Default Web Site.
8. In the Actions pane, click View Applications.
9. Click Add Application.
10. The Add Application dialog box appears. In the Alias field, type SalesSupport.
11. Next to the Physical path field, click the Browse (...) button.
12. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and
then click Make New Folder.
13. Type SalesSupport and then click OK.
14. Click OK.
15. Open Computer and then browse to the SalesSupport folder on the DVD drive > AllFiles > Step10 > Labfiles (if the ISO is not mounted, in the VM properties select Media, choose DVD, and mount ISO_IIS8_Labfiles.iso).
16. Select all files from SalesSupport, then right-click and click Copy.
17. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.
Deploy a second copy of the SalesSupport application named SalesSupport2 using
Xcopy
1. Open Command Prompt.
2. Type cd \inetpub\wwwroot and then press Enter.
3. Type md SalesSupport2 and then press Enter.
4. Type xcopy /e SalesSupport\*.* SalesSupport2 and then press Enter.
5. Notice that 36 files are copied.
6. At the command prompt, locate the labfiles location.
7. Change to the following path on the DVD drive, D:\AllFiles\Step10\Labfiles\SalesSupport2, and then press Enter.
8. Type xcopy /e *.* c:\inetpub\wwwroot\salessupport2 and then press Enter.
9. When prompted to overwrite files, press A for all.
10. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
11. In the Actions pane, click View Applications. Click Add Application.
12. The Add Application dialog box appears. In the Alias field, type SalesSupport2.
13. Next to the Physical path field, click the Browse (...) button.
14. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot\SalesSupport2, and then click OK twice.
Create and assign an application pool for SalesSupport2 and test functionality
1. In the Connections pane, click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport2 and then click OK.
4. In the Connections pane, expand Default Web Site and then click SalesSupport2.
5. In the Actions pane, click Basic Settings.
6. The Edit Application dialog box appears. Click Select.
7. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport2, and then click OK twice.
8. Open Internet Explorer.
6. Open Internet Explorer.
7. The Windows Internet Explorer window opens. Browse to
http://localhost/salessupport.
8. Notice that the Raccoons Bank Sales Support page loads successfully.
9. In Internet Explorer, browse to http://localhost/salessupport2.
10. Notice that the Raccoons Bank Sales Support page version 2.0 loads successfully.
Use Performance Monitor to measure performance
1. On WEBA, open CMD.
2. In the console pane, type perfmon and then press Enter to run Performance Monitor.
3. In the details pane, right-click the graph, and then click Remove All Counters.
4. The Performance Monitor Control dialog box appears. Click OK.
5. Above the graph, click the Add button (green plus).
6. The Add Counters dialog box appears. In the Available counters list, scroll down, and
then expand Web Service.
7. Click Bytes Sent/sec.
8. In the Instances of selected object field, click <All instances>.
9. Click Add, and then click OK.
10. With Reliability and Performance monitor running, in Internet Explorer, browse to
http://localhost/salessupport/test.aspx.
11. After the page loads, click Refresh several times rapidly. Notice that the dynamically
generated time updates each time you refresh.
12. Close Internet Explorer.
13. In Reliability and Performance Monitor, notice that the graph reflects the throughput.
Note that you can right-click the graph and then click Scale Selected Counters to get
a better representation. You may need to do this a couple of times to get a zoomed
in view of the data.
Configure Output Caching
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand
WEBA(CQURE)| Sites | Default Web Site and then click SalesSupport.
2. In the details pane, in the IIS section, double-click Output Caching.
3. In the Actions pane, click Add.
4. The Add Cache Rule dialog box appears. In the File name extension field, type
.aspx.
5. Select Kernel-mode caching.
6. Click At time intervals, and then delete the existing text and type 00:00:10.
7. Click OK.
8. Open Internet Explorer, and browse to http://localhost/salessupport/test.aspx.
9. Click Refresh several times rapidly for at least 30 seconds.
10. Notice that the time updates only every 10 seconds after the first couple of loads and
that the subsequent loads are much faster.
11. In Internet Explorer, browse to http://localhost/salessupport2/test.aspx.
12. Click Refresh several times rapidly.
13. Notice that the time updates with each load.
14. In Performance monitor, compare the two peaks for throughput on the graph.
Notice that the first peak has higher throughput than the second.
Configure Compression
1. In Internet Explorer, browse to http://localhost.
2. Click Refresh several times rapidly.
3. In Reliability and Performance Monitor, note the throughput on the graph.
4. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
5. In the details pane, in the IIS section, double-click Compression.
6. Clear the Enable static content compression check box.
7. In the Actions pane, click Apply.
8. In Internet Explorer, browse to http://localhost.
9. Click Refresh several times rapidly.
10. In Performance Monitor, note the throughput on the graph. There should not be
much change for static compression.
Question: Why does the graph show little or no change?
Answer: Static compression is cached. Only the first page load requires processing the
compression.
1. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.
2. Click Refresh several times rapidly.
3. In Reliability and Performance Monitor, note the throughput on the graph.
4. In Internet Information Services (IIS) Manager, in the details pane, select Enable
dynamic content compression.
5. In the Actions pane, click Apply.
6. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.
7. Click Refresh several times rapidly.
8. Close Internet Explorer.
9. In Reliability and Performance Monitor, note the throughput on the graph. The
throughput has decreased because dynamic compression negates dynamic output
caching.
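The Output Caching rule and the Compression switches from the two sections above, applied with the WebAdministration module instead of IIS Manager, followed by a sample of the same Web Service counter the lab watches in Performance Monitor. This is an added example, not part of the lab guide; it assumes the SalesSupport application exists under Default Web Site as created earlier in this lab, and Measure-WebThroughput is this example's own function name.

```powershell
# Added example (not from the lab guide): the lab's caching and compression
# settings applied from PowerShell, plus a throughput sample from the same counter
# the lab adds in Performance Monitor. Assumes Default Web Site\SalesSupport exists.
Import-Module WebAdministration

$site = 'IIS:\Sites\Default Web Site'
$app  = "$site\SalesSupport"

# 1. Kernel-mode output caching for .aspx, refreshed every 10 seconds (the lab's 00:00:10).
#    policy=DontCache leaves user-mode caching off; kernelCachePolicy does the work,
#    which matches ticking only "Kernel-mode caching" in the Add Cache Rule dialog.
$existing = Get-WebConfiguration -PSPath $app -Filter "system.webServer/caching/profiles/add[@extension='.aspx']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $app -Filter 'system.webServer/caching/profiles' -Name collection -Value @{
        extension         = '.aspx'
        policy            = 'DontCache'
        kernelCachePolicy = 'CacheForTime'
        duration          = '00:00:10'
    }
}

# 2. Compression switches for the site: static off, dynamic on (the lab's final state).
#    Dynamic compression makes the kernel-mode cache ineffective for test.aspx, which is
#    the throughput drop the lab asks you to observe.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/urlCompression' -Name doStaticCompression  -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/urlCompression' -Name doDynamicCompression -Value $true

# 3. Sample Web Service\Bytes Sent/sec (all instances) while you refresh the page.
function Measure-WebThroughput {
    param([int]$Samples = 5)
    $counter = '\Web Service(_Total)\Bytes Sent/sec'
    (Get-Counter -Counter $counter -SampleInterval 1 -MaxSamples $Samples).CounterSamples |
        Select-Object Timestamp, @{n = 'BytesSentPerSec'; e = { [math]::Round($_.CookedValue) }}
}

Measure-WebThroughput
```

Run step 3 twice, once with doDynamicCompression set to $false and once with $true, while refreshing http://localhost/salessupport/test.aspx, to reproduce the comparison the lab makes in the Performance Monitor graph.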
Configure connection limit throttling
1. Open Internet Explorer, and browse to http://localhost.
2. Right-click the IIS tab, and then click New Tab.
3. In the new tab, browse to http://localhost.
4. Repeat to create another new tab, and then browse to http://localhost.
5. You should have three tabs open. Right-click one of the tabs, and then click Refresh
All.
6. Notice that all of the tabs refresh successfully.
7. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
8. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
9. In the Actions pane, click Limits.
10. The Edit Web Site Limits dialog box appears. Select Limit number of connections.
11. In the Limit number of connections field, type 1.
12. Click OK.
13. Open Internet Explorer, and browse to http://localhost in three tabs.
14. In Internet Explorer, right-click one of the tabs, and then click Refresh All.
15. Notice that at least one of the tabs now reports Service Unavailable.
16. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
Use Performance Monitor to measure resource usage
1. On WEBA, open Internet Explorer, and browse to http://localhost/salessupport.
2. Open a second tab and browse to http://localhost/salessupport2.
3. In CMD, run perfmon /res and press Enter; in the console pane, click Resource Monitor.
4. In the details pane, expand Memory tab.
5. Click the Image column heading to sort by image name, and then scroll down to
w3wp.exe.
6. Notice that there are two instances running. Note the amount of memory being used
by each in the Commit (KB) and Working Set (KB) columns.
7. In Internet Information Services (IIS) Manager, in the Connections pane, click
Application Pools.
8. In the details pane, click SalesSupport2.
9. In the Actions pane, click Recycle.
10. In Reliability and Performance Monitor, notice that one of the w3wp.exe
processes consumes less memory.
11. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
Assign SalesSupport and SalesSupport2 to the same application pool
1. In Internet Information Services (IIS) Manager, in the Connections pane, click
SalesSupport2.
2. In the Actions pane, click Basic Settings.
3. The Edit Application dialog box appears. Click Select.
4. The Select Application Pool dialog box appears. In the Application pool list, click
DefaultAppPool.
5. Click OK twice.
6. In the Connections pane, click Application Pools.
7. In the details pane, click SalesSupport2.
8. In the Actions pane, click Remove.
9. The Confirm Remove dialog box appears. Click Yes.
10. Open Internet Explorer, and browse to http://localhost/salessupport.
11. Open a second tab and browse to http://localhost/salessupport2.
12. In Reliability and Performance Monitor, notice that there is now only one w3wp.exe process and that less total memory is consumed.
In order to proceed to the next Lab don’t revert WEBA.
Lab 31: Web Farms
Machines used in this Lab: DC, WEB2, NODE4
Start the DC virtual machine
Start the NODE4 virtual machine and log on as CQURE\Administrator
Start the WEB2 virtual machine and log on as CQURE\Administrator
Backup the Web site, Web application, and config files to the D: drive
1. On NODE4, open Computer, and then browse to C:.
2. In the File menu, click New | Folder.
3. Type WebSiteBackup, and then press Enter.
4. Right click the new folder and share it by selecting Properties, Sharing, Advanced
Sharing. Configure Share rights to allow write by clicking on Permissions button and
selecting "Full Control".
5. Browse to \\NODE4\WebSiteBackup.
6. Browse to C:\inetpub\wwwroot.
7. In the details pane, select all, right-click, and then click Copy.
8. Browse to \\NODE4\WebSiteBackup, right-click and then click Paste.
9. Notice that the Web site files are now backed up to this shared folder.
Restore the Web site, Web application, and config files from the shared drive
1. On WEB2, open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand WEB2 | Sites, and then click Default Web Site.
3. In the Actions pane, click Browse *:80 (http).
4. The Microsoft Internet Explorer window opens. Notice that the IIS default page is
displayed.
5. Open Computer, and then browse to C:\inetpub\wwwroot.
6. Notice that the folder contains the IIS default Web site files, iisstart.htm, png files, and
the aspnet_client folder.
7. Browse to the networked computer NODE4.
8. If the NODE4 computer is not displayed in the details pane, network discovery may
be turned off. Click the notice bar, and then click Turn on network discovery and file
sharing.
9. Browse to \\NODE4\WebSiteBackup.
10. In the details pane, select all, right-click and then click Copy.
11. Browse to C:\inetpub\wwwroot, right-click and then click Paste.
12. If a Copy File dialog box appears, indicating that you are about to overwrite any files
or folders, click Copy and Replace.
13. If a Confirm Folder Replace dialog box appears, indicating that you are about to
overwrite a folder, click Yes.
14. Notice that the new Web site files are now copied to this location.
15. In Internet Explorer, click the Refresh button.
16. Notice that the Raccoons Bank Web site has been deployed on the second Web
server.
Question: What process on the Web server led to the Raccoons Bank Web site being
displayed instead of the IIS default Web site?
Answer: After the Raccoons Bank Web site files were copied to the second Web server, the
default file default.aspx superseded the file iisstart.htm.
Lab 32: Shared Configuration
Machines used in this Lab: DC, NODE4, WEB2
Export and Enable Shared Configuration
1. On NODE4, open Computer, and then browse to C:.
2. In the File menu, click New | Folder.
3. Type Export, and then press Enter.
4. Right click the new folder and share it by selecting Properties, Sharing, Advanced
Sharing. Configure Share rights to allow write by clicking on Permissions button and
selecting "Full Control".
5. Open Internet Information Services (IIS) Manager.
6. In the Connections pane, click NODE4.
7. In the details pane, in the Management section, double-click Shared
Configuration.
8. In the Actions pane, click Export Configuration.
9. The Export Configuration dialog box appears, allowing you to export the local
configuration files, settings, and encryption keys. In the Physical path field, type
\\NODE4\Export.
10. In the Encryption keys password and Confirm Password fields, type P@ssw0rd.
11. Click OK.
12. The Export Configuration dialog box appears indicating that the files were exported
successfully. Click OK.
13. In the details pane, select Enable shared configuration.
14. In the Physical Path field, type \\NODE4\Export.
15. In the User name field, type CQURE\Administrator.
16. In the Password and Confirm Password fields, type P@ssw0rd.
17. In the Actions pane, click Apply.
18. The Encryption Keys Password dialog box appears for you to enter the encryption
key. In the Enter encryption key Password field, type P@ssw0rd.
19. Click OK.
20. The Shared Configuration dialog box appears, indicating that the current encryption
keys were backed up. Click OK.
21. The Shared Configuration dialog box appears, indicating that IIS Manager and
Management service must be restarted for these changes to be completed. Click OK.
22. Close Internet Information Services (IIS) Manager.
23. Open Internet Information Services (IIS) Manager.
24. In the Connections pane, click NODE4.
25. In the details pane, in the Management section, double-click Management Service.
26. In the Actions pane, click Start.
Add the second Web server to use the Shared Configuration
1. On WEB2, in Internet Information Services (IIS) Manager, in the Connections
pane, click WEB2.
2. In the details pane, in the Management section, double-click Shared
Configuration.
3. Select Enable shared configuration.
4. In the Physical Path field, type \\NODE4\Export.
5. In the User name field, type CQURE\Administrator.
6. In the Password and Confirm Password fields, type P@ssw0rd.
7. In the Actions pane, click Apply.
8. The Encryption Keys Password dialog box appears. In the Enter encryption key
Password field, type P@ssw0rd. Click OK.
9. The Shared Configuration dialog box appears, indicating that the current encryption
keys were backed up. Click OK.
10. The Shared Configuration dialog box appears, indicating that IIS Manager and
Management service must be restarted for these changes to be completed. Click OK.
11. Close Internet Information Services (IIS) Manager.
12. Open Internet Information Services (IIS) Manager.
13. In the Connections pane, click WEB2.
14. In the details pane, in the Management section, double-click Management Service.
15. In the Actions pane, click Start.
Test the Shared Configuration
1. On NODE4, in Internet Information Services (IIS) Manager, in the Connections
pane, click NODE4.
2. In the details pane, in the IIS section, double-click Default Document.
3. In the Actions pane, click Add.
4. The Add Default Document dialog box appears to allow us to add a default
document to test the shared configuration. In the Name field, type test.html and
then click OK.
5. On WEB2, in Internet Information Services (IIS) Manager, in the Connections
pane, click WEB2.
6. In the details pane, in the IIS section, double-click Default Document.
7. Notice that the default document test.html has been added to the top of the list for the second Web server as well.
Question: Why has the default document test.html been added to the top of the list for the second Web server as well?
Answer: The default document test.html has been added to the top of the list for the second Web server because both servers are using shared configuration.
Lab 33: Web Deploy
Machines used in this Lab: DC, WEBA
Installing the remote service during the installation of Web Deploy on WEBA.
If you have not yet downloaded the Windows Installer file for Web Deploy, use the ISO image delivered by the trainer and follow the next steps; after you start the installation, return to this topic and follow these steps. In the WEBA VM, select Media, choose DVD, and mount ISO_IIS8_Labfiles.iso. In Windows Explorer, browse to DVD Drive > AllFiles > Tools > WebDeploy_amd64_en-US.msi.
1. Run the installation file and on the Welcome to the Microsoft Web Deployment
Tool Setup Wizard page, click Next.
2. On the End-User License Agreement page, select the I accept the terms in the
license agreement box, and then click Next.
3. On the Choose Setup Type page, click Custom.
4. On the Custom Setup page, click the Remote Agent Service down arrow, select
Will be installed on local hard drive, and then click Next.
5. Click Install.
6. Click Finish.
7. After you install the remote service, make sure that the service is started; if necessary, type net start msdepsvc.
8. By default, the remote service uses port 80. If necessary, you can enable this port
through the firewall by running netsh firewall add portopening TCP 80
WdeployAgent at an administrative command prompt.
To use the Web Deployment Agent Service remotely (also called the Remote Agent Service), the following conditions must be true.
1. You have installed the Web Deployment Tool on the remote computer.
2. You have enabled port 80 through the firewall on the remote computer. By default,
the remote agent listens on port 80. If you are using a custom port setting, you
must enable the custom port through the firewall instead.
3. You have started the Web Deployment Agent Service (MsDepSvc) on the remote computer.
4. You are a member of the Administrators group on the remote computer, or you specify administrator credentials in the Web Deploy command by using the computerName=<serverName>,userName=<username>,password=<password> syntax described in the Usage section.
5. You use an elevated command prompt to run the Web Deploy command.
Note: To use the remote service at the Web Deploy command line, add the
computerName provider setting to the source or destination provider by using the syntax:
,computerName=<host>. <host> is the name of the remote server. Only one destination
computer can be specified in a Web Deploy command.
The following example shows how you can use the computerName provider setting to
return metabase information from a remote computer named Server1. Notice that there is
no space after the comma.
msdeploy -verb:dump -source:metakey=lm/w3svc/1,computerName=Server1
Web Deploy converts the computer name into the default Web Deploy URL. For example,
computerName=Server1 will become http://Server1/MsDeployAgentService. If the
remote service is running with a custom port or URL, you must specify the full URL.
Example:
Use the remote service on Server1 and Server2 to update the contents of a directory on
Server2.
msdeploy -verb:sync -source:contentpath=c:\abc,computerName=Server1,username=admin,password=pass -dest:contentpath=c:\def,computerName=Server2,username=admin,password=pass
Using the Web Deployment Tool
1. Open IIS Manager and expand the default web site in the left pane and select
SalesSupport application
2. Click "Export Application..." in the right pane
3. Click "Advanced settings"
4. Set the password for security settings to P@ssw0rd
5. Click OK and then Next. Click Next.
6. Enter the path and name for your package. You can store it on your desktop. Click
Next.
7. Verify summary and detailed status and click Finish
8. Remove the SalesSupport app (right-click the name in the left pane and select "Remove").
9. Remove the c:\inetpub\wwwroot\salessupport directory from your disk.
10. Browse the content of a zip file you created on your desktop and observe how
application data was stored
11. Refresh the view in IIS Manager and verify if application was actually deleted
12. In the IIS Manager select the default web site in the left pane
13. Click "Import Application..." in the right pane
14. Enter the package path and click Next
15. Click "Advanced Settings" and enter the decrypt password for secure data
16. Click "OK" and then "Next"
17. Accept the default name and press "Next"
18. Verify summary and detailed status and click Finish
19. Verify if your application opens correctly in the web browser.
Lab 34: Configuring Network Load Balancing
Machines used in this Lab: DC, NODE4, WEB2
Create a new Network Load Balancing cluster
1. On NODE4 from Server Manager install Network Load Balancing Feature, after
that open Network Load Balancing Manager.
2. In the console pane, right-click Network Load Balancing Clusters and then click
New Cluster.
3. The New Cluster: Connect dialog box appears. Start the process by connecting to
the Network Load Balance host computer. In the Host field, Type NODE4, and then
click Connect.
4. Make sure the Local Area Connection interface with Interface IP address
192.168.127.107 is highlighted, and then click Next.
5. The New Clusters: Host Parameter page shows the dedicated IP addresses and the
initial host state. Click Next.
6. The New Clusters: Cluster IP Addresses page allows you to add cluster IP addresses
that are shared by every member of the cluster. Click Add.
7. The Add IP Address dialog box appears, allowing you to add IPv4 or IPv6 addresses
to the cluster. In the Add IPv4 address field, type 192.168.127.200.
8. In the Subnet mask field, type 255.255.255.0, and then click OK.
9. Make sure the newly added cluster IP address is highlighted. Click Next.
10. The New Clusters: Cluster Parameters page allows you to modify the operation
mode of the cluster IP addresses. In the Full Internet name field, type
cluster.CQURE.TEC.
11. Click Multicast. Click Next.
12. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP
address port rules. Click Finish. Wait for the operation to complete before continuing.
Add the second host to the Network Load Balancing cluster
1. In the console pane, right-click cluster.CQURE.TEC and then click Add Host to
Cluster.
2. The Add Host to Cluster: Connect dialog box appears. Add the second host
computer. In the Host field, Type WEB2, and then click Connect. Wait for the
operation to complete before continuing.
3. Make sure the Local Area Connection interface with Interface IP address
192.168.127.105 is highlighted, and then click Next.
4. The New Clusters: Host Parameter page shows the dedicated IP addresses and the
initial host state. Make sure that the Priority (unique host identifier) is 2, and then
click Next.
5. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP
address port rules. Click Finish. Wait for the operation to complete before continuing.
Add the second server to the Network Load Balancing cluster
1. On WEB2, Click Start, click Administrative Tools, and then click Network Load
Balancing Manager.
2. The Network Load Balancing Manager window opens and loads the current cluster.
The Warning dialog box appears, presenting a warning about running NLB in Unicast
mode. Click OK.
Verify Network Load Balancing using NLB commands
1. Open Command Prompt.
2. Type NLB query 192.168.127.200 and then press Enter.
3. Notice that the NLB command indicates that host 2 has entered a converging state
with the cluster.
4. On NODE4, Open Command Prompt.
5. Type NLB query 192.168.127.200 and then press Enter.
6. Notice that the NLB command indicates that host 1 has entered a converging state
with the cluster.
7. Type NLB display and then press Enter.
8. The results show very detailed information about the cluster and its current state.
Scroll to the top of the displayed information to examine the Configuration section.
9. Close each of the running virtual machines. Do not save changes so they are reset to
default for the next lab.
Lab 35: Troubleshooting IIS
Machines used in this Lab: DC, NODE5
Start the DC virtual machine and log on as CQURE\Administrator
Start the NODE5 virtual machine and log on as CQURE\Administrator
On NODE5, browse to http://localhost/raccoons. Notice the Server Error: 401 –
Unauthorized message.
Examine the log file
1. Open Computer and then browse to C:\inetpub\logs\LogFiles\W3SVC1.
2. Double-click the most recent log file.
3. The Notepad window opens. Scroll to the far right and examine the last entries in the
log file. Notice that the status is 401 and sub status is 2.
4. Close Notepad.
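Scrolling to the far right of the log to find the 401 and its sub-status is what the lab has you do by hand; the following added example (not part of the lab guide) parses an IIS W3C log from its #Fields: header and returns the 401 entries with their sub-status decoded, so a 401.2 surfaces in one query. The log content below is constructed for the example, and ConvertFrom-W3CLog and Get-IisAuthFailures are this example's own function names; point -Path at a file under C:\inetpub\logs\LogFiles\W3SVC1 to run it against a real log.

```powershell
# Added example (not from the lab guide): parse an IIS W3C log and list 401 responses
# with their sub-status. The sample log at the bottom is constructed, not a real capture.

function ConvertFrom-W3CLog {
    # Builds one object per request using the column names from the #Fields: header.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Data line found before a #Fields: header.' }
        $values = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Get-IisAuthFailures {
    # Returns 401 entries, newest first, with the documented IIS sub-status meaning.
    param([Parameter(Mandatory)][string]$Path)
    $substatus = @{
        '1' = 'Logon failed'
        '2' = 'Logon failed due to server configuration (no authentication module enabled)'
        '3' = 'Unauthorized due to ACL on resource'
        '5' = 'Authorization failed by ISAPI/CGI application'
    }
    ConvertFrom-W3CLog -Lines (Get-Content -Path $Path) |
        Where-Object { $_.'sc-status' -eq '401' } |
        Sort-Object { $_.date + ' ' + $_.time } -Descending |
        Select-Object date, time, 'cs-uri-stem', 'cs-username', 'c-ip',
            @{n = 'status';  e = { "$($_.'sc-status').$($_.'sc-substatus')" }},
            @{n = 'meaning'; e = { $substatus[$_.'sc-substatus'] }}
}

# Constructed sample in the default W3C field layout (values are illustrative only).
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-12-07 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-12-07 10:00:01 ::1 GET /raccoons/ - 80 - ::1 Mozilla/5.0 - 401 2 5 15
2016-12-07 10:00:05 ::1 GET /raccoons/ - 80 - ::1 Mozilla/5.0 - 401 1 5 31
2016-12-07 10:00:09 ::1 GET /raccoons/ - 80 CQURE\Alisa ::1 Mozilla/5.0 - 200 0 0 62
'@
$tmp = Join-Path $env:TEMP 'u_ex161207.log'
Set-Content -Path $tmp -Value $sample

# Usage: the two 401 lines come back decoded as 401.1 and 401.2; the 200 is filtered out.
Get-IisAuthFailures -Path $tmp | Format-Table -AutoSize
```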
Enable Detailed Error Messages
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NODE5 | Sites | Default Web Site and then click Raccoons.
3. In the details pane, in the IIS section, double-click Error Pages.
4. In the Actions pane, click Edit Feature Settings.
5. The Edit Error Pages Settings dialog box appears. Click Detailed errors for local requests and custom error pages for remote requests, and then click OK.
Reproduce the issue and examine the detailed error
1. In Internet Explorer, browse to http://localhost/raccoons.
2. Notice the detailed error message reports HTTP Error 401.2 – Unauthorized.
3. Scroll down to Most likely causes. Notice the first cause is No authentication
protocol (including anonymous) is selected in IIS.
Resolve the issue and test functionality
1. In Internet Information Services (IIS) Manager, click Raccoons.
2. In the details pane, in the IIS section, double-click Authentication.
3. Notice that all authentication methods are Disabled.
4. In the details pane, click Basic Authentication.
5. In the Actions pane, click Enable.
6. In the details pane, notice that Basic Authentication is Enabled, and all other
authentication methods are Disabled.
7. In Internet Explorer, browse to http://localhost/raccoons.
8. Notice that you are prompted for credentials. For User name, type Alisa.
9. For Password type P@ssw0rd and then click OK.
10. Notice that the Raccoons application now loads without error.
11. Close Internet Explorer.
Lab 36: Troubleshooting Authorization
Machines used in this Lab: DC, NODE5
Browse to http://localhost/raccoons2
1. On NODE5, in Internet Explorer, browse to http://localhost/raccoons2.
2. Notice that you are not prompted for credentials and the page loads without error.
3. Close Internet Explorer.
Enable Failed Request Tracing and add a rule to trace successful requests
1. In Internet Information Services (IIS) Manager, in the Connections pane, click
Default Web Site.
2. In the Actions pane, click Failed Request Tracing.
3. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select
Enable, and then click OK.
4. In the Connections pane, click Raccoons2.
5. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.
6. In the Actions pane, click Add.
7. The Add Failed Request Tracing Rule dialog box appears. Click Next.
8. Under Status code(s), type 200, and then click Next.
Question: Why do we use status code 200 for this issue?
Answer: Status code 200 is used for a successful page load in IIS. Since the page is loading
without error, we must use the status code 200 to trace the issue.
9. Under Providers, clear ASP and ISAPI Extension. Leave ASPNET and WWW Server
checked.
10. Click Finish.
Reproduce the issue and examine the Failed Request Tracing log
1. In Internet Explorer, browse to http://localhost/raccoons2.
2. In Windows Explorer, browse to c:\inetpub\logs\FailedReqLogFiles\W3SVC1.
3. Double-click fr000001.xml.
4. If prompted to add the site to the Trusted sites zone, click Add twice and then click
Close.
5. Under Request Summary, notice that Authentication is anonymous.
6. Click the Compact View tab.
7. Scroll down and examine the lines that begin with AUTH_SUCCEEDED and USER_SET.
Notice that the authorized user is “”. Close Internet Explorer.
Question: What did we learn from the Failed Request Tracing log?
Answer: Anonymous users are being allowed to access the site. Since anonymous
authentication succeeds, users are never prompted to enter credentials.
Resolve the issue and verify functionality
1. In Internet Information Services (IIS) Manager, in the Connections pane, click
Raccoons2.
2. In the details pane, double-click Authorization Rules.
3. Notice that Anonymous Users are Allowed.
4. In the details pane, in the IIS section, click Anonymous Users.
5. In the Actions pane, click Remove.
6. The Confirm Remove dialog box appears. Click Yes.
7. In the Connections pane, click Raccoons2.
8. In the details pane, in the IIS section, double-click Authentication.
9. Notice that both Anonymous Authentication and Basic Authentication are
Enabled.
10. Click Anonymous Authentication.
11. In the Actions pane, click Disable.
12. In Internet Explorer, browse to http://localhost/raccoons2.
13. Notice that you are prompted for credentials. For User name, type Alisa.
14. For Password, type P@ssw0rd and then click OK.
15. Notice that the Raccoons2 application loads without error.
16. Close Internet Explorer and open it again to create a new session.
17. Browse to http://localhost/raccoons2.
18. When prompted for credentials, leave both fields blank and click OK three times.
19. Notice that you get a 401 – Unauthorized message.
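Labs 35 and 36 are two sides of the same configuration: no scheme enabled gives 401.2 for everyone, while anonymous authentication enabled plus an authorization rule that allows anonymous users means nobody is ever prompted. The PowerShell below is an added example, not part of the CQURE lab text, that reads both settings with the WebAdministration module and reports which of the two symptoms applies, then applies the Lab 36 fix. It assumes the lab path `Default Web Site/Raccoons2`; in authorization rules `users="?"` is what IIS Manager labels "Anonymous Users" and `users="*"` is "All Users". One caveat the lab glosses over: Lab 35 enabled Basic authentication on a plain http:// binding, and Basic sends the password Base64-encoded on every request, so outside a lab it belongs only on an HTTPS-only binding. The fix function therefore enables Windows authentication instead; that is this example's choice, not the lab's.

```powershell
# Added example, not part of the CQURE lab text. Diagnose and fix the Lab 35/36
# authentication/authorization posture of one IIS application via WebAdministration.
Import-Module WebAdministration

$appPath = 'IIS:\Sites\Default Web Site\Raccoons2'   # lab value; change for your app

function Get-IisAuthPosture {
    param([Parameter(Mandatory)][string]$PSPath)
    $authBase = 'system.webServer/security/authentication'
    $enabled = [ordered]@{}
    foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication') {
        $prop = Get-WebConfigurationProperty -PSPath $PSPath -Filter "$authBase/$scheme" -Name enabled
        # the provider normally returns a ConfigurationAttribute; tolerate a bare bool too
        $enabled[$scheme] = if ($prop -is [bool]) { $prop } else { [bool]$prop.Value }
    }
    $rules = @(Get-WebConfiguration -PSPath $PSPath -Filter 'system.webServer/security/authorization/add' |
        Select-Object accessType, users, roles, verbs)
    $anonRule = $rules | Where-Object { $_.accessType -eq 'Allow' -and $_.users -in @('*', '?') }
    [pscustomobject]@{
        Path                 = $PSPath
        Enabled              = $enabled
        Rules                = $rules
        # Lab 36 symptom: anonymous auth on + an Allow rule for "?" or "*" => never prompted
        AnonymousGetsThrough = $enabled.anonymousAuthentication -and ($null -ne $anonRule)
        # Lab 35 symptom: nothing enabled => 401.2 for every request
        NoSchemeEnabled      = -not ($enabled.Values -contains $true)
    }
}

function Set-IisRequireCredentials {
    param([Parameter(Mandatory)][string]$PSPath)
    $authBase = 'system.webServer/security/authentication'
    # These sections are locked at server level by default; with -PSPath the provider
    # writes a <location> element into applicationHost.config, as IIS Manager does.
    Set-WebConfigurationProperty -PSPath $PSPath -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
    # Windows auth rather than Basic: Basic is only acceptable behind TLS.
    Set-WebConfigurationProperty -PSPath $PSPath -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true
    # Remove the "Anonymous Users" Allow rule (users="?"), the Lab 36 root cause
    Remove-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/security/authorization' `
        -Name '.' -AtElement @{ users = '?'; roles = ''; verbs = '' }
}

Get-IisAuthPosture -PSPath $appPath | Format-List
# Set-IisRequireCredentials -PSPath $appPath   # apply, then re-run Get-IisAuthPosture
```

Run `Get-IisAuthPosture` before and after the fix: the expected change is `AnonymousGetsThrough` going from True to False while `NoSchemeEnabled` stays False, which is exactly the state the lab verifies by browsing with blank credentials and getting 401.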
Lab 37: Troubleshooting Communication
Machines used in this Lab: DC, NODE5
Reproduce the issue
1. On DC, browse to http://NODE5/netapp/content. Notice the 500 – Internal server
error message.
Verify communication with the Web server
1. Open Command Prompt.
2. Type ping NODE5 and then press Enter.
3. Notice that the ping succeeds indicating that DC and NODE5 are communicating.
4. On NODE5, in Internet Information Services (IIS) Manager, in the Connections
pane, click NODE5.
5. In the details pane, in the IIS section, double-click Error Pages.
6. In the Actions pane, click Edit Feature Settings.
7. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then
click OK.
8. In Internet Explorer, browse to http://localhost/netapp/content.
9. Notice the 500.19 error.
10. Next to Config Error, notice the message Cannot read configuration file because the
network path is not found.
11. Next to Config File, notice the path for the server name.
Correct the problem and verify functionality
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand
NetApp and then click Content.
2. In the Actions pane, click Advanced Settings.
3. The Advanced Settings dialog box appears. In the Physical Path field, modify the
path to read \\NODE5\content, and then click OK.
4. In Internet Explorer, browse to http://localhost/netapp/content.
5. Notice that the IIS Welcome page appears and there is no error message.
Lab 38: Troubleshooting Configuration
Machines used in this Lab: DC, NODE5
Reproduce the issue and examine the detailed error message
1. On NODE5, in Internet Explorer, browse to http://localhost/pics/logo.jpg.
2. Notice the HTTP Error 404.4 – Not Found message.
3. In the Most likely causes section, notice that the most likely cause is The file
extension for the requested URL does not have a handler configured to process the
request on the Web server.
Examine and correct the web.config file
1. In Windows Explorer, browse to C:\Pics.
2. Double-click web.config.
3. On the Windows dialog, click Select a Program from a list of installed programs,
and then click OK. Click Notepad, and then click OK.
4. The Notepad window opens. Notice that the <handlers> section contains a line for
handling static files.
5. Notice that the path attribute is set to “*.jgp”. Modify the line so that the path
attribute correctly reads “*.jpg”.
6. On the File menu, click Save.
7. Close Notepad.
8. In Internet Explorer, browse to http://localhost/pics/logo.jpg.
9. Notice that the Raccoons Bank logo now appears successfully.
Close each of the running virtual machines and revert them to default state.
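Labs 37 and 38 are both configuration faults that IIS surfaces only at request time: a physical path the worker process cannot reach (500.19, web.config unreadable) and a handler mapping whose pattern matches no real file (the `*.jgp` typo behind 404.4). The PowerShell below is an added example, not part of the CQURE lab text, that checks for both across a server: it tests every site, application and root-level virtual directory physical path, and parses each `web.config` `<handlers>` section to flag a `path` pattern that matches no file in that directory. It assumes the WebAdministration module and uses the lab's `C:\Pics` folder as the sample directory.

```powershell
# Added example, not part of the CQURE lab text. Configuration health check for the
# Lab 37 (unreachable physical path) and Lab 38 (handler pattern typo) failure modes.
Import-Module WebAdministration

function Test-IisPhysicalPaths {
    foreach ($site in Get-Website) {
        # site root plus every application and root-level virtual directory
        $targets = @([pscustomobject]@{ Path = '/'; PhysicalPath = $site.physicalPath }) +
                   @(Get-WebApplication -Site $site.Name) +
                   @(Get-WebVirtualDirectory -Site $site.Name)
        foreach ($t in $targets) {
            $p = [Environment]::ExpandEnvironmentVariables($t.PhysicalPath)
            [pscustomobject]@{
                Site      = $site.Name
                Path      = $t.Path
                Physical  = $p
                IsUnc     = $p.StartsWith('\\')
                # Evaluated as the current user. The worker process runs as the pool
                # identity, so a UNC path can pass here and still fail for IIS (500.19).
                Reachable = Test-Path -LiteralPath $p
            }
        }
    }
}

function Test-WebConfigHandlers {
    param([Parameter(Mandatory)][string]$Directory)
    $cfg = Join-Path $Directory 'web.config'
    if (-not (Test-Path -LiteralPath $cfg)) { return }
    $xml = [xml](Get-Content -LiteralPath $cfg -Raw)
    $names = Get-ChildItem -LiteralPath $Directory -File | ForEach-Object Name
    foreach ($h in $xml.SelectNodes('/configuration/system.webServer/handlers/add')) {
        # handler path is a wildcard such as *.jpg; turn it into an anchored regex
        $rx = '^' + [regex]::Escape($h.path).Replace('\*', '.*') + '$'
        $hits = @($names | Where-Object { $_ -match $rx })
        [pscustomobject]@{
            Directory    = $Directory
            Handler      = $h.name
            PathPattern  = $h.path
            Modules      = $h.modules
            MatchesAFile = $hits.Count -gt 0   # $false for "*.jgp" in a folder of .jpg files
        }
    }
}

Test-IisPhysicalPaths | Format-Table -AutoSize
Test-WebConfigHandlers -Directory 'C:\Pics' | Format-Table -AutoSize
```

Beyond typos, the handler listing is worth reading for entries you did not create: a `web.config` handler mapping that routes requests to an unexpected module is a configuration change an application owner can make without touching `applicationHost.config`, so it deserves the same review as the server-level mappings.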
Lab 39: Application Initialization (Optional)
Machines used in this Lab: DC, NODE1
The IIS Application Initialization feature enables website Administrators to configure IIS to
proactively perform initialization tasks for one or more web applications. While an application
is being initialized, IIS can also be configured to return static content as a placeholder or
"splash page" until an application has completed its initialization tasks. The Application
Initialization feature is configured through a combination of global and application-specific
rules that tell IIS how and when to initialize web applications. The Application Initialization
feature also supports integration with the IIS Url Rewrite Module to support more complex
handling of placeholder content while an application is still initializing.
1. Log in as Administrator//P@ssw0rd on NODE1.
2. Open Server Manager and run Add Role wizard.
3. From the configuration of the Web Server role, pick Application Initialization:
Note: The Application Initialization feature can be configured in two places: the machine-
wide applicationHost.config file, and the application-level web.config file. Configuration in
the applicationHost.config file contains "global" application initialization settings, while an
application-level web.config file contains "local" application initialization settings.
In this walkthrough, you will configure a sample application to always be initialized when
the application pool associated with the application starts up. Since application pool
behaviors can only be configured in applicationHost.config, running application
initialization whenever an application pool starts up is considered part of the "global"
application initialization settings.
Setting up the Sample ASP.NET Application
Note: The following steps assume your server already has both IIS installed and ASP.NET 4.5
enabled for use in IIS.
1. Attach appinit.iso to NODE1. The sample ASP.NET application is contained in the
appinit.zip file.
2. Unzip the file to the wwwroot folder on NODE1, application should be copied to the
following path: "c:\inetpub\wwwroot\appinit".
3. Now it is time to configure the folder as an ASP.NET application in IIS. The screenshot
below shows the appinit sample application configured as an application in IIS. Also
notice that the application is assigned to the ".NET v4.5" application pool.
Install the Url Rewrite Module
The sample application makes use of the Url Rewrite module for advanced integration with
the Application Initialization feature. You need to install the Url Rewrite module on your
server; you will find the urlrewrite2.exe in the same ZIP file with application. It can be also
downloaded from: http://www.iis.net/download/URLRewrite.
Configure the Url Rewrite Module
1. Once the Url Rewrite module is installed on your web server, you need to modify the
IIS applicationHost.config file to allow usage of the SKIP_MANAGED_MODULES server
variable supported by the Application Initialization feature. Url Rewrite refuses to set
any server variable that is not listed in the machine-wide <allowedServerVariables>
collection, so a rule in an application's web.config cannot set arbitrary variables; the
administrator has to opt in to each one explicitly.
2. Open up the machine-wide applicationHost.config file in a text editor such as
notepad. The applicationHost.config file is located at
C:\Windows\System32\inetsrv\config.
3. Scroll down the file and locate the security section. This section starts with the Xml
element: <security>.
4. Type in the following Xml elements before the <security> element:
<rewrite>
<allowedServerVariables>
<add name="SKIP_MANAGED_MODULES" />
</allowedServerVariables>
</rewrite>
5. Save the changes to the applicationHost.config file.
Modifications in applicationHost.config
1. Open up the applicationHost.config file located at
%WINDIR%\system32\inetsrv\config in Notepad – run the text editor with the "Run
as Administrator" option.
2. Find the <applicationPools> configuration section, and then look for the application
pool entry with a name of ".NET v4.5".
3. Modify the application pool entry so that the application pool is always running. For
applications where you want global application initialization to occur, you normally
want the associated application pool to be started and running. The startMode
attribute in the configuration snippet is what you add to the configuration entry.
<add name=".NET v4.5" startMode="AlwaysRunning" managedRuntimeVersion="v4.0" />
4. Scroll down a little more in applicationHost.config to the <sites> configuration
element. Within that section there will be an <application> entry for the sample
application you configured earlier. The application is called "appinit", and has a path
attribute value of "/appinit". Modify the <application> entry by adding the
preloadEnabled attribute as shown in the configuration snippet and then save your
changes.
<application path="/appinit" preloadEnabled="true" applicationPool=".NET v4.5">
5. Setting preloadEnabled to "true" tells IIS 8.0 to send a "fake" request to the
application when the associated application pool starts up. That is why in the
previous step we set the application pool's startMode to "AlwaysRunning".
Note: With the combination of the application pool always running, and the application
itself being marked to always receive a fake request, whenever the machine restarts and/or
the World Wide Web service is recycled, IIS 8.0 ensures that the application pool instance
is running and that the application "/appinit" is always sent a fake request to trigger the
application to start up.
Modifications in the application's web.config
1. Using a second instance of Notepad, open up the application level web.config file
located in the following location – run the text editor with the "Run as
Administrator" option.
C:\inetpub\wwwroot\appinit
2. The web.config file has a few configuration sections already pre-populated, but
commented out. Uncomment the configuration snippet shown that is inside of the
<system.webServer> configuration section. This snippet is just below the comment
"Exercise 1 – Step 1" in the web.config file. Then save your changes.
<applicationInitialization
remapManagedRequestsTo="Startup.htm"
skipManagedModules="true" >
<add initializationPage="/default.aspx" />
</applicationInitialization>
3. The applicationInitialization element tells IIS to issue a request to each
initializationPage entry, here "/default.aspx" relative to the application root, in order
to initialize the application. While IIS waits for that request to complete, it serves
"Startup.htm" to any active browser clients. "Startup.htm" is the "splash page" for the
application.
Run the application
1. From an elevated command prompt window, recycle the World Wide Web Service
with the command shown below:
net stop w3svc & net start w3svc
2. Using Internet Explorer, navigate to the following Url:
http://localhost/appinit/default.aspx
3. The browser returns the static "Startup.htm" page with a grey background for the first
few seconds because that is the "splash page" that has been configured in
web.config.
Note: You can continue refreshing the page in your web browser and observe that about
eight seconds later (simulated with a thread sleep in the sample application's global.asax)
you receive the "real" content for default.aspx with a white background. This indicates that
application initialization completed.
Configuring overlapped process recycling
IIS 8.0 integrates global application initialization with overlapped process recycling by
performing application initialization in an overlapped process in the background. When IIS
detects that an active worker process is being recycled, IIS does not switch active traffic over
to the new recycled worker process until the new worker process finishes running all
application initialization Urls in the new process. This ensures that customers browsing your
website don't see application initialization pages once an application is live and running.
1. Go back to the instance of Notepad that has applicationHost.config. Modify the
application pool entry for ".NET v4.5" to look like the configuration snippet shown
below:
<add name=".NET v4.5"
startMode="AlwaysRunning"
managedRuntimeVersion="v4.0" >
<recycling logEventOnRecycle="Schedule">
<periodicRestart requests="30" />
</recycling>
</add>
2. Save your changes. The <recycling> element tells IIS to recycle the worker process
every 30 HTTP requests.
Run the application a second time
1. From an elevated command prompt window, recycle the World Wide Web Service
with the command: net stop w3svc & net start w3svc
2. Using a new instance of Internet Explorer, once again navigate to:
http://localhost/appinit/default.aspx
3. Note that that the "Startup.htm" splash page with the grey background is showing.
4. Open Task Manager and make sure the Processes tab is showing. Sort the process
list by name until you see one instance of w3wp.exe running. That instance is the
worker process that is currently running the "appinit" ASP.NET application.
5. Refresh the browser a few times until the content from the real default.aspx page is
being returned. You know that the application is running the "real" default.aspx page
when the background changes to white.
6. Arrange the windows on your screen so that you can see both Task Manager and the
browser.
7. Switch back to the browser and refresh the page at least 30 times; this causes IIS to
recycle the application pool. You can stop refreshing the page when you see a
second instance of w3wp.exe show up in the Task Manager process list as shown
below:
8. The screenshot shows the second instance of w3wp.exe has started due to the
process recycling limit set earlier.
9. You can continue to periodically refresh the browser window for the next ten seconds
or so. Note that default.aspx continues to run. When the overlapped recycling
completes, one w3wp.exe instance disappears from the Task Manager Process
window.
Throughout the duration of the overlapped recycling, you continue to see the content of the
"real" default.aspx served, even though application initialization was configured for the
application and was running the initialization Url in the background in the new instance of
w3wp.exe.
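The walkthrough edits applicationHost.config and web.config by hand, which is error-prone and not repeatable. The PowerShell below is an added example, not part of the CQURE lab text, that applies the same settings through the WebAdministration provider: the global part (startMode, preloadEnabled, the 30-request recycle limit used for the overlapped-recycling demo) and the local part (the applicationInitialization element), followed by a check that a worker process is already up before any browser request. It assumes the lab names (pool ".NET v4.5", site "Default Web Site", application "appinit"); the 30-request limit is the lab's demonstration value and not something to leave on a production pool.

```powershell
# Added example, not part of the CQURE lab text. Lab 39 settings via the IIS provider
# instead of Notepad, then verify the pool is pre-started.
Import-Module WebAdministration

$pool      = '.NET v4.5'
$site      = 'Default Web Site'
$app       = 'appinit'
$appPSPath = "IIS:\Sites\$site\$app"

# --- global part (applicationHost.config) ---
Set-ItemProperty "IIS:\AppPools\$pool" -Name startMode -Value 'AlwaysRunning'
Set-ItemProperty $appPSPath -Name preloadEnabled -Value $true
# overlapped-recycling demo: recycle after 30 requests and log the scheduled recycle
Set-ItemProperty "IIS:\AppPools\$pool" -Name recycling.periodicRestart.requests -Value 30
Set-ItemProperty "IIS:\AppPools\$pool" -Name recycling.logEventOnRecycle -Value 'Schedule'

# --- local part (the application's web.config) ---
$initFilter = 'system.webServer/applicationInitialization'
Set-WebConfigurationProperty -PSPath $appPSPath -Filter $initFilter -Name remapManagedRequestsTo -Value 'Startup.htm'
Set-WebConfigurationProperty -PSPath $appPSPath -Filter $initFilter -Name skipManagedModules -Value $true
# add <add initializationPage="/default.aspx" /> only if it is not there yet (duplicates fail)
$existing = Get-WebConfiguration -PSPath $appPSPath -Filter "$initFilter/add[@initializationPage='/default.aspx']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath $appPSPath -Filter $initFilter -Name '.' -Value @{ initializationPage = '/default.aspx' }
}

# same effect as the lab's "net stop w3svc & net start w3svc"
Restart-Service W3SVC
Start-Sleep -Seconds 3

# With startMode=AlwaysRunning and preloadEnabled=true a w3wp.exe for this pool should
# already exist (and be warming default.aspx) before the first browser request arrives.
Get-ChildItem "IIS:\AppPools\$pool\WorkerProcesses" | Select-Object processId, state
```

If the last command returns nothing, the pool was not pre-started: check that the Application Initialization role service is actually installed, because without it the preloadEnabled and applicationInitialization settings are accepted but ignored.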
Lab 40: Url Rewrite and Application Initialization
(Optional)
Machines used: DC, NODE1
By default, application initialization only enables you to specify a single "splash page" Url to
display while an application is initializing. However the Application Initialization feature
supports a few server variables that can be used to control request processing while an
application initializes. This enables you to create declarative rules using the Url Rewrite
Module containing more complex mappings to pre-generated static content.
In this walkthrough, you replace the remapManagedRequestsTo attribute with a set of Url
Rewrite rules that accomplish the same end result.
Modifications in applicationHost.config
1. Using the instance of Notepad that has applicationHost.config open, revert both the
application pool and the application elements to turn off all global application
initialization processing. The global settings are removed in this step since the
remainder of this walkthrough focuses on the configured Application Initialization
behavior.
2. The applicationHost.config entries for the application pool and the application are as
shown below.
Application pool configuration entry:
<add name=".NET v4.5" managedRuntimeVersion="v4.0" />
Application configuration entry:
<application path="/appinit" applicationPool=".NET v4.5">
3. Save your changes when you are done!
4. From an elevated command prompt window, recycle the World Wide Web Service
with the command: net stop w3svc & net start w3svc
Modifications to application level web.config
1. Using the instance of Notepad that has the application-level web.config open,
remove the remapManagedRequestsTo attribute from the <applicationInitialization>
element. The <applicationInitialization> configuration section should now look like
this configuration snippet.
<applicationInitialization skipManagedModules="true" >
<add initializationPage="/default.aspx" />
</applicationInitialization>
2. Because the <applicationInitialization> element no longer defines a Url to remap
requests to, add a set of Url Rewrite rules. Add a rewrite rule that explicitly maps
requests made to "default.aspx", as well as "/" to route to "Startup.htm". Two rules
are needed because the Url Rewrite Module doesn't "know" about how default
documents work. Since "/" equates to "default.aspx" in ASP.NET applications, you
need two Url Rewrite rules – one rule for each Url variation.
The new rules are shown below. Alternatively you can uncomment the pre-populated Url
Rewrite rules under the "Exercise 2 – Step 2 Mapping Requests to the Home Page"
comment in the web.config file.
<rewrite>
<rules>
<rule name="Home Page-Expanded" stopProcessing="true">
<match url="default.aspx" />
<conditions>
<add input="{APP_WARMING_UP}" pattern="1" />
</conditions>
<action type="Rewrite" url="Startup.htm" />
</rule>
<rule name="Home Page-Short" stopProcessing="true">
<match url="^$" />
<conditions>
<add input="{APP_WARMING_UP}" pattern="1" />
</conditions>
<action type="Rewrite" url="Startup.htm" />
</rule>
</rules>
</rewrite>
3. Some items to note about these rules:
a. First, the stopProcessing attribute is set to "true" on the <rule /> elements.
This is necessary because a catch-all Url Rewrite rule is added later, and for
requests to default.aspx or "/" you do not want the catch-all rule to run as well.
b. Second, note that we have a Url Rewrite condition in the <conditions />
element. This condition effectively says "only apply rule when the application
is in an initializing state". The server variable "APP_WARMING_UP" is set by IIS
to a value of "1" when application initialization is active and IIS is still
processing all of the initialization Urls.
c. Third, note that the action has been defined to rewrite the active request to
instead run "Startup.htm". This rule has the effect of telling IIS to pass the
request on to the static file handler which then renders the static page
Startup.htm.
4. Add a catch-all rewrite rule. When using the Url Rewrite Module in conjunction with
application initialization, a catch-all rule that fires if none of the previous rules match
is needed. Add the "All Other Requests" rule shown below to the rewrite section as the
catch-all rule. Alternatively you can uncomment the pre-populated catch-all rule in
web.config that is located under the "Exercise 2 – Step 2 Setting Up a Catch-All Rule"
comment in the web.config file.
<rewrite>
<rules>
<rule name="Home Page-Expanded" stopProcessing="true">
<match url="default.aspx" />
<conditions>
<add input="{APP_WARMING_UP}" pattern="1" />
</conditions>
<action type="Rewrite" url="Startup.htm" />
</rule>
<rule name="Home Page-Short" stopProcessing="true">
<match url="^$" />
<conditions>
<add input="{APP_WARMING_UP}" pattern="1" />
</conditions>
<action type="Rewrite" url="Startup.htm" />
</rule>
<rule name="All Other Requests">
<match url=".*" />
<conditions>
<add input="{APP_WARMING_UP}" pattern="1" />
</conditions>
<serverVariables>
<set name="SKIP_MANAGED_MODULES" value="0" />
</serverVariables>
<action type="Rewrite" url="{URL}" />
</rule>
</rules>
</rewrite>
5. Save your changes.
6. The new rule matches against any Url that reaches it and tells IIS to continue
processing the request that was made to the inbound Url. The rule also sets a server
variable called "SKIP_MANAGED_MODULES" to a value of "0" – which equates to
"false". This setting tells IIS that it should treat the rewritten request from Url Rewrite
the same way as if the request had normally arrived off the wire.
Run the application
1. From an elevated command prompt window, recycle the World Wide Web Service
with the command: net stop w3svc & net start w3svc
2. Using a new instance of Internet Explorer, once again navigate to:
http://localhost/appinit/default.aspx
Note: Even though Url Rewrite rules are now used to define the splash page logic, you still
see the same behavior from the first walkthrough. The Startup.htm page with the grey
background is displayed initially. If you refresh the browser periodically, about eight
seconds later you again see the page background switch to white, indicating that the
"real" default.aspx page is being served now that application initialization is complete.
(Optional) Lab: Complex Splash Page Rules
The previous walkthroughs use application initialization as a straight-forward mapping of Url
"X" to Url "Y". In this walkthrough, you are going to implement a more complex application
initialization scenario.
1. In your browser navigate to both of the following Urls:
a. http://localhost/appinit/ImageHandler.ashx?image=Lighthouse
b. http://localhost/appinit/ImageHandler.ashx?image=Tulips
2. These Urls are examples of dynamically generated static content. For this sample
application, the code inside of ImageHandler.ashx looks at the querystring key
"image". If the value of that querystring is either "Lighthouse" or "Tulips" the ASP.NET
handler transmits the corresponding JPG that is located in the App_Data folder.
Note: Since the image handler is just returning images, you want to be able to continue to
return an appropriate image even during application initialization. Although the mechanics
of serving these images uses managed code, you may want to quickly serve up pre-
generated images to customers even if the underlying ASP.NET application is taking a long
time to startup and initialize itself.
Modifications to application level web.config
1. Using the instance of Notepad that has application-level web.config open, add
another Url Rewrite rule before the final catch-all rule. The new snippet to add is
shown below. Alternatively you can uncomment the pre-populated image handler
rule in web.config that is located under the "Exercise 3 – Step 1 Complex Splash Page
Rules" comment in the web.config file.
<rule name="Image Handler Remapping" stopProcessing="true">
<match url="ImageHandler.ashx" />
<conditions>
<add input="{APP_WARMING_UP}" pattern="1" />
<add input="{QUERY_STRING}" pattern="image=([A-Za-z]+)&?" />
</conditions>
<action type="Rewrite" url="Images/{C:1}_static.jpg" appendQueryString="false" />
</rule>
2. Save your changes.
Note: Just as with the rewrite rules for default.aspx and "/", this rule has the
stopProcessing attribute set to "true" to ensure that requests to ImageHandler.ashx don't
accidentally fallthrough to the final catch-all rewrite rule during application initialization.
For requests to "ImageHandler.ashx," the rewrite rule uses a regular expression capture
group to extract the requested image from the query-string. The match pattern definition
pattern="image=([A-Za-z]+)&?" tells IIS to extract the value of the "image" query-
string variable. That value is then used in the url attribute of the action attribute:
url="Images/{C:1}_static.jpg".
The url attribute on the action element tells the Url Rewrite module to rewrite
ImageHandler.ashx requests to instead point at files in the Images subdirectory of the
application. Furthermore the query-string value that was captured by the regular
expression is used to help form the name of the file that will ultimately be served from the
Images subdirectory. For example, a request to ImageHandler.ashx?image=Tulips will be
rewritten to Images/Tulips_static.jpg.
3. If you browse to the inetpub\wwwroot\appinit directory using Windows Explorer and
look in the Images subdirectory, you see two files: one representing the "static"
version of Tulips.jpg, and the other representing the "static" version of
Lighthouse.jpg. These static images act as pre-generated content that can be served
while the application initializes.
Run the application
1. From an elevated command prompt window, recycle the World Wide Web Service
with the command: net stop w3svc & net start w3svc
2. Using Internet Explorer navigate to either:
a. http://localhost/appinit/ImageHandler.ashx?image=Lighthouse
b. http://localhost/appinit/ImageHandler.ashx?image=Tulips
3. Notice how the images returned in either case include a watermark indicating these
are the "static" pre-generated versions of the images. The watermark is text in the
upper portion of the image saying "This image is the static version of...."
4. If you refresh your browser about 10 seconds later, you see the returned image
content change to the "real" content being served by the ImageHandler.ashx handler.
The watermark disappears, which indicates that the content is now being dynamically
generated by the ASP.NET handler since the application has completed initialization.
5. Note: If Internet Explorer appears to not be refreshing, click either the "broken
document" icon in the address bar or the refresh icon to force Internet Explorer to
reload the page.
Lab summary
The IIS 8.0 Application Initialization feature gives developers and Administrators the ability
to return static content to browsers while IIS is initializing a "cold" application. Serving static
content immediately to browsers gives customers a better user experience. Instead of cold-
start applications resulting in a blank browser page or a spinning wait icon, the Application
Initialization feature can be used to serve relevant static content while the underlying
application completes expensive initialization processing.
The initialization process can occur automatically whenever a web server is brought online or
recycled. For scenarios where server Administrators don't want to greedily initialize
applications, the initialization process can instead be triggered on-demand when the first
request arrives at a "cold" application.
For both global and local application initialization the Url Rewrite module can be integrated
to provide richer and more complex initialization rules. Using Url Rewrite rules integrated with
the Application Initialization feature it is possible to serve different types of pre-generated
static content for different Urls and virtual paths while IIS continues to start-up an application
in the background.
Lab 41: IIS Backup – Web Deploy
1. Launch your IIS_WEBB server and verify you have some sites and applications.
2. Install WebDeploy 3.0 package using typical settings (you will find it in the ISO file).
3. Open IIS Management Console and verify if you have "deployment" links in the
action pane when you click on the server, the site or the application.
4. Select your web server name in the left pane.
5. Click on the "Export server package" link in the right pane and save the
"server.zip" package using default settings.
6. Remove some of your websites and then app pools.
7. Select your web server name in the left pane.
8. Click on the "Import server package" link in the right pane and import the
"server.zip" package using default settings. You need to accept a warning message.
Please read it before accepting.
9. Verify that your app pools, sites and applications were restored correctly and can be
opened.
10. Launch cmd.exe.
11. Navigate to C:\Program Files\IIS\Microsoft Web Deploy V3
12. Type: msdeploy -verb:sync -source:appHostConfig="Your Site Name" -dest:archivedir=c:\archive -enableLink:appPool
13. Optionally you can configure https binding and try to backup certificates by adding
"-enableLink:CertificateExtension" to the previous command.
14. Optionally you can replace your destination (type: archivedir, value: c:\archive) with
type "package" and value "c:\archive.zip".
15. Delete your site and associated app pools.
16. Try to restore your backup using the command: msdeploy -verb:sync -source:archivedir=c:\archive -dest:appHostConfig="Restored WebSite" -enableLink:appPool
17. Go to your App Pools and find a pool associated with more than zero applications.
18. Try to delete such a pool. Is this possible? Why?
19. Navigate to C:\Program Files\IIS\Microsoft Web Deploy V3
20. Type: msdeploy -verb:delete -dest:appPoolConfig="your pool name"
21. Verify that your pool was actually deleted.
22. Try to launch your web application.
23. Use your backup to re-create your website with linked App Pools.
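The msdeploy commands in this lab are typed interactively with no check on the result. The PowerShell below is an added example, not part of the CQURE lab text, that wraps the export in a script a practitioner would actually schedule: it takes a native IIS configuration snapshot first (Backup-WebConfiguration, restorable with Restore-WebConfiguration), exports the site with its linked application pool to a timestamped package, stops on a non-zero exit code, and lists the package contents without importing anything. It assumes Web Deploy V3 in its default folder and the WebAdministration module; the site name is the lab's placeholder. The link extension is given by its documented name, AppPoolExtension, where the lab steps write appPool. Treat the resulting archive like the server itself: it holds the site's complete configuration, including bindings, handler mappings and whatever its web.config files contain.

```powershell
# Added example, not part of the CQURE lab text. Scripted IIS site backup with a native
# config snapshot, a Web Deploy package export and a content listing of the package.
Import-Module WebAdministration

$siteName  = 'Your Site Name'                       # lab placeholder; set your site
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = 'C:\archive'
$package   = Join-Path $backupDir "$($siteName -replace '[^\w\-]', '_')-$stamp.zip"
$msdeploy  = 'C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe'

if (-not (Test-Path -LiteralPath $msdeploy)) { throw "msdeploy.exe not found at $msdeploy" }
if (-not (Get-Website -Name $siteName)) { throw "site '$siteName' does not exist" }
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Native snapshot of applicationHost.config and related files
#    (lands under %windir%\system32\inetsrv\backup\<name>; Restore-WebConfiguration -Name <name>)
Backup-WebConfiguration -Name "pre-msdeploy-$stamp" | Out-Null

# 2. Site plus linked application pool to a package (dest type package, not archivedir)
& $msdeploy -verb:sync "-source:appHostConfig=$siteName" "-dest:package=$package" -enableLink:AppPoolExtension
if ($LASTEXITCODE -ne 0) { throw "msdeploy export failed with exit code $LASTEXITCODE" }

# 3. Sanity-check the package: list what it contains without importing anything
& $msdeploy -verb:dump "-source:package=$package"
if ($LASTEXITCODE -ne 0) { throw "package $package could not be read back" }

Get-Item -LiteralPath $package | Select-Object FullName, Length, LastWriteTime
```

Restoring is the lab's step 16 with the package as the source: `msdeploy -verb:sync -source:package=<zip> -dest:appHostConfig="Restored WebSite" -enableLink:AppPoolExtension`. Having the Backup-WebConfiguration snapshot as well means a bad import of applicationHost.config can be rolled back independently of Web Deploy.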
Lab 42: JavaScript Profiling (Optional)
1. On your host machine launch Internet Explorer browser and navigate to
http://ie.microsoft.com/testdrive/Performance/BrickBreaker
2. Click on the first tile in the "Level Selection" window
3. Press F12 to start F12 Developer Tools
4. Switch to "Profiler" tab and click "Start profiling"
5. Return to Internet Explorer window and play a game for some time
6. Switch to F12 console and click "Stop profiling"
7. Switch current view to "Call tree"
8. Expand nodes renderAll – renderAll – next – checkCollision – elementsInRect –
elementsOfClass – hasCssClass
9. Note the count of hasCssClass function calls. Why does it make sense to start
improvement from this function?
10. Double click hasCssClass function name to switch to the "Script" tab
11. Right click function name and select "Insert breakpoint" from the context menu
12. Click "Start debugging" button on the toolbar
13. Click on the first tile in the Internet Explorer "Level Selection" window and start
playing
14. Wait until execution stops on the breakpoint.
15. Click "Locals" over the right pane and look inside local objects. Click "Call stack" and
check how the function was called.
16. Click "Breakpoints" over the right pane and de-select your breakpoint.
17. Click "Watch" over the right pane and add "Balls" to the watch list. Expand the object
properties and find Balls[0].speed
18. Right click the value and edit it. Change the value to 1.
19. Press F5 to continue. Intentionally miss the first ball and launch another one. Note
the difference.
20. Discuss how F12 may help you in troubleshooting performance problems in modern
web applications.
Lab 43: Network traffic monitoring (Optional)
1. Launch IE browser and navigate to http://gizmodo.com/
2. Make sure you have no Tracking Protection enabled – the "no parking" sign next to
the URL must be gray.
3. Press F12.
4. Switch to "Network" tab and press "Start capturing".
5. Return to your browser and open gizmodo.com page again and wait until it fully
loads.
6. Switch to F12 tool and press "Stop capturing"
7. Sort by the "URL" column and try to determine the number of websites used to display
the webpage.
8. Sort by "Result" column and try to find 304 pages. What does it mean? Does it affect
performance?
9. Double click any entry to switch to detailed view.
Lab 44: IIS on Nano Server (Optional)
1. Copy the required Windows PowerShell scripts
Switch to HOST1. Then go to Computer. Mount the ISO for Windows Server 2016 and
verify the DVD media drive letter.
2. Right-click Start, and then click Windows PowerShell (Admin).
3. In the Windows PowerShell window, type cd\, and then press Enter.
4. In the Windows PowerShell window, type md Nano, and then press Enter.
5. In the Windows PowerShell window, type the following command, and then press Enter.
copy d:\NanoServer\NanoServerImageGenerator\*.ps* c:\nano
!To verify the procedure: go to C:\Nano and check that it contains Convert-WindowsImage.ps1,
NanoServerImageGenerator.psd1 and NanoServerImageGenerator.psm1. If not, copy the missing
files from the Windows Server 2016 ISO > NanoServer folder.
Import Windows PowerShell modules
In the Windows PowerShell window, type the following command, and then press
Enter.
Import-Module c:\nano\NanoServerImageGenerator.psm1
Create a virtual hard disk
1. In the Windows PowerShell window, type the following command, and then press Enter.
TP5:
new-NanoServerImage -mediapath D:\ -Basepath c:\nano -targetpath c:\nano\nano-svr1.vhdx -computername NANO-SVR1 -storage -packages Microsoft-NanoServer-IIS-Package -DeploymentType Guest -Edition Datacenter
2. At the AdministratorPassword prompt, type P@ssw0rd, and then press Enter.
3. When the process is completed, on the taskbar, click File Explorer, navigate to C:\Nano,
and then examine the files listed. Verify that nano-svr1.vhdx exists.
Role and package switches accepted by New-NanoServerImage:
-Storage            File Server role and other storage components
-Compute            Hyper-V role
-Clustering         Failover Clustering
-OEMDrivers         Variety of network and storage controller drivers
-GuestDrivers       Drivers for running Nano Server as a Hyper-V virtual machine
-ReverseForwarders  Reverse forwarders allow you to run some software on Nano Server that is not explicitly made for Nano Server
Reference: https://blogs.technet.microsoft.com/nanoserver/2015/06/15/powershell-script-to-build-your-nano-server-image/
4. Create a new VM from the Nano VHDX file. In the Windows PowerShell window, type
the following command, and then press Enter.
new-VM -Name NANO-SVR1 -Generation 2 -VHDPath c:\Nano\Nano-SVR1.vhdx
When the process is completed, go to Hyper-V Manager and verify that the nano-svr1 VM
exists. For the next step, connect the VM to the same virtual switch as the Domain Controller VM.
!TIP: You can add Nano Server directly to a domain at image creation time with parameters like:
New-NanoServerImage -Edition Standard -DeploymentType Host -MediaPath \\Path\To\Media\en_us -BasePath .\Base -TargetPath .\JoinDomHarvest.vhdx -ComputerName JoinDomHarvest -DomainName Contoso
Sign in to the NANO-SVR1 virtual machine
1. On NANO-SVR1, in the User name box, type Administrator, and then press the Tab
key.
2. In the Password box, type P@ssw0rd, and then press Enter.
Completing post-installation tasks on Nano Server
Use the Nano Server Recovery Console to view basic settings
1. On NANO-SVR1, in the Nano Server Recovery Console, observe that the computer
name is Nano-Svr1 and that the computer is in a workgroup. Press the Tab key until
Networking is selected, and then press Enter.
2. Press Enter on the Ethernet adapter. In Network Adapter Settings, notice that DHCP is
obtaining the IP configuration.
3. Make a note of the IP address.
4. Press Esc twice.
Add Nano Server to the domain
1. Switch to DC and log in as Administrator with the password P@ssw0rd.
2. Switch to the Administrator: Windows PowerShell window.
3. At the command prompt, type the following cmdlet, and then press Enter.
djoin.exe /provision /domain company /machine nano-svr1 /savefile .\odjblob
Note: Replace the IP address 192.168.127.X in the following commands with the IP address
you recorded earlier from your Nano Server installation.
4. At the command prompt, type the following cmdlet, and then press Enter. Your IP
address might be different.
Set-Item WSMan:\localhost\Client\TrustedHosts "192.168.127.X"
5. Type Y, and when prompted, press Enter.
6. At the command prompt, type the following cmdlet, and then press Enter. Your IP
address might be different.
$ip = "192.168.127.X"
7. At the command prompt, type the following cmdlet, and then press Enter.
Enter-PSSession -ComputerName $ip -Credential $ip\Administrator
8. In the Windows PowerShell credential request dialog box, in the Password box, type
P@ssw0rd, and then click OK.
9. At the command prompt, type the following cmdlet, and then press Enter.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
10. At the command prompt, type the following cmdlet, and then press Enter.
Exit-PSSession
11. At the command prompt, type the following command, and then press Enter. Your IP
address might be different.
net use z: \\192.168.127.X\c$
12. At the command prompt, type Z:, and then press Enter.
13. At the command prompt, type the following command, and then press Enter.
copy c:\odjblob
14. At the command prompt, type the following cmdlet, and then press Enter.
Enter-PSSession -ComputerName $ip -Credential $ip\Administrator
15. In the Windows PowerShell credential request dialog box, in the Password box, type
P@ssw0rd, and then click OK.
16. At the command prompt, type cd\, and then press Enter.
17. At the command prompt, type the following cmdlet, and then press Enter.
djoin /requestodj /loadfile c:\odjblob /windowspath c:\windows /localos
18. At the command prompt, type the following cmdlet, and then press Enter. Nano Server
restarts.
shutdown /r /t 5
19. Switch to NANO-SVR1.
20. In the User name box, type Administrator, and then press the Tab key.
21. In the Password box, type P@ssw0rd and then press Tab.
22. In the Domain box, type Company, and then press Enter.
23. In the Nano Server Recovery Console, observe that the computer is in the adatum.com
domain.
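The same offline domain join, scripted end to end, is shown below as an added example; it is not part of the CQURE lab guide. It assumes you run it as a domain administrator in an elevated PowerShell 5.0 or later session on the DC, that $NanoIp is the address recorded from the Nano Server Recovery Console, and that the Nano Server accepts Copy-Item -ToSession over the WinRM session (verified with the Windows Server 2016 release; the TP5 build used in this lab is an assumption). Two deliberate departures from the manual steps: the blob is copied over the already-open WinRM session instead of mapping \\ip\c$, so the File and Printer Sharing firewall rule never has to be opened on the Nano Server, and the TrustedHosts entry (which makes WinRM send NTLM credentials to an unauthenticated host) is scoped to the single IP and restored afterwards.

```powershell
# Added example (not from the CQURE lab guide): scripted offline domain join of NANO-SVR1.
param(
    [Parameter(Mandatory)][string]$NanoIp,                 # 192.168.127.X noted in the Recovery Console
    [string]$Domain      = 'company',
    [string]$MachineName = 'nano-svr1',
    [string]$BlobPath    = (Join-Path $PWD 'odjblob')
)

# 1. Provision the computer account in AD and write the offline-join blob.
#    The blob carries the machine account secret: handle it like a password
#    file and delete it as soon as the join has completed.
& djoin.exe /provision /domain $Domain /machine $MachineName /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# 2. Connecting by IP address forces NTLM, so the address must be listed in
#    TrustedHosts. Keep the entry scoped to this one IP (never '*') and keep
#    the previous value so it can be restored in the finally block.
$trustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'
$oldTrusted = (Get-Item $trustedHostsPath).Value
Set-Item $trustedHostsPath -Value $NanoIp -Force

try {
    $cred    = Get-Credential -UserName "$NanoIp\Administrator" -Message 'Nano Server local Administrator'
    $session = New-PSSession -ComputerName $NanoIp -Credential $cred

    # 3. Copy the blob over the WinRM session (assumption: supported by the
    #    Nano build) instead of over the C$ admin share; no SMB rule is opened.
    Copy-Item -Path $BlobPath -Destination 'C:\odjblob' -ToSession $session

    # 4. Apply the blob on the Nano Server, wipe it, and reboot.
    Invoke-Command -Session $session -ScriptBlock {
        & djoin.exe /requestodj /loadfile C:\odjblob /windowspath C:\Windows /localos
        if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }
        Remove-Item C:\odjblob -Force        # the secret is no longer needed on disk
        shutdown.exe /r /t 5
    }
}
finally {
    # 5. Clean up: close the session, restore TrustedHosts, delete the local blob.
    if ($session) { Remove-PSSession $session }
    Set-Item $trustedHostsPath -Value $oldTrusted -Force
    Remove-Item $BlobPath -Force -ErrorAction SilentlyContinue
}
```

Run it as `.\Join-NanoServer.ps1 -NanoIp 192.168.127.X` (file name is your choice). After the reboot, the Recovery Console should show the domain, just as step 23 describes.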
Use Windows PowerShell to configure the settings of Nano Server
1. Switch to DC, and then close Windows PowerShell.
2. Right-click Start, and then click Windows PowerShell (Admin).
3. At the command prompt, type the following cmdlet, and then press Enter.
get-windowsfeature -comp Nano-svr1
4. At the command prompt, type the following cmdlet, and then press Enter.
install-windowsfeature Fs-fileserver -comp Nano-svr1
5. At the command prompt, type the following cmdlet, and then press Enter.
get-windowsfeature -comp Nano-svr1
6. At the command prompt, type the following cmdlet, and then press Enter. Substitute
the X for the last octet of the IP address on the Nano server.
$ip = "192.168.127.X"
7. At the command prompt, type the following cmdlet, and then press Enter.
Enter-PSSession -ComputerName $ip -Credential $ip\Administrator
8. In the Windows PowerShell credential request dialog box, in the Password box, type
P@ssw0rd, and then click OK.
9. At the command prompt, type the following cmdlet, and then press Enter.
get-netipaddress
10. At the command prompt, type the following cmdlet, and then press Enter.
bcdedit /enum
11. At the command prompt, type the following cmdlet, and then press Enter.
net share
12. At the command prompt, type the following cmdlet, and then press Enter.
Exit-PSSession
Enable remote management with Server Manager
1. On DC1, in Server Manager, in the navigation pane, right-click All Servers, and then
click Add Servers.
2. In the Add Servers dialog box, in the Name (CN): box, type Nano-SVR1, and then
click Find Now.
3. In the Name list, click Nano-svr1, and then to add the computer to the Computer list,
click the Right Arrow key.
4. Click OK.
5. In Server Manager, expand File and Storage Services.
6. Click Shares, and then in the TASKS list, click New Share.
7. In the New Share Wizard, click SMB Share – Quick and then click Next.
8. On the Select the server and path for this share page, in the Server list, click nano-
svr1, and then click Next.
9. On the Specify share name page, in the Share name box, type Data, and then click
Next.
10. To complete the wizard, click Next twice, and then click Create.
11. Click Close.
Test the file server and web server on Nano Server
1. On DC1, switch to the Administrator: Windows PowerShell window.
2. At the command prompt, type the following command, and then press Enter.
net use z: /d
3. At the command prompt, type the following command, and then press Enter.
net use z: \\Nano-svr1\c$
4. Click Start, type Notepad, and then press Enter.
5. In Notepad, type <H1> Nano Server Website </H1>.
6. Click File and then click Save As.
7. In the Save As dialog box, in the File name box, type z:\Inetpub\wwwroot, and then
press Enter.
8. In the Save as type list, click All Files.
9. In the File name box, type Default.htm, and then click Save.
10. Close Notepad.
11. Click Start, click All apps, click Windows Accessories, and then click Internet
Explorer.
12. Navigate to http://nano-svr1. Does your webpage display?
13. Close Windows Internet Explorer.
14. On DC1, at the command prompt, type the following command, and then press Enter.
net use y: \\nano-svr1\data
15. Type cmd and press Enter.
16. Type write, and then press Enter.
17. In WordPad, type This is my document, click File, and then click Save.
18. In the Save As dialog box, in the File name box, type Y: and then press Enter.
19. In the File name box, type My document, and then click Save.
20. In File Explorer, navigate to data (\\nano-svr1) (Y:). Is your file listed?
Lab 45: IIS and HTTP2 (Optional)
Machines used in this Lab: DC, NODE5
On Node5, log in as Cqure\Administrator. Verify HTTP2 settings in the browser
1. Switch to NODE5. Then run Internet Explorer. Go to Tools>Internet
Options>Advanced and make sure that HTTP2 support is enabled.
2. To close the window click OK
3. Click RUN (Win+R), type certlm.msc, and then choose Request New Certificate.
6. In the certificate enrollment wizard click Next two times; on the Request Certificates page
select WebServer and click Properties.
7. In the General tab, in Friendly Name, type: http2.cqure.tec
8. Next switch to the Subject tab. In the Subject Name section select Common Name,
type: http2.cqure.tec and click Add; in the Alternative Name section select DNS,
type: http2.cqure.tec and click Add.
9. Click OK to approve the changes and close the window.
10. At the end, the certificate should be successfully enrolled
Optionally, you may generate a self-signed certificate instead.
Open Server Manager and in Tools > Internet Information Services (IIS) Manager, locate and
open Server Certificates.
In the Actions pane on the right, choose Create Self-Signed Certificate and
proceed with the wizard. In the highlighted field specify http2.cqure.tec as the
name and select Personal as the certificate store.
Once you have a certificate, proceed to the next steps.
11. Go to the course lab files: in the properties of the Node5 VM select Media, choose DVD and
mount http2.iso.
12. In Windows Explorer, browse to DVD Drive>select IIS10-http2-loader.
13. Then copy the folder to C:\inetpub.
14. Open Server Manager > Dashboard and select Add roles and features, click Next till
Select server roles appears and in the Web Server (IIS) make sure that in
Application Development that Application Initialization, ASP, CGI, ISAPI
Extensions and ISAPI Filters are installed, if not, proceed with the procedure of
adding server roles.
15. Switch to IIS Manager and go to Sites and add a New Site
16. Then configure the site: in Site Name type http2, in Physical path type
C:\inetpub\IIS10-http2-loader and in Host Name type http2.cqure.tec, then click OK.
17. After creating a new site switch to DC and open Server Manager>tools>DNS and in
the Cqure.tec zone add a new host entry. In the name type: http2 and in the IP
address: 192.168.127.109 (which is Your IIS server IP address) then click OK.
18. After creating the DNS entry for the new site, switch back to the NODE5 VM and continue to
configure IIS.
19. In IIS Manager go to Application Pools and find the newly created pool called http2;
right-click, choose Advanced Settings, and in General set Enable 32-bit Applications
to True. Click OK to save and close the window.
20. Go to IIS Manager>Sites>http2 and in the IIS section find Default Document then in
the right pane Actions select Add… and type: loader.htm and OK.
21. IIS Manager>Sites>http2 in the IIS section find Handler Mappings and right click on
ISAPI-dll and choose Edit Feature Permissions… in the newly opened window make
sure to check Execute and save settings by clicking OK.
22. On the root node in the central IIS section open ISAPI and CGI restrictions, on the
right in Actions click Edit Feature Settings… enable unspecified CGI and ISAPI
modules and click OK.
23. Try to open the browser and in the address type: http://http2.cqure.tec (you should
see a new page is loading a picture, try to resize the window to see the whole picture
and refresh the site once more).
24. Open CMD and type: ipconfig /flushdns
25. Go back to the browser and refresh the site, observe how the picture is being loaded.
26. To add a new SSL binding go to IIS Manager>Sites>http2 right click Edit Bindings
and click Add.
27. Configure the new binding by selecting Type: https, in the Host Name type:
http2.cqure.tec and select in the SSL certificate: http2.cqure.tec as the default
certificate, click OK.
28. Go back to the browser and open a new tab, in the address type :
https://http2.cqure.tec.
29. Observe how the picture loads, test the protocol type and verify the performance.
In Internet Explorer open Tools > Developer Tools > Network tab, or press F12 to
open it. Flush the DNS cache with ipconfig /flushdns, then in the browser access
http://http2.cqure.tec and observe the results in the Network tab. Then access
https://http2.cqure.tec and check Developer Tools once again. You will observe
that the two sites use different protocol versions; compare the Time and Received
columns and the page load performance for each, as in the screenshot of the original lab guide.
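Step 22 above enables unspecified CGI and ISAPI modules, which means any .dll or .exe IIS can reach may be executed as a handler; the equivalent allow-listed configuration is shown below as an added example, not as code from the CQURE lab guide. It assumes an elevated PowerShell session on NODE5 with IIS 10 and the WebAdministration module, and $LoaderDll is a placeholder for the ISAPI DLL inside C:\inetpub\IIS10-http2-loader, which the lab guide does not name. The weak setting is kept in its own function beside the hardened one so the two can be compared, and an audit function shows what a reviewer would check before and after the change.

```powershell
# Added example (not from the CQURE lab guide): ISAPI/CGI restriction, weak vs. allow-listed.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/isapiCgiRestriction'

# Lab setting (weak): every module not on the list is allowed to run.
function Set-IsapiCgiAllowUnlisted {
    Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name notListedIsapisAllowed -Value $true
    Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name notListedCgisAllowed  -Value $true
}

# Hardened setting: deny by default, allow-list only the module the site needs.
function Set-IsapiCgiAllowListed {
    param(
        [Parameter(Mandatory)][string]$ModulePath,
        [string]$Description = 'http2 lab loader'
    )
    Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name notListedIsapisAllowed -Value $false
    Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name notListedCgisAllowed  -Value $false

    # Add the explicit entry, or flip an existing entry for the same path to allowed.
    $entryFilter = "$filter/add[@path='$ModulePath']"
    if (Get-WebConfiguration -PSPath $appHost -Filter $entryFilter) {
        Set-WebConfigurationProperty -PSPath $appHost -Filter $entryFilter -Name allowed -Value $true
    } else {
        Add-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name '.' `
            -Value @{ path = $ModulePath; allowed = $true; description = $Description }
    }
}

# Audit: the global policy plus every explicit entry.
function Get-IsapiCgiPolicy {
    $section = Get-WebConfiguration -PSPath $appHost -Filter $filter
    [pscustomobject]@{
        NotListedIsapisAllowed = $section.notListedIsapisAllowed
        NotListedCgisAllowed   = $section.notListedCgisAllowed
        Entries                = Get-WebConfiguration -PSPath $appHost -Filter "$filter/add" |
                                     Select-Object path, allowed, description
    }
}

# Placeholder path: replace with the real loader DLL from the http2.iso lab files.
$LoaderDll = 'C:\inetpub\IIS10-http2-loader\PLACEHOLDER-loader.dll'
Set-IsapiCgiAllowListed -ModulePath $LoaderDll
Get-IsapiCgiPolicy | Format-List
```

The handler mapping permission from step 21 (Execute on ISAPI-dll) is still required; the restriction list only decides which binaries that handler may load.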
Lab 46: IIS WildCard HostHeader support (Optional)
Machines used in this Lab: DC, NODE1
On NODE1, on the taskbar, click Server Manager, click Tools, and then click Internet
Information Services (IIS) Manager.
1. Go to the course lab files: in the properties of the VM select Media, choose DVD and
mount http2.iso.
2. In Windows Explorer, browse to DVD Drive>select WildCard Host Header and copy
the folder to C:\inetpub.
3. In the IIS Manager Connections list, click the "Add Website..." option in the Actions
pane.
4. Enter configuration of a Cqure WildCard site, in the text box Site Name:
WildCardCqure, in the Physical path point to previously copied folder in:
C:\inetpub\wwwroot\WildCard Host Header.
5. Configure the new binding by typing in the Host Name: *.cqure.tec and click OK.
6. Switch to DC and open DNS; in Forward Lookup Zones > Cqure.tec, right-click to
create a new Host (A). In Name type WildCard and in IP address type your IIS server
IP.
7. Open the browser and in the address type : http://wildcard.cqure.tec.
8. Observe the site loads and displays the name.
9. Go back to the DNS Manager console and expand "Forward Lookup Zones", then
right-click and select "New Zone". On the Zone Type page make sure Primary zone is selected,
uncheck "Store the zone in Active Directory" and click Next. In Zone Name
type intranet.cqure.tec and finish the wizard. After the zone is created, open the newly
created zone (in our case intranet.cqure.tec) and right-click to add a new Host (A);
leave the Host name blank and add only the IP address (your IIS server IP).
10. Repeat the same procedure for private.cqure.tec and extranet.cqure.tec. At the end you
should have 3 new zones: intranet, private, extranet.
11. Go back to your browser and type intranet.cqure.tec, then open another new tab for
extranet.cqure.tec and observe the results. Also test private.cqure.tec and
wildcard.cqure.tec.
Lab 47: OneToOne certificate mapping (Optional)
Machines used in this Lab: DC, WEBA
1. Log on to DC as Cqure\Administrator. Click RUN (Win+R), type MMC, add a new
snap-in (Ctrl+M), select Certification Authority, click Add, select Local computer
and click Finish.
2. In the console window expand CA > CQure Root.. and go to Certificate Templates
then click Certificate Template to Issue
3. On the template list find template called User and click OK. Do the same for the
Computer template.
4. Switch to WEBA, log in as Cqure\Administrator and click RUN (Win+R) and type
certmgr.msc and Request New Certificate.
5. In the certificate enrollment Wizard click Next two times, on the Request Certificates
select User and click Enroll
6. At the end, the certificate should be successfully enrolled
7. Run one more time RUN (Win+R) and type certlm.msc and Request New Certificate
for the Computer.
8. Run Windows PowerShell as Administrator and type:
Import-Module ServerManager
Add-WindowsFeature web-client-auth, web-cert-auth, web-windows-auth, web-basic-auth
9. Open ServerManager and go to Tools > Internet Information Services (IIS) Manager >
Sites, right click and edit bindings.
10. Select the https site binding using the computer certificate and click OK.
11. Open the browser and type: https://weba.cqure.tec and you will see the default IIS
site.
Change the authentication settings
1. In the Default Web Site pane move to Features View and select Authentication to
change the settings. Enable only Basic Authentication and Windows
Authentication, rest should be disabled.
2. Open the browser and type : https://weba.cqure.tec and in the Windows Security
pop-up type as user name : administrator and password: P@ssw0rd
3. After typing the credentials you will be logged in to the IIS default site.
Set One To One certificate on IIS server
1. On WEBA, open certmgr.msc and export the Administrator certificate.
2. Export it without the private key; on the Export File Format page choose Base-64
encoded X.509 (.CER) and save it as UserOneToOne.cer on the desktop.
The oneToOneMappings collection item has an attribute called certificate. The
required value for this attribute is not the certificate hash but the actual certificate
blob. Here's how you extract it.
3. Right click on your .cer file on the Desktop
4. Select Open With... in the context menu
5. Select Notepad from the list of More Apps and click OK. [Note: Notepad may be
hidden beneath a drop down in the list view]
6. This is what should be displayed in notepad:
-----BEGIN CERTIFICATE-----
[...]
DgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJ
[...]
Z7dRDoaIuAGQLFAlC/KjIBCemDi54MlWtvATQ8bmiRuEOWeneK2Vd2e0fxyezk05
dRqa8DEC74CQN4rQuz395ECm+M/hQnN+dHOygV8n9swd0bdNq8qypwfVUes5HIpj
LFmKTuGyFSVj7jv+64oTxvxtYX2QFp9q6Bi+qj0uyrX8Xjxy5rPSVPEfnxPCBg58
RCI=
-----END CERTIFICATE-----
7. Remove -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
8. Format the certificate blob to be a single line.
9. Save this file as UserOneToOneText.txt on the Desktop and copy the converted
certificate blob data.
10. Open the Internet Information Services (IIS) Manager go to Sites > Default Web
Site in the Features View select Configuration Editor. Select in the section address:
"system.webServer/security/authentication/iisClientCertificateMappingAuthent
ication" in the Section drop down box.
11. Then in the settings select the enabled field and change the value to true.
12. Select the oneToOneCertificateMappingsEnabled property grid entry and change
the value to true.
13. Select the oneToOneMappings property grid entry and click Edit Items... in the
Actions Task Pane.
14. Click Add in the Collection Editor task list
15. Copy the single string certificate blob from above and paste it into the certificate field
16. Set the username (Administrator) and password (P@ssw0rd) that the client will be
authenticated as.
17. Set the enabled field to true
18. Close Collection Editor
19. On the right, in the Actions pane, click Generate Script and note that IIS generates
the same settings for you as C#, JavaScript, command line and PowerShell scripts, so
you are always able to redeploy them.
20. Close the Script Dialog of the generated scripts.
21. Click Apply in the Actions Task Pane
22. Once this is complete the server will be configured to handle IIS Client Certificate
Mapping authentication with a single one to one certificate mapping entry.
23. In Internet Information Services (IIS) Manager go to Sites > Default Web Site, in
Features View select SSL Settings, set Client certificates to Accept and Apply the
changes.
24. Open the browser and type: https://weba.cqure.tec and you will see the certificate
information.
25. Click OK and you will be successfully able to authenticate to the default IIS Web Site
using the OneToOne certificate.
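The whole configuration from steps 3 to 23 can also be done from PowerShell, which is what the Generate Script action in step 19 produces in a less general form. The script below is an added example, not the CQURE lab guide's own code; it assumes an elevated session on WEBA with IIS 10, the Web-Cert-Auth feature from step 8, and UserOneToOne.cer exported as in step 2. It reads the raw DER bytes from the certificate object, which gives the single-line base64 blob directly (no PEM header stripping, and it also works for a DER-encoded .cer), writes the mapping with the WebAdministration module, and adds an audit function that lists the mapped certificates by thumbprint and expiry, which is what you would check against the CA's issued list when reviewing such a server.

```powershell
# Added example (not from the CQURE lab guide): one-to-one client certificate mapping via WebAdministration.
Import-Module WebAdministration

$site       = 'Default Web Site'
$appHost    = 'MACHINE/WEBROOT/APPHOST'
$authFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# The mapping needs the DER certificate as one base64 line; RawData is exactly that.
function Get-CertificateBlob {
    param([Parameter(Mandatory)][string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Blob       = [Convert]::ToBase64String($cert.RawData)   # single line, no PEM headers
    }
}

function Set-OneToOneMapping {
    param(
        [Parameter(Mandatory)][string]$Blob,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password
    )
    # Steps 11-12: enable the feature and one-to-one mode for the site (written as a
    # <location> in applicationHost.config, where this section is unlocked).
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $authFilter -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $authFilter -Name oneToOneCertificateMappingsEnabled -Value $true
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $authFilter -Name manyToOneCertificateMappingsEnabled -Value $false

    # Steps 13-17: one collection item per client certificate.
    Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$authFilter/oneToOneMappings" -Name '.' `
        -Value @{ certificate = $Blob; userName = $UserName; password = $Password; enabled = $true }

    # Step 23: SSL Settings -> Client certificates: Accept (negotiate, but do not require).
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert'
}

# Audit helper: decode every mapped blob so the thumbprints can be reviewed.
function Get-OneToOneMappings {
    Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$authFilter/oneToOneMappings/add" |
        ForEach-Object {
            $raw = [Convert]::FromBase64String($_.certificate)
            $c   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
            [pscustomobject]@{
                UserName   = $_.userName
                Enabled    = $_.enabled
                Thumbprint = $c.Thumbprint
                Subject    = $c.Subject
                NotAfter   = $c.NotAfter
            }
        }
}

$info = Get-CertificateBlob -CerPath "$env:USERPROFILE\Desktop\UserOneToOne.cer"
# The lab maps to Administrator; outside the lab, map to a dedicated low-privilege account.
$secure = Read-Host -AsSecureString 'Password of the mapped account'
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
Set-OneToOneMapping -Blob $info.Blob -UserName 'Administrator' -Password $plain
Get-OneToOneMappings | Format-Table -AutoSize
```

After running it, repeat steps 24 and 25 in the browser; the certificate prompt and the authenticated default site should behave exactly as they do after the Configuration Editor procedure.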
CQURE Academy says thank you!
Thank you for attending the IIS training. We hope it was useful and that you feel your IIS
skills are now at a higher level!
The CQURE Team wishes you all the best in your future engagements with IIS.
Please note that this training is part of CQURE Academy and you are eligible to receive the
Certified Security Professional certificate.
Do not forget to check our website, http://cqure.pl, for new and existing training and
consultancy offers. You will also find useful tools there.
Your opinion is extremely important to us. Please complete the 1 minute survey at
http://stderr.pl/surveys