Advanced Internet Information Services 7.5/8/8.5

Lab Instructions

Version 1.3

Document created: 7th of December 2016

This is an authored content – please respect intellectual property!

Author: CQURE

http://cqure.us

Advanced Internet Information Services 7.5/8/8stderr.pl/iis8/labs/LABS/IIS_LABS_80_edited_v19.pdf · 18 Lab 2: Installing IIS Using DISM Installation Machines used in this Lab: DC,


Contents

Welcome to IIS training!
CQURE Academy
Note Pages (Page 1)
Note Pages (Page 2)
Lab 1: Installing IIS 10 with the Default Settings
Lab 2: Installing IIS Using DISM Installation
Lab 3: IIS Basic configuration steps
Lab 4: Websites and Application Pools
Lab 5: Creating Web Application
Lab 6: Working with Application Pools
Lab 7: Configuring Application Settings
Lab 8: Running both ASP.NET 3.5 and ASP.NET 4.5 Applications
Lab 9: Configuring ASP.NET Settings for development
Lab 10: Configuring Multiple Applications
Lab 11: ASP.NET Security
Lab 12: Tracing and Logging for ASP.NET
Lab 13: Request Filtering
Lab 14: IIS Modules
Lab 15: Configuring Managed Modules
Lab 16: Securing the IIS Web Server and Web Sites
Lab 17: CPU Throttling: Sand-boxing Sites and Applications
Lab 18: Central certificate store
Lab 19: Configuring FTP Protection
Lab 20: Authorization, Authentication and Access
Lab 21: IIS Hardening
Lab 22: IIS under attack
Lab 23: Logging
Lab 24: Delegation and Remote Administration
Lab 25: Configuring Delegated Administration
Lab 26: Configuring Feature Delegation
Lab 27: Automating webserver management
Lab 28: Command-line and Scripting for IIS
Lab 29: Manage IIS tasks using WMI and AppCmd
Lab 30: Tuning IIS
Lab 31: Web Farms
Lab 32: Shared Configuration
Lab 33: Web Deploy
Lab 34: Configuring Network Load Balancing
Lab 35: Troubleshooting IIS
Lab 36: Troubleshooting Authorization
Lab 37: Troubleshooting Communication
Lab 38: Troubleshooting Configuration
Lab 39: Application Initialization (Optional)
Lab 40: URL Rewrite and Application Initialization (Optional)
Lab 41: IIS Backup – Web Deploy
Lab 42: JavaScript Profiling (Optional)
Lab 43: Network traffic monitoring (Optional)
Lab 44: IIS on Nano Server (Optional)
Lab 45: IIS and HTTP2 (Optional)
Lab 46: IIS WildCard HostHeader support (Optional)
Lab 47: OneToOne certificate mapping (Optional)
CQURE Academy says thank you!

Welcome to IIS training!

Before you start the exercises, please take a look at what the classroom environment looks like. In this course, you will use a cloud service to perform the labs. You will connect to the server using an RDP connection. Your instructor will provide you with a username and password to access the environment. The virtual machines are based on the Hyper-V platform. Your instructor will provide guidelines on how to start, shut down, save and create snapshots of the virtual machines. Please read the lab instructions carefully, as it is sometimes required to return to the starting point. It is necessary to follow the instructions so that the labs do not interfere with each other. Each virtual machine is a member of the domain cqure.tec. Each machine has Windows Server 2012 installed. Within our training we will use web applications that are hosted for the company Raccoons.

When you first use each machine, you may be asked to configure its IP addresses. Our goal was to make this simple task as fast as possible, so we built scripts that you can just run on each machine.

The following table shows the role of each virtual machine used in this course:

Virtual Machine Name   Hostname   Role
IIS8_DC                DC         Domain Controller
IIS8_WEBA              WEBA       Primary Web Server
IIS8_WEBB              WEBB       Primary Web Server
IIS8_NODE1             NODE1      Used for IIS installation – Regular
IIS8_NODE2             NODE2      Used for IIS installation – Core
IIS8_NODE3             NODE3      Used for IIS installation – Unattended
IIS8_NODE4             NODE4      Primary Web Server
IIS8_NODE5             NODE5      Primary Web Server
IIS8_WEB2              WEB2       Secondary Web Server

Please note that:

1. All necessary files are on the ISO image delivered with the course.

2. It may be necessary to configure IP addresses for each VM; please find the available ipaddress.iso and run the appropriate script from it. Verify the configuration.

3. Sometimes it may be necessary to configure firewall rules during an exercise, so please be prepared for that.

4. New-WinUserLanguageList en-US, Set-WinUserLanguageList en-US in PowerShell will help you to set your keyboard layout.

5. You may not see the correct error pages if you have the option Show friendly errors set.

6. Before you begin the labs, please create snapshots/checkpoints for every VM in the course!

…enjoy!

CQURE Academy

Please note that this training is a part of CQURE Academy and you are eligible to receive the certificate of Certified Security Professional.

Do not forget to check our website, http://cqure.pl, for new and existing training and consultancy offers. You will find useful tools there as well.

Please have a look at the next two pages for enlargement:

Note Pages (Page 1)

Note Pages (Page 2)

Lab 1: Installing IIS 10 with the Default Settings

Machines used in this Lab: NODE1 – please check if there is a VM checkpoint (snapshot) before installation!

To install IIS 10 on NODE1, use the following steps:

1. Log on as Administrator with the password P@ssw0rd.

2. Open Server Manager.

3. Under Manage menu, select Add Roles and Features:

4. Select Role-based or Feature-based Installation:

5. Select the appropriate server (local is selected by default), as shown below:

6. Select Web Server (IIS):

7. Add Management Tools Feature

8. No additional features need to be selected for IIS (.NET Framework 3.5 will be added automatically in the next step), click Next:

9. Click Next:

10. Customize your installation of IIS, or accept the default settings that have already been selected for you. Make sure that under the Application Development section ASP, ASP.NET 3.5, ASP.NET 4.6, .Net Extensibility 3.5, .Net Extensibility 4.6, ISAPI Extensions and ISAPI Filters are checked, and then click Next.

11. Click Specify an alternate source path:

12. In the VM properties, under Media > DVD, mount the Windows Server 2016 ISO (ask the trainer for the location of the ISO file). In the Specify Alternate Source Path window, type the path D:\Sources\sxs, click OK, and then click Install.

13. When the IIS installation completes, the wizard reflects the installation status:

14. Click Close to exit the wizard.

15. Open a web browser (Internet Explorer or Edge). If the window opens, browse to http://localhost.

If you see the error “This app can’t open, …can’t be opened using the Built-in Administrator Account. Sign in with a different account and try again.”, press Win + R, type gpedit.msc and click OK. Then go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and enable the policy User Account Control: Admin approval mode for the built in administrator account. Restart the computer, open the web browser again and browse to http://localhost.

16. Notice that the IIS Welcome page loads, indicating that IIS is successfully installed and running.

17. After this exercise you should have successfully verified that the IIS Welcome page opens.

18. Create a checkpoint of the current state. In the VM properties, select Action > Checkpoint and name it “Node1WithIIS”.

Lab 2: Installing IIS Using DISM Installation

Machines used in this Lab: DC, NODE3

Start the NODE3 virtual machine and log on as Administrator with the password of P@ssw0rd.

Turn on Network Discovery

1. On NODE3, open network settings.

2. Click the information bar with the text Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change....

3. Click Turn on network discovery and file sharing.

4. Click Yes, turn on network discovery and file sharing for all public networks.

5. Close Network.

Install IIS using DISM and verify once completed

1. Open PowerShell as Administrator and run:

DISM.EXE /enable-feature /online /featureName:IIS-WebServerRole /featureName:IIS-WebServer

2. Wait for the feature installation.

3. Notice that Web Server (IIS) is installed. Open Internet Explorer.

4. Browse to http://localhost, notice that the IIS Welcome page appears.

5. Alternatively, run the following to fully install IIS and its components:

DISM.EXE /enable-feature /online /featureName:IIS-WebServerRole /featureName:IIS-WebServer /featureName:IIS-CommonHttpFeatures /featureName:IIS-StaticContent /featureName:IIS-DefaultDocument /featureName:IIS-DirectoryBrowsing /featureName:IIS-HttpErrors /featureName:IIS-ApplicationDevelopment /featureName:IIS-ASPNET /featureName:IIS-NetFxExtensibility /featureName:IIS-ASPNET45 /featureName:IIS-NetFxExtensibility45 /featureName:IIS-ISAPIExtensions /featureName:IIS-ISAPIFilter /featureName:IIS-ServerSideIncludes /featureName:IIS-HealthAndDiagnostics /featureName:IIS-HttpLogging /featureName:IIS-LoggingLibraries /featureName:IIS-RequestMonitor /featureName:IIS-HttpTracing /featureName:IIS-CustomLogging /featureName:IIS-ODBCLogging /featureName:IIS-Security /featureName:IIS-BasicAuthentication /featureName:IIS-WindowsAuthentication /featureName:IIS-DigestAuthentication /featureName:IIS-ClientCertificateMappingAuthentication /featureName:IIS-IISCertificateMappingAuthentication /featureName:IIS-URLAuthorization /featureName:IIS-RequestFiltering /featureName:IIS-IPSecurity /featureName:IIS-Performance /featureName:IIS-HttpCompressionStatic /featureName:IIS-HttpCompressionDynamic /featureName:IIS-WebDAV /featureName:IIS-WebServerManagementTools /featureName:IIS-ManagementScriptingTools /featureName:IIS-ManagementService /featureName:IIS-FTPServer /featureName:IIS-FTPSvc /featureName:IIS-FTPExtensibility /featureName:NetFx4Extended-ASPNET45 /featureName:IIS-ApplicationInit /featureName:IIS-WebSockets /featureName:IIS-CertProvider /featureName:IIS-ManagementConsole
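The result of either DISM command can be checked against an intended feature set. The following PowerShell is an added example, not part of the CQURE lab files: it compares the enabled IIS-* features with a baseline and reports every difference. The baseline contents, the function name Compare-IisFeatureBaseline and the sample data are assumptions made for illustration.

```powershell
# Added example. The baseline is an assumption: the two features from step 1
# plus static content, default document, error pages, logging and request filtering.
$baseline = @(
    'IIS-WebServerRole', 'IIS-WebServer', 'IIS-CommonHttpFeatures',
    'IIS-StaticContent', 'IIS-DefaultDocument', 'IIS-HttpErrors',
    'IIS-HealthAndDiagnostics', 'IIS-HttpLogging',
    'IIS-Security', 'IIS-RequestFiltering'
)

function Compare-IisFeatureBaseline {
    param(
        # Objects with FeatureName and State properties, as returned by
        # Get-WindowsOptionalFeature -Online
        [Parameter(Mandatory)] [object[]] $Feature,
        [Parameter(Mandatory)] [string[]] $Baseline
    )

    # State is an enum on a live system, so compare its string form.
    $enabled = @($Feature |
        Where-Object { $_.FeatureName -like 'IIS-*' -and "$($_.State)" -eq 'Enabled' } |
        ForEach-Object { $_.FeatureName })

    foreach ($name in $enabled) {
        if ($Baseline -notcontains $name) {
            [pscustomobject]@{ FeatureName = $name; Finding = 'Enabled but not in baseline' }
        }
    }
    foreach ($name in $Baseline) {
        if ($enabled -notcontains $name) {
            [pscustomobject]@{ FeatureName = $name; Finding = 'In baseline but not enabled' }
        }
    }
}

# Constructed sample that resembles a server after the full install in step 5,
# with request filtering switched off again by hand.
$sample = @(
    [pscustomobject]@{ FeatureName = 'IIS-WebServerRole';      State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-WebServer';          State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-CommonHttpFeatures'; State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-StaticContent';      State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-DefaultDocument';    State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-HttpErrors';         State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-HealthAndDiagnostics'; State = 'Enabled' }
    [pscustomobject]@{ FeatureName = 'IIS-HttpLogging';        State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-Security';           State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-RequestFiltering';   State = 'Disabled' }
    [pscustomobject]@{ FeatureName = 'IIS-DirectoryBrowsing';  State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-WebDAV';             State = 'Enabled'  }
    [pscustomobject]@{ FeatureName = 'IIS-FTPServer';          State = 'Enabled'  }
)

Compare-IisFeatureBaseline -Feature $sample -Baseline $baseline | Format-Table -AutoSize

# On a lab VM, in an elevated session, use the live feature list instead:
# Compare-IisFeatureBaseline -Feature (Get-WindowsOptionalFeature -Online) -Baseline $baseline
```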

Lab 3: IIS Basic configuration steps

Machines used in this Lab: DC, NODE1, NODE2, NODE3

Configure NODE1 for ASP debugging, detailed error messages, and HTTP compression

1. On NODE1, open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand NODE1 > Sites, and then click Default Web Site.

3. In the details pane, double-click ASP.

4. In the Compilation section, expand Debugging Properties.

5. In the Enable Client-side Debugging list, click True.

6. In the Enable Server-side Debugging list, click True.

7. In the Send Errors to Browser list, click True.

8. In the Actions pane, click Apply.

9. In the Connections pane under NODE1 > Sites, click Default Web Site.

10. In the details pane, double-click HTTP Response Headers.

11. In the Actions pane on the right, click Set Common Headers.

12. The Set Common HTTP Response Headers dialog box appears. Select Expire Web content, and then click OK.

13. In the Connections pane under NODE1 > Sites, click Default Web Site.

14. In the details pane, double-click Compression.

15. Notice that Enable static content compression is checked.

16. In the Connections pane under NODE1 > Sites, click Default Web Site.

17. In the Details pane, double-click Error Pages.

18. In the Actions pane on the right, click Edit Feature Settings

19. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK.

20. On NODE3, in Internet Explorer, browse to http://NODE1/default.asp.

21. Notice that you get a detailed HTTP Error 404 page, indicating that the NODE1 web server has been configured properly.

Configure NODE3 to trace server errors, enable directory browsing, enable Windows authentication and impersonation, and enable dynamic output compression and SMTP

1. On NODE3 in Server Manager, make sure Tracing, Windows Authentication, Directory Browsing and ASP.NET 4.6 role features are checked:

2. Proceed with the installation of the selected options. Next, open Internet Information Services (IIS) Manager.

3. In the Connections pane, expand NODE3 | Sites, and then click Default Web Site.

4. In the Actions pane on the right, under the Manage Website section, click Failed Request Tracing Rules.

5. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK.

6. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.

7. In the Actions pane, click Add.

8. The Add Failed Request Tracing Rule dialog box appears. Click Next.

9. In the Status code(s) field, type 500.

10. Select Trace Providers, and then in the Provider Properties list under Verbosity for ASP, select Critical Error. Repeat the same for ASPNET, ISAPI and WWW.

11. Click Next and then click Finish.

12. In the Connections pane, click Node3>Sites>Default Web Site.

13. In the details pane, in the IIS section, double-click Directory Browsing.

14. In the Actions pane, click Enable.

15. In the Connections pane, click Default Web Site.

16. In the Details pane, in the IIS section, double-click Authentication.

17. In the Details pane, click Windows Authentication.

18. In the Actions pane, click Enable.

19. In the same window, click ASP.NET Impersonation.

20. In the Actions pane, click Enable.

21. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.

22. In the Details pane, in the IIS section, double-click Output Caching.

23. In the Actions pane, click Add.

24. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.

25. Select User-mode caching and then click OK.

26. In the Connections pane, click Default Web Site.

27. In the Details pane, in the ASP.NET section, double-click SMTP E-mail.

28. In the E-mail address field, type [email protected].

29. In SMTP Server field, type SMTP.CQURE.TEC.

30. In the Actions pane, click Apply.

31. Browse to http://localhost/aspnet_client.

32. Notice that there is a detailed HTTP Error 500.24.

33. Under Detailed Error Information, right-click C:\inetpub\logs\FailedReqLogFiles, and then click Copy.

34. Open Run. Right-click the Open field and then click Paste.

35. Click OK.

36. Double-click W3SVC1.

37. Notice that there is a failed request log for the server error: fr00001.xml.

Configure NODE2 to have no default documents, and redirect requests to NODE1

1. On NODE2, in the Windows PowerShell window, type:

Import-Module ServerManager

Add-WindowsFeature Web-Server, Web-WebServer, Web-Security, Web-Filtering, Web-Mgmt-Tools, Web-Mgmt-Console, Web-ASP, Web-Http-Redirect

and then press Enter.

2. In the command prompt window, type cd \windows\system32\inetsrv\config and then press Enter.

3. Open the applicationHost.config file with Notepad.

4. Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change "true" to "false".

5. Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify this line to read:

<httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://192.168.127.101/" />

6. On the File menu, click Save.

7. On the File menu, click Exit.

8. On NODE3, in Internet Explorer, browse to http://NODE2, or use the IP address of the NODE2 server (e.g. http://192.168.127.106).

9. Notice that the IIS Welcome page loads and the address field has changed to http://192.168.127.101.

When you finish the lab, revert the virtual machines to their initial state. To do this, in the NODE3 Virtual Machine window click “Action” in the menu and choose “Revert”.
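The settings changed in this lab (detailed error pages, ASP debugging, directory browsing, the redirect on NODE2) are all stored as attributes in the IIS configuration, so they can be reviewed in one pass before a server leaves the lab. The following PowerShell is an added example, not part of the CQURE lab files: it walks every system.webServer section, including those under location elements, and lists these settings. The function name Get-LabOnlyIisSetting, the rule table and the embedded XML are constructed for illustration; the element and attribute names follow the IIS configuration schema.

```powershell
# Added example. Constructed applicationHost.config fragment that mirrors
# the changes made on NODE1, NODE2 and NODE3 in this lab.
[xml]$sampleConfig = @'
<configuration>
  <system.webServer>
    <defaultDocument enabled="false" />
    <directoryBrowse enabled="false" />
    <httpErrors errorMode="DetailedLocalOnly" />
    <httpRedirect enabled="true" exactDestination="false" childOnly="false"
                  destination="http://192.168.127.101/" />
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <asp scriptErrorSentToBrowser="true" appAllowDebugging="true"
           appAllowClientDebug="true" />
      <httpErrors errorMode="Detailed" />
      <directoryBrowse enabled="true" />
    </system.webServer>
  </location>
</configuration>
'@

# Values that are useful in the lab but disclose detail on a production server.
$rules = @(
    @{ Element = 'httpErrors';      Attribute = 'errorMode';                Risky = 'Detailed'
       Note = 'Detailed error pages are sent to remote clients' }
    @{ Element = 'directoryBrowse'; Attribute = 'enabled';                  Risky = 'true'
       Note = 'Directory listings are served' }
    @{ Element = 'asp';             Attribute = 'scriptErrorSentToBrowser'; Risky = 'true'
       Note = 'ASP script errors are sent to the browser' }
    @{ Element = 'asp';             Attribute = 'appAllowDebugging';        Risky = 'true'
       Note = 'ASP server-side debugging is enabled' }
    @{ Element = 'asp';             Attribute = 'appAllowClientDebug';      Risky = 'true'
       Note = 'ASP client-side debugging is enabled' }
)

function Get-LabOnlyIisSetting {
    param(
        [Parameter(Mandatory)] [xml] $Config,
        [Parameter(Mandatory)] [hashtable[]] $Rule
    )

    foreach ($webServer in $Config.SelectNodes('//system.webServer')) {
        # A section inside <location path="..."> applies to that site or path only.
        $parent = $webServer.ParentNode
        $scope = if ($parent.LocalName -eq 'location') { $parent.GetAttribute('path') }
                 else { '(server level)' }

        foreach ($r in $Rule) {
            $node = $webServer.SelectSingleNode($r.Element)
            if ($node -and $node.GetAttribute($r.Attribute) -eq $r.Risky) {
                [pscustomobject]@{
                    Scope   = $scope
                    Setting = "$($r.Element)/@$($r.Attribute)"
                    Value   = $r.Risky
                    Note    = $r.Note
                }
            }
        }

        # Redirects are listed with their target so the destination can be confirmed.
        $redirect = $webServer.SelectSingleNode('httpRedirect')
        if ($redirect -and $redirect.GetAttribute('enabled') -eq 'true') {
            [pscustomobject]@{
                Scope   = $scope
                Setting = 'httpRedirect/@destination'
                Value   = $redirect.GetAttribute('destination')
                Note    = 'Confirm that the redirect target is expected'
            }
        }
    }
}

Get-LabOnlyIisSetting -Config $sampleConfig -Rule $rules | Format-Table -AutoSize

# On a lab VM, read the file edited in this lab instead of the sample:
# $live = [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
# Get-LabOnlyIisSetting -Config $live -Rule $rules
```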

Lab 4: Websites and Application Pools

Machines used in this Lab: DC, WEBA

1. Start the DC virtual machine.

2. Start the WEBA virtual machine and log on as CQURE\Administrator.

Add Basic, Windows Integrated and Digest Security features to the IIS Role

1. On WEBA, in Server Manager, in the console pane, click Add Roles, and then under Roles check whether Web Server (IIS) is installed; if not, add the IIS role.

2. In the same window under Security, select Basic Authentication, Windows Authentication, and Digest Authentication.

3. Click Next and then click Install.

4. When the installation is complete, check the summary section of the details pane and notice that IIS and Basic Authentication, Windows Authentication, and Digest Authentication are listed as Installed.

Create a virtual directory

1. Open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand WEBA | Sites and then click Default Web Site.

3. In the Actions pane, click View Virtual Directories.

4. Click Add Virtual Directory.

5. The Add Virtual Directory dialog box appears. In the Alias field, type Public.

6. Next to the Physical path field, click the Browse (...) button.

7. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New Folder.

8. Type Public, and then click OK.

9. Click OK.

10. Open Computer and then browse to C:\inetpub\wwwroot.

11. Select all, then right-click and then click Copy.

12. Browse to C:\inetpub\public, right-click, and then click Paste.

Configure the public virtual directory for anonymous authentication

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web Site and then click Public.

2. In the Details pane, double-click Authentication.

3. Click Anonymous Authentication. Make sure that it is enabled; if not, click Enable.

4. In the Actions pane, click Edit.

5. The Edit Anonymous Authentication Credentials dialog appears. Notice that Specific user is selected and set to IUSR.

6. Click Cancel.

7. Open Local Users and Groups MMC and then click Users.

8. In the details pane, right-click Guest, and then click Properties.

9. The Guest Properties dialog box appears. Clear Account is disabled, and then click OK.

10. Open Local Security Policy, e.g. by typing secpol.msc in cmd.

11. The Local Security Policy window opens. In the console pane, expand Local Policies and then click User Rights Assignment.

12. In the details pane, right-click Allow log on locally, and then click Properties.

13. The Allow log on locally Properties dialog appears. Click Add User or Group.

14. The Select Users, Computers, or Groups dialog box appears. Click Locations.

15. The Locations dialog box appears. Click WEBA, and then click OK.

16. In the Enter the object names to select field, type Guest, and then click OK twice.

17. Close Local Security Policy.

18. From the Start menu, select Switch User.

19. Log on as WEBA\Guest with no password.

20. Open Internet Explorer.

21. The Internet Explorer window opens. Browse to http://localhost. Note that we’ve set the default site to the Public virtual directory so there’s no need to use localhost/public.

22. Notice that the IIS Welcome page loads.

23. Go to Switch User.

24. Log on as CQURE\Administrator with the password of P@ssw0rd.

Lab 5: Creating Web Application

Machines used in this Lab: DC, WEBA

1. Start the DC virtual machine.

2. Start the WEBA virtual machine and log on as CQURE\Administrator.

Create a site named Raccoons

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane, click Sites.

2. In the Actions pane, click Add Web Site.

3. The Add Web Site dialog box appears. In the Site name field, type Raccoons.

4. In Physical path, click the Browse (...) button.

5. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New Folder.

6. Type Raccoons, and then click OK.

7. In the Port field, type 88, and then click OK.

Copy the Raccoons Application to the Appropriate Directory

1. In the properties of the WEBA VM, select Media, choose DVD, and mount ISO_IIS8_Labfiles.iso.

2. In Windows Explorer, browse to DVD Drive>AllFiles>Step2>Raccoons.

3. Select all, then right-click, and then click Copy.

4. Browse to C:\inetpub\Raccoons, right-click, and then click Paste.

Add the .NET 3.5 Feature and ASP.NET to the server (it may have been added for you)

1. In Server Manager, in the console pane, go to Server Roles and under Web Server IIS > Web Server > Application Development select ASP and add features.

2. Then in Features, add .NET Framework 3.5 Features.

3. Click Next twice.

4. Click Next until the confirmation summary appears, then click “Specify an alternate source path” and type “D:\sources\sxs” to point to the mounted Windows Server 2016 ISO binaries. Click OK, and then click Install.

5. When the installation is complete, click Close.

Delegate administrative access

1. Internet Information Services (IIS) Manager, in the Connections pane, expand

Sites and then click Raccoons.

1. In the Actions pane, click Edit Permissions.

2. The Raccoons Properties dialog box appears. Click the Security tab.

3. Click Edit.

4. The Permissions for Raccoons dialog box appears. Click Add.

5. The Select Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type ITAdminsGG, and then click Check Names.

6. Click OK.

7. Next to Full control, select Allow and then click OK twice.

In order to proceed to the next Lab don't revert machines.


Lab 6: Working with Application Pools

Machines used in this Lab: DC, WEBA, NODE1

Create an application pool named TempPool

1. On WEBA, in Internet Information Services (IIS) Manager, expand WEBA and then click Application Pools.

2. In the Actions pane, click Add Application Pool.

3. The Add Application Pool dialog box appears. In the Name field, type TempPool.

4. Click OK.

5. In the details pane, notice that TempPool appears in the list of application pools.

Rename Raccoons to RaccoonsPool

1. On WEBA, in Internet Information Services (IIS) Manager, expand Sites and then click Raccoons.

2. In the Actions pane, click Basic Settings.

3. The Edit Site dialog box appears. Click Select.

4. The Select Application Pool dialog box appears. In the Application pool list, click TempPool, and then click OK twice.

5. In the Connections pane, click Application Pools.

6. In the Details pane, click Raccoons.

7. In the Actions pane, click Rename.

8. Type RaccoonsPool, and then press Enter.

9. In the Connections pane, under WEBA>Sites click Raccoons.

10. In the Actions pane, click Basic Settings.

11. The Edit Site dialog box appears. Click Select.

12. The Select Application Pool dialog box appears. In the Application pool list, click RaccoonsPool, and then click OK twice.

Configure Windows Integrated authentication

1. In the Connections pane, expand Sites and then click Raccoons.


2. In the Details pane, double-click Authentication.

3. Click Windows Authentication. In the Actions pane, click Enable.

4. In the Details pane, click Anonymous Authentication.

5. In the Actions pane, click Disable.

6. Start NODE1.

7. Log on to NODE1 as Local Admin with the password of P@ssw0rd. Note that this account is not a domain one.

8. Open Internet Explorer.

9. The Windows Internet Explorer window opens. Browse to http://WEBA.CQURE.TEC.

10. The IIS Welcome page appears, indicating that the previous anonymous public site configuration is correct.

11. Browse to http://WEBA.CQURE.TEC:88.

12. Notice that there is an error message and the page will not load. Windows authentication has failed for this user/machine.

13. Question: Why does Windows authentication fail?

14. Answer: Because the account you used is not a domain account, so the user account cannot be authenticated.

13. On WEBA, open Internet Explorer.

14. The Windows Internet Explorer window opens. Browse to http://localhost:88.

15. If you have problems accessing port 88, you may disable the firewall for a moment on the Web server hosting the website. We all know that it is a bad practice, right?

15. Notice that the Raccoons Bank page appears. Windows authentication is successful.

Configure TempPool to use LocalSystem as worker process identity

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools.

2. In the Details pane, click TempPool.

3. In the Actions pane, click Advanced Settings.

4. The Advanced Settings dialog box appears. Under the Process Model section, click Identity.

5. Next to Identity, click the Browse (...) button.


6. The Application Pool Identity dialog box appears. In the Built-in account list, click LocalSystem.

7. Click OK twice.

Stop, start and recycle RaccoonsPool

1. In the Connections pane, click Application Pools.

2. In the Details pane, click RaccoonsPool.

3. In the Actions pane, click Stop.

4. In the Details pane, notice that the status of RaccoonsPool changes to Stopped.

5. In the Actions pane, click Start.

6. In the Details pane, notice that the status of RaccoonsPool changes to Started.

7. In the Actions pane, click Recycle.

Configure TempPool for Classic Pipeline Mode

1. In the Connections pane, click Application Pools.

2. In the Details pane, click TempPool.

3. In the Actions pane, click Basic Settings.

4. The Edit Application Pool dialog box appears. In the Managed pipeline mode list, click Classic.

5. Click OK.

Remove TempPool

1. In the Connections pane, click Application Pools.

2. In the Details pane, click TempPool.

3. In the Actions pane, click Remove.

4. The Confirm Remove dialog box appears. Click Yes.

Configure Health and Recycling settings for RaccoonsPool

1. In the Connections pane, click Application Pools.

2. In the Details pane, click RaccoonsPool.

3. In the Actions pane, click Recycling.


4. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number of requests.

5. In the Fixed Number of requests field, type 1000.

6. Click Next.

7. On the Recycling Events to Log page, select Number of requests.

8. Click Finish.

9. In the Actions pane, click Advanced Settings.

10. The Advanced Settings dialog box appears. In the Rapid-Fail Protection section, click Failure Interval (minutes).

11. In the value column, type 10 and then click OK.

When you finish the lab, revert the virtual machines to their initial state. To do this, from the WEBA Virtual Machine window, click the “Action” menu and choose “Revert”. Repeat this step on NODE1.
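The application pool settings changed in this lab can be reviewed from PowerShell before the machines are reverted. The following is an added example, not part of the original lab manual; it assumes the WebAdministration module that ships with the IIS management tools, and the names Get-AppPoolReview and New-SamplePool, as well as the sample pool values, are constructed for illustration.

```powershell
# Added example, not part of the lab manual. Reports the application pool
# settings touched in Lab 6 and flags pools whose worker process runs as
# LocalSystem.

function Get-AppPoolReview {
    param(
        # An item from IIS:\AppPools, or any object exposing the same properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Pool
    )
    process {
        $identity = [string]$Pool.processModel.identityType
        [pscustomobject]@{
            Name              = $Pool.name
            Identity          = $identity
            PipelineMode      = [string]$Pool.managedPipelineMode
            RecycleRequests   = [int]$Pool.recycling.periodicRestart.requests
            LoggedRecycles    = [string]$Pool.recycling.logEventOnRecycle
            FailureInterval   = [timespan]$Pool.failure.rapidFailProtectionInterval
            # LocalSystem gives code running in the pool full control of the server.
            RunsAsLocalSystem = ($identity -eq 'LocalSystem')
        }
    }
}

# Constructed stand-in for an IIS:\AppPools item, used when IIS is not installed.
function New-SamplePool {
    param($Name, $Identity, $Pipeline, $Requests, $LogEvents, $FailureInterval)
    [pscustomobject]@{
        name                = $Name
        managedPipelineMode = $Pipeline
        processModel        = [pscustomobject]@{ identityType = $Identity }
        recycling           = [pscustomobject]@{
            logEventOnRecycle = $LogEvents
            periodicRestart   = [pscustomobject]@{ requests = $Requests }
        }
        failure             = [pscustomobject]@{ rapidFailProtectionInterval = $FailureInterval }
    }
}

# Constructed sample values that mirror the pools configured in this lab.
$sample = @(
    New-SamplePool 'TempPool' 'LocalSystem' 'Classic' 0 'Time, Memory, PrivateMemory' '00:05:00'
    New-SamplePool 'RaccoonsPool' 'ApplicationPoolIdentity' 'Integrated' 1000 'Requests' '00:10:00'
)

if (Get-Module -ListAvailable -Name WebAdministration) {
    # On WEBA: read the live configuration.
    Import-Module WebAdministration
    $pools = Get-ChildItem IIS:\AppPools
} else {
    # Anywhere else: fall back to the constructed sample.
    $pools = $sample
}

$pools | Get-AppPoolReview | Format-Table -AutoSize
```

Run it on WEBA after the TempPool identity step and again after TempPool is removed to see the RunsAsLocalSystem flag appear and disappear.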


Lab 7: Configuring Application Settings

Machines used in this Lab: DC, WEBA

Start the DC virtual machine

Start the WEBA virtual machine and log on as CQURE\Administrator

Install IIS, ASP.NET and Basic Security features to the IIS Role

1. On WEBA, in Server Manager, in the console pane, click Add Roles and then click Web Server (IIS).

2. Right-click Web Server (IIS), and then click Add Role Services.

3. The Add Role Services dialog box appears. In the Role services box, under Application Development, select ASP.NET, ASP, ASP.NET 3.5, ASP.NET 4.6.

4. The Add Role Services box appears. Click Add Required Role Services.

5. In the Role services box, under Security, select Basic Authentication.

6. Click Next until the confirmation summary appears, then click “Specify an alternate source path” and type “D:\sources\sxs” to point to the mounted Windows Server 2016 ISO binaries. Select OK and then Install.

7. When the installation is complete, click Close.

8. In the details pane, in the Role Services section, notice that ASP.NET and Basic Authentication are listed as Installed.

Create the application and copy the ASP.NET application files

1. Open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand WEBA | Sites and then click Default Web Site.

3. In the Actions pane on the right, click View Applications. Click Add Application.

4. The Add Application dialog box appears. In the Alias field, type SalesSupport.

5. Next to the Physical path field, click the Browse (...) button.

6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.

7. Type SalesSupport and then click OK.


8. Click OK.

9. In the properties of the WEBA VM, select Media, choose DVD, and mount ISO_IIS8_Labfiles.iso.

10. In Windows Explorer, browse to DVD Drive>AllFiles>Step3>Labfiles>SalesSupport.

11. Select all, then right-click and then click Copy.

12. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.

Configure Basic Security

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web Site and then click SalesSupport.

2. In the Details pane, double-click Authentication.

3. Click Anonymous Authentication.

4. In the Actions pane, click Disable.

5. In the Details pane, click Basic Authentication.

6. In the Actions pane, click Enable.

7. Click Edit.

8. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type CQURE.

9. Click OK.

10. Open Internet Explorer.

11. The Internet Explorer window opens. Browse to http://localhost/salessupport.

12. The Connect to localhost dialog box appears. Notice that there is a warning about basic authentication and insecure credentials.

13. In the User name field, type Alisa. Note that Alisa is a marketing account manager with a domain account in the CQURE domain.

13. In the Password field, type P@ssw0rd and then click OK.

14. Notice that the Sales Support Resources page loads successfully.

14. Close Internet Explorer. Note that you must close the browser to reset the session so you can try logging in as a different user.

15. Open Internet Explorer.


16. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.

17. The Connect to localhost dialog box appears. In the User name field, type bob. Note that Bob does not have a domain account in the CQURE domain.

15. Leave the Password field blank and then click OK.

16. Click OK two more times.

17. Notice that you get an HTTP 401.1 Unauthorized error. Note that detailed error messages show up locally by default.

18. Close Internet Explorer.

Configure custom error pages

1. In Windows Explorer, browse to the course labfiles DVD Drive>AllFiles>Step3\WBErrors.

2. Select all, right-click and then click Copy.

3. Browse to C:\inetpub\custerr\, right-click, and then click Paste.

4. In Internet Information Services (IIS) Manager, in the Connections pane under Default Web Site, click SalesSupport.

5. In the Details pane, double-click Error Pages.

6. In the Actions pane, click Edit Feature Settings.

7. The Edit Error Pages Settings box appears. Click Custom error pages.

8. Click OK.

9. In the Details pane, under the Status Code column, click 401.

10. In the Actions pane, click Edit.

11. The Edit Custom Error Page dialog box appears. Click Set.

12. The Set Localized Custom Error Path dialog box appears. In the Relative file path field, delete the existing text and then type 401.aspx. Click OK twice.

13. In the Details pane, under the Status Code column click 404 and in the Actions pane, click Edit.

14. The Edit Custom Error Page dialog box appears. Click Set.

15. The Set Localized Custom Error Path dialog box appears. In the Relative file path field, delete the existing text and then type Other_Errors.aspx.


16. Click OK twice. Note that in a real-world situation, you would repeat these steps for each error that you wanted to assign to a custom error message.

17. Open Internet Explorer. Browse to http://localhost/salessupport.

18. The Connect to localhost dialog box appears. In the User name field, type bob.

19. Leave the Password field blank and then click OK three times. Do you see the custom error page as expected?

Note: You are not seeing the custom error properly because the system.webServer/httpErrors section is made delegation safe!

In IIS 7.0, the httpErrors section was not delegated by default, which means custom errors were not available to site owners for customization. The section was not delegated because, once it is delegated, site owners are free to return any file they can read as a custom error response, which was not secure. Server administrators can delegate the section securely using custom application pool identities and file ACLs, which requires a lot of work.

Since IIS 7.5, if the system.webServer/httpErrors@allowAbsolutePathsWhenDelegated property is set to false, the custom errors module only allows paths relative to the site root folder (not absolute paths) when the section is delegated. If server administrators want to allow absolute paths in web.config files even when the section is delegated, they can set the allowAbsolutePathsWhenDelegated property to true. Error 500.19 (configuration error) with the detailed error description “Absolute physical path <folder> is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.” is generated if allowAbsolutePathsWhenDelegated is set to false and an absolute path is detected in web.config. This restriction applies to the properties path and prefixLanguageFilePath but not defaultPath. Here is how the httpErrors section looks if a site owner wants to configure localized custom errors when only relative paths are allowed:

<httpErrors>
  <clear/>
  <!-- Make module return %SITEROOT%\myerrorsfolder\%LANGUAGECODE%\401.htm -->
  <error statusCode="401" prefixLanguageFilePath="myerrorsfolder" path="401.htm" />
  <error ...
</httpErrors>

With this feature, hosters can now easily delegate the custom errors section to site owners. With the httpErrors section now made delegation safe, the section is delegated in a fresh install. Because the behavior is controlled by the system.webServer/httpErrors@allowAbsolutePathsWhenDelegated property, this attribute is locked in the default configuration. This ensures that the property cannot be overridden by site owners to enable absolute file paths. As the relative path restriction is not applied to the defaultPath property, system.webServer/httpErrors@defaultPath is locked as well and cannot be used in web.config files.

Additionally, in this scenario try to use an absolute URL to the error page. Note the difference!

20. Notice that there is now a custom error message directing you to contact your district sales manager.

21. Close Internet Explorer.

22. Open Internet Explorer.

23. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport/brokenlink.

24. The Connect to localhost dialog box appears. In the User name field, type Alisa.

25. In the Password field, type P@ssw0rd and then click OK.

26. If you are prompted, add the site to the allowed list.

27. Notice that you get a custom error that is slightly different. Since the path “brokenlink” doesn’t exist, this is a custom 404 error. Try to use the custom error page in several variants: absolute path, or absolute URL.

28. Close Internet Explorer.

Below you can find screenshots of the configuration details to support the challenge a little bit:


Absolute path:

Absolute URL:

In order to proceed to the next Lab don't revert machines.
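The relative-path rule described in the httpErrors note above can be checked against a web.config before it is deployed. The following is an added example, not part of the original lab manual; the function name Test-HttpErrorsPath, the absolute-path pattern and the embedded web.config are assumptions constructed for illustration, and IIS itself makes the final decision.

```powershell
# Added example, not part of the lab manual. Lists the httpErrors entries of a
# web.config and marks those that a delegated section rejects when
# allowAbsolutePathsWhenDelegated is false.

function Test-HttpErrorsPath {
    param([Parameter(Mandatory)][xml]$WebConfig)

    # Assumption: "absolute" means a drive-letter or UNC path.
    $absolutePattern = '^(?:[A-Za-z]:[\\/]|\\\\)'

    $section = $WebConfig.SelectSingleNode('/configuration/system.webServer/httpErrors')
    if ($null -eq $section) { return }

    # defaultPath is locked in the default configuration, so it cannot be set here.
    if ($section.HasAttribute('defaultPath')) {
        [pscustomobject]@{
            StatusCode = '(section)'
            Attribute  = 'defaultPath'
            Value      = $section.GetAttribute('defaultPath')
            Accepted   = $false
            Reason     = 'defaultPath is locked'
        }
    }

    # The restriction applies to path and prefixLanguageFilePath on each <error>.
    foreach ($entry in $section.SelectNodes('error')) {
        foreach ($name in 'path', 'prefixLanguageFilePath') {
            if (-not $entry.HasAttribute($name)) { continue }
            $value      = $entry.GetAttribute($name)
            $isAbsolute = $value -match $absolutePattern
            $reason     = 'not an absolute path'
            if ($isAbsolute) { $reason = 'absolute path, expect error 500.19' }
            [pscustomobject]@{
                StatusCode = $entry.GetAttribute('statusCode')
                Attribute  = $name
                Value      = $value
                Accepted   = -not $isAbsolute
                Reason     = $reason
            }
        }
    }
}

# Constructed web.config: one localized relative entry and one absolute path.
$constructedConfig = @'
<configuration>
  <system.webServer>
    <httpErrors errorMode="Custom">
      <clear />
      <error statusCode="401" prefixLanguageFilePath="myerrorsfolder" path="401.htm" />
      <error statusCode="404" path="C:\inetpub\custerr\Other_Errors.aspx" />
    </httpErrors>
  </system.webServer>
</configuration>
'@

Test-HttpErrorsPath -WebConfig $constructedConfig | Format-Table -AutoSize

# On the IIS server itself, show the server-level switch that controls the rule.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Filter 'system.webServer/httpErrors' `
        -Name 'allowAbsolutePathsWhenDelegated').Value
}
```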


Lab 8: Running both ASP.NET 3.5 and ASP.NET 4.5 Applications

Machines used in this Lab: NODE1

Now that you have explored the setup state of IIS, try running some sample ASP.NET code to confirm that both ASP.NET 3.5 and ASP.NET 4.6 applications can run simultaneously on a single IIS installation.

First, set up a simple ASP.NET 3.5 application on IIS:

1. Open the D:\>Tools>examples.zip file from the provided ISO image.

2. In Windows Explorer on NODE1, navigate to the "wwwroot" directory for your IIS installation. The "wwwroot" directory will be at "c:\inetpub\wwwroot".

3. Copy the folder "example35" from "examples.zip", and paste it into the directory "c:\inetpub\wwwroot". When you are done the directory structure should look like the following:

4. The newly created "example35" folder needs to be configured as an ASP.NET 3.5 application in the IIS Manager. Go back to the IIS Manager window, click on the Default Web Site node, and select Refresh. The treeview of child nodes under the Default Web Site now shows the "example35" folder:


5. Right-click the example35 folder and select Convert to Application:

6. The Add Application dialog will pop up. By default all directories within Default Web Site are part of the application pool called DefaultAppPool. This means that newly created folders containing ASP.NET run as ASP.NET 4.5 applications by default.


7. Since we want to run the example35 folder as an ASP.NET 3.5 application, the application pool needs to be changed. Click Select, and the Select Application Pool dialog pops up. Change the application pool to .NET v2.0 as shown below:

8. Click the OK button to accept the application pool change, and then click OK again to commit the changes to IIS. The IIS Manager window appears again. In the treeview showing "Default Web Site", the icon for "example35" is changed to indicate it is now a separate ASP.NET application.


9. At this point start an instance of Internet Explorer and navigate to the following URL: http://localhost/example35

After a short pause the application displays a list of .NET Framework features supported in this application.

10. In Windows Explorer, if you navigate to the "c:\inetpub\wwwroot\example35" directory, you can use Notepad to look at the code for "default.aspx" and the information in "web.config". For example, the contents of web.config include directives that configure the .NET Framework compilers to run in "3.5" mode. The .NET Framework code in "default.aspx" demonstrates some C# constructs that were introduced in .NET 3.5, specifically LINQ-to-Object queries.

Configure it to use .NET 4.5

1. Go back to the Windows Explorer window that has the .zip file "examples.zip" open.

2. Open up the contents of the "example45" folder.

3. In the second Windows Explorer window that you have open, navigate to

"c:\inetpub\wwwroot".

4. Copy the "default.aspx" file from the .zip file and paste it directly into "c:\inetpub\wwwroot". The folder contents for "c:\inetpub\wwwroot" should now look like:


5. Now go back to Internet Explorer and navigate to the following URL: http://localhost/default.aspx

After a short pause, a second application pool will start running an ASP.NET 4.5 application for the "Default Web Site". The browser once again displays a list of .NET Framework features supported in this application, with a new entry at the end of the list for dynamically typed variables (i.e. the dynamic keyword introduced in .NET 4.0/4.5). Notice that unlike the "example35" application, which required special web.config entries, no web.config file was required to configure and run the "default.aspx" page in the "Default Web Site". This is because .NET Framework 4.5 is the default .NET Framework used by ASP.NET applications in IIS 8.0, and as a result no extra configuration is required.

6. If you use Notepad to open the "default.aspx" page that you just copied, you will also see a few changes compared to the version in the "example35" directory. There are no namespace directives at the top of the page since the .NET Framework 4.5 is the default on IIS 8.0. The code on the page demonstrates using a dynamic variable, which is a compiler concept introduced in .NET 4.0/4.5.


Lab 9: Configuring ASP.NET Settings for development

Machines used in this Lab: DC, WEBA

ASP.NET Connection Strings

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane, expand Sites | Default Web Site and then click SalesSupport.

2. In the Details pane, double-click Connection Strings.

3. In the Actions pane, click Add.

4. The Add Connection String dialog box appears. In the Name field, type Local Resources.

5. Click Custom.

6. In the Custom field delete the existing text and then type data source=.\SQLEXPRESS;AttachDbFileName=d:\resources.mdf;IntegratedSecurity=True and click OK.

Configure ASP.NET Session State settings to rename the cookie to SalesSupport

1. In the Connections pane, click SalesSupport.

2. In the Details pane, double-click Session State.

3. In the Cookie Settings section, in the Name field, delete the existing text and then type SalesSupport_SessionID.

4. In the Actions pane, click Apply.

Add a custom control: CQURE. TestControls Version=1.0.0.0

1. In the Connections pane, click SalesSupport.

2. In the Details pane, double-click Pages and Controls.

3. In the Actions pane, click Register Controls.

4. Click Add Custom Control.

5. The Add Custom Control dialog box appears. In the Tag prefix field type CQURE.

6. In the Namespace field, type TestControls.

7. In the Assembly field, type Version=1.0.0.0.

8. Click OK.

Add application settings at site and application levels


1. Open Internet Explorer.

2. The Internet Explorer window opens. Browse to http://localhost/salessupport/test.aspx.

3. The Connect to localhost dialog box appears. In the User name field, type Alisa.

4. In the Password field, type P@ssw0rd and then click OK.

5. Notice that the Raccoons Bank Sales Application Settings Test Page opens. It should report “No Application Settings defined.”

6. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.

7. In the Details pane, double-click Application Settings.

8. In the Actions pane, click Add.

9. The Add Application Setting dialog box appears. In the Name field, type DefaultLocation.

10. In the Value field, type New York. Click OK.

11. In Internet Explorer, click the Refresh button. Notice that it now reports “DefaultLocation = New York”.

12. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport.

13. In the Details pane, double-click Application Settings. Notice in the details pane that DefaultLocation is inherited.

14. In the Actions pane, click Add.

15. The Add Application Setting dialog appears. In the Name field, type debug_mode.

16. In the Value field, type true. Click OK.

12. In Internet Explorer, click the Refresh button. Notice that it now reports “DefaultLocation = New York” and “debug_mode = true”.

Question: How might the application settings be used in real world Web applications?

Answer: The application can customize content or actions based on the settings. This gives flexibility to the Administrator to customize the application at deployment time.

In order to proceed to the next Lab don't revert machines.


Lab 10: Configuring Multiple Applications

Machines used in this Lab: DC, WEBA

Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools.

2. In the Actions pane, click Add Application Pool.

3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport. Click OK.

4. In the Actions pane, click Add Application Pool.

5. The Add Application Pool dialog box appears. In the Name field, type SalesSupport_De. Click OK.

6. In the Actions pane, click Add Application Pool.

7. The Add Application Pool dialog box appears. In the Name field, type SalesSupport_Test. Click OK.

8. In the Details pane, notice that SalesSupport, SalesSupport_DE, and SalesSupport_Test appear in the list of application pools.

Create the applications SalesSupport_De and SalesSupport_Test

1. In the Connections pane, click Default Web Site.

2. In the Actions pane, click View Applications.

3. Click Add Application.

4. The Add Application dialog box appears. In the Alias field, type SalesSupport_De.

5. Next to the Physical path field, click the Browse (…) button.

6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.

7. Type SalesSupport_De and then click OK twice.

8. Click Add Application.

9. The Add Application dialog box appears. In the Alias field, type SalesSupport_Test.

10. Next to the Physical path field, click the Browse (…) button.


11. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.

12. Type SalesSupport_Test and then click OK twice.

13. In the Details pane, notice that SalesSupport, SalesSupport_DE, and SalesSupport_Test appear in the list of applications.

Use XCopy to deploy the files

1. Open Command Prompt.

2. Type cd c:\inetpub\wwwroot and then press Enter.

3. Type xcopy /e SalesSupport\*.* SalesSupport_De and then press Enter.

4. Type dir SalesSupport_De and then press Enter to confirm that the files were copied.

5. Type xcopy /e SalesSupport\*.* SalesSupport_Test and then press Enter. Shortcut: Press Up Arrow twice, and then Backspace and change the last few characters of the previous command line to _Test, and then press Enter.

6. Type dir SalesSupport_Test and then press Enter to confirm that the files were copied.

Assign the applications to the appropriate application pools

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.

2. In the Actions pane, click View Applications.

3. In the Details pane, click SalesSupport.

4. In the Actions pane on the right, click Basic Settings.

5. The Edit Application dialog box appears. Click Select.

6. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport, and then click OK twice.

7. In the Details pane, click SalesSupport_De.

8. In the Actions pane, click Basic Settings.

9. The Edit Application dialog box appears. Click Select.

10. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport_De, and then click OK twice.

11. In the Details pane, click SalesSupport_Test.


12. In the Actions pane, click Basic Settings.

13. The Edit Application dialog box appears. Click Select.

14. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport_Test, and then click OK twice.

15. In the Connections pane, click SalesSupport_De.

16. In the Details pane, double-click Authentication.

17. Click Anonymous Authentication.

18. In the Actions pane, click Disable.

19. In the Details pane, click Basic Authentication.

20. In the Actions pane, click Enable.

21. Click Edit.

22. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type CQURE.

23. Click OK.

24. In the Connections pane, click SalesSupport_Test.

25. In the Details pane, double-click Authentication.

26. Click Anonymous Authentication.

27. In the Actions pane, click Disable.

28. In the Details pane, click Basic Authentication.

29. In the Actions pane, click Enable.

30. Click Edit.

31. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type CQURE.

32. Click OK.

Configure production application pool recycling for unlimited requests

1. In the Connections pane, click Application Pools.

2. In the Details pane, click SalesSupport.

3. In the Actions pane, click Recycling.

4. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular time intervals check box, and then click Next.

5. Click Finish.


6. In the Details pane, click SalesSupport_De.

7. In the Actions pane, click Recycling.

8. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular time intervals check box, and then click Next. Click Finish.

Configure the application pool to record recycled events

1. In the Details pane, click SalesSupport_Test.

2. In the Actions pane, click Recycling.

3. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number of requests.

4. In the Fixed number of requests field, type 1024 and then click Next.

5. On the Recycling Events to Log page, select Number of requests, On-demand, and Configuration changes.

6. Click Finish.

Configure .NET compilation debug setting to False

1. In the Connections pane, click SalesSupport.

2. In the Details pane, double-click .NET Compilation.

3. Under Behavior, in the Debug list, click False.

4. In the Actions pane, click Apply.

Question: What is the advantage of disabling the debug setting in .NET compilation?

Answer: The compiled code will be smaller and faster without debug code. It is a good idea to use this setting when an application is fully tested and deployed to final production.

Configure application globalization settings for Germany

1. In the Connections pane, click SalesSupport_De.

2. In the Details pane, double-click .NET Globalization.

3. In the Culture list, click German (Germany) (de-DE).

4. In the UI Culture list, click German (Germany) (de-DE).

5. In the Actions pane, click Apply.

6. Open Internet Explorer.


7. The Windows Internet Explorer window opens. Browse to

http://localhost/salessupport.

8. The Connect to localhost dialog box appears. In the User name field, type Alisa.

9. In the Password field, type P@ssw0rd and then click OK.

10. Open a second tab in Internet Explorer and then browse to

http://localhost/salessupport_test.

11. Open a third tab and then browse to http://localhost/salessupport_de.

12. Right-click the notification area and then click Task Manager.

13. The Task Manager window opens. Click the Processes tab.

14. Under the Image Name column, notice that there are at least three instances of

w3wp.exe running, indicating at least three separate application pools. Close Task

Manager.

15. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx. Notice

that the date is now in dd.mm.yyyy format, the cultural default for Germany.

In order to proceed to the next Lab don't revert machines.

Lab 11: ASP.NET Security

Machines used in this Lab: DC, WEBA

Set the machine key

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections

pane, click SalesSupport_De.

2. In the Details pane, double-click Machine Key.

3. In the Actions pane, click Generate Keys.

4. Click Apply.

Configure the SalesSupport_Test site for medium trust level

1. In the Connections pane, click SalesSupport_Test.

2. In the Details pane, double-click .NET Trust Levels.

3. In the Trust level list, click Medium (web_mediumtrust.config).

4. In the Actions pane, click Apply.

Configure File and Folder security

1. In the Connections pane, click SalesSupport.

2. In the Details pane, click the Content View tab at the bottom of the window. Click

test.aspx.

3. In the Actions pane, click Edit Permissions.

4. The test.aspx Properties dialog box appears. Click the Security tab.

5. Click Advanced.

6. The Advanced Security Settings for test.aspx dialog box appears. Click Edit.

7. Disable inheritance.

8. The Windows Security dialog box appears asking if you want to copy the inherited

permissions. Use the ones that you had but remove Users.

9. Click Users (WEBA\Users), and then click Remove.

10. Click Add.

11. The Select User, Computer, or Group dialog box appears. In the Enter the object

name to select field, type Network Service. Note that since we have removed Users,

we need to specifically allow the Network Service account. Note that SalesSupport

application pool must be running under the Network Service account with pass-

through authentication as well!

12. Click Check Names, and then click OK.

13. The Permission Entry for test.aspx dialog box appears. In the Permissions section,

next to Full control, select Allow. Click OK. Click Add.

14. The Select User, Computer, or Group dialog box appears. In the Enter the object

name to select field, type ITAdminsGG.

15. Click Check Names, and then click OK.

16. The Permission Entry for test.aspx dialog box appears. In the Permissions section,

next to Full control, select Allow.

17. Click OK four times.

18. In Internet Explorer, browse to http://localhost/salessupport/test.aspx.

19. The Connect to localhost dialog box appears. In the User name field, type Alisa.

20. In the Password field, type P@ssw0rd and then click OK.

21. Click OK two more times. Notice that Alisa no longer has access to test.aspx.

22. Click the Refresh button.

23. The Connect to localhost dialog box appears. In the User name field, type Gina. Note

that Gina is a member of the ITAdminsGG security group.

24. In the Password field, type P@ssw0rd and then click OK.

25. Notice that Gina has access to the page.

26. Close Internet Explorer.

In order to proceed to the next Lab don't revert machines.

Lab 12: Tracing and Logging for ASP.NET

1. On WEBA in Server Manager, in the console pane, expand Roles and then click Web

Server (IIS).

2. Right click Web Server (IIS), and then click Add Role Services.

3. The Add Role Services dialog box appears. Select Health and Diagnostics to select

all of the Health and Diagnostics services.

4. Click Next, and then click Install.

5. When the installation completes, click Close.

6. Open Notepad and then press Enter.

7. The Notepad window opens. On the File menu, click Open.

8. The Open dialog box appears. In the Text Documents list, click All Files.

9. Browse to C:\inetpub\wwwroot\SalesSupport_Test.

10. Click test.aspx, and then click Open.

11. In the first line of the file, modify the trace="false" attribute to read trace="true" so

that the line reads:

<%@ Page Language="C#" trace="true" %>

12. On the fifth line of the file, type This message should appear between the double

quotes, so that the line reads:

Response.Write("This message should appear");

Question: How would an application use tracing?

Answer: A developer can add trace commands to the Web application code to record

information that can be used for debugging and monitoring. The Administrator has the

ability to enable or disable tracing as needed.

13. On the File menu, click Save.

14. Close Notepad.

15. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.

16. If the Connect to localhost dialog box appears, in the User name field, type Gina.

17. In the Password field, type P@ssw0rd and then click OK.

18. Notice that "This message should appear" is displayed at the top of the page.

19. Scroll down and notice that the trace information appears at the bottom of the page.

20. In the Trace Information section, the next to last lines contain the trace messages

from the test.aspx file. Notice that the warning message is red.

19. Close Internet Explorer.

20. In Internet Information Services (IIS) Manager, in the Connections pane, click

Default Web Site.

21. In the Actions pane, click Failed Request Tracing. If Failed Request Tracing does not

appear, close and reopen IIS Manager for the added Health and Diagnostics features

to appear.

21. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select

Enable, and then click OK.

22. In the Details pane, double-click Failed Request Tracing Rules.

23. In the Actions pane, click Add.

24. The Add Failed Request Tracing Rule wizard appears. On the Specify Content to

Trace page, click ASP.NET (*.aspx), and then click Next.

25. On the Define Trace Conditions page, in the Status code(s) field, type 200 and then

click Next.

26. On the Select Trace Providers page, under Providers, clear all check boxes except

ASPNET.

27. Click ASPNET.

28. Under Areas, clear all check boxes except Page.

29. Under Verbosity, notice that it is set to Verbose.

30. Click Finish.

31. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.

32. If the Connect to localhost dialog box appears, in the User name field, type Gina.

33. In the Password field, type P@ssw0rd and then click OK.

34. Press CTRL + O.

35. The Open dialog box appears. Click Browse.

36. Browse to C:\inetpub\logs\FailedReqLogFiles\W3SVC1.

37. In the HTML Files list, click All Files.

38. If there is more than one, click the most recent fr######.xml file, and then click Open.

Click OK.

39. The failed request log opens. Notice in the Request Summary section the details of

the request: AppPool is SalesSupport_Test, Authentication is Basic, User from token is

CQURE\Gina.

40. In the Errors and Warnings section, click Expand All.

41. Notice that the warning “This is a warning.” appears.

In order to proceed to the next Lab don't revert machines.

Lab 13: Request Filtering

1. On WEBA in Internet Explorer, browse to http://localhost/. Notice that the IIS

graphics appear and IIS Welcome page appears.

2. Close Internet Explorer.

3. Open Notepad and then press Enter.

4. The Notepad window opens. On the File menu click Open.

5. The Open dialog box appears. In the Text Documents list, click All Files.

6. Browse to C:\inetpub\wwwroot.

7. Click web.config, and then click Open.

8. After the sixth line, <system.webServer>, press Enter and then add the following

security section:

<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="false">
      <add fileExtension=".aspx" allowed="true" />
    </fileExtensions>
  </requestFiltering>
</security>

Question: How could you disable only certain extensions, such as .MP3 and .WMA?

Answer: Set the allowUnlisted property to “true”. Add the unallowed file extensions and set

their allowed properties to “false”.

9. On the File menu, click Save. Close Notepad.

10. Open Internet Explorer.

11. Internet Explorer window opens. Browse to http://localhost/iis-8.png.

12. Notice that HTTP Error 404.7 appears. Detailed error messaging states that “The

request filtering module is configured to deny the file extension”.

13. Browse to http://localhost/iisstart.htm.

14. Notice the same error.

15. Open Command Prompt.

16. Type cd \inetpub\wwwroot and then press Enter.

17. Type copy iisstart.htm *.aspx and then press Enter.

18. Type dir, and then press Enter and notice that the file was copied to iisstart.aspx.

19. In Internet Explorer, browse to http://localhost/iisstart.aspx.

20. Notice that the page with the aspx extension loads without error but the image still

does not display.

In order to proceed to the next Lab revert WEBA to default state.
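
The allow-list behaviour observed in this lab and the deny-list variant from the Question/Answer can be compared offline with the following added example (not part of the original lab files). Both web.config strings are constructed, the function names are hypothetical, and requests without a file extension are reported as "no-extension" rather than modelled.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the allow-list section added in step 8.
ALLOW_LIST = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="false">
    <add fileExtension=".aspx" allowed="true" />
  </fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed deny-list variant from the Question/Answer (.mp3 and .wma blocked).
DENY_LIST = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".mp3" allowed="false" />
    <add fileExtension=".wma" allowed="false" />
  </fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""


def load_rules(web_config_xml):
    """Return (allow_unlisted, {extension: allowed}) from a web.config string."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("fileExtensions"), None)
    if node is None:
        return True, {}  # no fileExtensions section: nothing filtered by extension
    allow_unlisted = node.get("allowUnlisted", "true").lower() == "true"
    rules = {}
    for entry in node.findall("add"):
        # Assumption: extensions are compared case-insensitively.
        rules[entry.get("fileExtension").lower()] = (
            entry.get("allowed", "true").lower() == "true"
        )
    return allow_unlisted, rules


def decide(url, web_config_xml):
    """Return 'allowed', '404.7' (denied extension) or 'no-extension'."""
    allow_unlisted, rules = load_rules(web_config_xml)
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if not ext:
        return "no-extension"  # extensionless requests are not modelled here
    # A listed extension uses its own 'allowed' flag; anything else falls
    # back to allowUnlisted.
    return "allowed" if rules.get(ext, allow_unlisted) else "404.7"


def report(urls, web_config_xml):
    """Evaluate several URLs against one configuration."""
    return {url: decide(url, web_config_xml) for url in urls}


if __name__ == "__main__":
    lab_urls = [
        "http://localhost/iis-8.png",
        "http://localhost/iisstart.htm",
        "http://localhost/iisstart.aspx",
    ]
    for name, cfg in (("allow-list", ALLOW_LIST), ("deny-list", DENY_LIST)):
        print(name, report(lab_urls + ["http://localhost/song.mp3"], cfg))
```

The allow-list result also explains step 20: the page itself is served, but the separate request for the .png image is still refused.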

Lab 14: IIS Modules

Machines used in this Lab: DC, WEBB

Start the WEBB virtual machine and log on as CQURE\Administrator

Backup the current Web server configuration.

1. On WEBB, if Server Manager opens, Close the Server Manager and open Command

Prompt.

2. Type cd c:\windows\system32\inetsrv\ and then press Enter.

3. Type appcmd add backup original and then press Enter.

4. Notice that the AppCmd completes the backup and reports BACKUP object "original"

added.

Question: When using the appcmd add backup command, where are the backup

configuration files placed?

Answer: In a new folder, in the C:\Windows\System32\inetsrv\backup\ folder.

Examine the modules currently installed on the Web server

1. Open Internet Information Services (IIS) Manager.

2. In the Connections pane, click WEBB.

3. In the Details pane, in the Group by list, click Category.

4. In the Details pane, in the Server Components section, double-click Modules.

5. In the Group by list, click Module Type.

6. Notice that the DefaultDocumentModule and the DirectoryListingModule entries

are listed in the Native Modules section.

Question: What do the DefaultDocumentModule and DirectoryListingModules do?

Answer: The DefaultDocumentModule offers the functionality of offering the Web browser a

default file when a specified folder or directory is specified by the URL. The

DirectoryListingModule will supply the Web client with a list of the folder contents, when a

folder or directory is specified by the URL.

Remove the Default Document Module and the Directory Listing Module

1. In the Connections pane, expand WEBB | Sites, and then click Default Web Site.

2. In the Actions pane, click Browse *:80(http).

3. Internet Explorer window opens. Notice that the page opens as expected.

4. Open | Computer and then browse to C:\windows\system32\inetsrv\config\.

5. In the Details pane, double-click applicationHost.config.

6. The Notepad window opens. Find the <globalModules> section.

7. Delete the DefaultDocumentModule and the DirectoryListingModule entries from

within the <globalModules> tag by deleting these two lines:

<add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />

<add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />

8. Scroll down to the bottom of the file and find the <system.webServer> section.

9. Delete the references to the DefaultDocumentModule and the

DirectoryListingModule from within the <handlers accessPolicy="Read, Script"> tag

by replacing:

<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />

With the line:

<add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />

10. Delete the DefaultDocumentModule and the DirectoryListingModule entries from

within the <modules> tag. Delete the two lines:

<add name="DefaultDocumentModule" lockItem="true" />

<add name="DirectoryListingModule" lockItem="true" />

11. On the File menu, click Save.

12. Close Notepad.
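
Steps 7, 9 and 10 edit three sections that must stay consistent with each other. The following added example (not part of the original lab files) applies the same removal to a constructed applicationHost.config fragment and reports references to native modules that are no longer registered in <globalModules>; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

LAB_MODULES = ["DefaultDocumentModule", "DirectoryListingModule"]

# Constructed fragment shaped like the sections the lab edits.
SAMPLE = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" lockItem="true" />
      <add name="DefaultDocumentModule" lockItem="true" />
      <add name="DirectoryListingModule" lockItem="true" />
      <add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
    </modules>
    <handlers accessPolicy="Read, Script">
      <add name="StaticFile" path="*" verb="*"
           modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>"""


def _module_list(handler):
    """Split a handler's comma-separated modules attribute."""
    return [m.strip() for m in handler.get("modules", "").split(",") if m.strip()]


def handler_modules(config_xml, handler_name):
    """Return the module list of one handler mapping."""
    root = ET.fromstring(config_xml)
    for section in root.iter("handlers"):
        for handler in section.findall("add"):
            if handler.get("name") == handler_name:
                return _module_list(handler)
    return []


def find_dangling(config_xml):
    """List (section, entry, module) references to unregistered native modules."""
    root = ET.fromstring(config_xml)
    registered = {a.get("name") for s in root.iter("globalModules")
                  for a in s.findall("add")}
    problems = []
    for section in root.iter("modules"):
        for entry in section.findall("add"):
            # Entries with a type attribute are managed modules and are not
            # expected in <globalModules>.
            if entry.get("type") is None and entry.get("name") not in registered:
                problems.append(("modules", entry.get("name"), entry.get("name")))
    for section in root.iter("handlers"):
        for handler in section.findall("add"):
            for module in _module_list(handler):
                if module not in registered:
                    problems.append(("handlers", handler.get("name"), module))
    return problems


def remove_modules(config_xml, names,
                   sections=("globalModules", "modules", "handlers")):
    """Apply the lab's deletions to the chosen sections and return new XML."""
    root = ET.fromstring(config_xml)
    names = set(names)
    for tag in ("globalModules", "modules"):
        if tag in sections:
            for section in root.iter(tag):
                for entry in list(section.findall("add")):
                    if entry.get("name") in names:
                        section.remove(entry)
    if "handlers" in sections:
        for section in root.iter("handlers"):
            for handler in section.findall("add"):
                kept = [m for m in _module_list(handler) if m not in names]
                handler.set("modules", ",".join(kept))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    partial = remove_modules(SAMPLE, LAB_MODULES, sections=("globalModules",))
    print("only step 7 applied:", find_dangling(partial))
    print("steps 7, 9, 10 applied:", find_dangling(remove_modules(SAMPLE, LAB_MODULES)))
```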

Validate that the modules have been removed

1. In Internet Information Services (IIS) Manager, in the Connections pane, click

WEBB.

2. In the Details pane, in the Server Components section, double-click Modules.

3. In the Native Modules section, notice that the DefaultDocumentModule and the

DirectoryListingModule entries are gone.

4. In Internet Explorer, click the Refresh button. Notice that the Web page is now blank,

even though Internet Explorer indicates that it is done loading.

5. In Internet Explorer, browse to http://localhost/default.aspx. Notice that the Web

page loads after you specify the default document.

Question: Why did the Web page get restored after the file name, default.aspx was added to

the URL?

Answer: The Web server is still completely operational, but no longer offers default

documents or directory browsing. So if a full URL is specified, complete with a file name, then

the Web server will return that file to the Web client, if available.

Restore the modules to the Web server configuration

1. In the Command Prompt, type appcmd restore backup original and then press

Enter.

2. Notice that the AppCmd completes the restore and reports that the original

configuration has been restored.

Question: After the AppCmd completes the restore, where does it restore the configuration files

to?

Answer: The files are restored to the C:\Windows\System32\inetsrv\config folder.

Validate that the modules have been restored

1. Use IE to browse to http://localhost/, and then click Refresh.

2. Notice that the page once again loads properly from the default document. Close

Internet Explorer.

In order to proceed to the next Lab don’t revert machines.

Lab 15: Configuring Managed Modules

Machines used in this Lab: DC, WEBB

Install the logging managed module on WEBB

1. In Windows Explorer, browse to C:\inetpub\.

2. Right-click inetpub, and then click New | Folder.

3. Type logging_module and then press Enter.

4. Browse to the course labfiles. In the properties of WEBB VM select Media choose

DVD and mount ISO_IIS8_Labfiles.iso

5. In Windows Explorer, browse to DVD

Drive>AllFiles>Step4\Labfiles>logging_module.

6. Select all, then right-click and then click Copy.

7. Browse to C:\inetpub\logging_module, right-click, and then click Paste.

8. Browse to C:\inetpub\logging_module\logs\.

9. Right-click logs, and then click Properties.

10. The logs Properties dialog box appears. Click the Security tab. Click Edit.

11. The Permissions for logs dialog box appears. In the Group or user names section,

click Users (WEBB\Users).

12. In the Permissions for Users box, next to Modify, select Allow. Click OK twice.

13. In Internet Information Services (IIS) Manager, in the Connections pane, click

Sites.

14. In the Actions pane, click Add Web Site.

15. The Add Web Site dialog box appears. In the Site name field, type logging_module.

16. In the Physical path field, type C:\inetpub\logging_module.

17. In the Port field, type 8181. Click OK.

Confirm the installation of the logging managed module

1. In the Actions pane, click Browse *:8181 (http).

2. Internet Explorer window opens. Click Go on to Second Page.

3. Notice that the second page loads. Close Internet Explorer.

4. In Internet Information Services (IIS) Manager, in the Connections pane, click

logging_module.

5. In the details pane, in the Server Components section, double-click Modules.

6. In the Managed Modules section, click Logger.

7. In the Actions pane, click Edit.

8. The Edit Managed Module dialog box appears. Notice that the type is listed as

HttpLogger.

9. Click Cancel.

10. In Windows Explorer, browse to C:\inetpub\logging_module\logs.

11. Double-click [yyyymmdd].txt.

12. The Notepad window opens. Notice the log entries for

http://localhost:8181/default.aspx and http://localhost:8181/second_page.htm.

13. Close Notepad.

Question: Why do the log file entries have the numbers 8181 listed?

Answer: The logging module records the complete URL of the requested Web site files. The

logging_module web site was configured to use port number 8181, which is a secondary

Web site port.

Test the Web site forms authentication functionality

1. In Internet Information Services (IIS) Manager, in the Connections pane, click

Default Web Site.

2. In the Actions pane, click Browse *:80 (http).

3. Internet Explorer window opens. Click Shared Documents.

4. In the Email field, type [email protected].

5. In the Password field, type P@ssw0rd.

6. Click Login.

7. If you get the AutoComplete Passwords dialog box, click No.

8. Click Confidential Memo. Notice that the image representing the Confidential

Memo appears.

9. Click the Back button. Click Signout. Click Home.

Examine the modules currently running on the Web server

1. In the Internet Information Services (IIS) Manager window, in the Connections

pane, click WEBB.

2. In the details pane, in the Server Components section, double-click Modules.

3. In the Managed Modules section, click OutputCache.

4. In the Actions pane, click Edit.

5. The Edit Managed Module dialog box appears. Notice that the module is configured

properly and is set to run normally. Click Cancel.

Remove the forms authentication managed module

1. In the Connections pane, click Default Web Site.

2. In the details pane, in the Server Components section, double-click Modules.

3. In the Managed Modules section, click Forms Authentication.

4. In the Actions pane, click Remove.

5. The Confirm Remove dialog box appears. Click Yes.

Test the new configuration

1. In the Internet Explorer window, click Shared Documents. Notice that you now get

an Access is denied error message, indicating that the logon failed because the forms

authentication module has been removed.

Question: Why is the Access denied error message displayed at this point?

Answer: The Access is denied error message indicates that the logon failed because the

forms authentication module has been removed.

In order to proceed to the next Lab revert WEBB to default state.

Lab 16: Securing the IIS Web Server and Web Sites

Machines used in this Lab: DC, WEBB

Start the WEBB virtual machine and log on as CQURE\Administrator.

Create a self-signed server certificate for the Web server

1. On WEBB, Open | Administrative Tools | Internet Information Services (IIS)

Manager.

2. In the Connections pane, click WEBB.

3. In the details pane, in the Group by list, click Category.

4. In the details pane, in the Security section, double-click Server Certificates.

5. In the Actions pane, click Create Self-Signed Certificate.

6. The Create Self-Signed Certificate dialog box appears.

7. In the Specify a friendly name for the certificate field, type WEBB.CQURE.TEC.

8. Click OK. Notice that the new self-signed certificate has been added to the certificate

list.

Question: What are the advantages and disadvantages of using self-signed certificates?

Block IP addresses as specified in the service request

1. In the Connections pane, click WEBB.

2. In the details pane, in the IIS section, double-click IP Address and Domain

Restrictions.

3. In the Actions pane, click Add Deny Entry.

4. The Add Deny Restrictions Rule dialog box appears. In the Specific IPv4 address field,

type 192.168.128.1

5. Click OK.

6. In the Actions pane, click Add Deny Entry.

7. The Add Deny Restrictions Rule dialog box appears.

8. Click IP address range.

9. In the IP address range field, type 192.168.130.0.

10. In the Mask field, type 255.255.255.0.

11. Click OK. Notice that the new IP restrictions have been added to the list.

Question: When would you want to use this feature to block IP addresses?

Answer: An organization may want to block malicious users or restrict access from a certain

domain or location.

Configure ISAPI and CGI Restrictions

1. In the Connections pane, click WEBB.

2. In the details pane, in the IIS section, double-click ISAPI and CGI Restrictions.

Notice that ASP.NET, WebDAV are currently listed.

3. In the Action pane, click Edit Feature Settings.

4. The Edit ISAPI or CGI Restrictions Settings dialog box appears. While it’s not a

recommended practice, you can easily allow unspecified CGI and ISAPI modules. Click

Cancel.

Set the rights and permissions for Active Directory users

1. In Windows Explorer, browse to C:\inetpub\.

2. Right-click wwwroot and then click Properties.

3. The wwwroot Properties dialog box appears. Click the Security tab.

4. Click Edit.

5. The Permissions for wwwroot dialog box appears. Click Add.

6. The Select Users, Computers, or Groups dialog box appears. Click Locations.

7. The Locations dialog box appears. If CQURE.TEC is not already highlighted, then in

the Location tree, click CQURE.TEC.

8. Click OK.

9. In the Enter the object names to select field, type ITAdminsGG and then click Check

Names.

10. Click OK. Notice that the Read & execute, List folder contents, and Read options

are allowed.

11. Click Add.

12. The Select Users, Computers, or Groups dialog box appears. In the Enter the object

names to select field, type Hugo and then click Check Names. Click OK.

13. Next to Full control, select Allow. Click OK.

Test and validate the new configuration

1. In the Group or user names field click ITAdminsGG. Notice that the Read & execute,

List folder contents, and Read options are allowed.

2. In the Group or user names field click Hugo Garcia. Notice that all the options

are allowed.

3. Click OK.

In order to proceed to the next Lab don't revert WEBB.

Lab 17: CPU Throttling: Sand-boxing Sites and

Applications

Machines used in this Lab: DC, WEBB

Problem: In a multi-tenanted deployment, such as a shared hosting environment, it is

important to create a sand-box for each tenant. Without the sand-box, a tenant could

intentionally or unintentionally impact other tenants negatively by accessing other tenants'

contents or by monopolizing resources, such as memory, CPU, and bandwidth.

Solution: On Internet Information Services (IIS) on Windows Server 2012, the sand-box is

scoped to an IIS application pool. It offers a security boundary at the Windows process

level by running each tenant under a separate user identity, and the resource limitations are also

enforced at the process level.

On Windows Server 2012, IIS CPU Throttling feature enables customers to truly limit how

much CPU each tenant can consume as a percentage of CPU. Furthermore, this feature is

configurable per IIS application pool, which means each tenant could have different limits,

which can lead to a new business model in which tenants can pay more for higher limits.

It is important to clarify that IIS CPU Throttling is not a reservation of a CPU resource. Rather

it is a way to limit the maximum usage.

Step by Step Instructions:

Prerequisites:

IIS is installed on Windows Server.

o IIS CPU Throttling is part of IIS application pool configuration. Therefore,

a default install of IIS will have this feature installed. There is no specific IIS

feature that needs to be installed from Server Manager.

There is at least one site with a corresponding IIS application pool.

o Default Web Site and DefaultAppPool can be used for this exercise.

o Copy from the labfiles DVD Drive>Tools>CPUThrottlingTest to

inetpub/wwwroot/CPUThrottlingTest

o Create Application CPUThrottlingTest with application pool (might be

DefaultAppPool) using .NET 4.5

o ASP.NET must be installed, default.aspx must be on the list with Default

Documents.

Configure CPU Throttling

1. On WEBB Open IIS Manager.

2. Select Application Pools in the left navigation window:

3. Select DefaultAppPool:

4. In the Action pane, select Advanced Settings:

5. Under CPU group, locate the following configurations:

o Limit: Indicates the maximum CPU usage (in 1000th of a percent) for this

application pool. If there are multiple processes associated to this application

pool, the limit is applied to the total sum of all processes under this

application pool.

o LimitAction: Indicates what action to take when the Limit value above is reached.

For Windows Server 8, new actions, Throttle and ThrottleUnderLoad

have been added:

Throttle: The feature will throttle the CPU consumption to the value

set for Limit.

ThrottleUnderLoad: The feature will throttle the CPU consumption to

the value set for Limit, but only if there is a contention on the CPU.

This means that the application pool may consume more CPU activity

when the CPU is idle.

o LimitInterval: Not used for either Throttle or ThrottleUnderLoad. This

configuration attribute is carried over from previous versions of Windows for

backward compatibility.

6. Run application in the web browser (localhost/CPUThrottlingTest). Open Task

Manager or Process Monitor and verify the CPU load based on w3wp.exe

7. In the Application Pool properties, to set the maximum limit of 20%, enter:

a. Limit: 20000 (20% in 1000th of a percent)

b. LimitAction: Throttle

8. Verify the dependency of Limit setting and the CPU usage for w3wp.exe process.

9. Note that the configuration settings in question can be set as default values so that

they don't have to be configured individually per application pool. To configure the

application pool defaults, select Set Application Pool Defaults under Actions pane:

10. The same settings are exposed there to configure the application pool defaults:

11. Remove the application so that it does not disturb other exercises.

Usage Scenarios

IIS CPU Throttling feature is designed for a multi-tenanted environment. Try these

settings in an environment where there are thousands of sites and applications, like a

shared hosting deployment.

Set different limits for different "groups" of tenants to simulate those customers who

are allowed to consume more CPU resources than others.

Set ThrottleUnderLoad as LimitAction to observe the behavior. It functions like

Throttle, if there are contentions on the CPU. If there aren't any contentions on the

CPU, the application pool is allowed to use more CPU resources than the value set for

Limit.

Create a sand-box with memory and bandwidth limits, along with IIS CPU Throttling

feature on Windows Server 2012. Memory and bandwidth limits are not discussed

specifically in this documentation because these features exist on Windows Server

2008 and Windows Server 2008 R2.

Summary

You have successfully explored IIS CPU Throttling feature in Windows Server.
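
In a shared hosting setup it is worth checking which application pools actually end up throttled once per-pool settings and the application pool defaults from steps 9 and 10 are combined. The following added example (not part of the original lab files) computes the effective Limit and LimitAction per pool from a constructed applicationPools fragment; the pool names other than DefaultAppPool and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Actions described in this lab that actually cap CPU consumption.
THROTTLING_ACTIONS = {"Throttle", "ThrottleUnderLoad"}

# Values used when neither the pool nor applicationPoolDefaults sets the
# attribute: a limit of 0 means no CPU limiting.
SCHEMA_DEFAULTS = {"limit": "0", "action": "NoAction"}

# Constructed fragment shaped like the applicationPools section of
# applicationHost.config. Limits are in 1/1000 of a percent (20000 = 20%).
POOLS_SAMPLE = """<configuration><system.applicationHost>
  <applicationPools>
    <add name="DefaultAppPool"><cpu limit="20000" action="Throttle" /></add>
    <add name="TenantB" />
    <add name="TenantC"><cpu limit="30000" /></add>
    <add name="TenantD"><cpu limit="0" /></add>
    <add name="TenantE"><cpu limit="50000" action="NoAction" /></add>
    <applicationPoolDefaults>
      <cpu limit="10000" action="Throttle" />
    </applicationPoolDefaults>
  </applicationPools>
</system.applicationHost></configuration>"""


def _overlay(base, cpu_element):
    """Return base with limit/action overridden by a <cpu> element, if any."""
    merged = dict(base)
    if cpu_element is not None:
        for key in merged:
            if key in cpu_element.attrib:
                merged[key] = cpu_element.attrib[key]
    return merged


def effective_cpu(config_xml):
    """Map pool name -> (limit in percent, action) after applying defaults."""
    root = ET.fromstring(config_xml)
    pools = next(root.iter("applicationPools"), None)
    if pools is None:
        return {}
    defaults = _overlay(SCHEMA_DEFAULTS, pools.find("applicationPoolDefaults/cpu"))
    result = {}
    for pool in pools.findall("add"):
        attrs = _overlay(defaults, pool.find("cpu"))
        result[pool.get("name")] = (int(attrs["limit"]) / 1000, attrs["action"])
    return result


def unthrottled(config_xml):
    """Pools with no limit, or with a limit but no throttling action."""
    return sorted(
        name
        for name, (percent, action) in effective_cpu(config_xml).items()
        if percent == 0 or action not in THROTTLING_ACTIONS
    )


if __name__ == "__main__":
    for name, (percent, action) in effective_cpu(POOLS_SAMPLE).items():
        print(f"{name:15} {percent:5.1f}%  {action}")
    print("not throttled:", unthrottled(POOLS_SAMPLE))
```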

Lab 18: Central certificate store

Machines used in this Lab: DC, WEBB

Preparing file server

1. Switch to DC machine

2. Log on as Administrator

3. Launch cmd.exe

4. Type "md c:\certstore" and press Enter

5. Launch server manager

6. On the upper toolbar click "Manage" and then "Add Roles and Features"

7. Click "Next"

8. Leave the default (Role-based) installation type and click "Next"

9. Leave local server selected and click "Next"

10. Expand "File and Storage Services" then "File and iSCSI Services" and select "File

Server"

11. Click "Next"

12. On the "Features" screen click "Next"

13. Click "Install" and wait until installation finishes and click "Close"

14. In the left pane of the Server Manager click "File and Storage Service" and then

"Shares"

15. Expand the "Tasks..." button and select "New Share..."

16. Select "SMB Share – Quick" and click "Next"

17. Select "Type a custom path"

18. Click "Browse" and select c:\certstore folder

19. Click "Next"

20. Leave default values for share name and click "Next"

21. Leave default share settings and click "Next"

22. Leave default permissions (readonly share permissions) and click "Next"

23. Click "Create" and then "Close"


Copying certificates to central store

1. On DC, attach the provided ISO file: open the properties of the VM, select Media, choose DVD and mount ISO_IIS8_Labfiles.iso

2. In Windows Explorer, browse to DVD Drive>Certs

3. Launch cmd.exe.

4. Go to the Certs folder on the mounted ISO.

5. Type "copy *.pfx c:\certstore" and press Enter. Verify that the files were actually copied.

6. Type "exit" and press Enter to close cmd.exe window.

Trusting your certificates

1. These steps are necessary only if you plan to browse your website from machine

other than DC.

2. Remember that the following steps are necessary because you use self-signed certificates for the lab. In real-life scenarios, certificates are signed by one of the Trusted Root Certification Authorities (TRCA) configured on your machine.

3. Log on as Administrator, launch mmc.exe.

4. Press Ctrl+M and select "Certificates". Click "Add".

5. Select "Computer account". Click "Next" and then "Finish". Click "OK"

6. Navigate to Trusted Root Certification Authorities\Certificates.

7. From the menu select Action -> All Tasks -> Import. Click "Next".

8. Select your certificate from \\dc\certstore and import it. Note that you should change

filetype to "*.pfx" to see your files.

9. Specify P@ssw0rd as certificate password. Note that there is "@" sign in the

password string.

10. Repeat steps 7-9 for all your certificates.

Verifying address resolution

1. Open cmd.exe and try to ping www.cqure.tec

2. If the name is not recognized:

a. Open DNS Management Console and expand "Forward Lookup Zones" and

then "cqure.tec".


b. Right-click the zone and select "New Alias (CNAME)".

c. Type "www" as alias name and "webb.cqure.tec" as FQDN for target host.

d. Click OK.

e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the

name resolution cache.

f. Ping www.cqure.tec and verify if name is resolved correctly.

3. Ping test123.acme.net

4. If the name is not recognized:

a. Open DNS Management Console and on "Forward Lookup Zones" right click

then “New zone”, proceed clicking Next, on zone type leave defaults (primary

zone stored in AD), then Next, in the Zone name type: "acme.net", then Next

and Finish zone creation.

5. Right-click the Acme.net zone and select "New Alias (CNAME)".

a. Type "*" as alias name and "webb.cqure.tec" as FQDN for target host.

b. Click OK

c. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the

name resolution cache.

d. Ping test123.acme.net and verify if name is resolved correctly.

Installing CCS support

1. Switch to WEBB machine and log on as Administrator

2. Launch Server Manager and on the upper toolbar click "Manage" and then "Add

Roles and Features"

3. Click "Next"

4. Leave the default (Role-based) installation type and click "Next"

5. Leave local server selected and click "Next"

6. Expand the "Web Server (IIS)" then "Web Server" and "Security"

7. Select "Centralized SSL Certificate Support". Click "Next"

8. On the "Features" screen click "Next"

9. Click "Install" and wait until installation finishes and click "Close"


Configuring CCS

1. Stay on WEBB machine and launch IIS Manager.

2. In the left pane select your server name.

3. If asked about Web Platform Components, press "No".

4. Double click "Centralized Certificates" under the "Management" in the central pane.

5. Click "Edit Feature Settings" in the right pane.

6. Click "Enable Centralized Certificates".

7. Type the UNC path to a share you created previously – \\dc\certstore.

8. Type username and password. Administrator credentials will work properly but

using dedicated user account is more secure.

9. In the "Certificate Private Key Password" type P@ssw0rd twice. Note that there is "@"

sign in the password string. Click "OK"

10. Verify if certificates from your share appeared in the central pane.

Creating new website

1. Stay on WEBB machine and launch IIS Manager.

2. In the left pane expand your server name and right click "Sites".

3. Select "Add Website" and fill out the dialog box with values:

a. Site name – www.cqure.tec

b. Physical path – c:\inetpub\wwwroot\cqure

c. Type – https

d. Host name – www.cqure.tec

e. Require Server Name Indication – true

f. Use Centralized Certificate Store – true

4. If asked about duplicate :80 binding – click "No"

5. Note that you cannot select certificate and click OK

6. Repeat above steps and create virtual site for www.acme.net

a. Site name – www.acme.net

b. Physical path – c:\inetpub\wwwroot\acme

c. Type – https

d. Host name – www.acme.net


e. Require Server Name Indication – true

f. Use Centralized Certificate Store – true

Testing new website

1. Switch to DC machine

2. Log on as Administrator

3. Launch cmd.exe

4. Type "ping www.cqure.tec" and verify if the IP address was resolved correctly

5. Launch Internet Explorer and navigate to https://www.Cqure.tec

6. If asked – accept the warning caused by self-signed certificate by clicking on

"Continue to this website"

7. Click on the certificate icon and select "View certificates"

8. Verify properties of the certificate used for encrypting data transmission

a. Verify if dates are OK

b. Verify if subject equals to server name (www.Cqure.tec)

c. Verify if certificate is trusted

9. Repeat above steps for https://www.acme.net.

a. What do you observe for certificate subject?


Lab 19: Configuring FTP Protection

Machines used in this Lab: DC, WEBB

FTP Server installation

1. Switch to WEBB machine

2. Log on as Administrator

3. Launch server manager

4. On the upper toolbar click "Manage" and then "Add Role"

5. Click "Next"

6. Leave the default (Role-based) installation type and click "Next"

7. Leave local server selected and click "Next"

8. Expand the "Web Server (IIS)" then "FTP Server"

9. Select "FTP Service"

10. Click "Next"

11. On the "Features" screen click "Next"

12. Click "Install" and wait until installation finishes and click "Close"

FTP Server configuration

1. Launch IIS Manager

2. In the left pane right click your server name and select "Add FTP Site"

3. Fill the dialog box with values:

a. FTP Site Name – FTP1

b. Physical Path – c:\inetpub\ftproot

4. Press "Next"

5. Switch SSL option to "No SSL" and click "Next"

6. Configure options:

a. Authentication – Basic

b. Allow Access to – All Users

c. Permissions – Read

7. Click "Finish"


8. Verify your FTP server by launching cmd.exe and typing ftp 127.0.0.1. If it asks for

username it means that server works properly.

Attacking unprotected FTP server

1. Create a local copy of Brutus utility from ISO

2. Launch BrutusA2.exe utility

3. Set your attack parameters:

a. Target – 127.0.0.1

b. Type – FTP

4. Press "Start"

5. If attack finishes note elapsed time and attempts count.

6. Navigate to c:\inetpub\logs\logfiles\ftpsvc and open the logfile. Try to identify attack

evidence. Note that IIS log files use UTC time not local one.
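One way to find the attack evidence in the FTP log programmatically, as an added example that is not part of the original lab files: it reads the `#Fields` directive, then counts failed `PASS` commands (status 530) per client inside a short window. The log lines are constructed, and the threshold and window values are assumptions chosen for the sample.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the W3C layout used by the IIS FTP service; times are UTC.
SAMPLE_FTP_LOG = r"""#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2016-12-07 10:15:00 192.168.127.2 - 192.168.127.10 21 USER alice 331 0 0 sess-a -
2016-12-07 10:15:02 192.168.127.2 - 192.168.127.10 21 PASS *** 530 1326 41 sess-a -
2016-12-07 10:15:09 192.168.127.2 - 192.168.127.10 21 USER alice 331 0 0 sess-a -
2016-12-07 10:15:11 192.168.127.2 CQURE\alice 192.168.127.10 21 PASS *** 230 0 0 sess-a /
2016-12-07 10:16:00 127.0.0.1 - 127.0.0.1 21 USER admin 331 0 0 sess-b -
2016-12-07 10:16:00 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 sess-b -
2016-12-07 10:16:01 127.0.0.1 - 127.0.0.1 21 USER administrator 331 0 0 sess-b -
2016-12-07 10:16:01 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 sess-b -
2016-12-07 10:16:01 127.0.0.1 - 127.0.0.1 21 USER backup 331 0 0 sess-b -
2016-12-07 10:16:02 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 sess-b -
2016-12-07 10:16:02 127.0.0.1 - 127.0.0.1 21 USER root 331 0 0 sess-b -
2016-12-07 10:16:02 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 sess-b -
2016-12-07 10:16:03 127.0.0.1 - 127.0.0.1 21 USER test 331 0 0 sess-b -
2016-12-07 10:16:03 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 sess-b -
"""


def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) != len(fields):
                continue  # truncated or malformed entry
            rec = dict(zip(fields, values))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield rec


def find_bruteforce(records, threshold=4, window_seconds=30):
    """Return clients with at least `threshold` failed logons inside the window."""
    window = defaultdict(deque)   # client IP -> timestamps of recent failures
    pending_user = {}             # (client IP, session) -> last USER argument
    report = {}
    for rec in records:
        ip, method = rec["c-ip"], rec["cs-method"].upper()
        session = (ip, rec.get("x-session", "-"))
        if method == "USER":
            pending_user[session] = rec["cs-uri-stem"]
        elif method == "PASS" and rec["sc-status"] == "530":
            hits = window[ip]
            hits.append(rec["ts"])
            while (rec["ts"] - hits[0]).total_seconds() > window_seconds:
                hits.popleft()
            entry = report.setdefault(
                ip, {"failures": 0, "usernames": set(), "first_alert_utc": None})
            entry["failures"] += 1
            entry["usernames"].add(pending_user.get(session, "?"))
            if len(hits) >= threshold and entry["first_alert_utc"] is None:
                entry["first_alert_utc"] = rec["ts"]
    return {ip: e for ip, e in report.items() if e["first_alert_utc"] is not None}


if __name__ == "__main__":
    for ip, e in find_bruteforce(parse_w3c(SAMPLE_FTP_LOG)).items():
        print(ip, e["failures"], sorted(e["usernames"]), e["first_alert_utc"], "UTC")
```

The single mistyped password from 192.168.127.2 stays below the threshold, while the rapid run of different usernames from 127.0.0.1 is reported with its first alert time in UTC.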

Protecting your FTP Server

1. Launch IIS Manager

2. In the left pane select your server name

3. Double click "FTP Logon Attempt Restrictions" in the central pane

4. Select "Enable FTP Logon Attempt Restrictions" and change the time period to 120

seconds

5. Leave default values and press "Apply" in the right pane

Attacking protected FTP server

1. Launch BrutusA2.exe utility

2. Set your attack parameters:

a. Target – 127.0.0.1

b. Type – FTP

3. Press "Start"

4. Observe the result of an attack

5. Try to repeat steps you used to verify FTP configuration:

a. Launch cmd.exe

b. Type "ftp 127.0.0.1" and press Enter

c. Could you see the difference?


Lab 20: Authorization, Authentication and Access

Machines used in this Lab: DC, WEBB

Disable IE ESC mode

1. On WEBB, log on as CQURE\Administrator // P@ssw0rd

2. Launch Server Manager and select Local Server in the left pane.

3. Find the IE Enhanced Security Configuration entry in the main pane and switch it to

disabled for admins and users.

Turn off the Web site cache for the shared documents folder

1. On WEBB, in Internet Information Services (IIS) Manager, in the Connections

pane, ensure WEBB > Sites > HR > docs is expanded, and then click shared.

2. In the details pane, in the HTTP Features section, double-click HTTP Response

Headers.

3. In the Actions pane, click Add.

4. The Add Custom HTTP Response Header dialog box appears. In the Name field, type

Cache-Control.

5. In the Value field, type no-cache and then click OK.

Sign into the Raccoons Bank Web site and retrieve the confidential memo

1. In Internet Information Services (IIS) Manager, in the Connections pane, click HR.

2. In the Actions pane, click Browse *:80 (http).

3. The Windows Internet Explorer window opens. Click Shared Documents.

4. In the Email field, type [email protected].

5. In the Password field, type P@ssw0rd.

6. Click Login.

7. If you get the AutoComplete Passwords dialog box, click No.

8. Click Confidential Memo. Notice that the image representing the Confidential

Memo appears.

9. Click the Back button.


10. Click Signout.

Bypass the Web site forms authentication

1. In Internet Explorer, browse to

http://hr.cqure.tec/docs/shared/Raccoons_memo.jpg. Notice that the image

representing the Confidential Memo appears.

Question: Why is the confidential memo being displayed even after the user logs out?

Answer: The Web site and directory are not fully protected by forms authentication.

2. Click the Back button.

Modify the applicationHost.config to unlock the URL Authorization <configSections>

section by changing the override mode default to allow

1. On WEBB in Windows Explorer, browse to C:\windows\system32\inetsrv\config.

2. In the details pane, double-click applicationHost.config. Unlock the URL

Authorization section by changing the override mode default to 'allow'. Do this by

modifying the authorization section indicated on the next step.

3. Find the <configSections> section. Find:

<section name="authorization" overrideModeDefault="Allow" />

And replace it with:

<section name="authorization"
    type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35"
    overrideModeDefault="Allow" />

Modify the applicationHost.config <applicationPools> section to change the Classic

.NET application pool to Integrated mode

1. Change the Classic .NET application pool to Integrated mode by finding the

<applicationPools>

section and replacing:


<add name="Classic .NET AppPool" managedPipelineMode="Classic" />

With:

<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />

Modify the applicationHost.config file to disable all other authentication types except

for anonymous

1. Find the <authentication> section.

2. Append:

enabled="false"

To:

clientCertificateMappingAuthentication, digestAuthentication,

iisClientCertificateMappingAuthentication, and windowsAuthentication

Modify the applicationHost.config file to protect all content by removing the

managedHandler precondition from the <system.webServer> section

1. Remove the preconditions for Forms Authentication and Default Authentication

from the modules section. Do this by finding the <system.webServer> section, and

then modifying the lines indicated on the next steps.

2. Replace:

<add name="FormsAuthentication"

type="System.Web.Security.FormsAuthenticationModule"

preCondition="managedHandler" />

With:

<add name="FormsAuthentication"

type="System.Web.Security.FormsAuthenticationModule" />

3. Replace


<add name="DefaultAuthentication"

type="System.Web.Security.DefaultAuthenticationModule"

preCondition="managedHandler" />

With:

<add name="DefaultAuthentication"

type="System.Web.Security.DefaultAuthenticationModule" />

4. On the File menu, click Save.

5. Close Notepad.
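With preCondition="managedHandler", a managed module runs only for requests served by a managed handler, so a static file such as the .jpg memo never passes through forms authentication. The check below is an added example, not part of the lab files: it audits a modules section for that gap. The XML fragments are constructed, and the function name is hypothetical. It also covers the runAllManagedModulesForAllRequests attribute, which makes managed modules run for every request regardless of the precondition.

```python
import xml.etree.ElementTree as ET

SECURITY_NAMESPACE = "System.Web.Security."

# Constructed fragment: state before the lab's edit (preconditions present).
BEFORE = """<configuration><system.webServer>
  <modules>
    <add name="StaticFileModule" lockItem="true" />
    <add name="FormsAuthentication"
         type="System.Web.Security.FormsAuthenticationModule"
         preCondition="managedHandler" />
    <add name="DefaultAuthentication"
         type="System.Web.Security.DefaultAuthenticationModule"
         preCondition="managedHandler" />
    <add name="Session"
         type="System.Web.SessionState.SessionStateModule"
         preCondition="managedHandler" />
  </modules>
</system.webServer></configuration>"""

# Constructed fragment: state after the lab's edit (preconditions removed
# from the two authentication modules only).
AFTER = """<configuration><system.webServer>
  <modules>
    <add name="StaticFileModule" lockItem="true" />
    <add name="FormsAuthentication"
         type="System.Web.Security.FormsAuthenticationModule" />
    <add name="DefaultAuthentication"
         type="System.Web.Security.DefaultAuthenticationModule" />
    <add name="Session"
         type="System.Web.SessionState.SessionStateModule"
         preCondition="managedHandler" />
  </modules>
</system.webServer></configuration>"""


def static_content_gaps(config_xml):
    """Return managed security modules that are skipped for static content.

    A module is reported when its type lives in System.Web.Security and its
    preCondition list contains managedHandler, unless the enclosing <modules>
    element sets runAllManagedModulesForAllRequests="true".
    """
    root = ET.fromstring(config_xml)
    gaps = []
    for modules in root.iter("modules"):
        run_all = modules.get("runAllManagedModulesForAllRequests", "false")
        if run_all.lower() == "true":
            continue  # precondition is overridden for this section
        for add in modules.findall("add"):
            # The type attribute may carry an assembly name after a comma.
            type_name = add.get("type", "").split(",")[0].strip()
            conditions = [c.strip() for c in add.get("preCondition", "").split(",")]
            if type_name.startswith(SECURITY_NAMESPACE) and "managedHandler" in conditions:
                gaps.append(type_name[len(SECURITY_NAMESPACE):])
    return sorted(gaps)


if __name__ == "__main__":
    print("before:", static_content_gaps(BEFORE))
    print("after: ", static_content_gaps(AFTER))
```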

Reconfigure the authorization and authentication so that the protected content uses

forms authentication

1. In Windows Explorer, browse to D:\AllFiles\Step6\Labfiles\RaccoonsHRSite.

2. In the details pane, double-click Web.Config.

3. The Notepad window opens. Find the <authorization> section.

4. Add the line <allow users="[email protected]" />, above the line <!--<deny users="?" />-->.

5. Remove the commenting brackets from the line <!--<deny users="?" />-->, changing it to <deny users="?" />.

6. On the File menu, click Save.

7. Close Notepad.

8. In Internet Information Services (IIS) Manager, in the Connections pane, click

shared.

9. In the details pane, in the Security section, double-click Authentication.

10. Click Anonymous Authentication.

11. In the Actions pane, click Disable.

Test and validate the new Web site configuration

1. In Internet Explorer, in the Email field, type [email protected].

2. In the Password field, type P@ssw0rd.

3. Click Login.


4. Click Confidential Memo.

5. Click the Back button.

6. Click Signout.

7. In Internet Explorer, browse to

http://hr.cqure.tec/docs/shared/Raccoons_memo.jpg. Notice that you are

redirected to the login page and that proper authentication is now required to access

the Raccoons Memo file.


Lab 21: IIS Hardening

Machines used in this Lab: DC, NODE1

The IIS platform is much bigger than it looks. It has many security features built into the platform itself and many more that are configured in the Web Site settings. In this lab you will configure the security settings for the platform and for the Web Site.

Starting your lab environment

1. Launch DC and wait until it starts, then log on as CQURE\Administrator with password P@ssw0rd

2. Launch NODE1 machine and log on as CQURE\Administrator with password P@ssw0rd

Verifying existing configuration

1. Switch to DC machine

2. Start Internet Explorer

3. Type http://NODE1.CQURE.TEC in the address field and verify if web server on node

1 is working correctly

4. Type https://NODE1.CQURE.TEC in the address field and verify if web server on node 1 is working correctly with SSL (or maybe not)

5. Install the NMAP application and then start NMAP Zenmap GUI from the lab files

ISO>Tools (To mount the ISO go to DC VM properties

Media>DVD>ISO_IIS8_Labfiles.iso).

6. Type NODE1.CQURE.TEC in the target field

7. Select Quick scan as a profile

8. Click Scan

9. Verify open ports

Remove IPv6 bindings

If your server will not serve content to IPv6 clients (which is the most common scenario) you

should remove binding to this protocol.


1. Switch to NODE1

2. Start cmd.exe

3. Type ipconfig and try to identify IPv6 addresses.

4. Type ncpa.cpl

5. Right click Ethernet and select properties

6. Uncheck checkbox next to Internet Protocol Version 6 (TCP/IPv6)

7. Click OK

8. Right click Ethernet and select Disable and then Enable it.

9. Close Network Connections window

10. In the cmd.exe console type ipconfig to verify there are no IPv6 addresses

Configuring firewall

1. Stay on NODE1

2. Start cmd.exe

3. Type wf.msc to launch firewall management console

4. Select Inbound rules from the left pane

5. You may sort rules list by Enabled column for easier identification of enabled rules

6. Disable IPv6 Rule

a. Find Core Networking – IPv6 (IPv6-In) rule

b. Right click it

c. Select Disable from context menu

7. Disable all other rules, leaving only those two enabled:

a. World Wide Web Services (HTTP Traffic-In)

b. World Wide Web Services (HTTPS Traffic-In)

8. Switch to DC machine

9. Start NMAP Zenmap GUI from desktop

10. Type NODE1.CQURE.TEC in the target field

11. Select Quick scan as a profile

12. Click Scan

13. Verify open ports


Encrypting traffic with https

1. Switch to NODE1

2. Launch Internet Information Services (IIS) Manager

3. Select NODE1 from the left pane

4. Double click on Server Certificates

5. Click Create Self-Signed Certificate from the right pane

6. Type NODE1.CQURE.TEC as a friendly name and click OK

7. Expand Sites in the left pane and select Default Web Site

8. Click Bindings… in the right pane. Click Add…

9. Create new binding

a. Type: https

b. IP Address: All Unassigned

c. Port: 443

d. SSL Certificate: NODE1.CQURE.TEC

10. Close site bindings window

11. Switch to DC machine

12. Start Internet Explorer

13. Type https://NODE1.CQURE.TEC in the address field and verify if web server on

node 1 is working correctly with SSL

14. Click Continue to this website

15. Click on the red icon next to the address bar in Internet Explorer

16. Click View certificates

17. Switch to Details tab

a. Is the Subject field valid for this website?

b. Are Valid from and Valid to fields correct?

18. Switch to Certification Path tab

a. Is this certificate trusted?

19. Click OK to close certificate properties window

20. What should change before you use such configuration in production environment?


Removing features

1. Switch to NODE1

2. Close all open windows and applications

3. Start Server Manager

4. Add Roles.

5. Click Remove Role Services in the Web Server (IIS) section

6. Uncheck Directory Browsing – it allows you to browse website directories when you

do not specify document name in the URI and usually is not necessary.

7. Click Next then Remove and Close

Adding features

1. Switch to NODE1

2. Close all open windows and applications

3. Start Server Manager

4. Add Role.

5. Click Add Role Services in the Web Server (IIS) section

6. Check following options under Security section:

a. Windows Authentication

b. URL Authorization

c. IP and Domain Restrictions

7. Click Next then Install and Close

Configuring IP restrictions

1. Switch to NODE1

2. Launch Internet Information Services (IIS) Manager

3. Expand NODE1 in the left pane, right-click Default Web Site and select Add Virtual Directory. Use test1 as the alias. The path to the resource is not important, so you can create a new folder "test1" in c:\inetpub\wwwroot and use it as the target path.

4. Double click IP Address and Domain Restrictions icon

5. Click Add Deny Entry from the right pane


6. Enter the domain controller's IP address as the value to deny (double-check the DC IP address; it should be like 192.168.127.2)

7. Switch to DC machine

8. Start Internet Explorer

9. Type http://NODE1.CQURE.TEC and then http://NODE1.CQURE.TEC/test1

a. What happens? What is verified first: IP restrictions or user account? Does it

make sense?

Adding other security modules

1. Switch to NODE1

2. Close all open windows and applications

3. Launch Internet Information Services (IIS) Manager

4. Select Default Web Site from the left pane

5. Open IP and Domain Restrictions module

6. Click Edit Dynamic Restriction Settings in right pane

7. Check Deny IP addresses based on the number of requests over a period of time

option

8. Type 10 as a number of requests and 10000 as time period

9. Click Apply on the right pane

10. Click Default Web Site from the left pane

11. Switch to DC machine

12. Start Internet Explorer

13. Type http://NODE1.CQURE.TEC in the address field and verify if page opens

14. Click refresh button (next to address field) several times and count refreshes until it

stops working. Is the count what you expected? Why?
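To reason about the refresh count before trying it, the following added example (not part of the lab files) models the setting of 10 requests per 10000 ms as a simple sliding window. It is a simplified model and not the module's actual implementation; the class and function names are hypothetical, and the number of HTTP requests a single browser refresh generates (the page plus any embedded resources) is an assumption passed in as a parameter.

```python
from collections import deque


class SlidingWindowLimiter:
    """Simplified model: deny a client once it exceeds max_requests in period_ms."""

    def __init__(self, max_requests=10, period_ms=10000):
        self.max_requests = max_requests
        self.period_ms = period_ms
        self.hits = {}  # client IP -> timestamps (ms) of requests in the window

    def allow(self, client_ip, now_ms):
        window = self.hits.setdefault(client_ip, deque())
        # Forget requests that have aged out of the observation period.
        while window and now_ms - window[0] >= self.period_ms:
            window.popleft()
        window.append(now_ms)  # denied requests still count toward the limit
        return len(window) <= self.max_requests


def refreshes_until_denied(requests_per_refresh, refresh_interval_ms,
                           max_requests=10, period_ms=10000, max_refreshes=100):
    """Return the 1-based refresh on which the first request is denied, or None."""
    limiter = SlidingWindowLimiter(max_requests, period_ms)
    for refresh in range(1, max_refreshes + 1):
        now = (refresh - 1) * refresh_interval_ms
        for _ in range(requests_per_refresh):
            if not limiter.allow("192.168.127.2", now):
                return refresh
    return None


if __name__ == "__main__":
    # One request per refresh, two refreshes per second.
    print(refreshes_until_denied(1, 500))
    # Page plus one embedded resource per refresh, same pace.
    print(refreshes_until_denied(2, 500))
    # Slow refreshing never fills the window.
    print(refreshes_until_denied(1, 1500))
```

In this model, the number of refreshes needed to trigger the deny drops as each refresh produces more requests, and a slow enough pace never triggers it at all.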


Lab 22: IIS under attack

Machines used in this Lab: DC, NODE1, WEBA, WEBB

Internet Information Services is a great web platform that can host websites created with many different technologies. IIS has been improved year by year and now offers great functionality with good performance and well-designed security concepts. When under attack, IIS monitors traffic in a very efficient way. The goal of this exercise is to understand how to get access to this information and how to test the platform by performing several performance attacks.

We will be attacking every server that hosts IIS, so it is important to turn on all VMs!

Starting your lab environment

1. Launch DC VM and wait until it starts

2. Logon as CQURE\Administrator with password P@ssw0rd

3. Launch NODE1 machine

4. Logon as CQURE\Administrator with password P@ssw0rd

Preparing stress tool

1. Switch to DC machine

2. Mount the provided ISO file and find the document named scenario1.txt. Copy it to the desktop.

3. Review scenario1.txt file. It contains data used to generate http traffic.

4. Install WCAT

a. Launch wcat.amd64.msi

b. Press Next

c. Accept license agreement and press Next

d. Click Complete

e. Click Install


f. Click Continue and Finish

g. Review instructions and close notepad window

5. Launch cmd.exe

6. Change working directory – type: cd "C:\Program Files\wcat"

7. Copy scenario file – type: copy "%userprofile%\desktop\scenario1.txt"

"C:\Program Files\wcat"

8. Set cscript as default script host – type: cscript //H:Cscript

9. Install wcat client – type: wcat.wsf -terminate -update -clients localhost

10. Launch wcat – type: wcat -run -s NODE1.CQURE.TEC -v 1 -t scenario1.txt

a. If you think that the generated traffic is too low, you can increase the value specified after the -v parameter

11. Do not close command prompt window. It allows you to easily re-launch wcat

utility

Using logparser

1. Switch to NODE1 machine

2. Log on as CQURE\Administrator // P@ssw0rd

3. Install IIS Server Role

4. Mount provided ISO file and find the file named LogParser.msi.

5. Launch LogParser.msi

6. Click Next

7. Accept license terms and click Next

8. Click Complete

9. Click Install

10. Wait until installation finishes and click Finish

11. To launch Log Parser 2.2, run CMD, type cd c:\Program Files (x86)\Log Parser 2.2\ and then LogParser.exe, and press Enter to execute.

Review LogParser help displayed on the screen and try to create some queries:

a. Count entries in logs: logparser -i:IISW3C "SELECT count(*) FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log"


b. Count http errors: logparser -i:IISW3C "SELECT count(*) FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE sc-status<>200"

c. Details of http errors: logparser -i:IISW3C "SELECT top 10 sc-status, date, time, cs-uri-stem FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE sc-status<>200"

d. Processing times: logparser -i:iisw3c "SELECT TOP 10 cs-uri-stem AS Url, MIN(time-taken) as [Min], AVG(time-taken) AS [Avg], max(time-taken) AS [Max], count(time-taken) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log GROUP BY Url ORDER BY [Avg] DESC"

e. List top 20 longest requests: logparser -i:IISW3C "SELECT top 20 cs-uri-stem,date,time,time-taken FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log ORDER BY time-taken DESC"

12. Remember that IIS stores time in the UTC time zone, so it may be different than your time.

Using performance monitor

1. Switch to NODE1

2. Launch cmd.exe and type: perfmon

3. Select Performance Monitor entry in the left pane

4. Click on the green plus sign on the toolbar and add counters:

a. Web Service\Anonymous Users/sec

b. Web Service\Bytes Total/sec\_Total

c. Web Service\Current Connections\_Total

d. Web Service\Not Found Errors/sec\_Total – this counter is useful if you'd

like to detect automated scanning scripts.

e. Network interface\Bytes Received/sec\<All Instances> – you can delete

unused network interface cards later

f. Network interface\Bytes Sent/sec\<All Instances> – you can delete

unused network interface cards later

5. Check whether perfmon shows anything other than zero

6. Switch to DC


7. Launch Internet Explorer, open NODE1.CQURE.TEC website and press Ctrl+F5

several times

8. Switch to NODE1

9. Freeze perfmon using Pause button on the toolbar

10. Observe performance counter values. They are important because they should serve as a baseline for the administrator. It is easier to detect attacks if the administrator knows the everyday behavior of the server

11. Un-freeze perfmon

12. Switch to DC and re-launch wcat

13. Switch to NODE1 and observe perfmon counters

14. Remember about these tips:

a. You can highlight perfmon graphs using Ctrl+H shortcut. It is extremely

useful if you have more than 5 counters active

b. The suggested set of counters is optimized for attack detection. Perfmon is also very useful for everyday performance monitoring of web applications.

c. If some counters are useless – just delete them. You can also add new

counters any time.

d. You can double-click any counter and change its scale. This allows you to monitor values that are constantly below or above the display scale, like Bytes Total/sec

e. Look at IIS hardening lab and consider using Dynamic IP Restrictions for

preventing some types of attacks.

Using traces

1. Switch to NODE1

2. Launch Server Manager

3. Add Role.

4. Right click Add Role Services in the Web Server (IIS) section in the right pane

5. Check Tracing option in the Health and Diagnostics section

6. Click Next

7. Click Install and then Close

8. Launch Internet Information Services (IIS) Manager


9. Expand Sites in the left pane and select Default Web Site entry

10. Double click Failed Request Tracing Rules in the central pane

11. Click Add in the right pane

12. Leave default All content (*) entry selected and click Next

13. Clear all checkboxes except Status code and enter 404 then press Next. This error

code means “page not found”

14. Leave default providers selected and press Finish

15. Click Failed Request Tracing in the right pane

16. Select Enable and remember location for traces. Then press OK

17. Switch to DC machine

18. Open Internet Explorer and enter URL: NODE1.CQURE.TEC/fakepath

19. Check whether new files appeared in C:\inetpub\logs\FailedReqLogFiles\W3SVC1

20. Double-click the last of the XML files created

21. Click Add and add about:blank if asked about security settings by Internet Explorer

22. Review trace data using Request Summary, Request Details (with sub-tabs) and

Compact View tab. Remember that trace for non-existing URL is very simple. It gives

some idea about level of details but in real life scenarios may be more complicated.

Logging for IIS can provide a lot of information about how a website behaves under certain conditions. Logs can be converted to many formats, including output from the Performance Monitor that shows you, for example, a network bandwidth usage graph.

When you finish the lab, revert the virtual machines to their initial state. To do this, from

NODE1 Virtual Machine window click Actions Menu and choose “Revert”.


Lab 23: Logging

Machines used in this Lab: DC, WEBB

Examine and configure logging options

1. On WEBB, in Internet Information Services (IIS) Manager, in the Connections

pane, click WEBB.

2. In the details pane, in the Health and Diagnostics section, double-click Logging.

3. Notice that the Log File Rollover Schedule is set for Daily.

4. Select Use local time for file naming and rollover.

5. In the Actions pane, click Apply.

Test the logging operations

1. In Internet Explorer, click the Refresh button.

2. In Windows Explorer, browse to C:\inetpub\logs\LogFiles\W3SVC1.

3. In the details pane, double-click the newest log file. Notice the most recent log

entries at the bottom of the log. Notice that the log entries include a number of lines

with the word “GET.”

Question: What does the word “GET” mean in this log file?

Answer: The GET commands indicate requests from the client to the Web server to retrieve the Web pages and images.
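Reading the same log from PowerShell, as an added example that is not part of the original lab: the parser maps each entry to the columns named in the log's #Fields header and counts requests by method and status. The sample lines, addresses and the /login.aspx URL are constructed. Entries in a W3C log are written in UTC; the Use local time for file naming and rollover option changes only file names and rollover times, so the example adds a local-time column.

```powershell
# Added example (not from the lab files): parse IIS W3C extended log lines.
function ConvertFrom-W3CLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string] $Line
    )
    begin { $fields = @() }
    process {
        if ($Line.StartsWith('#Fields:')) {
            # The header can reappear mid-file when the logged fields change.
            $fields = @($Line.Substring(8).Trim() -split '\s+')
            return
        }
        if ($Line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($Line)) { return }

        $values = @($Line.Trim() -split ' ')
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) {
            Write-Warning "Skipping line that does not match #Fields: $Line"
            return
        }

        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # date and time are logged in UTC; add a local-time column for reading.
        if ($row.Contains('date') -and $row.Contains('time')) {
            $utc = [datetime]::ParseExact(
                "$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
            $row['LocalTime'] = $utc.ToLocalTime()
        }
        [pscustomobject]$row
    }
}

# Constructed sample in a common IIS field layout (addresses are made up).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2016-12-07 10:15:02
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-12-07 10:15:02 10.0.0.20 GET / - 80 - 10.0.0.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2016-12-07 10:15:02 10.0.0.20 GET /iisstart.png - 80 - 10.0.0.10 Mozilla/5.0+(Windows+NT+10.0) http://webb/ 200 0 0 3
2016-12-07 10:15:09 10.0.0.20 GET /fakepath - 80 - 10.0.0.10 Mozilla/5.0+(Windows+NT+10.0) - 404 0 2 1
2016-12-07 10:15:31 10.0.0.20 POST /login.aspx - 80 - 10.0.0.10 Mozilla/5.0+(Windows+NT+10.0) - 401 2 5 2
'@

$rows = $sample -split '\r?\n' | ConvertFrom-W3CLog

# Requests per method and status code
$rows | Group-Object 'cs-method', 'sc-status' |
    Sort-Object Count -Descending | Select-Object Count, Name

# Requests that were not served successfully, with UTC and local timestamps
$rows | Where-Object { [int]$_.'sc-status' -ge 400 } |
    Select-Object date, time, LocalTime, 'cs-method', 'cs-uri-stem', 'sc-status', 'sc-substatus'

# Against the lab server (path from the lab):
# Get-ChildItem C:\inetpub\logs\LogFiles\W3SVC1\*.log | Sort-Object LastWriteTime |
#     Select-Object -Last 1 | Get-Content | ConvertFrom-W3CLog
```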


Lab 24: Delegation and Remote Administration

Machines used in this Lab: DC, WEBB

Start the DC virtual machine and log on as CQURE\Administrator

Start the WEBB virtual machine and log on as CQURE\Administrator

Configure WEBB for remote administration

1. On WEBB, Open | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the Internet Information Services (IIS) Manager connections pane, click WEBB(CQURE\Administrator).

3. In the details pane, in the Management section, double-click Management Service.

4. Select Enable remote connections.

5. Click Windows credentials or IIS Manager credentials.

6. In the Actions pane, click Apply.

7. Click Start.

Test WEBB remote administration

1. On DC, Open and click Server Manager. In the Server Manager console pane, click Roles.

2. Right-click Roles, and then click Add Roles.

3. The Add Roles Wizard appears. Click Next.

4. In the Roles box, select Web Server (IIS).

5. The Add Roles Wizard dialog box appears. Click Add Required Features.

6. Click Next twice.

7. In the Role services box, clear all check boxes except for IIS Management Console.

8. Click Next, and then click Install.

9. When the installation completes, click Close.

10. Open | Administrative Tools | Internet Information Services (IIS) Manager.


11. In the details pane, click Connect to a server.

12. The Connect to Server wizard appears. In the Server name field, type WEBB, and then click Next.

13. On the Provide Credentials page, in the User name field, type [email protected].

14. In the Password field, type P@ssw0rd, and then click Next.

15. The Server Certificate Alert dialog box appears. Click Connect.

16. The Specify a Connection Name dialog box appears. Click Finish.

17. In the Connections pane, expand WEBB | Sites and then click Default Web Site.

Question: Is the IIS Management Service available for configuration remotely?

Answer: No, this service can only be configured locally

18. In the details pane, in the IIS section, double-click Default Document.

19. Click index.htm.

20. In the Actions pane, click Move Up.

21. The Default Document dialog box appears. Click Yes.

22. In the Actions pane, click Move Up.

In order to proceed to the next Lab don't revert WEBB.


Lab 25: Configuring Delegated Administration

Machines used in this Lab: DC, WEBB, WEBA

Configure delegated administration for the Human Resources site

1. On WEBB, Open | Computer and then browse to DVD drive>AllFiles>Step6>Labfiles (if the ISO is not mounted, in the properties of the VM select Media, choose DVD and mount ISO_IIS8_Labfiles.iso).

2. Right-click the RaccoonsHRSite folder and copy it to c:\inetpub, then click Properties, Sharing and then Advanced Sharing.

3. Check the Share this folder checkbox and then click Permissions

4. Allow everyone full control and click OK twice

5. Click Close

6. Open Internet Information Services (IIS) Manager. Go to the Management Service feature and verify that the management service is running and remote connections are enabled.

7. In the Internet Information Services (IIS) Manager Connections pane, expand Sites, and then click HR.

8. In the details pane, in the Management section, double-click IIS Manager Permissions.

9. In the Actions pane, click Allow User.

10. The Allow User dialog box appears. In the Windows field, type Cqure\Hugog and then click OK.

11. Add Hugo Garcia as a user that can Modify the content of the HR application folder. To do this, go to the HR application folder and, in its properties, go to Security to grant Hugo the appropriate permissions.

Share the Raccoons Sales Web Site

1. In Windows Explorer, browse to Step6 LabFiles on the DVD Media>AllFiles>Step6>Labfiles


2. Right-click RaccoonsSalesSite, and copy it to c:\inetpub\, then click Properties, Sharing and then Advanced Sharing

3. Check the Share this folder checkbox and then click Permissions

4. Allow everyone full control and click OK twice

5. Click Close

6. Open Internet Information Services (IIS) Manager. In the Connections pane, select Sites and right-click to Add Website. In Site name type: Sales, point the path to c:\inetpub\RaccoonsSalesSite, in Host name type: sales.cqure.tec and click OK

7. Switch to DC and open DNS in Forward Lookup Zones>Cqure.tec, then right-click to create a new Alias (CNAME). Type in the alias name: Sales and in the FQDN: WEBB.cqure.tec.

8. Switch back to WEBB, open a web browser (e.g. Internet Explorer) and go to: hr.cqure.tec, then open a second tab and type: sales.cqure.tec. If everything is properly configured, you should see a working site for HR and Sales.

(Steps 1-20 described below are optional. You already have the experience with delegation from the steps above. The part below is just an extension showing another approach based on file editing and using shares.)

Configure delegated administration for the Sales site

1. Open, and click Run, then type Notepad, and then press ENTER.

2. The Notepad window opens. On the File menu, click Open.

3. The Open dialog box appears. In the Text Documents list, click All Files.

4. Browse to C:\windows\system32\inetsrv\config.

5. Click applicationHost.config, and then click Open.

6. Scroll down to the <authentication> tag in the <security> section and delete the following text for the Sales site:

<anonymousAuthentication enabled="true" userName="IUSR" />

<basicAuthentication enabled="false" />

<clientCertificateMappingAuthentication />

<digestAuthentication />

<iisClientCertificateMappingAuthentication />

<windowsAuthentication />


7. On the File menu, click Save.

8. On the File menu, click Open.

9. The Open dialog box appears. Browse to Labfiles (Step 6).

10. Click EnableAnonymousAuthentication.txt, and then click Open.

11. On the Edit menu, click Select All.

12. On the Edit menu, click Copy.

13. On the File menu, click Open.

14. The Open dialog box appears. In the Text Documents list, click All Files.

15. Browse to C:\windows\system32\inetsrv\config.

16. Click applicationHost.config, and then click Open.

17. Scroll to the end of the applicationHost.config file and put the cursor on the line before </configuration>.

18. On the Edit menu, click Paste.

19. On the File menu, click Save.

20. Close Notepad.

Test delegated administration for the Human Resources and Sales sites

1. Switch to WEBA VM.

2. Log on as CQURE\hugog with a password of P@ssw0rd.

3. Open Internet Information Services (IIS) Manager.

4. In the details pane, click Connect to a site.

5. The Connect to Site dialog box appears. In the Server name field, type WEBB.cqure.tec.

6. In the Site name field, type HR, and then click Next.

7. The Provide Credentials page appears. In the User name field, type [email protected].

8. In the Password field, type P@ssw0rd and then click Next.

9. The Server Certificate Alert dialog box appears. Click Connect.

10. The Specify a Connection Name dialog box appears. In the Connection Name field, type Human Resources Site and then click Finish.


11. In the Connections pane, click Start Page.

12. In the details pane, click Connect to a site.

13. The Connect to Site dialog box appears. In the Server name field, type WEBB.cqure.tec.

14. In the Site Name dialog box, type Sales, and then click Next.

15. The Provide Credentials page appears. In the User name field, type [email protected].

16. In the Password field, type P@ssw0rd, and then click Next.

17. The Connect to Site dialog box appears with an error stating that the user is not authorized to connect to the specified computer.

Question: Why does this error occur?

Answer: This error occurs because Hugo was not granted IIS Manager permission on the Sales site.

18. Click OK.

19. Click Cancel.

20. Close Internet Information Service (IIS) Manager.

21. The Internet Information Service (IIS) Manager dialog box appears, asking if you want to save changes. Click No.

(Steps 22-45 are optional. You already have the experience with delegation from the steps above. These steps are just an extension showing another approach based on file editing and using shares.)

22. Switch User.

23. Log on as CQURE\Gina with a password of P@ssw0rd.

24. Click Start, and click Run, then type Notepad, and then press Enter.

25. The Notepad window opens.

26. On the File menu, click Open.

27. The Open dialog box appears. Browse to Step6

28. Click Disable Authentications, and then click Open.

29. On the Edit menu, click Select All.


30. On the Edit menu, click Copy.

31. On the File menu, click Open.

32. The Open dialog box appears. In the File name field, type \\WEBB\RaccoonsSalesSite\Web.Config and then click Open.

33. Scroll to the end of the Web.Config file and put the cursor on the line before </configuration>.

34. On the Edit menu, click Paste.

35. On the File menu, click Save.

36. Close Notepad.

37. Open Internet Explorer.

38. The Windows Internet Explorer window opens. Browse to http://sales.CQURE.TEC.

39. Notice error 401 indicating that the user does not have permission to view this page.

Question: Why does the server report this error?

Answer: The server reports a 401 error because both Anonymous Authentication and Windows Authentication have been disabled. The web server is unable to service a request for a web page if no means for authentication are configured.

40. Click Start, and click Run, then type Notepad, and then press Enter.

41. The Notepad window opens.

42. On the File menu, click Open.

43. The Open dialog box appears. In the File name field, type \\WEBB\RaccoonsHRSite\Web.Config and then click Open.

44. The Network Error dialog box appears. Click See details and note the resulting error and notice that it says access is denied.

45. Click Cancel twice and then close Notepad.

In order to proceed to the next Lab don't revert WEBB.
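A check for the share permissions set in this lab, as an added example that is not part of the original lab files: it flags shares under the IIS content root that grant Full or Change to broad groups, the route by which Web.Config was edited over \\WEBB\RaccoonsSalesSite in steps 32-35. The function names, the list of broad principals and the sample records are assumptions constructed for illustration; NTFS permissions apply on top of the share ACL, so the report also lists which of those principals hold NTFS write access when the folder is reachable.

```powershell
# Added example (not from the lab files): flag SMB shares that expose IIS
# content to broad groups with write-capable share permissions.
# Input records have the shape returned by Get-SmbShare (Name, Path) and
# Get-SmbShareAccess (Name, AccountName, AccessControlType, AccessRight).

function Get-NtfsWriter {
    param([string] $Path, [string[]] $Principal)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # not reachable from here
    $writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $names = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeData) -ne 0) -and
            ("$($_.IdentityReference)" -in $Principal)
        } | ForEach-Object { "$($_.IdentityReference)" })
    return ($names -join ', ')    # empty string: none of the principals can write
}

function Find-WritableWebShare {
    param(
        [Parameter(Mandatory)] [object[]] $Share,
        [Parameter(Mandatory)] [object[]] $Access,
        [string]   $ContentRoot = 'C:\inetpub',
        # Assumption: principals treated as "broad"; adjust for your domain.
        [string[]] $BroadPrincipal = @('Everyone',
                                       'NT AUTHORITY\Authenticated Users',
                                       'BUILTIN\Users')
    )
    $root = $ContentRoot.TrimEnd('\')
    foreach ($s in $Share) {
        if (-not $s.Path) { continue }            # e.g. IPC$ has no folder
        $path = $s.Path.TrimEnd('\')
        $underRoot = ($path -eq $root) -or
            $path.StartsWith(($root + '\'), [StringComparison]::OrdinalIgnoreCase)
        if (-not $underRoot) { continue }

        foreach ($ace in @($Access | Where-Object { $_.Name -eq $s.Name })) {
            $right = "$($ace.AccessRight)"
            if ("$($ace.AccessControlType)" -eq 'Allow' -and
                ($right -in @('Full', 'Change')) -and
                ($ace.AccountName -in $BroadPrincipal)) {
                [pscustomobject]@{
                    Share       = $s.Name
                    Path        = $path
                    Account     = $ace.AccountName
                    ShareRight  = $right
                    # $null when the folder cannot be read from this machine
                    NtfsWriters = Get-NtfsWriter -Path $path -Principal $BroadPrincipal
                }
            }
        }
    }
}

# Constructed sample records (share names follow the lab; 'Tools' is made up).
$shares = @(
    [pscustomobject]@{ Name = 'RaccoonsHRSite';    Path = 'C:\inetpub\RaccoonsHRSite' }
    [pscustomobject]@{ Name = 'RaccoonsSalesSite'; Path = 'C:\inetpub\RaccoonsSalesSite' }
    [pscustomobject]@{ Name = 'Tools';             Path = 'D:\Tools' }
)
$access = @(
    [pscustomobject]@{ Name = 'RaccoonsHRSite';    AccountName = 'Everyone'; AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'RaccoonsSalesSite'; AccountName = 'Everyone'; AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ Name = 'Tools';             AccountName = 'Everyone'; AccessControlType = 'Allow'; AccessRight = 'Read' }
)

Find-WritableWebShare -Share $shares -Access $access | Format-Table -AutoSize

# On the web server itself:
# $live = Get-SmbShare -Special $false
# Find-WritableWebShare -Share $live -Access ($live | Get-SmbShareAccess)
```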


Lab 26: Configuring Feature Delegation

Machines used in this Lab: DC, WEBB

Configure feature delegation for the Human Resources and Sales sites

1. On WEBB, in the Internet Information Services (IIS) Manager Connections pane, click WEBB.

2. In the details pane, in the Management section, double-click Feature Delegation.

3. Click Error Pages.

4. In the Actions pane, click Read/Write.

Test feature delegation for the Human Resources site

1. On DC, switch user.

2. Log on as CQURE\hugog with a password of P@ssw0rd.

3. Open Administrative Tools | Internet Information Services (IIS) Manager.

4. The User Account Control dialog box appears. In the Password field, type P@ssw0rd, and then click OK.

5. In the details pane, click Connect to a site.

6. The Connect to Site dialog box appears. In the Server name field, type WEBB.

7. In the Site Name dialog box, type HR, and then click Next.

8. The Provide Credentials page appears. In the User name field, type [email protected].

9. In the Password field, type P@ssw0rd, and then click Next.

10. The Server Certificate Alert dialog box appears. Click Connect.

11. The Specify a Connection Name dialog box appears. In the Connection Name field, type Human Resources Site and then click Finish.

12. In the Connections pane, click Human Resources Site.

13. In the details pane, in the IIS section, double-click Error Pages.

14. Right-click the line beginning with 404, and then click Edit.

15. The Edit Custom Error Page dialog box appears. Click Execute a URL on this site.


16. In the URL (relative to site root) field, type /ErrorPages/custom404.htm and then click OK.

17. Open Internet Explorer.

18. The Internet Explorer window opens. Browse to http://hr.CQURE.TEC/missingpage.htm.

19. Note that the custom error page is displayed.

In order to proceed to the next Lab revert WEBB to default state.


Lab 27: Automating webserver management

Machines used in this Lab: DC, WEBB

Verifying address resolution

1. On the DC machine open cmd.exe and try to ping www.contoso.com

2. If the name is not recognized:

a. Open DNS Management Console, expand "Forward Lookup Zones" and verify if the "contoso.com" zone exists. If not, right-click Forward Lookup Zones to create a new zone, then click Next; in the Zone Type leave everything default, click Next two times, in the Zone Name enter “contoso.com”, then click Next and Finish.

b. Right-click the zone and select "New Alias (CNAME)".

c. Type "www" as alias name and "webb.cqure.tec" as FQDN for target host.

d. Click OK

e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name resolution cache.

f. Ping www.contoso.com and verify if the name is resolved correctly.

3. Ping test123.acme.net

4. If the name is not recognized:

a. Open DNS Management Console, expand "Forward Lookup Zones" and verify if the "acme.net" zone exists. If not, right-click Forward Lookup Zones to create a new zone, then click Next; in the Zone Type leave everything default, click Next two times, in the Zone Name enter “acme.net”, then click Next and Finish.

b. Right-click the zone and select "New Alias (CNAME)".

c. Type "*" as alias name and "webb.cqure.tec" as FQDN for target host.

d. Click OK

e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name resolution cache.

f. Ping test123.acme.net and verify if the name is resolved correctly.


PowerShell loop

1. Switch to WEBB machine

2. Log on as Administrator

3. Launch PowerShell ISE

4. Create a new script by pressing Ctrl+N

5. Test simple loop by typing in the upper pane:

for ($i=10001; $i -le 10100; $i++) {Write-Host ("app{0}" -f $i)}

and press F5

6. Does it work as expected?

Creating website

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the PowerShell pane:

cd c:\inetpub\wwwroot\

3. Then type dir to check the folder structure. If the “acme” folder is missing, type in PowerShell:

md c:\inetpub\wwwroot\acme

4. Type this in the upper pane of PowerShell ISE:

New-Website -Name "pstest" -HostHeader "pstest.acme.net" -PhysicalPath "$env:systemdrive\inetpub\wwwroot\acme"

and press F5

5. Do you know why "$env:systemdrive" syntax was used?

6. Launch Internet Information Services (IIS) Manager

7. Verify if "pstest" site was created correctly

8. Do you expect that typing http://pstest.acme.net in your web browser will work OK?

Adding the new binding to a website

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

New-Webbinding -Name "pstest" -Protocol "https" -Port 443 -HostHeader "pstest.acme.net" -SslFlags 3

and press F5

3. Switch to Internet Information Services (IIS) Manager

4. Verify if "pstest" site has two bindings: one for http and one for https with SNI and CCS options enabled

5. Do you expect that typing https://pstest.acme.net in your web browser will work OK?

Removing website

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

Remove-Website -Name "pstest"

and press F5

3. Switch to Internet Information Services (IIS) Manager

4. Verify if "pstest" site was deleted.

Combining scripts together

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

for ($i=10001; $i -le 10100; $i++)
{
    New-Website -Name ("app{0}" -f $i) -HostHeader ("app{0}.acme.net" -f $i) -PhysicalPath "$env:systemdrive\inetpub\wwwroot\acme"
    New-Webbinding -Name ("app{0}" -f $i) -Protocol "https" -Port 443 -HostHeader ("app{0}.acme.net" -f $i) -SslFlags 3
}

and press F5

3. Switch to Internet Information Services (IIS) Manager and verify if sites are created properly

4. You can browse any of your new websites by selecting website name in the left pane and then clicking on the "Browse..." icon in the right pane


Cleaning app* sites

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

Remove-Website -Name "app10*"

and press F5

Generating scripts

1. Launch Internet Information Services (IIS) Manager

2. Select any of websites in the left pane

3. Double-click the "Directory Browsing" icon in the central pane and verify (in the right pane) if it is disabled

4. Click on the website name again

5. Double click "Configuration editor" in the central pane

6. In the "Section" listbox select the system.webServer/directoryBrowse entry

7. Look at two settings available: enabled and showFlags

8. Change the value for "enabled" to "True"

9. Click "Generate Script" in the right pane

10. Switch to "PowerShell" tab

11. Copy all text and paste it into a new tab in PowerShell ISE. Do not press F5 yet.

12. Switch to Internet Information Services (IIS) Manager and click "Close" and then "Cancel" in the right pane

13. Verify if directory browsing is still disabled

14. Start the script in the PowerShell ISE by pressing F5

15. Verify directory browsing configuration in Internet Information Services (IIS) Manager


Lab 28: Command-line and Scripting for IIS

Machines used in this Lab: DC, WEBB

Start the WEBB virtual machine and log on as CQURE\Administrator

Use PowerShell to identify all services

1. On WEBB, open Windows PowerShell.

2. At the Windows PowerShell prompt, type get-service and then press Enter. Notice the status, name, and display name of each service.

Use PowerShell to identify running services that start with a “w”

1. Type get-service -include w* | sort-object -property status and then press Enter.

2. Notice the list of services that begin with a “w” with the “stopped” services listed first.

3. Type stop-service -servicename w3svc and then press Enter.

4. Type get-service -servicename w3svc and then press Enter.

5. Start the w3svc service using PowerShell.

6. Type start-service -servicename w3svc and then press Enter.

7. Type get-service -servicename w3svc and then press Enter.

List PowerShell.exe process using the get-wmiobject cmdlet

1. Type Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'" and then press Enter.

2. Notice the detailed information for the powershell.exe process.

Question: What operating system is listed in the details?

Answer: Microsoft Windows Server 2016.


Load Microsoft.Web.Administration.dll

1. On WEBB, in PowerShell, type [System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll") and then press Enter.

2. Notice the GAC, version and location for the Microsoft.Web.Administration.dll, which signifies the DLL file was loaded.

3. Type [System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll") and then press Enter.

4. Notice the detailed information for the sites on the server.

5. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name} and then press Enter.

6. Notice the names of the Websites on the server.

7. Type function findsite {$name=$args[0]; ((New-Object Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name -match $name}); } and then press Enter.

Question: This command line didn't return any values. What did it do?

Answer: This command line created the command findsite, which integrates the Microsoft.Web.Administration module into an easy-to-use single command.

1. Type findsite default* and then press Enter.

2. Notice the detailed information for the default Website.

3. Type (findsite default*).ID and then press Enter.

4. Notice the ID for the default Website: 1.

5. Type (findsite default*).Stop() and then press Enter.

6. Notice the status for the default Website is now “stopped”.

7. Type (findsite default*).Start() and then press Enter.

8. Notice the output is “unknown”.


Question: Why does the command return an output value of “unknown”?

Answer: Because it attempted to start the default Web site without first checking to see if it was stopped or checking the result.

9. Type (findsite default*).State and then press Enter.

10. Notice the status for the default Website is now “started”.

Results: After this exercise, you should have successfully used Microsoft.Web.Administration to gather Website information and created a function to start and stop the default Website.
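The “unknown” result discussed in this exercise is the reason for this added example, which is not part of the original lab: a start/stop helper that reads the site's state first, changes it only when needed, and confirms the state reached afterwards. Set-SiteState and Get-SiteState are hypothetical names; the Microsoft.Web.Administration types and members are the ones used in the lab steps, and the session must be elevated on a server with IIS installed.

```powershell
# Added example (not from the lab files): start or stop sites only when their
# current state requires it, and report the state actually reached.
[void][System.Reflection.Assembly]::LoadFrom(
    "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll")

function Get-SiteState {
    param([Parameter(Mandatory)] [string] $Name)
    # A fresh ServerManager per read, as findsite does, so the value is current.
    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    try { "$($mgr.Sites[$Name].State)" } finally { $mgr.Dispose() }
}

function Set-SiteState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $NamePattern,   # regex, like findsite
        [Parameter(Mandatory)] [ValidateSet('Started', 'Stopped')] [string] $Desired,
        [int] $TimeoutSeconds = 10
    )
    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    try {
        $sites = @($mgr.Sites | Where-Object { $_.Name -match $NamePattern })
        if ($sites.Count -eq 0) {
            Write-Warning "No site matches '$NamePattern'"
            return
        }
        foreach ($site in $sites) {
            $before   = "$($site.State)"
            $returned = $null
            if ($before -ne $Desired -and
                $PSCmdlet.ShouldProcess($site.Name, "set state to $Desired")) {
                # The lab shows Start() returning Unknown, so the return value
                # is recorded for reference and the state is polled instead.
                $returned = if ($Desired -eq 'Started') { "$($site.Start())" }
                            else                        { "$($site.Stop())" }
                $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
                while ((Get-SiteState -Name $site.Name) -ne $Desired -and
                       (Get-Date) -lt $deadline) {
                    Start-Sleep -Milliseconds 250
                }
            }
            $after = Get-SiteState -Name $site.Name
            [pscustomobject]@{
                Site     = $site.Name
                Before   = $before
                Returned = $returned      # $null when no change was needed
                After    = $after
                Ok       = ($after -eq $Desired)
            }
        }
    }
    finally { $mgr.Dispose() }
}

# Usage on WEBB, in an elevated session:
# Set-SiteState -NamePattern '^Default' -Desired Stopped
# Set-SiteState -NamePattern '^Default' -Desired Started
# Set-SiteState -NamePattern '^Default' -Desired Started -WhatIf
```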

Create Microsoft.PowerShell profile script to automatically load assemblies

1. On WEBB, in PowerShell, type if (test-path $profile) {echo "Path exists."} else {new-item -path $profile -itemtype file -force}; notepad $profile and then press Enter.

2. The Notepad window opens. Type the following:

echo "Microsoft IIS Environment Loader"
echo "Copyright 2006 Microsoft Corporation. All rights reserved."
echo "Loading IIS Managed Assemblies"
$inetsrvDir = (join-path -path $env:windir -childPath "\system32\inetsrv\")
Get-ChildItem -Path (join-path -path $inetsrvDir -childPath "Microsoft*.dll") | ForEach-Object {[System.Reflection.Assembly]::LoadFrom((join-path -path $inetsrvDir -childPath $_.Name))}
echo "Assemblies loaded."

3. On the File menu, click Save.

4. Minimize but do not close Notepad.

5. In Windows PowerShell, type get-executionpolicy and then press Enter.

6. Notice the execution policy is set to “restricted”.

7. Type set-ExecutionPolicy Unrestricted and then press Enter.

8. In Notepad, at the end of the script, type new-variable iismgr -value (New-Object Microsoft.Web.Administration.ServerManager) -scope "global".

9. On the File menu, click Save.

10. Minimize but do not close Notepad.


11. Close Windows PowerShell and then reopen it.

12. Notice the script information that now executes when you open PowerShell.

13. Type $iismgr.Sites and then press Enter.

14. Notice the site information that is displayed.

15. Close Windows PowerShell.

16. Browse VM properties Media>DVD>ISO_IIS8_Labfiles.iso, then DVD Drive>AllFiles>Step7\Labfiles>Scripts.

17. Right-click iis.type.ps1xml, and then click Edit.

18. The Notepad window opens. Review the code.

19. On the File menu, click Save As.

20. The Save As dialog box appears. In the Save as type list, click All Files.

21. Browse to C:\windows\System32\WindowsPowerShell\v1.0 and then click Save.

22. Close Notepad.

23. Restore Notepad and, at the end of the script, type the following:

new-variable iissites -value (New-Object Microsoft.Web.Administration.ServerManager).Sites -scope "global"
new-variable iisapppools -value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools -scope "global"
update-typedata -append (join-path -path $PSHome -childPath "iis.types.ps1xml")

24. On the File menu, click Save.

25. Close Notepad.

26. Open Windows PowerShell 1.0 | Windows PowerShell.

27. The Windows PowerShell window opens. Type $iissites.Find("^Default*") and then press Enter.

28. Notice the details for the default Website are listed.

29. In Windows Explorer, browse to the mounted labfiles ISO DVD Drive>AllFiles>Step7>Labfiles>Scripts>CreateWebsite>CreateWebsite>CreateWebsite.

30. Double-click CreateWebsite.cs.

31. The Notepad window opens. Review the code, and then close Notepad.


32. In Windows Explorer, browse to Step 7\Scripts\CreateWebsite\CreateWebsite\CreateWebsite\bin\Debug.

33. Right-click CreateWebsite.exe, and then click Copy.

34. Browse to C:\ and then click Paste.

35. In Windows PowerShell, type c:\CreateWebsite.exe and then press Enter.

36. Type $iissites.Find("^NewSite*") and then press Enter.

37. Notice the details for the new Website are listed.


Lab 29: Manage IIS tasks using WMI and AppCmd

Machines used in this Lab: DC, WEBA

Use AppCmd to identify tasks running on the Web server

1. On WEBA, Open Command Prompt.

2. Type cd c:\windows\system32\inetsrv and then press Enter.

3. Type appcmd list wp and then press Enter.

4. Notice this command lists the current running worker processes. If the command doesn’t list any results, there aren’t any worker processes running.

5. Type appcmd list apppool and then press Enter.

6. Notice the currently running application pools are listed.

7. Type appcmd list apppool /xml | appcmd recycle apppool /in and then press Enter.

8. Notice the message is displayed ““DefaultAppPool” successfully recycled”.

9. Type appcmd list app /site.name:"NewSite" /xml | appcmd set app /in /applicationPool:NewAppPool and then press Enter.

10. Notice the following is displayed “APP object “NewSite/” changed”.

Store configuration information to file, and then restore the configuration information

1. Type appcmd list config "Default Web Site/" /section:caching /xml /config > config.xml and then press Enter.

2. Type appcmd set config "Default Web Site/" /in < config.xml and then press Enter.

3. Notice the configuration changes were applied to the Default Web Site.

Use WMI to list the Default Web Site on the Web server

1. Open Notepad and then press Enter.

2. The Notepad window opens. Type:

Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSite = oIIS.Get("Site.Name='Default Web Site'")
WScript.Echo "Retrieved an instance of Site"
WScript.Echo "Name: " & oSite.Name
WScript.Echo "ID: " & oSite.ID

3. On the File menu, click Save.

4. The Save As dialog box appears. In the File name field, type C:\GetSite.vbs.

5. In the Save as type list, click All Files, and then click Save.

6. Close Notepad.

7. From the command prompt, type cd \, and then press Enter.

8. Type cscript //h:cscript, and then press Enter.

9. Notice the default script has been set to “cscript.exe”.

10. Type getsite.vbs, and then press Enter.

11. Notice the Web site name and ID are displayed.


Lab 30: Tuning IIS

Machines used in this Lab: DC, WEBA

Start the DC virtual machine

Start the WEBA virtual machine and log on as CQURE\Administrator

ASP.NET and Dynamic Content Compression features

1. On WEBA, go to roles management, right-click Web Server (IIS), and then click Add Role Services. Verify that ASP.NET 4.6 is installed; if not, add it.

2. In the Performance section, select Dynamic Content Compression.

3. Click Next and then click Install.

4. When the installation completes, click Close.

5. In the details pane, in the Role Services section, notice that ASP.NET and Dynamic Content Compression are listed as Installed.

6. Open Internet Information Services (IIS) Manager.

7. In the Connections pane, expand WEBA | Sites and then click Default Web Site.

8. In the Actions pane, click View Applications.

9. Click Add Application.

10. The Add Application dialog box appears. In the Alias field, type SalesSupport.

11. Next to the Physical path field, click the Browse (...) button.

12. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.

13. Type SalesSupport and then click OK.

14. Click OK.

15. Open Computer and then browse to the SalesSupport folder, which is on DVD drive>AllFiles>Step10>Labfiles (if the ISO is not mounted, in the properties of the VM select Media, choose DVD and mount ISO_IIS8_Labfiles.iso).

16. Select all files from SalesSupport, then right-click and click Copy.

17. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.


Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy

1. Open Command Prompt.

2. Type cd \inetpub\wwwroot and then press Enter.

3. Type md SalesSupport2 and then press Enter.

4. Type xcopy /e SalesSupport\*.* SalesSupport2.

5. Notice that 36 files are copied.

6. At the command prompt locate the labfiles location.

7. Enter the following path DVD drive D:\AllFiles\Step10\Labfiles\SalesSupport2 and

then press Enter.

8. Type xcopy /e *.* c:\inetpub\wwwroot\salessupport2 and then press Enter.

9. When prompted to overwrite files, press A for all.

10. In Internet Information Services (IIS) Manager, in the Connections pane, click

Default Web Site.

11. In the Actions pane, click View Applications. Click Add Application.

12. The Add Application dialog box appears. In the Alias field, type SalesSupport2.

13. Next to the Physical path field, click the Browse (...) button.

14. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot\SalesSupport2, and then click OK twice.

Create and assign an application pool for SalesSupport2 and test functionality

1. In the Connections pane, click Application Pools.

2. In the Actions pane, click Add Application Pool.

3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport2 and then click OK.

4. In the Connections pane, expand Default Web Site and then click SalesSupport2.

5. In the Actions pane, click Basic Settings.

6. The Edit Application dialog box appears. Click Select.

7. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport2, and then click OK twice.

8. Open Internet Explorer.

9. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.

10. Notice that the Raccoons Bank Sales Support page loads successfully.

11. In Internet Explorer, browse to http://localhost/salessupport2.

12. Notice that the Raccoons Bank Sales Support page version 2.0 loads successfully.

Use Performance Monitor to measure performance

1. On WEBA, open CMD.

2. In the console window, type perfmon and press Enter to run Performance Monitor.

3. In the details pane, right-click the graph, and then click Remove All Counters.

4. The Performance Monitor Control dialog box appears. Click OK.

5. Above the graph, click the Add button (green plus).

6. The Add Counters dialog box appears. In the Available counters list, scroll down, and

then expand Web Service.

7. Click Bytes Sent/sec.

8. In the Instances of selected object field, click <All instances>.

9. Click Add, and then click OK.

10. With Reliability and Performance monitor running, in Internet Explorer, browse to

http://localhost/salessupport/test.aspx.

11. After the page loads, click Refresh several times rapidly. Notice that the dynamically

generated time updates each time you refresh.

12. Close Internet Explorer.

13. In Reliability and Performance Monitor, notice that the graph reflects the throughput.

Note that you can right-click the graph and then click Scale Selected Counters to get

a better representation. You may need to do this a couple of times to get a zoomed

in view of the data.

Configure Output Caching

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand

WEBA(CQURE)| Sites | Default Web Site and then click SalesSupport.

2. In the details pane, in the IIS section, double-click Output Caching.

3. In the Actions pane, click Add.


4. The Add Cache Rule dialog box appears. In the File name extension field, type

.aspx.

5. Select Kernel-mode caching.

6. Click At time intervals, and then delete the existing text and type 00:00:10.

7. Click OK.

8. Open Internet Explorer, and browse to http://localhost/salessupport/test.aspx.

9. Click Refresh several times rapidly for at least 30 seconds.

10. Notice that the time updates only every 10 seconds after the first couple of loads and

that the subsequent loads are much faster.

11. In Internet Explorer, browse to http://localhost/salessupport2/test.aspx.

12. Click Refresh several times rapidly.

13. Notice that the time updates with each load.

14. In Performance monitor, compare the two peaks for throughput on the graph.

Notice that the first peak has higher throughput than the second.

Configure Compression

1. In Internet Explorer, browse to http://localhost.

2. Click Refresh several times rapidly.

3. In Reliability and Performance Monitor, note the throughput on the graph.

4. In Internet Information Services (IIS) Manager, in the Connections pane, click

Default Web Site.

5. In the details pane, in the IIS section, double-click Compression.

6. Clear the Enable static content compression check box.

7. In the Actions pane, click Apply.

8. In Internet Explorer, browse to http://localhost.

9. Click Refresh several times rapidly.

10. In Performance Monitor, note the throughput on the graph. There should not be

much change for static compression.

Question: Why does the graph show little or no change?


Answer: Static compression is cached. Only the first page load requires processing the

compression.

1. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.

2. Click Refresh several times rapidly.

3. In Reliability and Performance Monitor, note the throughput on the graph.

4. In Internet Information Services (IIS) Manager, in the details pane, select Enable

dynamic content compression.

5. In the Actions pane, click Apply.

6. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.

7. Click Refresh several times rapidly.

8. Close Internet Explorer.

9. In Reliability and Performance Monitor, note the throughput on the graph. The

throughput has decreased because dynamic compression negates dynamic output

caching.

Configure connection limit throttling

1. Open Internet Explorer, and browse to http://localhost.

2. Right click the IIS tab, and then click New Tab.

3. In the new tab, browse to http://localhost.

4. Repeat to create another new tab, and then browse to http://localhost.

5. You should have three tabs open. Right-click one of the tabs, and then click Refresh

All.

6. Notice that all of the tabs refresh successfully.

7. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.

8. In Internet Information Services (IIS) Manager, in the Connections pane, click

Default Web Site.

9. In the Actions pane, click Limits.

10. The Edit Web Site Limits dialog box appears. Select Limit number of connections.

11. In the Limit number of connections field, type 1.

12. Click OK.


13. Open Internet Explorer, and browse to http://localhost in three tabs.

14. In Internet Explorer, right-click one of the tabs, and then click Refresh All.

15. Notice that at least one of the tabs now reports Service Unavailable.

16. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.

Use Performance Monitor to measure resource usage

1. On WEBA, open Internet Explorer, and browse to http://localhost/salessupport.

2. Open a second tab and browse to http://localhost/salessupport2.

3. In CMD, run perfmon /res and press Enter, and then, in the console pane, click Resource Monitor.

4. In the details pane, expand Memory tab.

5. Click the Image column heading to sort by image name, and then scroll down to

w3wp.exe.

6. Notice that there are two instances running. Note the amount of memory being used

by each in the Commit (KB) and Working Set (KB) columns.

7. In Internet Information Services (IIS) Manager, in the Connections pane, click

Application Pools.

8. In the details pane, click SalesSupport2.

9. In the Actions pane, click Recycle.

10. In Reliability and Performance Monitor, notice that one of the w3wp.exe

processes consumes less memory.

11. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.

Assign SalesSupport and SalesSupport2 to the same application pool

1. In Internet Information Services (IIS) Manager, in the Connections pane, click

SalesSupport2.

2. In the Actions pane, click Basic Settings.

3. The Edit Application dialog box appears. Click Select.

4. The Select Application Pool dialog box appears. In the Application pool list, click

DefaultAppPool.

5. Click OK twice.


6. In the Connections pane, click Application Pools.

7. In the details pane, click SalesSupport2.

8. In the Actions pane, click Remove.

9. The Confirm Remove dialog box appears. Click Yes.

10. Open Internet Explorer, and browse to http://localhost/salessupport.

11. Open a second tab and browse to http://localhost/salessupport2.

12. In Reliability and Performance Monitor, notice that there is now only one w3wp.exe process and less total memory consumed.

In order to proceed to the next Lab don’t revert WEBA.


Lab 31: Web Farms

Machines used in this Lab: DC, WEB2, NODE4

Start the DC virtual machine

Start the NODE4 virtual machine and log on as CQURE\Administrator

Start the WEB2 virtual machine and log on as CQURE\Administrator

Backup the Web site, Web application, and config files to the D: drive

1. On NODE4, Open Computer, and then browse to C

2. In the File menu, click New | Folder.

3. Type WebSiteBackup, and then press Enter.

4. Right click the new folder and share it by selecting Properties, Sharing, Advanced

Sharing. Configure Share rights to allow write by clicking on Permissions button and

selecting "Full Control".

5. Browse to \\NODE4\WebSiteBackup.

6. Browse to C:\inetpub\wwwroot.

7. In the details pane, select all, right-click, and then click Copy.

8. Browse to \\NODE4\WebSiteBackup, right-click and then click Paste.

9. Notice that the Web site files are now backed up to this shared folder.

Restore the Web site, Web application, and config files from the shared drive

1. On WEB2, open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand WEB2 | Sites, and then click Default Web Site.

3. In the Actions pane, click Browse *:80 (http).

4. The Microsoft Internet Explorer window opens. Notice that the IIS default page is

displayed.

5. Open Computer, and then browse to C:\inetpub\wwwroot.

6. Notice that the folder contains the IIS default Web site files, iisstart.htm, png files, and

the aspnet_client folder.

7. Browse to the networked computer NODE4.


8. If the NODE4 computer is not displayed in the details pane, network discovery may

be turned off. Click the notice bar, and then click Turn on network discovery and file

sharing.

9. Browse to \\NODE4\WebSiteBackup.

10. In the details pane, select all, right-click and then click Copy.

11. Browse to C:\inetpub\wwwroot, right-click and then click Paste.

12. If a Copy File dialog box appears, indicating that you are about to overwrite any files

or folders, click Copy and Replace.

13. If a Confirm Folder Replace dialog box appears, indicating that you are about to

overwrite a folder, click Yes.

14. Notice that the new Web site files are now copied to this location.

15. In Internet Explorer, click the Refresh button.

16. Notice that the Raccoons Bank Web site has been deployed on the second Web

server.

Question: What process on the Web server led to the Raccoons Bank Web site being

displayed instead of the IIS default Web site?

Answer: After the Raccoons Bank Web site files were copied to the second Web server, the

default file default.aspx superseded the file iisstart.htm.


Lab 32: Shared Configuration

Machines used in this Lab: DC, NODE4, WEB2

Export and Enable Shared Configuration

1. On NODE4, Open Computer, and then browse to C

2. In the File menu, click New | Folder.

3. Type Export, and then press Enter.

4. Right click the new folder and share it by selecting Properties, Sharing, Advanced

Sharing. Configure Share rights to allow write by clicking on Permissions button and

selecting "Full Control".

5. Open Internet Information Services (IIS) Manager.

6. In the Connections pane, click NODE4.

7. In the details pane, in the Management section, double-click Shared

Configuration.

8. In the Actions pane, click Export Configuration.

9. The Export Configuration dialog box appears, allowing you to export the local

configuration files, settings, and encryption keys. In the Physical path field, type

\\NODE4\Export.

10. In the Encryption keys password and Confirm Password fields, type P@ssw0rd.

11. Click OK.

12. The Export Configuration dialog box appears indicating that the files were exported

successfully. Click OK.

13. In the details pane, select Enable shared configuration.

14. In the Physical Path field, type \\NODE4\Export.

15. In the User name field, type CQURE\Administrator.

16. In the Password and Confirm Password fields, type P@ssw0rd.

17. In the Actions pane, click Apply.

18. The Encryption Keys Password dialog box appears for you to enter the encryption

key. In the Enter encryption key Password field, type P@ssw0rd.

19. Click OK.


20. The Shared Configuration dialog box appears, indicating that the current encryption

keys were backed up. Click OK.

21. The Shared Configuration dialog box appears, indicating that IIS Manager and

Management service must be restarted for these changes to be completed. Click OK.

22. Close Internet Information Services (IIS) Manager.

23. Open Internet Information Services (IIS) Manager.

24. In the Connections pane, click NODE4.

25. In the details pane, in the Management section, double-click Management Service.

26. In the Actions pane, click Start.

Add the second Web server to use the Shared Configuration

1. On WEB2, in Internet Information Services (IIS) Manager, in the Connections

pane, click WEB2.

2. In the details pane, in the Management section, double-click Shared

Configuration.

3. Select Enable shared configuration.

4. In the Physical Path field, type \\NODE4\Export.

5. In the User name field, type CQURE\Administrator.

6. In the Password and Confirm Password fields, type P@ssw0rd.

7. In the Actions pane, click Apply.

8. The Encryption Keys Password dialog box appears. In the Enter encryption key

Password field, type P@ssw0rd. Click OK.

9. The Shared Configuration dialog box appears, indicating that the current encryption

keys were backed up. Click OK.

10. The Shared Configuration dialog box appears, indicating that IIS Manager and

Management service must be restarted for these changes to be completed. Click OK.

11. Close Internet Information Services (IIS) Manager.

12. Open Internet Information Services (IIS) Manager.

13. In the Connections pane, click WEB2.

14. In the details pane, in the Management section, double-click Management Service.

15. In the Actions pane, click Start.


Test the Shared Configuration

1. On NODE4, in Internet Information Services (IIS) Manager, in the Connections

pane, click NODE4.

2. In the details pane, in the IIS section, double-click Default Document.

3. In the Actions pane, click Add.

4. The Add Default Document dialog box appears to allow us to add a default

document to test the shared configuration. In the Name field, type test.html and

then click OK.

5. On WEB2, in Internet Information Services (IIS) Manager, in the Connections

pane, click WEB2.

6. In the details pane, in the IIS section, double-click Default Document.

7. Notice that the default document test.html has been added to the top of the list for the second Web server as well.

Question: Why has the default document test.html been added to the top of the list for the second Web server as well?

Answer: The default document test.html has been added to the top of the list for the second Web server because both servers are using shared configuration.


Lab 33: Web Deploy

Machines used in this Lab: DC, WEBA

Installing the remote service during the installation of Web Deploy on WEBA.

If you have not yet downloaded the Windows Installer file for Web Deploy, see the ISO image delivered by the trainer and follow the next steps. After you start the installation, return to this topic and follow these steps. In the WEBA VM, select Media, choose DVD, and mount ISO_IIS8_Labfiles.iso. In Windows Explorer, browse to DVD Drive>AllFiles>Tools>WebDeploy_amd64_en-US.msi

1. Run the installation file and on the Welcome to the Microsoft Web Deployment

Tool Setup Wizard page, click Next.

2. On the End-User License Agreement page, select the I accept the terms in the

license agreement box, and then click Next.

3. On the Choose Setup Type page, click Custom.

4. On the Custom Setup page, click the Remote Agent Service down arrow, select

Will be installed on local hard drive, and then click Next.

5. Click Install.

6. Click Finish.

7. After you install the remote service, make sure that the service is started. If necessary, type: net start msdepsvc.

8. By default, the remote service uses port 80. If necessary, you can enable this port through the firewall by running netsh firewall add portopening TCP 80 WdeployAgent at an administrative command prompt.

To use the Web Deployment Agent Service remotely (also called the Remote Agent Service), the following conditions must be true.

1. You have installed the Web Deployment Tool on the remote computer.


2. You have enabled port 80 through the firewall on the remote computer. By default,

the remote agent listens on port 80. If you are using a custom port setting, you

must enable the custom port through the firewall instead.

3. You have started the Web Deployment Agent Service (MsDepSvc) on the remote computer.

4. You are a member of the administrators group on the remote computer, or you specify administrator credentials in the Web Deploy command by using the computerName=<serverName>,userName=<username>,password=<password> syntax described in the Usage section.

5. You use an elevated command prompt to run the Web Deploy command.

Note: To use the remote service at the Web Deploy command line, add the

computerName provider setting to the source or destination provider by using the syntax:

,computerName=<host>. <host> is the name of the remote server. Only one destination

computer can be specified in a Web Deploy command.

The following example shows how you can use the computerName provider setting to

return metabase information from a remote computer named Server1. Notice that there is

no space after the comma.

msdeploy -verb:dump -source:metakey=lm/w3svc/1,computerName=Server1

Web Deploy converts the computer name into the default Web Deploy URL. For example,

computerName=Server1 will become http://Server1/MsDeployAgentService. If the

remote service is running with a custom port or URL, you must specify the full URL.

Example:

Use the remote service on Server1 and Server2 to update the contents of a directory on Server2.


msdeploy -verb:sync -source:contentpath=c:\abc,computerName=Server1,username=admin,password=pass -dest:contentpath=c:\def,computerName=Server2,username=admin,password=pass

Using the Web Deployment Tool

1. Open IIS Manager and expand the default web site in the left pane and select

SalesSupport application

2. Click "Export Application..." in the right pane

3. Click "Advanced settings"

4. Set the password for security settings to P@ssw0rd

5. Click OK and then Next. Click Next.

6. Enter the path and name for your package. You can store it on your desktop. Click

Next.

7. Verify summary and detailed status and click Finish

8. Remove the SalesSupport app (right-click the name in the left pane and select "Remove")

9. Remove the c:\inetpub\wwwroot\salessupport directory from your disk

10. Browse the content of a zip file you created on your desktop and observe how

application data was stored

11. Refresh the view in IIS Manager and verify if application was actually deleted


12. In the IIS Manager select the default web site in the left pane

13. Click "Import Application..." in the right pane

14. Enter the package path and click Next

15. Click "Advanced Settings" and enter the decrypt password for secure data

16. Click "OK" and then "Next"

17. Accept the default name and press "Next"

18. Verify summary and detailed status and click Finish

19. Verify if your application opens correctly in the web browser.


Lab 34: Configuring Network Load Balancing

Machines used in this Lab: DC, NODE4, WEB2

Create a new Network Load Balancing cluster

1. On NODE4, install the Network Load Balancing feature from Server Manager, and then open Network Load Balancing Manager.

2. In the console pane, right-click Network Load Balancing Clusters and then click

New Cluster.

3. The New Cluster: Connect dialog box appears. Start the process by connecting to the Network Load Balance host computer. In the Host field, type NODE4, and then click Connect.

4. Make sure the Local Area Connection interface with Interface IP address

192.168.127.107 is highlighted, and then click Next.

5. The New Clusters: Host Parameter page shows the dedicated IP addresses and the

initial host state. Click Next.

6. The New Clusters: Cluster IP Addresses page allows you to add cluster IP addresses

that are shared by every member of the cluster. Click Add.

7. The Add IP Address dialog box appears, allowing you to add IPv4 or IPv6 addresses

to the cluster. In the Add IPv4 address field, type 192.168.127.200.

8. In the Subnet mask field, type 255.255.255.0, and then click OK.

9. Make sure the newly added cluster IP address is highlighted. Click Next.

10. The New Clusters: Cluster Parameters page allows you to modify the operation

mode of the cluster IP addresses. In the Full Internet name field, type

cluster.CQURE.TEC.

11. Click Multicast. Click Next.

12. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP

address port rules. Click Finish. Wait for the operation to complete before continuing.


Add the second host to the Network Load Balancing cluster

1. In the console pane, right-click cluster.CQURE.TEC and then click Add Host to

Cluster.

2. The Add Host to Cluster: Connect dialog box appears. Add the second host computer. In the Host field, type WEB2, and then click Connect. Wait for the operation to complete before continuing.

3. Make sure the Local Area Connection interface with Interface IP address

192.168.127.105 is highlighted, and then click Next.

4. The New Clusters: Host Parameter page shows the dedicated IP addresses and the

initial host state. Make sure that the Priority (unique host identifier) is 2, and then

click Next.

5. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP

address port rules. Click Finish. Wait for the operation to complete before continuing.

Add the second server to the Network Load Balancing cluster

1. On WEB2, Click Start, click Administrative Tools, and then click Network Load

Balancing Manager.

2. The Network Load Balancing Manager window opens and loads the current cluster.

The Warning dialog box appears, presenting a warning about running NLB in Unicast

mode. Click OK.

Verify Network Load Balancing using NLB commands

1. Open Command Prompt.

2. Type NLB query 192.168.127.200 and then press Enter.

3. Notice that the NLB command indicates that host 2 has entered a converging state

with the cluster.

4. On NODE4, Open Command Prompt.

5. Type NLB query 192.168.127.200 and then press Enter.

6. Notice that the NLB command indicates that host 1 has entered a converging state

with the cluster.

7. Type NLB display and then press Enter.


8. The results show very detailed information about the cluster and its current state.

Scroll to the top of the displayed information to examine the Configuration section.

9. Close each of the running virtual machines. Do not save changes so they are reset to

default for the next lab.


Lab 35: Troubleshooting IIS

Machines used in this Lab: DC, NODE5

Start the DC virtual machine and log on as CQURE\Administrator

Start the NODE5 virtual machine and log on as CQURE\Administrator

On NODE5, browse to http://localhost/raccoons. Notice the Server Error: 401 –

Unauthorized message.

Examine the log file

1. Open Computer and then browse to C:\inetpub\logs\LogFiles\W3SVC1.

2. Double-click the most recent log file.

3. The Notepad window opens. Scroll to the far right and examine the last entries in the

log file. Notice that the status is 401 and sub status is 2.

4. Close Notepad.
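
The log check above, done programmatically (an added example, not part of the original lab): this Python sketch reads IIS W3C extended log text, follows each #Fields directive to locate sc-status and sc-substatus instead of assuming column positions, and counts status.sub-status pairs per URL. The sample log lines and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the W3C extended format that IIS writes under
# C:/inetpub/logs/LogFiles/W3SVC1. All values are made up for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-12-07 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-12-07 10:15:02 ::1 GET /raccoons - 80 - ::1 Mozilla/5.0+(compatible) - 401 2 5 31
2016-12-07 10:15:09 ::1 GET /raccoons/ - 80 - ::1 Mozilla/5.0+(compatible) - 401 2 5 0
2016-12-07 10:16:40 ::1 GET /raccoons2 - 80 - ::1 Mozilla/5.0+(compatible) - 200 0 0 15
2016-12-07 10:17:01 ::1 GET /netapp/content - 80 - ::1 Mozilla/5.0+(compatible) - 500 19 53 2
2016-12-07 10:18:00 ::1 GET
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-uri-stem sc-status sc-substatus
2016-12-07 11:02:10 /Raccoons 401 2
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the active #Fields names."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # IIS writes a new header block after a restart or a logging
            # change, so the column layout can differ within one file.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        # Skip truncated lines and anything seen before the first header.
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def status_summary(text):
    """Count requests per ("status.substatus", URL path) pair."""
    counts = Counter()
    for rec in parse_w3c(text):
        if "sc-status" not in rec:
            continue
        code = rec["sc-status"] + "." + rec.get("sc-substatus", "0")
        # Fold case and the trailing slash so /Raccoons/ and /raccoons match.
        uri = rec.get("cs-uri-stem", "-").lower().rstrip("/") or "/"
        counts[(code, uri)] += 1
    return counts


def requests_with(text, status, substatus):
    """Return the parsed records that carry the given status and sub-status."""
    want = (str(status), str(substatus))
    return [
        rec for rec in parse_w3c(text)
        if (rec.get("sc-status"), rec.get("sc-substatus")) == want
    ]


if __name__ == "__main__":
    for (code, uri), n in sorted(status_summary(SAMPLE_LOG).items()):
        print(f"{code:8} {uri:20} {n}")
```
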

Enable Detailed Error Messages

1. Open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand NODE5 | Sites | Default Web Site and then click

Raccoons.

3. In the details pane, in the IIS section, double-click Error Pages.

4. In the Actions pane, click Edit Feature Settings.

5. The Edit Error Pages Settings dialog box appears. Click Detailed errors for local requests and custom error pages for remote requests, and then click OK.

Reproduce the issue and examine the detailed error

1. In Internet Explorer, browse to http://localhost/raccoons.

2. Notice the detailed error message reports HTTP Error 401.2 – Unauthorized.

3. Scroll down to Most likely causes. Notice the first cause is No authentication

protocol (including anonymous) is selected in IIS.


Resolve the issue and test functionality

1. In Internet Information Services (IIS) Manager, click Raccoons.

2. In the details pane, in the IIS section, double-click Authentication.

3. Notice that all authentication methods are Disabled.

4. In the details pane, click Basic Authentication.

5. In the Actions pane, click Enable.

6. In the details pane, notice that Basic Authentication is Enabled, and all other

authentication methods are Disabled.

7. In Internet Explorer, browse to http://localhost/raccoons.

8. Notice that you are prompted for credentials. For User name, type Alisa.

9. For Password type P@ssw0rd and then click OK.

10. Notice that the Raccoons application now loads without error.

11. Close Internet Explorer.


Lab 36: Troubleshooting Authorization

Machines used in this Lab: DC, NODE5

Browse to http://localhost/raccoons2

1. On NODE5, in Internet Explorer, browse to http://localhost/raccoons2.

2. Notice that you are not prompted for credentials and the page loads without error.

3. Close Internet Explorer.

Enable Failed Request Tracing and add a rule to trace successful requests

1. In Internet Information Services (IIS) Manager, in the Connections pane, click

Default Web Site.

2. In the Actions pane, click Failed Request Tracing.

3. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select

Enable, and then click OK.

4. In the Connections pane, click Raccoons2.

5. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.

6. In the Actions pane, click Add.

7. The Add Failed Request Tracing Rule dialog box appears. Click Next.

8. Under Status code(s), type 200, and then click Next.

Question: Why do we use status code 200 for this issue?

Answer: Status code 200 is used for a successful page load in IIS. Since the page is loading

without error, we must use the status code 200 to trace the issue.

9. Under Providers, clear ASP and ISAPI Extension. Leave ASPNET and WWW Server

checked.

10. Click Finish.

Reproduce the issue and examine the Failed Request Tracing log

1. In Internet Explorer, browse to http://localhost/raccoons2.


2. In Windows Explorer, browse to c:\inetpub\logs\FailedReqLogFiles\W3SVC1.

3. Double-click fr000001.xml.

4. If prompted to add the site to the Trusted sites zone, click Add twice and then click

Close.

5. Under Request Summary, notice that Authentication is anonymous.

6. Click the Compact View tab.

7. Scroll down and examine the lines that begin with AUTH_SUCCEEDED and USER_SET.

Notice that the authorized user is “”. Close Internet Explorer.

Question: What did we learn from the Failed Request Tracing log?

Answer: Anonymous users are being allowed to access the site. Since anonymous authentication happens successfully, users are not being prompted to enter credentials.

Resolve the issue and verify functionality

1. In Internet Information Services (IIS) Manager, in the Connections pane, click

Raccoons2.

2. In the details pane, double-click Authorization Rules.

3. Notice that Anonymous Users are Allowed.

4. In the details pane, in the IIS section, click Anonymous Users.

5. In the Actions pane, click Remove.

6. The Confirm Remove dialog box appears. Click Yes.

7. In the Connections pane, click Raccoons2.

8. In the details pane, in the IIS section, double-click Authentication.

9. Notice that both Anonymous Authentication and Basic Authentication are

Enabled.

10. Click Anonymous Authentication.

11. In the Actions pane, click Disable.

12. In Internet Explorer, browse to http://localhost/raccoons2.

13. Notice that you are prompted for credentials. For User name, type Alisa.

14. For Password, type P@ssw0rd and then click OK.


15. Notice that the Raccoons2 application loads without error.

16. Close Internet Explorer and open it again to create a new session.

17. Browse to http://localhost/raccoons2.

18. When prompted for credentials, leave both fields blank and click OK three times.

19. Notice that you get a 401 – Unauthorized message.
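The two settings changed in this lab can also be checked offline against a copy of the configuration. The following Python script is an added example, not part of the original lab: it reports whether a location is open to anonymous users and applies the same two fixes. The location path "Default Web Site/raccoons2" and the Allow rule for Alisa are assumptions in a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the state Lab 36 starts from. The location path is an
# assumption (the lab only gives the URL http://localhost/raccoons2), and so is
# the second Allow rule for the user Alisa.
SAMPLE_CONFIG = """
<configuration>
  <location path="Default Web Site/raccoons2">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <basicAuthentication enabled="true" />
        </authentication>
        <authorization>
          <add accessType="Allow" users="?" />
          <add accessType="Allow" users="Alisa" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
"""

SECURITY = "system.webServer/security"
ANONYMOUS_TOKENS = {"?", "*"}  # "?" = anonymous users, "*" = all users


def _admits_anonymous(rule, access_type):
    """True when an authorization rule of the given type names "?" or "*"."""
    users = {u.strip() for u in rule.get("users", "").split(",")}
    return rule.get("accessType") == access_type and bool(users & ANONYMOUS_TOKENS)


def audit(config_xml):
    """Map each <location> path to its explicit anonymous-access settings.

    Simplification: only settings written inside the <location> element are
    read; inherited defaults are not resolved. A Deny rule that names "?" or
    "*" is treated as overriding any Allow rule.
    """
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        anon = loc.find(f"{SECURITY}/authentication/anonymousAuthentication")
        rules = loc.findall(f"{SECURITY}/authorization/add")
        anon_enabled = anon is not None and anon.get("enabled", "").lower() == "true"
        allowed = any(_admits_anonymous(r, "Allow") for r in rules)
        denied = any(_admits_anonymous(r, "Deny") for r in rules)
        report[loc.get("path")] = {
            "anonymous_auth_enabled": anon_enabled,
            "allow_rule_for_anonymous": allowed,
            "open_to_anonymous": anon_enabled and allowed and not denied,
        }
    return report


def remediate(config_xml, path):
    """Apply the two fixes from the lab to one location; return the new XML."""
    root = ET.fromstring(config_xml)
    for loc in root.iter("location"):
        if loc.get("path") != path:
            continue
        # Authentication > Anonymous Authentication > Disable
        anon = loc.find(f"{SECURITY}/authentication/anonymousAuthentication")
        if anon is not None:
            anon.set("enabled", "false")
        # Authorization Rules > Anonymous Users > Remove
        authz = loc.find(f"{SECURITY}/authorization")
        if authz is not None:
            for rule in list(authz):
                if rule.get("accessType") == "Allow" and rule.get("users", "").strip() == "?":
                    authz.remove(rule)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    target = "Default Web Site/raccoons2"
    print("before:", audit(SAMPLE_CONFIG)[target])
    print("after: ", audit(remediate(SAMPLE_CONFIG, target))[target])
```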


Lab 37: Troubleshooting Communication

Machines used in this Lab: DC, NODE5

Reproduce the issue

1. On DC, browse to http://NODE5/netapp/content. Notice the 500 – Internal server

error message.

Verify communication with the Web server

1. Open Command Prompt.

2. Type ping NODE5 and then press Enter.

3. Notice that the ping succeeds indicating that DC and NODE5 are communicating.

4. On NODE5, in Internet Information Services (IIS) Manager, in the Connections

pane, click NODE5.

5. In the details pane, in the IIS section, double-click Error Pages.

6. In the Actions pane, click Edit Feature Settings.

7. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then

click OK.

8. In Internet Explorer, browse to http://localhost/netapp/content.

9. Notice the 500.19 error.

10. Next to Config Error, notice the message Cannot read configuration file because the

network path is not found.

11. Next to Config File, notice the path for the server name.

Correct the problem and verify functionality

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand

NetApp and then click Content.

2. In the Actions pane, click Advanced Settings.

3. The Advanced Settings dialog box appears. In the Physical Path field, modify the

path to read \\NODE5\content, and then click OK.

4. In Internet Explorer, browse to http://localhost/netapp/content.

5. Notice that the IIS Welcome page appears and there is no error message.


Lab 38: Troubleshooting Configuration

Machines used in this Lab: DC, NODE5

Reproduce the issue and examine the detailed error message

1. On NODE5, in Internet Explorer, browse to http://localhost/pics/logo.jpg.

2. Notice the HTTP Error 404.4 – Not Found message.

3. In the Most likely causes section, notice that the most likely cause is The file

extension for the requested URL does not have a handler configured to process the

request on the Web server.

Examine and correct the web.config file

1. In Windows Explorer, browse to C:\Pics.

2. Double-click web.config.

3. On the Windows dialog, click Select a Program from a list of installed programs,

and then click OK. Click Notepad, and then click OK.

4. The Notepad window opens. Notice that the <handlers> section contains a line for

handling static files.

5. Notice that the path attribute is set to “*.jgp”. Modify the line so that the path

attribute correctly reads “*.jpg”.

6. On the File menu, click Save.

7. Close Notepad.

8. In Internet Explorer, browse to http://localhost/pics/logo.jpg.

9. Notice that the Raccoons Bank logo now appears successfully.

Close each of the running virtual machines and revert them to default state.


Lab 39: Application Initialization (Optional)

Machines used in this Lab: DC, NODE1

The IIS Application Initialization feature enables website Administrators to configure IIS to

proactively perform initialization tasks for one or more web applications. While an application

is being initialized, IIS can also be configured to return static content as a placeholder or

"splash page" until an application has completed its initialization tasks. The Application

Initialization feature is configured through a combination of global and application-specific

rules that tell IIS how and when to initialize web applications. The Application Initialization

feature also supports integration with the IIS Url Rewrite Module to support more complex

handling of placeholder content while an application is still initializing.

1. Log in as Administrator//P@ssw0rd on NODE1.

2. Open Server Manager and run Add Role wizard.

3. From the configuration of the Web Server role, pick Application Initialization:

Note: The Application Initialization feature can be configured in two places: the machine-wide applicationHost.config file, and the application-level web.config file. Configuration in the applicationHost.config file contains "global" application initialization settings, while an application-level web.config file contains "local" application initialization settings.

In this walkthrough, you will configure a sample application to always be initialized when

the application pool associated with the application starts up. Since application pool

behaviors can only be configured in applicationHost.config, running application

initialization whenever an application pool starts up is considered part of the "global"

application initialization settings.

Setting up the Sample ASP.NET Application

Note: The following steps assume your server already has both IIS installed and ASP.NET 4.5

enabled for use in IIS.

1. Attach appinit.iso to NODE1. The sample ASP.NET application is contained in the

appinit.zip file.

2. Unzip the file to the wwwroot folder on NODE1; the application should be copied to the

following path: "c:\inetpub\wwwroot\appinit".

3. Now it is time to configure the folder as an ASP.NET application in IIS. The screenshot

below shows the appinit sample application configured as an application in IIS. Also

notice that the application is assigned to the ".NET v4.5" application pool.


Install the Url Rewrite Module

The sample application makes use of the Url Rewrite module for advanced integration with

the Application Initialization feature. You need to install the Url Rewrite module on your

server; you will find urlrewrite2.exe in the same ZIP file as the application. It can also be downloaded from: http://www.iis.net/download/URLRewrite.

Configure the Url Rewrite Module

1. Once the Url Rewrite module is installed on your web server, you need to modify the

IIS applicationHost.config file to allow usage of the SKIP_MANAGED_MODULES server

variable supported by the Application Initialization feature.

2. Open up the machine-wide applicationHost.config file in a text editor such as

notepad. The applicationHost.config file is located at

C:\Windows\System32\inetsrv\config.

3. Scroll down the file and locate the security section. This section starts with the Xml

element: <security>.

4. Type in the following Xml elements before the <security> element:

    <rewrite>
      <allowedServerVariables>
        <add name="SKIP_MANAGED_MODULES" />
      </allowedServerVariables>
    </rewrite>

5. Save the changes to the applicationHost.config file.

Modifications in applicationHost.config

1. Open up the applicationHost.config file located at

%WINDIR%\system32\inetsrv\config in Notepad – run the text editor with the "Run

as Administrator" option.

2. Find the <applicationPools> configuration section, and then look for the application

pool entry with a name of ".NET v4.5".

3. Modify the application pool entry so that the application pool is always running. For

applications where you want global application initialization to occur, you normally

want the associated application pool to be started and running. The bolded attribute

in the configuration snippet (startMode) shows what to add to the configuration entry.

<add name=".NET v4.5" startMode="AlwaysRunning" managedRuntimeVersion="v4.0" />

4. Scroll down a little more in applicationHost.config to the <sites> configuration

element. Within that section there will be an <application> entry for the sample

application you configured earlier. The application is called "appinit", and has a path

attribute value of "/appinit". Modify the <application> entry by adding the bolded

preloadEnabled attribute as shown in the configuration snippet and then save your

changes.

<application path="/appinit" preloadEnabled="true" applicationPool=".NET v4.5">

5. Setting preloadEnabled to "true" tells IIS 8.0 to send a "fake" request to the

application when the associated application pool starts up. That is why in the

previous step we set the application pool's startMode to "AlwaysRunning".

Note: With the combination of the application pool always running, and the application

itself being marked to always receive a fake request, whenever the machine restarts and/or

the World Wide Web service is recycled, IIS 8.0 ensures that the application pool instance

is running and that the application "/appinit" is always sent a fake request to trigger the

application to start up.


Modifications in the application's web.config

1. Using a second instance of Notepad, open up the application level web.config file

located in the following location – run the text editor with the "Run as

Administrator" option.

C:\inetpub\wwwroot\appinit

2. The web.config file has a few configuration sections already pre-populated, but

commented out. Uncomment the configuration snippet shown that is inside of the

<system.webServer> configuration section. This snippet is just below the comment

"Exercise 1 – Step 1" in the web.config file. Then save your changes.

    <applicationInitialization
        remapManagedRequestsTo="Startup.htm"
        skipManagedModules="true" >
      <add initializationPage="/default.aspx" />
    </applicationInitialization>

3. The applicationInitialization element tells IIS that it should issue a request to the

application's root Url ("/" in this example) in order to initialize the application. While

IIS waits for the request to "/" to complete, it will serve "Startup.htm" to any active

browser clients. "Startup.htm" is the "splash page" for the application.

Run the application

1. From an elevated command prompt window, recycle the World Wide Web Service

with the command shown below:

net stop w3svc & net start w3svc

2. Using Internet Explorer, navigate to the following Url:

http://localhost/appinit/default.aspx

3. The browser returns the static "Startup.htm" page with a grey background for the first

few seconds because that is the "splash page" that has been configured in

web.config.

Note: You can continue refreshing the page in your web browser and observe that about

eight seconds later (simulated with a thread sleep in the sample application's global.asax)

you receive the "real" content for default.aspx with a white background. This indicates that

application initialization completed.


Configuring overlapped process recycling

IIS 8.0 integrates global application initialization with overlapped process recycling by

performing application initialization in an overlapped process in the background. When IIS

detects that an active worker process is being recycled, IIS does not switch active traffic over

to the new recycled worker process until the new worker process finishes running all

application initialization Urls in the new process. This ensures that customers browsing your

website don't see application initialization pages once an application is live and running.

1. Go back to the instance of Notepad that has applicationHost.config. Modify the

application pool entry for ".NET v4.5" to look like the configuration snippet shown

below:

    <add name=".NET v4.5"
         startMode="AlwaysRunning"
         managedRuntimeVersion="v4.0" >
      <recycling logEventOnRecycle="Schedule">
        <periodicRestart requests="30" />
      </recycling>
    </add>

2. Save your changes. The <recycling> element tells IIS to recycle the worker process

every 30 HTTP requests.

Run the application a second time

1. From an elevated command prompt window, recycle the World Wide Web Service

with the command: net stop w3svc & net start w3svc

2. Using a new instance of Internet Explorer, once again navigate to:

http://localhost/appinit/default.aspx

3. Note that the "Startup.htm" splash page with the grey background is showing.

4. Open Task Manager and make sure the Processes tab is showing. Sort the process

list by name until you see one instance of w3wp.exe running. That instance is the

worker process that is currently running the "appinit" ASP.NET application.


3. Refresh the browser a few times until the content from the real default.aspx page is

being returned. You know that the application is running the "real" default.aspx page

when the background changes to white.

4. Arrange the windows on your screen so that you can see both Task Manager and the

browser.

5. Switch back to the browser and refresh the page at least 30 times; this causes IIS to

recycle the application pool. You can stop refreshing the page when you see a

second instance of w3wp.exe show up in the Task Manager process list as shown

below:


6. The screenshot shows the second instance of w3wp.exe has started due to the

process recycling limit set earlier.

7. You can continue to periodically refresh the browser window for the next ten seconds

or so. Note that default.aspx continues to run. When the overlapped recycling

completes, one w3wp.exe instance disappears from the Task Manager Process

window.

Throughout the duration of the overlapped recycling, you continue to see the content of the

"real" default.aspx served, even though application initialization was configured for the

application and was running the initialization Url in the background in the new instance of

w3wp.exe.


Lab 40: Url Rewrite and Application Initialization

(Optional)

Machines used: DC, NODE1

By default, application initialization only enables you to specify a single "splash page" Url to

display while an application is initializing. However, the Application Initialization feature

supports a few server variables that can be used to control request processing while an

application initializes. This enables you to create declarative rules using the Url Rewrite

Module containing more complex mappings to pre-generated static content.

In this walkthrough, you replace the remapManagedRequestsTo attribute with a set of Url

Rewrite rules that accomplish the same end result.

Modifications in applicationHost.config

1. Using the instance of Notepad that has applicationHost.config open, revert both the

application pool and the application elements to turn off all global application

initialization processing. The global settings are removed in this step since the

remainder of this walkthrough focuses on the configured Application Initialization

behavior.

2. The applicationHost.config entries for the application pool and the application are as

shown below.

Application pool configuration entry:

<add name=".NET v4.5" managedRuntimeVersion="v4.0" />

Application configuration entry:

<application path="/appinit" applicationPool=".NET v4.5">

3. Save your changes when you are done!

4. From an elevated command prompt window, recycle the World Wide Web Service

with the command: net stop w3svc & net start w3svc

Modifications to application level web.config

1. Using the instance of Notepad that has the application-level web.config open,

remove the remapManagedRequestsTo attribute from the <applicationInitialization>

element. The <applicationInitialization> configuration section should now look like

this configuration snippet.

    <applicationInitialization skipManagedModules="true" >
      <add initializationPage="/default.aspx" />
    </applicationInitialization>

2. Because the <applicationInitialization> element no longer defines a Url to remap

requests to, add a set of Url Rewrite rules. Add a rewrite rule that explicitly maps

requests made to "default.aspx", as well as "/" to route to "Startup.htm". Two rules

are needed because the Url Rewrite Module doesn't "know" about how default

documents work. Since "/" equates to "default.aspx" in ASP.NET applications, you

need two Url Rewrite rules – one rule for each Url variation.

The new rules are shown in bold below. Alternatively you can uncomment the pre-populated

Url Rewrite rules under the "Exercise 2 – Step 2 Mapping Requests to the Home Page"

comment in the web.config file.

    <rewrite>
      <rules>
        <rule name="Home Page-Expanded" stopProcessing="true">
          <match url="default.aspx" />
          <conditions>
            <add input="{APP_WARMING_UP}" pattern="1" />
          </conditions>
          <action type="Rewrite" url="Startup.htm" />
        </rule>
        <rule name="Home Page-Short" stopProcessing="true">
          <match url="^$" />
          <conditions>
            <add input="{APP_WARMING_UP}" pattern="1" />
          </conditions>
          <action type="Rewrite" url="Startup.htm" />
        </rule>
      </rules>
    </rewrite>

3. Some items to note about these rules:

a. First, the stopProcessing attribute is set to "true" on the <rule /> elements. This is necessary because a catch-all Url Rewrite rule is added later, and you don't want the catch-all rule to run for requests to default.aspx or "/".

b. Second, note that we have a Url Rewrite condition in the <conditions /> element. This condition effectively says "only apply the rule when the application is in an initializing state". The server variable "APP_WARMING_UP" is set by IIS to a value of "1" when application initialization is active and IIS is still processing all of the initialization Urls.

c. Third, note that the action has been defined to rewrite the active request to run "Startup.htm" instead. This rule has the effect of telling IIS to pass the request on to the static file handler, which then renders the static page Startup.htm.

4. Add a catch-all rewrite rule. When using the Url Rewrite Module in conjunction with

application initialization, a catch-all rule that fires if none of the previous rules match

is needed. Add the bolded rule shown below to the rewrite section as the catch-all

rule. Alternatively you can uncomment the pre-populated catch-all rule in web.config

that is located under the "Exercise 2 – Step 2 Setting Up a Catch-All Rule" comment

in the web.config file.

    <rewrite>
      <rules>
        <rule name="Home Page-Expanded" stopProcessing="true">
          <match url="default.aspx" />
          <conditions>
            <add input="{APP_WARMING_UP}" pattern="1" />
          </conditions>
          <action type="Rewrite" url="Startup.htm" />
        </rule>
        <rule name="Home Page-Short" stopProcessing="true">
          <match url="^$" />
          <conditions>
            <add input="{APP_WARMING_UP}" pattern="1" />
          </conditions>
          <action type="Rewrite" url="Startup.htm" />
        </rule>
        <rule name="All Other Requests">
          <match url=".*" />
          <conditions>
            <add input="{APP_WARMING_UP}" pattern="1" />
          </conditions>
          <serverVariables>
            <set name="SKIP_MANAGED_MODULES" value="0" />
          </serverVariables>
          <action type="Rewrite" url="{URL}" />
        </rule>
      </rules>
    </rewrite>

4. Save your changes.

5. The new rule matches against any Url that reaches it and tells IIS to continue

processing the request that was made to the inbound Url. The rule also sets a server

variable called "SKIP_MANAGED_MODULES" to a value of "0" – which equates to

"false". This setting tells IIS that it should treat the rewritten request from Url Rewrite

the same way as if the request had normally arrived off the wire.
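The walkthroughs edit two files that have to agree: applicationHost.config (pool startMode, preloadEnabled, allowed server variables) and the application's web.config (rewrite rules that set SKIP_MANAGED_MODULES). The following Python check is an added example, not part of the lab material; it reads constructed fragments of both files and reports where they disagree. The site name "Default Web Site" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment with two omissions: the pool has
# no startMode attribute, and SKIP_MANAGED_MODULES is missing from the allowed
# server variables. The site name is an assumption.
APPHOST = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name=".NET v4.5" managedRuntimeVersion="v4.0" />
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/appinit" preloadEnabled="true" applicationPool=".NET v4.5" />
      </site>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <rewrite>
      <allowedServerVariables />
    </rewrite>
  </system.webServer>
</configuration>
"""

# The same fragment with the two edits from the lab applied.
APPHOST_FIXED = (
    APPHOST
    .replace('<add name=".NET v4.5"', '<add name=".NET v4.5" startMode="AlwaysRunning"')
    .replace("<allowedServerVariables />",
             '<allowedServerVariables><add name="SKIP_MANAGED_MODULES" /></allowedServerVariables>')
)

# Application-level web.config reduced to the catch-all rule from the lab.
WEBCONFIG = """
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="All Other Requests">
          <match url=".*" />
          <conditions>
            <add input="{APP_WARMING_UP}" pattern="1" />
          </conditions>
          <serverVariables>
            <set name="SKIP_MANAGED_MODULES" value="0" />
          </serverVariables>
          <action type="Rewrite" url="{URL}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def check(apphost_xml, webconfig_xml):
    """Return a list of (kind, where, detail) tuples, one per inconsistency."""
    host = ET.fromstring(apphost_xml)
    web = ET.fromstring(webconfig_xml)
    problems = []

    # 1. An application with preloadEnabled="true" should sit in a pool whose
    #    startMode is AlwaysRunning (the attribute defaults to OnDemand).
    pools = {p.get("name"): p
             for p in host.findall("system.applicationHost/applicationPools/add")}
    for app in host.iter("application"):
        if app.get("preloadEnabled", "false").lower() != "true":
            continue
        pool_name = app.get("applicationPool")
        pool = pools.get(pool_name)
        if pool is None:
            problems.append(("poolMissing", app.get("path"), pool_name))
        elif pool.get("startMode", "OnDemand") != "AlwaysRunning":
            problems.append(("startMode", app.get("path"), pool_name))

    # 2. Every server variable set by a rewrite rule must be listed under
    #    <allowedServerVariables> in applicationHost.config.
    allowed = {a.get("name")
               for a in host.findall("system.webServer/rewrite/allowedServerVariables/add")}
    for rule in web.iter("rule"):
        for var in rule.findall("serverVariables/set"):
            if var.get("name") not in allowed:
                problems.append(("serverVariable", rule.get("name"), var.get("name")))
    return problems


if __name__ == "__main__":
    print(check(APPHOST, WEBCONFIG))
    print(check(APPHOST_FIXED, WEBCONFIG))
```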

Run the application

1. From an elevated command prompt window, recycle the World Wide Web Service

with the command: net stop w3svc & net start w3svc

2. Using a new instance of Internet Explorer, once again navigate to:

http://localhost/appinit/default.aspx

Note: Even though Url Rewrite rules are now used to define the splash page logic, you still

see the same behavior from the first walkthrough. The Startup.htm page with the grey

background is displayed initially. If you refresh the browser periodically, about eight

seconds later you again see the page background switch to white, indicating that the

"real" default.aspx page is being served now that application initialization is complete.

(Optional) Lab: Complex Splash Page Rules

The previous walkthroughs use application initialization as a straightforward mapping of Url

"X" to Url "Y". In this walkthrough, you are going to implement a more complex application

initialization scenario.

1. In your browser navigate to both of the following Urls:

a. http://localhost/appinit/ImageHandler.ashx?image=Lighthouse

b. http://localhost/appinit/ImageHandler.ashx?image=Tulips

2. These Urls are examples of dynamically generated static content. For this sample

application, the code inside of ImageHandler.ashx looks at the querystring key

"image". If the value of that querystring is either "Lighthouse" or "Tulips" the ASP.NET

handler transmits the corresponding JPG that is located in the App_Data folder.

Note: Since the image handler is just returning images, you want to be able to continue to return an appropriate image even during application initialization. Although the mechanics of serving these images use managed code, you may want to quickly serve up pre-generated images to customers even if the underlying ASP.NET application is taking a long time to start up and initialize itself.

Modifications to application level web.config

1. Using the instance of Notepad that has application-level web.config open, add

another Url Rewrite rule before the final catch-all rule. The new snippet to add is

shown below. Alternatively you can uncomment the pre-populated image handler

rule in web.config that is located under the "Exercise 3 – Step 1 Complex Splash Page

Rules" comment in the web.config file.

    <rule name="Image Handler Remapping" stopProcessing="true">
      <match url="ImageHandler.ashx" />
      <conditions>
        <add input="{APP_WARMING_UP}" pattern="1" />
        <add input="{QUERY_STRING}" pattern="image=([A-Za-z]+)&amp;?" />
      </conditions>
      <action type="Rewrite" url="Images/{C:1}_static.jpg" appendQueryString="false" />
    </rule>

2. Save your changes.

Note: Just as with the rewrite rules for default.aspx and "/", this rule has the stopProcessing attribute set to "true" to ensure that requests to ImageHandler.ashx don't accidentally fall through to the final catch-all rewrite rule during application initialization.

For requests to "ImageHandler.ashx", the rewrite rule uses a regular expression capture group to extract the requested image from the query-string. The match pattern definition pattern="image=([A-Za-z]+)&amp;?" tells IIS to extract the value of the "image" query-string variable. That value is then used in the url attribute of the action element: url="Images/{C:1}_static.jpg".

The url attribute on the action element tells the Url Rewrite module to rewrite

ImageHandler.ashx requests to instead point at files in the Images subdirectory of the

application. Furthermore the query-string value that was captured by the regular

expression is used to help form the name of the file that will ultimately be served from the

Images subdirectory. For example, a request to ImageHandler.ashx?image=Tulips will be

rewritten to Images/Tulips_static.jpg.


3. If you browse to the inetpub\wwwroot\appinit directory using Windows Explorer and

look in the Images subdirectory, you see two files: one representing the "static"

version of Tulips.jpg, and the other representing the "static" version of

Lighthouse.jpg. These static images act as pre-generated content that can be served

while the application initializes.
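To see what the "Image Handler Remapping" rule does with different query strings, the following Python model (an added example, not part of the lab or of the Url Rewrite Module) evaluates the rule exactly as written above. It assumes the module's default behaviour of unanchored, case-insensitive patterns and models APP_WARMING_UP as an empty string outside of initialization; STRICT_QUERY_PATTERN is a suggested tightening that is not in the lab.

```python
import re
import xml.etree.ElementTree as ET

# The rule from the lab, embedded as XML so that &amp; is decoded by the parser.
RULE_XML = """
<rule name="Image Handler Remapping" stopProcessing="true">
  <match url="ImageHandler.ashx" />
  <conditions>
    <add input="{APP_WARMING_UP}" pattern="1" />
    <add input="{QUERY_STRING}" pattern="image=([A-Za-z]+)&amp;?" />
  </conditions>
  <action type="Rewrite" url="Images/{C:1}_static.jpg" appendQueryString="false" />
</rule>
"""

# Suggested tightening (not from the lab): the key must be exactly "image" and
# the value must consist of letters only, up to the next "&" or the end.
STRICT_QUERY_PATTERN = r"(?:^|&)image=([A-Za-z]+)(?:&|$)"

# Constructed query strings for the comparison.
SAMPLES = [
    "image=Tulips",
    "image=Lighthouse&size=large",
    "image=tulips",
    "image=Tulips2",
    "thumbimage=Tulips",
    "image=../Tulips",
]


def evaluate(rule_xml, path, query_string, warming_up, query_pattern=None):
    """Return the rewritten URL, or None when the rule does not apply.

    Simplified model: patterns are unanchored, case-insensitive regular
    expressions, all conditions must match, and {C:n} refers to the capture
    groups of the last condition. query_pattern optionally replaces the
    pattern of the {QUERY_STRING} condition.
    """
    rule = ET.fromstring(rule_xml)
    if not re.search(rule.find("match").get("url"), path, re.IGNORECASE):
        return None
    server_vars = {
        "{APP_WARMING_UP}": "1" if warming_up else "",  # assumed empty otherwise
        "{QUERY_STRING}": query_string,
    }
    last = None
    for cond in rule.find("conditions"):
        pattern = cond.get("pattern")
        if query_pattern and cond.get("input") == "{QUERY_STRING}":
            pattern = query_pattern
        last = re.search(pattern, server_vars[cond.get("input")], re.IGNORECASE)
        if last is None:
            return None
    target = rule.find("action").get("url")
    return re.sub(r"\{C:(\d+)\}", lambda m: last.group(int(m.group(1))), target)


def compare(samples=SAMPLES):
    """Evaluate each sample with the lab pattern and with the strict pattern."""
    return [
        (qs,
         evaluate(RULE_XML, "ImageHandler.ashx", qs, True),
         evaluate(RULE_XML, "ImageHandler.ashx", qs, True, STRICT_QUERY_PATTERN))
        for qs in samples
    ]


if __name__ == "__main__":
    for qs, lab, strict in compare():
        print(f"{qs!r:32} lab={lab!r:32} strict={strict!r}")
```

Because the capture group only accepts letters, the rewritten path always stays inside the Images subdirectory. The anchored variant additionally rejects keys that merely end in "image" and values followed by other characters.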

Run the application

1. From an elevated command prompt window, recycle the World Wide Web Service

with the command: net stop w3svc & net start w3svc

2. Using Internet Explorer navigate to either:

a. http://localhost/appinit/ImageHandler.ashx?image=Lighthouse

b. http://localhost/appinit/ImageHandler.ashx?image=Tulips

3. Notice how the images returned in either case include a watermark indicating these

are the "static" pre-generated versions of the images. The watermark is text in the

upper portion of the image saying "This image is the static version of...."

4. If you refresh your browser about 10 seconds later, you see the returned image

content change to the "real" content being served by the ImageHandler.ashx handler.

The watermark disappears, which indicates that the content is now being dynamically

generated by the ASP.NET handler since the application has completed initialization.

5. Note: If Internet Explorer appears to not be refreshing, click either the "broken

document" icon in the address bar or the refresh icon to force Internet Explorer to

reload the page.

Lab summary

The IIS 8.0 Application Initialization feature gives developers and Administrators the ability

to return static content to browsers while IIS is initializing a "cold" application. Serving static

content immediately to browsers gives customers a better user experience. Instead of cold-

start applications resulting in a blank browser page or a spinning wait icon, the Application

Initialization feature can be used to serve relevant static content while the underlying

application completes expensive initialization processing.

The initialization process can occur automatically whenever a web server is brought online or

recycled. For scenarios where server Administrators don't want to greedily initialize

applications, the initialization process can instead be triggered on-demand when the first

request arrives at a "cold" application.


For both global and local application initialization the Url Rewrite module can be integrated

to provide richer and more complex initialization rules. Using Url Rewrite rules integrated with

the Application Initialization feature it is possible to serve different types of pre-generated

static content for different Urls and virtual paths while IIS continues to start-up an application

in the background.


Lab 41: IIS Backup – Web Deploy

1. Launch your IIS_WEBB server and verify you have some sites and applications.

2. Install WebDeploy 3.0 package using typical settings (you will find it in the ISO file).

3. Open IIS Management Console and verify if you have "deployment" links in the

action pane when you click on the server, the site or the application.

4. Select your web server name in the left pane.

5. Click on the "Export server package" link in the right pane and save the

"server.zip" package using default settings.

6. Remove some of your websites and then app pools.

7. Select your web server name in the left pane.

8. Click on the "Import server package" link in the right pane and save the

"server.zip" package using default settings. You need to accept a warning message.

Please read it before accepting.

9. Verify if your app pools, sites and applications were restored correctly and can be opened.

10. Launch cmd.exe.

11. Navigate to C:\Program Files\IIS\Microsoft Web Deploy V3

12. Type: msdeploy -verb:sync -source:appHostConfig="Your Site Name" -dest:archivedir=c:\archive -enableLink:appPool

13. Optionally you can configure https binding and try to backup certificates by adding

"-enableLink:CertificateExtension" to the previous command.

14. Optionally you can replace your destination (type: archivedir, value: c:\archive) with

type "package" and value "c:\archive.zip".

15. Delete your site and associated app pools.

16. Try to restore your backup using command: msdeploy -verb:sync -source:archivedir=c:\archive -dest:appHostConfig="Restored WebSite" -enableLink:appPool

17. Go to your App Pools and find a pool associated with more than zero applications.

18. Try to delete such a pool. Is this possible? Why?

19. Navigate to C:\Program Files\IIS\Microsoft Web Deploy V3

20. Type: msdeploy -verb:delete -dest:appPoolConfig="your pool name"

21. Verify if your pool was actually deleted.

22. Try to launch your web application.

23. Use your backup to re-create your website with linked App Pools.


Lab 42: JavaScript Profiling (Optional)

1. On your host machine launch Internet Explorer browser and navigate to

http://ie.microsoft.com/testdrive/Performance/BrickBreaker

2. Click on the first tile in the "Level Selection" window

3. Press F12 to start F12 Developer Tools

4. Switch to "Profiler" tab and click "Start profiling"

5. Return to Internet Explorer window and play a game for some time

6. Switch to F12 console and click "Stop profiling"

7. Switch current view to "Call tree"

8. Expand nodes renderAll – renderAll – next – checkCollision – elementsInRect – elementsOfClass – hasCssClass

9. Note the count of hasCssClass function calls. Why does it make sense to start the improvement from this function?

10. Double click hasCssClass function name to switch to the "Script" tab

11. Right click function name and select "Insert breakpoint" from the context menu

12. Click "Start debugging" button on the toolbar

13. Click on the first tile in the Internet Explorer "Level Selection" window and start

playing

14. Wait until execution stops on the breakpoint.

15. Click "Locals" over the right pane and look inside the local objects. Click "Call stack" and check how the function was called.

16. Click "Breakpoints" over the right pane and de-select your breakpoint.

17. Click "Watch" over the right pane and add "Balls" to the watch list. Expand the object

properties and find Balls[0].speed

18. Right click the value and edit it. Change the value to 1.

19. Press F5 to continue. Intentionally miss the first ball and launch another one. Note

the difference.

20. Discuss how F12 may help you in troubleshooting performance problems in modern

web applications.


Lab 43: Network traffic monitoring (Optional)

1. Launch IE browser and navigate to http://gizmodo.com/

2. Make sure you have no Tracking Protection enabled – the "no parking" sign next to

the URL must be gray.

3. Press F12.

4. Switch to "Network" tab and press "Start capturing".

5. Return to your browser and open gizmodo.com page again and wait until it fully

loads.

6. Switch to F12 tool and press "Stop capturing"

7. Sort by the "URL" column and try to determine the number of websites used to display the webpage.

8. Sort by "Result" column and try to find 304 pages. What does it mean? Does it affect

performance?

9. Double click any entry to switch to detailed view.

Lab 44: IIS on Nano Server (Optional)

1. Copy the required Windows PowerShell scripts

Switch to HOST1. Then go to Computer. Mount the ISO for Windows Server 2016 and

verify the DVD media drive letter.

2. Right-click Start, and then click Windows PowerShell (Admin).

3. In the Windows PowerShell window, type cd\, and then press Enter.

4. In the Windows PowerShell window, type md Nano, and then press Enter.

5. In the Windows PowerShell window, type the following command, and then press Enter.

copy d:\NanoServer\NanoServerImageGenerator\*.ps* c:\nano

!To verify the procedure: go to C:\Nano and verify that you have Convert-WindowsImage.ps1, NanoServerImageGenerator.psd1 and NanoServerImageGenerator.psm1. If not, copy the missing files from WindowsServer2016 ISO file > NanoServer.

Import Windows PowerShell modules

In the Windows PowerShell window, type the following command, and then press

Enter.

Import-Module c:\nano\NanoServerImageGenerator.psm1

Create a virtual hard disk

1. In the Windows PowerShell window, type the following command, and then press Enter.

TP5:

new-NanoServerImage -mediapath D:\ -Basepath c:\nano -targetpath c:\nano\nano-svr1.vhdx -computername NANO-SVR1 -storage -packages Microsoft-NanoServer-IIS-Package -DeploymentType Guest -Edition Datacenter

2. At the AdministratorPassword prompt, type P@ssw0rd, and then press Enter.

3. When the process is completed, on the taskbar, click File Explorer, navigate to C:\Nano,

and then examine the files listed. Verify that nano-svr1.vhdx exists.

-Storage              File Server role and other storage components

-Compute              Hyper-V Role

-Clustering           Failover Clustering

-OEMDrivers           Variety of network and storage controller drivers.

-GuestDrivers         Drivers for running Nano Server as a Hyper-V virtual machine.

-ReverseForwarders    Reverse forwarders allow you to run some software on Nano Server that is not explicitly made for Nano Server.

<https://blogs.technet.microsoft.com/nanoserver/2015/06/15/powershell-script-to-build-your-nano-server-image/>

4. Create a new VM from the Nano VHDX file. In the Windows PowerShell window, type the following command, and then press Enter.

new-VM -Name NANO-SVR1 -Generation 2 -VHDPath c:\Nano\Nano-SVR1.vhdx

When the process is completed, go to Hyper-V Manager and verify that the nano-svr1 VM exists. For the next step, connect the VM to the same Virtual Switch that the Domain Controller VM is connected to.

!TIP You can add Nano Server directly to a domain with a parameter like:

New-NanoServerImage -Edition Standard -DeploymentType Host -MediaPath \\Path\To\Media\en_us -BasePath .\Base -TargetPath .\JoinDomHarvest.vhdx -ComputerName JoinDomHarvest -DomainName Contoso

Sign in to the NANO-SVR1 virtual machine

1. On NANO-SVR1, in the User name box, type Administrator, and then press the Tab

key.

2. In the Password box, type P@ssw0rd, and then press Enter.

Completing post-installation tasks on Nano Server

Use the Nano Server Recovery Console to view basic settings


1. On NANO-SVR1, in the Nano Server Recovery Console, observe that the computer

name is Nano-Svr1 and that the computer is in a workgroup. Press the Tab key until

Networking is selected, and then press Enter.

2. Press Enter on the Ethernet adapter. In Network Adapter Settings, notice that DHCP is

obtaining the IP configuration.

3. Make a note of the IP address.

4. Press Esc twice.

Add Nano Server to the domain

1. Switch to DC with login as Administrator and password as P@ssw0rd.

2. Switch to the Administrator: Windows PowerShell window.

3. At the command prompt, type the following cmdlet, and then press Enter.

djoin.exe /provision /domain company /machine nano-svr1 /savefile .\odjblob

Note: Replace the IP address 192.168.127.X in the following commands with the IP address

you recorded earlier from your Nano Server installation.

4. At the command prompt, type the following cmdlet, and then press Enter. Your IP

address might be different.

Set-Item WSMan:\localhost\Client\TrustedHosts "192.168.127.X"

5. Type Y, and when prompted, press Enter.

6. At the command prompt, type the following cmdlet, and then press Enter. Your IP

address might be different.

$ip = "192.168.127.X"

7. At the command prompt, type the following cmdlet, and then press Enter.

Enter-PSSession -ComputerName $ip -Credential $ip\Administrator

8. In the Windows PowerShell credential request dialog box, in the Password box, type

P@ssw0rd, and then click OK.

9. At the command prompt, type the following cmdlet, and then press Enter.

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

10. At the command prompt, type the following cmdlet, and then press Enter.

Exit-PSSession

11. At the command prompt, type the following command, and then press Enter. Your IP

address might be different.

net use z: \\192.168.127.X\c$

12. At the command prompt, type Z:, and then press Enter.

13. At the command prompt, type the following command, and then press Enter.

copy c:\odjblob

14. At the command prompt, type the following cmdlet, and then press Enter.

Enter-PSSession -ComputerName $ip -Credential $ip\Administrator

15. In the Windows PowerShell credential request dialog box, in the Password box, type

P@ssw0rd, and then click OK.

16. At the command prompt, type cd\, and then press Enter.

17. At the command prompt, type the following cmdlet, and then press Enter.

djoin /requestodj /loadfile c:\odjblob /windowspath c:\windows /localos

18. At the command prompt, type the following cmdlet, and then press Enter. Nano Server

restarts.

shutdown /r /t 5


19. Switch to NANO-SVR1.

20. In the User name box, type Administrator, and then press the Tab key.

21. In the Password box, type P@ssw0rd and then press Tab.

22. In the Domain box, type Company, and then press Enter.

23. In the Nano Server Recovery Console, observe that the computer is in the adatum.com

domain.

Use Windows PowerShell to configure the settings of Nano Server

1. Switch to DC, and then close Windows PowerShell.

2. Right-click Start, and then click Windows PowerShell (Admin).

3. At the command prompt, type the following cmdlet, and then press Enter.

get-windowsfeature -comp Nano-svr1

4. At the command prompt, type the following cmdlet, and then press Enter.

install-windowsfeature Fs-fileserver -comp Nano-svr1

5. At the command prompt, type the following cmdlet, and then press Enter.

get-windowsfeature -comp Nano-svr1

6. At the command prompt, type the following cmdlet, and then press Enter. Substitute

the X for the last octet of the IP address on the Nano server.

$ip = "192.168.127.X"

7. At the command prompt, type the following cmdlet, and then press Enter.

Enter-PSSession -ComputerName $ip -Credential $ip\Administrator

8. In the Windows PowerShell credential request dialog box, in the Password box, type

P@ssw0rd, and then click OK.

9. At the command prompt, type the following cmdlet, and then press Enter.

get-netipaddress

10. At the command prompt, type the following cmdlet, and then press Enter.

bcdedit /enum

11. At the command prompt, type the following cmdlet, and then press Enter.

net share

12. At the command prompt, type the following cmdlet, and then press Enter.

Exit-PSSession
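Set-Item on WSMan:\localhost\Client\TrustedHosts, as typed in step 4 of "Add Nano Server to the domain", replaces whatever list was there and leaves the Nano Server address trusted after the lab. As an added example (not part of the original lab files), the helper below appends the address only for the duration of one remote call and then restores the previous list. The function name Invoke-WithTrustedHost is hypothetical, and 192.168.127.X is the lab's placeholder address.

```powershell
# Added example: scope the TrustedHosts change to a single remoting call.
# Run from an elevated Windows PowerShell window on the management machine.
function Invoke-WithTrustedHost {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [scriptblock]  $ScriptBlock
    )

    $path     = 'WSMan:\localhost\Client\TrustedHosts'
    $previous = (Get-Item -Path $path).Value   # empty string when nothing is trusted

    try {
        # -Concatenate appends to the list instead of overwriting existing entries.
        Set-Item -Path $path -Value $ComputerName -Concatenate -Force
        Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock $ScriptBlock
    }
    finally {
        # Put the list back exactly as it was, even if the remote call failed.
        Set-Item -Path $path -Value $previous -Force
    }
}

# Replace X with the address noted in the Nano Server Recovery Console.
$ip   = '192.168.127.X'
$cred = Get-Credential -UserName "$ip\Administrator" -Message 'Nano Server local administrator'

# The same checks the lab runs interactively inside Enter-PSSession.
Invoke-WithTrustedHost -ComputerName $ip -Credential $cred -ScriptBlock {
    Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress
    net share
}

# Confirm that the client list is back to its previous value.
(Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value
```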

Enable remote management with Server Manager

1. On DC1, in Server Manager, in the navigation pane, right-click All Servers, and then

click Add Servers.

2. In the Add Servers dialog box, in the Name (CN): box, type Nano-SVR1, and then

click Find Now.

3. In the Name list, click Nano-svr1, and then to add the computer to the Computer list,

click the Right Arrow key.

4. Click OK.

5. In Server Manager, expand File and Storage Services.

6. Click Shares, and then in the TASKS list, click New Share.

7. In the New Share Wizard, click SMB Share – Quick and then click Next.

8. On the Select the server and path for this share page, in the Server list, click nano-

svr1, and then click Next.

9. On the Specify share name page, in the Share name box, type Data, and then click

Next.


10. To complete the wizard, click Next twice, and then click Create.

11. Click Close.

Test the file server and web server on Nano Server

1. On DC1, switch to the Administrator: Windows PowerShell window.

2. At the command prompt, type the following command, and then press Enter.

net use z: /d

3. At the command prompt, type the following command, and then press Enter.

net use z: \\Nano-svr1\c$

4. Click Start, type Notepad, and then press Enter.

5. In Notepad, type <H1> Nano Server Website </H1>.

6. Click File and then click Save As.

7. In the Save As dialog box, in the File name box, type z:\Inetpub\wwwroot, and then

press Enter.

8. In the Save as type list, click All Files.

9. In the File name box, type Default.htm, and then click Save.

10. Close Notepad.

11. Click Start, click All apps, click Windows Accessories, and then click Internet

Explorer.

12. Navigate to http://nano-svr1. Does your webpage display?

13. Close Windows Internet Explorer.

14. On DC1, at the command prompt, type the following command, and then press Enter.

net use y: \\nano-svr1\data

15. Type cmd and press Enter.

16. Type write, and then press Enter.

17. In WordPad, type This is my document, click File, and then click Save.

18. In the Save As dialog box, in the File name box, type Y: and then press Enter.

19. In the File name box, type My document, and then click Save.

20. In File Explorer, navigate to data (\\nano-svr1) (Y:). Is your file listed?


Lab 45: IIS and HTTP2 (Optional)

Machines used in this Lab: DC, NODE5

On Node5, log in as Cqure\Administrator. Verify HTTP2 settings in the browser

1. Switch to NODE5. Then run Internet Explorer. Go to Tools>Internet

Options>Advanced and make sure that HTTP2 support is enabled.

2. To close the window click OK

3. Click RUN (Win+R) and type certlm.msc and Request New Certificate.


6. In the certificate enrollment Wizard click Next two times, on the Request Certificates

select WebServer and click Properties

7. In the General tab in the Friendly Name type : http2.cqure.tec

8. Next switch to Subject tab and in Subject Name section select Common Name and

type : http2.cqure.tec and click Add, in the Alternative Name section select DNS and

type: http2.cqure.tec and click Add


9. Click OK to approve the changes and close the window.

10. At the end, the certificate should be successfully enrolled

Optionally! You may generate a self-signed certificate.

Open Server Manager and in Tools>Internet Information Services (IIS) Manager, locate and open Server Certificates


In the right pane, in the Actions window, choose Create Self-Signed Certificate and proceed with the wizard. In the highlighted field specify http2.cqure.tec as the name and select Personal as the certificate store.

Once you have a certificate generated, proceed to the next steps.

11. Go to the course lab files: in the properties of the Node5 VM select Media, choose DVD and mount http2.iso

12. In Windows Explorer, browse to DVD Drive>select IIS10-http2-loader.

13. Then copy the folder to C:\inetpub.

14. Open Server Manager > Dashboard and select Add roles and features. Click Next until Select server roles appears and, under Web Server (IIS) > Application Development, make sure that Application Initialization, ASP, CGI, ISAPI Extensions and ISAPI Filters are installed. If not, proceed with the procedure of adding server roles.

15. Switch to IIS Manager and go to Sites and add a New Site


16. Then configure the site: in Site Name type http2, in Physical path type C:\inetpub\IIS10-http2-loader, in Host Name type http2.cqure.tec, and click OK

17. After creating the new site, switch to DC, open Server Manager>Tools>DNS and in the Cqure.tec zone add a new host entry. In the name type: http2 and in the IP address: 192.168.127.109 (which is your IIS server IP address), then click OK.


18. After creating a DNS entry for the new site switch back to NODE5 VM and continue to

configure IIS.

19. In the IIS Manager go to Application Pools and find the newly created pool called http2. Right-click it, select Advanced Settings, and in General set Enable 32-bit Applications to True. Click OK to save and close the window.

20. Go to IIS Manager>Sites>http2 and in the IIS section find Default Document then in

the right pane Actions select Add… and type: loader.htm and OK.

21. In IIS Manager>Sites>http2, in the IIS section find Handler Mappings, right-click ISAPI-dll and choose Edit Feature Permissions…. In the newly opened window make sure Execute is checked and save the settings by clicking OK.

22. On the root node, in the central IIS section open ISAPI and CGI Restrictions. On the right in Actions click Edit Feature Settings…, enable unspecified CGI and ISAPI modules and click OK.


23. Open the browser and in the address bar type: http://http2.cqure.tec (you should see a new page loading a picture; try to resize the window to see the whole picture and refresh the site once more).

24. Open CMD and type: ipconfig /flushdns

25. Go back to the browser and refresh the site, observe how the picture is being loaded.

26. To add a new SSL binding go to IIS Manager>Sites>http2 right click Edit Bindings

and click Add.

27. Configure the new binding by selecting Type: https, in the Host Name type:

http2.cqure.tec and select in the SSL certificate: http2.cqure.tec as the default

certificate, click OK.

28. Go back to the browser and open a new tab, in the address type :

https://http2.cqure.tec.

29. Observe how the picture loads, test the protocol type and verify the performance.

In Internet Explorer open IE Tools and select Developer Tools > Network tab, or press F12 to run it. Clear the cache using ipconfig /flushdns, then in the browser access http://http2.cqure.tec and observe the results in the Developer Tools Network tab. Then access https://http2.cqure.tec and check Developer Tools once again. You will observe that accessing the different sites uses different protocol versions; compare the Time and Received columns and the page load performance.


Lab 46: IIS WildCard HostHeader support (Optional)

Machines used in this Lab: DC, NODE1

On NODE1, on the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

1. Go to the course lab files: in the properties of the VM select Media, choose DVD and mount http2.iso.

2. In Windows Explorer, browse to DVD Drive>select WildCard Host Header and copy

the folder to C:\inetpub.

3. From the IIS Manager connections list, click the "Add Website.." option in the Actions pane.

4. Enter the configuration of the Cqure WildCard site: in the Site Name text box type WildCardCqure, and in Physical path point to the previously copied folder in: C:\inetpub\wwwroot\WildCard Host Header.

5. Configure the new binding by typing in the Host Name: *.cqure.tec and click OK.

6. Switch to DC and open DNS. In Forward Lookup Zones>Cqure.tec, right-click to create a new Host (A). In the name type: WildCard and in the IP: (your IIS server IP).

7. Open the browser and in the address type : http://wildcard.cqure.tec.

8. Observe that the site loads and displays the name.

9. Go back to the DNS Manager console and expand "Forward Lookup Zones", then right-click and select "New Zone". On the Zone Type page make sure Primary zone is selected, uncheck “Store the zone in Active Directory” and click Next. In the Zone Name type: intranet.cqure.tec and finish the wizard. After the zone is created, open the newly created zone (in our case intranet.cqure.tec) and right-click to add a new Host (A); leave the Host name blank and add only the IP address: (your IIS server IP).

10. Repeat the same procedure for private.cqure.tec and extranet.cqure.tec. At the end you should have 3 new zones: intranet, private, extranet.

11. Go back to your browser and type: intranet.cqure.tec, then open another new tab for: extranet.cqure.tec and observe the results. Try to test private.cqure.tec and wildcard.cqure.tec also.


Lab 47: OneToOne certificate mapping (Optional)

Machines used in this Lab: DC, WEBA

1. Log on to DC as Cqure\Administrator. Click RUN (Win+R) and type MMC, then add a new snap-in (Ctrl+M): select Certification Authority, click Add, select local computer and click Finish.

2. In the console window expand CA > CQure Root.. and go to Certificate Templates

then click Certificate Template to Issue

3. On the template list find template called User and click OK. Do the same for the

Computer template.

4. Switch to WEBA, log in as Cqure\Administrator and click RUN (Win+R) and type

certmgr.msc and Request New Certificate.

5. In the certificate enrollment Wizard click Next two times, on the Request Certificates

select User and click Enroll

6. At the end, the certificate should be successfully enrolled


7. Open RUN (Win+R) one more time, type certlm.msc and Request New Certificate for the Computer.

8. Run Windows PowerShell as Administrator and type:

Import-module servermanager

Add-windowsfeature web-client-auth, web-cert-auth, web-windows-auth, web-basic-auth

9. Open ServerManager and go to Tools > Internet Information Services (IIS) Manager >

Sites, right click and edit bindings.

10. Select the https site binding using the computer certificate and click OK.


11. Open the browser and type : https://weba.cqure.tec and you will see the default IIS

site.

Change the authentication settings

1. In the Default Web Site pane move to Features View and select Authentication to change the settings. Enable only Basic Authentication and Windows Authentication; the rest should be disabled.

2. Open the browser and type : https://weba.cqure.tec and in the Windows Security

pop-up type as user name : administrator and password: P@ssw0rd


3. After typing the credentials you will be logged in to the IIS default site.

Set One To One certificate on IIS server

1. On WEBA, open Certmgr.msc and export the Administrator certificate.

2. Export it without the private key, on the Export File Format page choose Base-64 encoded X.509 (.CER) and save it as: UserOneToOne.cer on the desktop.

The oneToOneMappings collection item has an attribute called certificate. The required value for this attribute is not the certificate hash but the actual certificate blob. Here's how you extract it.

3. Right click on your .cer file on the Desktop

4. Select Open With... in the context menu


5. Select Notepad from the list of More Apps and click OK. [Note: Notepad may be

hidden beneath a drop down in the list view]

6. Notepad should display the Base-64 encoded certificate between the following two marker lines:

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

7. Remove -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

8. Format the certificate blob to be a single line.

9. Save this file as UserOneToOneText.txt on the Desktop and copy the converted

certificate blob data.

10. Open the Internet Information Services (IIS) Manager, go to Sites > Default Web Site and in the Features View select Configuration Editor. In the Section drop-down box select the section address: "system.webServer/security/authentication/iisClientCertificateMappingAuthentication".


11. Then in the settings select the enabled field and change the value to true.

12. Select the oneToOneCertificateMappingsEnabled property grid entry and change

the value to true.

13. Select the oneToOneMappings property grid entry and click Edit Items... in the

Actions Task Pane.

14. Click Add in the Collection Editor task list

15. Copy the single string certificate blob from above and paste it into the certificate field


16. Set the username (Administrator) and password (P@ssw0rd) that the client will be authenticated as.

17. Set the enabled field to true

18. Close Collection Editor

19. On the right in the Actions pane click Generate Script and review the C#, JavaScript, CommandLine and PowerShell scripts that IIS generates for you; you can always use them to deploy the settings.

20. Close the Script Dialog of the generated scripts.

21. Click Apply in the Actions Task Pane

22. Once this is complete the server will be configured to handle IIS Client Certificate

Mapping authentication with a single one to one certificate mapping entry.

23. In Internet Information Services (IIS) Manager go to Sites > Default Web Site, in the Features View select SSL Settings, configure it to Accept certificates and Apply the changes.


24. Open the browser and type : https://weba.cqure.tec and you will see the certificate

information.

25. Click OK and you will be successfully able to authenticate to the default IIS Web Site

using the OneToOne certificate.
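The "Set One To One certificate on IIS server" procedure above, scripted as an added example (not the lab's own files and not the output of Generate Script): it derives the single-line certificate blob by parsing UserOneToOne.cer instead of hand-editing it in Notepad, then applies the same settings with the WebAdministration module. Assumptions: an elevated PowerShell session on WEBA, the .cer file on the current user's Desktop, and the mapped account entered at a prompt rather than typed into the script.

```powershell
# Added example: one-to-one client certificate mapping without manual text editing.
Import-Module WebAdministration

$cerPath = Join-Path $env:USERPROFILE 'Desktop\UserOneToOne.cer'   # assumed export location
$site    = 'Default Web Site'
$root    = 'MACHINE/WEBROOT/APPHOST'
$section = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# Parsing the file proves it is a well-formed certificate; re-encoding RawData yields
# the Base-64 blob on one line with no BEGIN/END markers or line breaks.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$blob = [Convert]::ToBase64String($cert.RawData)

# Review which certificate is about to be bound to an account before mapping it.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); request a new one before mapping."
}

# Account the certificate maps to (the lab uses Administrator).
$cred = Get-Credential -UserName 'Administrator' -Message 'Account for the one-to-one mapping'

# Steps 11-12: enable the feature and one-to-one mappings for this site only.
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter $section `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $root -Location $site -Filter $section `
    -Name oneToOneCertificateMappingsEnabled -Value $true

# Steps 13-17: add the mapping entry to the oneToOneMappings collection.
Add-WebConfigurationProperty -PSPath $root -Location $site `
    -Filter "$section/oneToOneMappings" -Name '.' -Value @{
        enabled     = 'True'
        userName    = $cred.UserName
        password    = $cred.GetNetworkCredential().Password
        certificate = $blob
    }

# Step 23: SSL Settings > client certificates: Accept.
Set-WebConfigurationProperty -PSPath $root -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'SslNegotiateCert'

# Read the mappings back to confirm which accounts certificates now authenticate as.
(Get-WebConfiguration -PSPath $root -Location $site -Filter "$section/oneToOneMappings").Collection |
    Select-Object userName, enabled
```

Reading the collection back is also a quick audit of an existing server: every entry listed is an account that a matching client certificate can log on as.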


CQURE Academy says thank you!

Thank you for attending IIS training. We hope it was useful and that you feel that your IIS skills are at a higher level!

The CQURE Team wishes you all the best in your future engagements with IIS.

Please note that this training is a part of CQURE Academy and you are eligible to receive the

certificate of Certified Security Professional.

Do not forget to check our website: http://cqure.pl for new and existing training and

consultancy offers. You will find there useful tools as well.

Your opinion is extremely important for us. Please complete the 1 minute survey on

http://stderr.pl/surveys
