Advanced Internet Information Services 7.5/8/8.5

Lab Instructions

Version 1.2

Document created: 22nd of April 2014

This is authored content - please respect intellectual property!

Author: CQURE

http://cqure.us


Contents

Welcome to IIS training!

CQURE Academy

Note Pages (Page 1)

Note Pages (Page 2)

Lab 1: Installing IIS 8 with the Default Settings

Lab 2: Installing IIS on Server Core using PowerShell

Lab 3: Installing IIS Using Ghost Installation

Lab 4: Installing IIS on Server Core

Lab 5: IIS Basic configuration steps

Lab 6: Websites and Application Pools

Lab 7: Creating Web Application

Lab 8: Working with Application Pools

Lab 9: Configuring Application Settings

Lab 10: Running both ASP.NET 3.5 and ASP.NET 4.5 Applications

Lab 11: Configuring ASP.NET Settings for development

Lab 12: Configuring Multiple Applications

Lab 13: ASP.NET Security

Lab 14: Tracing and Logging for ASP.NET

Lab 15: Request Filtering

Lab 16: IIS Modules

Lab 17: Configuring Managed Modules

Lab 18: Securing the IIS Web Server and Web Sites

Lab 19: CPU Throttling: Sand-boxing Sites and Applications

Lab 20: Central certificate store

Lab 21: Configuring FTP Protection

Lab 22: Authorization, Authentication and Access

Lab 23: IIS Hardening

Lab 24: IIS under attack

Lab 25: Logging

Lab 26: Delegation and Remote Administration

Lab 27: Configuring Delegated Administration

Lab 28: Configuring Feature Delegation

Lab 29: Automating webserver management

Lab 30: Command-line and Scripting for IIS

Lab 31: Manage IIS tasks using WMI and AppCmd

Lab 32: Tuning IIS

Lab 33: Web Farms

Lab 33: Shared Configuration

Lab 35: Web Deploy

Lab 36: Configuring Network Load Balancing

Lab 37: Troubleshooting IIS

Lab 38: Troubleshooting Authorization

Lab 39: Troubleshooting Communication

Lab 40: Troubleshooting Configuration

Lab 41: Application Initialization (Optional)

Lab 42: Url Rewrite and Application Initialization (Optional)

Lab 43: IIS Backup – Web Deploy

Lab 44: JavaScript Profiling (Optional)

Lab 45: Network traffic monitoring (Optional)

CQURE Academy says thank you!


Welcome to IIS training!

Before you start the exercises, please take a look at how the classroom environment is set up. In this course, you will use a cloud service to perform the labs. You will connect to the server using an RDP connection. Your instructor will provide you with a username and password to access the environment. The virtual machines are based on the Hyper-V platform. Your instructor will provide guidelines on how to start, shut down, save and create snapshots of virtual machines. Please read the lab instructions carefully, as it is sometimes required to return to the starting point. It is necessary to follow the instructions so that the labs do not interfere with each other. Each virtual machine is a member of the domain cqure.tec. Each machine has Windows Server 2012 installed. In this training we will use web applications that are hosted for the company Raccoons.

When you first use each machine, you may be asked to configure IP addresses for it. Our goal was to make such simple tasks as fast as possible, so we built scripts that you can simply run on each machine.


The following table shows the role of each virtual machine used in this course:

| Virtual Machine Name | Hostname | Role |
|---|---|---|
| IIS8_DC | DC | Domain Controller |
| IIS8_WEBA | WEBA | Primary Web Server |
| IIS8_WEBB | WEBB | Primary Web Server |
| IIS8_NODE1 | NODE1 | Used for IIS installation - Regular |
| IIS8_NODE2 | NODE2 | Used for IIS installation - Core |
| IIS8_NODE3 | NODE3 | Used for IIS installation - Unattended |
| IIS8_NODE4 | NODE4 | Primary Web Server |
| IIS8_NODE5 | NODE5 | Primary Web Server |
| IIS8_WEB2 | WEB2 | Secondary Web Server |

Please note that:

1. All necessary files are on the ISO image delivered with the course.

2. It may be necessary to configure IP addresses for each VM; use the ipaddress.iso provided and run the appropriate script from it. Verify the configuration.

3. Sometimes it may be necessary to configure firewall rules during an exercise, so please be prepared for that.

Enjoy!


CQURE Academy

Please note that this training is a part of CQURE Academy and you are eligible to receive the certificate of Certified Security Professional.

Do not forget to check our website, http://cqure.pl, for new and existing training and consultancy offers. You will also find useful tools there.

Please have a look at the next two pages for enlargement:


Lab 1: Installing IIS 8 with the Default Settings

Machines used in this Lab: NODE1 – please create snapshot before Installation!

To install IIS 8 on NODE1, use the following steps:

1. Log on as Administrator // Passw0rd

2. Open Server Manager.

3. Under Manage menu, select Add Roles and Features:

4. Select Role-based or Feature-based Installation:


5. Select the appropriate server (local is selected by default).

6. Select Web Server (IIS):

7. Add Management Tools Feature


8. No additional features are needed for IIS, click Next:

9. Click Next:

10. Customize your installation of IIS, or accept the default settings that have already been selected for you. Make sure that ASP under the Application Development section is checked and then click Next.

11. Click Install:


12. When the IIS installation completes, the wizard reflects the installation status:

13. Click Close to exit the wizard.

14. Open Internet Explorer. The Microsoft Windows Internet Explorer window opens. Browse to http://localhost.

15. Notice that the IIS Welcome page loads, indicating that IIS is successfully installed and running.

16. After this exercise you should have successfully verified that the IIS Welcome page opens.


Lab 2: Installing IIS on Server Core using PowerShell

Machines used in this Lab: DC, NODE3 - please create snapshot before Installation!

When Server Core originally shipped, a lot of Windows admins avoided it because you could only use the command line. This changed with Windows Server 2012, which enabled the use of a hybrid mode. Before we move on to installing IIS on Server Core, let’s practice switching between the server modes:

Turning the GUI Off

In Windows Server 2012 the GUI follows the modular nature of recent Windows Server operating systems and has in turn become a “Feature”. This makes removing the GUI very easy.

1. Log in to NODE3 as Administrator//Passw0rd.

2. To get started, launch Server Manager.

3. Click on Manage, and then select Remove Roles or Features from the menu.

4. Click Next to skip past the Before You Begin page, then select your server from the server pool and click Next.


5. Since the GUI is not a Role, we can just click next again to skip past the Roles section.

6. When you reach the Features page, you need to uncheck the box next to the “User Interfaces and Infrastructure” option, and then click next.


7. Now select the “Restart Destination Server” box, then click remove.


8. The GUI will now be removed.

9. After the binaries are removed your server will automatically reboot.

10. Once it comes back up, log in as Administrator//Passw0rd

11. The first thing we need to do is get into PowerShell, so type PowerShell and hit Enter.

12. Now we need to specify the module in PowerShell to import:

a. Import-Module ServerManager

13. Let’s list the features to install in the IIS installation:

a. Get-WindowsFeature *web*

14. Install the basic configuration of IIS:

a. Add-WindowsFeature Web-Server, Web-ASP

15. On DC, use Internet Explorer and browse to http://10.10.10.103

16. Now we need to use Add-WindowsFeature to add the components back:

a. Add-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

This is just an alias for: Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

17. When this is done, we will need to restart the server by using the Shutdown command:

a. Exit PowerShell and then type Shutdown -r -t 0

18. When your server reboots you will have the GUI back.

19. Revert the machine to the snapshot created at the beginning of the exercise.


(Optional) Lab: Turn off and on GUI using different methods

This exercise is optional; try it if you have finished the lab before the rest of the group.

Turning the GUI Off with PowerShell

1. You can do the same thing as we did in the GUI much quicker with a PowerShell cmdlet. To do so, open Server Manager, click on Tools and launch PowerShell.

2. We can use the Remove-WindowsFeature cmdlet to remove the feature:

a. Remove-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

Since Remove-WindowsFeature is just an alias, you could also use: Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

3. Not long after you have hit the Enter key, the removal will begin.

4. When it’s done, you will be notified that you need to restart your server to complete the process, which can be easily done from the current PowerShell window by running:

a. Shutdown -r -t 0

5. When your machine restarts you will only have the command line to work with.


Lab 3: Installing IIS Using Ghost Installation

Machines used in this Lab: DC, NODE3

Start the NODE3 virtual machine and log on as Local Admin with the password of Passw0rd.

Turn on Network Discovery

1. On NODE3, open network settings.

2. Click the information bar with the text Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change....

3. Click Turn on network discovery and file sharing.

4. Click Yes, turn on network discovery and file sharing for all public networks.

5. Close Network.

Create the Unattend.xml file by copying the default XML file provided and removing unnecessary features

1. Open Notepad, and then press Enter.

2. The Notepad window opens. On the File menu, click Open.

3. The Open dialog box appears. In the Text Documents list, click All Files.

4. Browse to Step1 in the course lab files on the ISO file provided for you.

5. Click unattend_all.xml and then click Open.

6. Delete the following lines:

<selection name="IIS-HttpRedirect" state="true"/>

<selection name="IIS-ASP" state="true"/>

<selection name="IIS-CGI" state="true"/>

<selection name="IIS-IIS6ManagementCompatibility" state="true"/>

<selection name="IIS-Metabase" state="true"/>

<selection name="IIS-WMICompatibility" state="true" />

<selection name="IIS-LegacyScripts" state="true"/>

<selection name="IIS-LegacySnapIn" state="true"/>

7. The Unattend.xml file needs to be modified with the correct version number (this will match the HAL major and minor version numbers).

8. To do this, edit Version="6.0.6001.16659" to Version="<found_in_cmd_properties>"

9. On the File menu, click Save As.


10. The Save As dialog box appears. Type c:\unattend.xml, and then click Save.

11. Close Notepad.
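Steps 6 to 8 above can also be done with a script instead of Notepad, which makes it easy to see which of the listed selections were actually present. The following PowerShell is an added example, not part of the course lab files; the function name Edit-PkgmgrUnattend, the sample XML and the version value are constructed, and the file is assumed to use the usual pkgmgr answer-file layout with a lowercase or capitalised version attribute on assemblyIdentity.

```powershell
# Added example, not part of the course lab files.
# Assumption: unattend_all.xml uses the pkgmgr answer-file layout
# (unattend > servicing > package > assemblyIdentity + selection elements).

# Constructed sample standing in for unattend_all.xml.
$sample = @'
<?xml version="1.0"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <servicing>
    <package action="configure">
      <assemblyIdentity name="Microsoft-Windows-Foundation-Package"
                        version="6.0.6001.16659" language="neutral"
                        processorArchitecture="amd64"
                        publicKeyToken="31bf3856ad364e35" versionScope="nonSxS"/>
      <selection name="IIS-WebServerRole" state="true"/>
      <selection name="IIS-WebServer" state="true"/>
      <selection name="IIS-StaticContent" state="true"/>
      <selection name="IIS-HttpRedirect" state="true"/>
      <selection name="IIS-ASP" state="true"/>
      <selection name="IIS-CGI" state="true"/>
      <selection name="IIS-Metabase" state="true"/>
    </package>
  </servicing>
</unattend>
'@

# The eight selections that step 6 deletes.
$stepSix = 'IIS-HttpRedirect', 'IIS-ASP', 'IIS-CGI',
           'IIS-IIS6ManagementCompatibility', 'IIS-Metabase',
           'IIS-WMICompatibility', 'IIS-LegacyScripts', 'IIS-LegacySnapIn'

function Edit-PkgmgrUnattend {
    param(
        [Parameter(Mandatory = $true)] [xml]      $Unattend,
        [Parameter(Mandatory = $true)] [string[]] $RemoveName,
        [string] $Version
    )

    $removed = @()
    # GetElementsByTagName returns a live list, so snapshot it with @()
    # before removing nodes from the document.
    foreach ($node in @($Unattend.GetElementsByTagName('selection'))) {
        $name = $node.GetAttribute('name')
        # Case-sensitive match, because feature names are case-sensitive.
        if ($RemoveName -ccontains $name) {
            [void]$node.ParentNode.RemoveChild($node)
            $removed += $name
        }
    }
    # Names that were requested but never seen: a typo or an already-trimmed file.
    $missing = @($RemoveName | Where-Object { $removed -cnotcontains $_ })

    if ($Version) {
        foreach ($id in @($Unattend.GetElementsByTagName('assemblyIdentity'))) {
            # XML attribute names are case-sensitive; keep whichever spelling the file uses.
            $attr = if ($id.HasAttribute('Version')) { 'Version' } else { 'version' }
            $id.SetAttribute($attr, $Version)
        }
    }

    [pscustomobject]@{
        Removed   = $removed
        NotFound  = $missing
        Remaining = @($Unattend.GetElementsByTagName('selection') |
                        ForEach-Object { $_.GetAttribute('name') })
    }
}

[xml]$doc = $sample
# Constructed version value. On the lab machine pass the value from step 8;
# assuming the placeholder refers to the file version of cmd.exe, it can be read with
#   (Get-Item "$env:windir\System32\cmd.exe").VersionInfo.ProductVersion
$result = Edit-PkgmgrUnattend -Unattend $doc -RemoveName $stepSix -Version '6.2.9200.16384'

'Removed  : ' + ($result.Removed   -join ', ')
'Not found: ' + ($result.NotFound  -join ', ')
'Remaining: ' + ($result.Remaining -join ', ')

# $doc.Save('C:\unattend.xml')   # file name used in step 10
```

On the lab machine, load the real file with [xml](Get-Content <path to unattend_all.xml>) in place of the sample and uncomment the Save line.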

Install IIS using Pkgmgr with the Unattend.xml file and verify once completed

1. Open Command Prompt.

2. Type cd \ and then press Enter.

3. Type start /w pkgmgr /n:unattend.xml and then press Enter.

4. When the process completes, type echo %errorlevel% and then press Enter. Note that it may take up to four minutes to complete.

5. Notice that the return code is “0”, indicating a successful installation. If you still experience problems, search for the answer in %windir%\logs\cbs\cbs.log – there is a small surprise waiting for you there!

6. Type exit, and then press Enter.

7. In Server Manager, in the console pane, expand Roles. Note that you may need to refresh the console.

8. Notice that Web Server (IIS) is installed. Open Internet Explorer.

9. Browse to http://localhost, notice that the IIS Welcome page appears.

10. Alternatively run the following:

start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-Security;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI


Lab 4: Installing IIS on Server Core

Machines used in this Lab: DC, NODE2, NODE1

Login to the server

Start the NODE2 virtual machine and log on as Administrator with the password of Passw0rd.

Disable the firewall

1. On NODE2, in the command prompt window, type netsh firewall set opmode disable.

Install IIS from the command line

1. Type the following and then press Enter. Note that the feature names are case-sensitive:

Start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;WAS-ProcessModel

2. When the process completes, type echo %errorlevel%, and then press Enter. Note that it may take up to two minutes to complete.

3. Notice that the return code is “0”, indicating a successful installation.

4. On NODE1, use Internet Explorer and browse to http://NODE2.

5. Notice that the IIS Welcome page loads, indicating that the Web server role on NODE2 is installed and functioning.


Lab 5: IIS Basic configuration steps

Machines used in this Lab: DC, NODE1, NODE2, NODE3

Configure NODE1 for ASP debugging, detailed error messages, and HTTP compression

1. On NODE1, open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand NODE1 | Sites, and then click Default Web Site.

3. In the details pane, double-click ASP.

4. In the Compilation section, expand Debugging Properties.

5. In the Enable Client-side Debugging list, click True.

6. In the Enable Server-side Debugging list, click True.

7. In the Send Errors to Browser list, click True.

8. In the Actions pane, click Apply.

9. In the Connections pane, click Default Web Site.

10. In the details pane, double-click HTTP Response Headers.

11. In the Actions pane, click Set Common Headers.

12. The Set Common HTTP Response Headers dialog box appears. Select Expire Web content, and then click OK.

13. In the Connections pane, click Default Web Site.

14. In the details pane, double-click Compression.

15. Notice that Enable static content compression is checked.

16. In the Connections pane, click Default Web Site.

17. In the Details pane, double-click Error Pages.

18. In the Actions pane, click Edit Feature Settings.

19. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK.

20. On NODE3, in Internet Explorer, browse to http://NODE1/default.asp.

21. Notice that you get a detailed HTTP Error 404 page, indicating that the NODE1 web server has been configured properly.


Configure NODE3 to:

- trace server errors

- enable directory browsing

- enable windows authentication and impersonation

- enable dynamic output compression and SMTP

1. On NODE3, make sure the Tracing, Windows Authentication, Directory Browsing, SMTP and ASP.NET 4.5 role features are checked.

2. Open Internet Information Services (IIS) Manager.

3. In the Connections pane, expand NODE3 | Sites, and then click Default Web Site.

4. In the Actions pane, click Failed Request Tracing Rules.

5. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK.

6. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.

7. In the Actions pane, click Add.

8. The Add Failed Request Tracing Rule dialog box appears. Click Next.

9. In the Status code(s) field, type 500.

10. Select Event severity, and then in the Event severity list, click Critical Error.

11. Click Next and then click Finish.

12. In the Connections pane, click Default Web Site.

13. In the details pane, in the IIS section, double-click Directory Browsing.

14. In the Actions pane, click Enable.

15. In the Connections pane, click Default Web Site.

16. In the Details pane, in the IIS section, double-click Authentication.

17. In the Details pane, click Windows Authentication.

18. In the Actions pane, click Enable.

19. In the Details pane, click ASP.NET Impersonation.

20. In the Actions pane, click Enable.

21. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.

22. In the Details pane, in the IIS section, double-click Output Caching.

23. In the Actions pane, click Add.

24. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.

25. Select User-mode caching and then click OK.

26. In the Connections pane, click Default Web Site.

27. In the Details pane, in the ASP.NET section, double-click SMTP E-mail.

28. In the E-mail address field, type [email protected].

29. In SMTP Server field, type SMTP.CQURE.TEC.

30. In the Actions pane, click Apply.

31. Browse to http://localhost/aspnet_client.

32. Notice that there is a detailed HTTP Error 500.24.

33. Under Detailed Error Information, right-click C:\inetpub\logs\FailedReqLogFiles, and then click Copy Shortcut.

34. Open Run. Right-click the Open field and then click Paste.

35. Click OK.

36. Double-click W3SVC1.

37. Notice that there is a failed request log for the server error: fr00001.xml.

Configure NODE2 to have no default documents, and redirect requests to NODE1

1. On NODE2, in the command prompt window, type cd \windows\system32\inetsrv\config and then press Enter.

2. Open the applicationHost.config file with Notepad.

3. Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change "true" to "false".

4. Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify this line to read:

<httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://10.10.10.101/" />

5. On the File menu, click Save.

6. On the File menu, click Exit.

7. On NODE3, in Internet Explorer, browse to http://NODE2.

8. Notice that the IIS Welcome page loads and the address field has changed to http://10.10.10.101.

When you finish the lab, revert the virtual machines to their initial state. To do this, from the NODE3 Virtual Machine window click the Media menu and choose “Apply Snapshot”.
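Before reverting, the settings made in Lab 5 can be checked from the command line by reading the configuration file as XML. The following PowerShell is an added example, not part of the course lab files; the function name Get-IisLabSetting and the sample configuration are constructed, and it marks the values that this lab switches on for debugging and troubleshooting (detailed errors, directory browsing, ASP debugging).

```powershell
# Added example, not part of the course lab files.
# Constructed sample: a trimmed applicationHost.config carrying the values
# this lab sets on NODE1, NODE2 and NODE3, merged into one file for brevity.
$sample = @'
<configuration>
  <system.webServer>
    <defaultDocument enabled="false" />
    <httpRedirect enabled="true" exactDestination="false" childOnly="false"
                  destination="http://10.10.10.101/" />
    <httpErrors errorMode="DetailedLocalOnly" />
    <directoryBrowse enabled="false" />
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <httpErrors errorMode="Detailed" />
      <directoryBrowse enabled="true" />
      <asp scriptErrorSentToBrowser="true" appAllowDebugging="true"
           appAllowClientDebug="true" />
    </system.webServer>
  </location>
</configuration>
'@

function Get-IisLabSetting {
    param([Parameter(Mandatory = $true)] [xml] $Config)

    # Element -> attributes that the steps in this lab change.
    $watch = [ordered]@{
        defaultDocument = @('enabled')
        httpRedirect    = @('enabled', 'destination', 'exactDestination', 'childOnly')
        httpErrors      = @('errorMode')
        directoryBrowse = @('enabled')
        asp             = @('scriptErrorSentToBrowser', 'appAllowDebugging', 'appAllowClientDebug')
    }
    # Values the lab switches on for debugging and troubleshooting.
    $debugValue = @{
        'httpErrors/@errorMode'         = 'Detailed'
        'directoryBrowse/@enabled'      = 'true'
        'asp/@scriptErrorSentToBrowser' = 'true'
        'asp/@appAllowDebugging'        = 'true'
        'asp/@appAllowClientDebug'      = 'true'
    }

    # Walk the server-wide section and every <location> override.
    foreach ($ws in $Config.SelectNodes('//system.webServer')) {
        $parent = $ws.ParentNode
        $scope  = if ($parent.LocalName -eq 'location') { $parent.GetAttribute('path') } else { '(server)' }

        foreach ($element in $watch.Keys) {
            $node = $ws.SelectSingleNode($element)
            if ($null -eq $node) { continue }

            foreach ($attr in $watch[$element]) {
                if (-not $node.HasAttribute($attr)) { continue }
                $key   = "$element/@$attr"
                $value = $node.GetAttribute($attr)
                [pscustomobject]@{
                    Scope         = $scope
                    Setting       = $key
                    Value         = $value
                    LabDebugValue = ($debugValue[$key] -eq $value)
                }
            }
        }
    }
}

# On a lab server, load the real file instead of the sample:
#   [xml]$cfg = Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config"
[xml]$cfg = $sample
Get-IisLabSetting -Config $cfg | Format-Table -AutoSize
```

Settings made at site level in IIS Manager can also be written to the site's web.config, so the same function can be pointed at that file as well.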


Lab 6: Websites and Application Pools

Machines used in this Lab: DC, WEBA

1. Start the DC virtual machine.

2. Start the WEBA virtual machine and log on as CQURE\Administrator.

Add Basic, Windows Integrated and Digest Security features to the IIS Role

1. On WEBA, in Server Manager, in the console pane, expand Roles and then click Web Server (IIS).

2. Right-click Web Server (IIS) and then click Add Role Services.

3. The Add Role Services dialog box appears. In the Role services box, under Security, select Basic Authentication, Windows Authentication, and Digest Authentication.

4. Click Next and then click Install.

5. When the installation is complete, click Close.

6. In the details pane, in the Role Services section, notice that Basic Authentication, Windows Authentication, and Digest Authentication are listed as Installed.

Create a virtual directory

1. Open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand WEBA | Sites and then click Default Web Site.

3. In the Actions pane, click View Virtual Directories.

4. Click Add Virtual Directory.

5. The Add Virtual Directory dialog box appears. In the Alias field, type Public.

6. Next to the Physical path field, click the Browse (...) button.

7. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New

Folder.

8. Type Public, and then click OK.

9. Click OK.

10. Open Computer and then browse to C:\inetpub\wwwroot.

11. Select all, then right-click and then click Copy.

12. Browse to C:\inetpub\public, right-click, and then click Paste.

Configure the public virtual directory for anonymous authentication

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand

Default Web Site and then click Public.

2. In the Details pane, double-click Authentication.

3. Click Anonymous Authentication. Notice that it is enabled.

4. In the Actions pane, click Edit.

5. The Edit Anonymous Authentication Credentials dialog appears. Notice that Specific

user is selected and set to IUSR.

6. Click Cancel.

7. In Server Manager, in the console pane, expand Configuration | Local Users and

Groups and then click Users.

8. In the details pane, right-click Guest, and then click Properties.

9. The Guest Properties dialog box appears. Clear Account is disabled, and then click OK.

10. Open Local Security Policy.

11. The Local Security Policy window opens. In the console pane, expand Local Policies

and then click User Rights Assignment.

12. In the details pane, right-click Allow log on locally, and then click Properties.

13. The Allow log on locally Properties dialog appears. Click Add User or Group.

14. The Select Users, Computers, or Groups dialog box appears. Click Locations.

15. The Locations dialog box appears. Click WEBA, and then click OK.

16. In the Enter the object names to select field, type Guest, and then click OK twice.

17. Close Local Security Policy.

18. From the Start menu, choose Switch User.

19. Log on as WEBA\Guest with no password.

20. Open Internet Explorer.

21. The Internet Explorer window opens. Browse to http://localhost. Note that we’ve set the default site to the Public virtual directory, so there’s no need to use localhost/public.

22. Notice that the IIS Welcome page loads.

22. Go to: Switch User.

23. Log on as CQURE\Administrator with the password of Passw0rd.

Lab 7: Creating Web Application

Machines used in this Lab: DC, WEBA

1. Start the DC virtual machine.

2. Start the WEBA virtual machine and log on as CQURE\Administrator.

Create a site named Raccoons

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane,

click Sites.

2. In the Actions pane, click Add Web Site.

3. The Add Web Site dialog box appears. In the Site name field, type Raccoons.

4. In Physical path, click the Browse (...) button.

5. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make

New Folder.

6. Type Raccoons, and then click OK.

7. In the Port field, type 88, and then click OK.

Copy the Raccoons Application to the Appropriate Directory

1. In Windows Explorer, browse to Step2\Raccoons.

2. Select all, then right-click, and then click Copy.

3. Browse to C:\inetpub\Raccoons, right-click, and then click Paste.

Add the .NET 3.5 Feature and ASP.NET to the server

1. In Server Manager, in the console pane, add .NET Framework 3.5 Features.

2. The Add Features Wizard dialog box appears. Click Add Required Role Services.

3. Click Next twice.

4. On the Select Role Services page, select ASP.NET.

5. The Add Features Wizard dialog box appears. Click Add Required Role Services.

6. Click Next, and then click Install.

7. When the installation is complete, click Close.

Delegate administrative access

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Sites and then click Raccoons.

1. In the Actions pane, click Edit Permissions.

2. The Raccoons Properties dialog box appears. Click the Security tab.

3. Click Edit.

4. The Permissions for Raccoons dialog box appears. Click Add.

5. The Select Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type ITAdminsGG, and then click Check Names.

6. Click OK.

7. Next to Full control, select Allow and then click OK twice.

To proceed to the next lab, do not revert the machines.

Lab 8: Working with Application Pools

Machines used in this Lab: DC, WEBA, NODE1

Create an application pool named TempPool

1. On WEBA, in Internet Information Services (IIS) Manager, expand WEBA and then

click Application Pools.

2. In the Actions pane, click Add Application Pool.

3. The Add Application Pool dialog box appears. In the Name field, type TempPool.

4. Click OK.

5. In the details pane, notice that TempPool appears in the list of application pools.

Rename Raccoons to RaccoonsPool

1. On WEBA, in Internet Information Services (IIS) Manager, expand Sites and then click

Raccoons.

2. In the Actions pane, click Basic Settings.

3. The Edit Site dialog box appears. Click Select.

4. The Select Application Pool dialog box appears. In the Application pool list, click

TempPool, and then click OK twice.

5. In the Connections pane, click Application Pools.

6. In the Details pane, click Raccoons.

7. In the Actions pane, click Rename.

8. Type RaccoonsPool, and then press Enter.

9. In the Connections pane, click Raccoons.

10. In the Actions pane, click Basic Settings.

11. The Edit Site dialog box appears. Click Select.

12. The Select Application Pool dialog box appears. In the Application pool list, click

RaccoonsPool, and then click OK twice.

Configure Windows Integrated authentication

1. In the Connections pane, expand Sites and then click Raccoons.

2. In the Details pane, double-click Authentication.

3. Click Windows Authentication. In the Actions pane, click Enable.

4. In the Details pane, click Anonymous Authentication.

5. In the Actions pane, click Disable.

6. Start NODE1.

7. Log on to NODE1 as Local Admin with the password of Passw0rd. Note that this

account is not a domain one.

8. Open Internet Explorer.

9. The Windows Internet Explorer window opens. Browse to http://WEBA.CQURE.TEC.

10. The IIS Welcome page appears, indicating that the previous anonymous public site configuration is correct.

11. Browse to http://WEBA.CQURE.TEC:88.

12. Notice that there is an error message and the page will not load. Windows

authentication has failed for this user/machine.

13. Question: Why does Windows authentication fail?

14. Answer: Because the account you used is not a domain account, the user account cannot be authenticated.

13. On WEBA, Open Internet Explorer.

14. The Windows Internet Explorer window opens. Browse to http://localhost:88.

15. If you have problems accessing port 88, you may temporarily disable the firewall on the Web server hosting the website. We all know that it is a bad practice, right? ☺

15. Notice that the Raccoons Bank page appears. Windows authentication is successful.

Configure TempPool to use LocalSystem as worker process identity

1. On WEBA in Internet Information Services (IIS) Manager, in the Connections pane,

click Application Pools.

2. In the Details pane, click TempPool.

3. In the Actions pane, click Advanced Settings.

4. The Advanced Settings dialog box appears. Under the Process Model section, click

Identity.

5. Next to Identity, click the Browse (...) button.

6. The Application Pool Identity dialog box appears. In the Built-in account list, click

LocalSystem.

7. Click OK twice.
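The identity set in these steps is stored in applicationHost.config, so it can be audited from the file as well as from the GUI. The following added example (not part of the original lab) parses a constructed configuration fragment, resolves each pool's effective identityType, and lists the applications hosted by any pool running as LocalSystem. The /Scratch application and the fallbacks to ApplicationPoolIdentity and DefaultAppPool are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not taken from the lab VMs).
# TempPool runs as LocalSystem as configured in this lab; the /Scratch
# application bound to it is hypothetical, added so the audit has a hit.
SAMPLE_APPHOST = r"""
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="RaccoonsPool" />
      <add name="TempPool">
        <processModel identityType="LocalSystem" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="ApplicationPoolIdentity" />
      </applicationPoolDefaults>
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" />
        </application>
        <application path="/Scratch" applicationPool="TempPool">
          <virtualDirectory path="/" physicalPath="C:\inetpub\scratch" />
        </application>
      </site>
      <site name="Raccoons" id="2">
        <application path="/" applicationPool="RaccoonsPool">
          <virtualDirectory path="/" physicalPath="C:\inetpub\Raccoons" />
        </application>
      </site>
      <applicationDefaults applicationPool="DefaultAppPool" />
    </sites>
  </system.applicationHost>
</configuration>
"""

# Identities treated as over-privileged for a worker process.
HIGH_PRIVILEGE = {"localsystem"}


def effective_identities(root):
    """Map each application pool name to its effective identityType."""
    pools = next(root.iter("applicationPools"))
    # Assumed fallback when nothing is configured: ApplicationPoolIdentity.
    default = "ApplicationPoolIdentity"
    defaults_pm = pools.find("applicationPoolDefaults/processModel")
    if defaults_pm is not None:
        default = defaults_pm.get("identityType", default)
    identities = {}
    for pool in pools.findall("add"):
        pm = pool.find("processModel")
        own = pm.get("identityType") if pm is not None else None
        identities[pool.get("name")] = own or default
    return identities


def app_pool_bindings(root):
    """Return (site, application path, pool) for every application."""
    sites = next(root.iter("sites"))
    top = sites.find("applicationDefaults")
    # Assumed fallback when no applicationDefaults is present: DefaultAppPool.
    top_pool = (top.get("applicationPool") if top is not None else None) or "DefaultAppPool"
    bindings = []
    for site in sites.findall("site"):
        site_defaults = site.find("applicationDefaults")
        site_pool = site_defaults.get("applicationPool") if site_defaults is not None else None
        for app in site.findall("application"):
            # Explicit pool wins, then the site default, then the global default.
            pool = app.get("applicationPool") or site_pool or top_pool
            bindings.append((site.get("name"), app.get("path"), pool))
    return bindings


def audit(config_xml):
    """List high-privilege pools together with the applications they host."""
    root = ET.fromstring(config_xml)
    bindings = app_pool_bindings(root)
    findings = []
    for pool, identity in sorted(effective_identities(root).items()):
        if identity.lower() not in HIGH_PRIVILEGE:
            continue
        apps = sorted(f"{site}{path}" for site, path, bound in bindings
                      if bound.lower() == pool.lower())
        findings.append({"pool": pool, "identity": identity, "applications": apps})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_APPHOST):
        print(finding)
```

A pool that is flagged with an empty applications list is still worth reviewing, because any site can later be pointed at it through Basic Settings.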

Stop, start and recycle RaccoonsPool

1. In the Connections pane, click Application Pools.

2. In the Details pane, click RaccoonsPool.

3. In the Actions pane, click Stop.

4. In the Details pane, notice that the status of RaccoonsPool changes to Stopped.

5. In the Actions pane, click Start.

6. In the Details pane, notice that the status of RaccoonsPool changes to Started.

7. In the Actions pane, click Recycle.

Configure TempPool for Classic Pipeline Mode

1. In the Connections pane, click Application Pools.

2. In the Details pane, click TempPool.

3. In the Actions pane, click Basic Settings.

4. The Edit Application Pool dialog box appears. In the Managed pipeline mode list, click

Classic.

5. Click OK.

Remove TempPool

1. In the Connections pane, click Application Pools.

2. In the Details pane, click TempPool.

3. In the Actions pane, click Remove.

4. The Confirm Remove dialog box appears. Click Yes.

Configure Health and Recycling settings for RaccoonsPool

1. In the Connections pane, click Application Pools.

2. In the Details pane, click RaccoonsPool.

3. In the Actions pane, click Recycling.

4. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number

of requests.

5. In the Fixed Number of requests field, type 1000.

6. Click Next.

7. On the Recycling Events to Log page, select Number of requests.

8. Click Finish.

9. In the Actions pane, click Advanced Settings.

10. The Advanced Settings dialog box appears. In the Rapid-Fail Protection section, click

Failure Interval (minutes).

11. In the value column, type 10 and then click OK.

When you finish the lab, revert the virtual machines to their initial state. To do this, in the WEBA Virtual Machine window, click the Media menu and choose “Apply Snapshot”. Repeat this step on NODE1.

Lab 9: Configuring Application Settings

Machines used in this Lab: DC, WEBA

Start the DC virtual machine

Start the WEBA virtual machine and log on as CQURE\Administrator

Add ASP.NET and Basic Security features to the IIS Role

1. On WEBA, in Server Manager, in the console pane, expand Roles and then click Web

Server (IIS).

2. Right-click Web Server (IIS), and then click Add Role Services.

3. The Add Role Services dialog box appears. In the Role services box, under Application

Development, select ASP.NET.

4. The Add Role Services box appears. Click Add Required Role Services.

5. In the Role services box, under Security, select Basic Authentication.

6. Click Next, and then click Install. When the installation is complete, click Close.

7. In the details pane, in the Role Services section, notice that ASP.NET and Basic

Authentication are listed as Installed.

Create the application and copy the ASP.NET application files

1. Open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand WEBA | Sites and then click Default Web Site.

3. In the Actions pane, click View Applications. Click Add Application.

4. The Add Application dialog box appears. In the Alias field, type SalesSupport.

5. Next to the Physical path field, click the Browse (...) button.

6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then

click Make New Folder.

7. Type SalesSupport and then click OK.

8. Click OK.

9. Open Computer and then browse to Step3\SalesSupport in the course lab files.

10. Select all, then right-click and then click Copy.

11. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.

Configure Basic Security

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web Site and then click SalesSupport.

2. In the Details pane, double-click Authentication.

3. Click Anonymous Authentication.

4. In the Actions pane, click Disable.

5. In the Details pane, click Basic Authentication.

6. In the Actions pane, click Enable.

7. Click Edit.

8. The Edit Basic Authentication Settings dialog appears. In the Default domain and

Realm fields, type CQURE.

9. Click OK.

10. Open Internet Explorer.

11. The Internet Explorer window opens. Browse to http://localhost/salessupport.

12. The Connect to localhost dialog box appears. Notice that there is a warning about basic

authentication and insecure credentials.

13. In the User name field, type yvonne. Note that Yvonne is a marketing account manager

with a domain account in the CQURE domain.

12. In the Password field, type Passw0rd and then click OK.

14. Notice that the Sales Support Resources page loads successfully.

13. Close Internet Explorer. Note that you must close the browser to reset the session so

you can try logging in as a different user.

14. Open Internet Explorer.

15. The Windows Internet Explorer window opens. Browse to

http://localhost/salessupport.

16. The Connect to localhost dialog box appears. In the User name field, type bob. Note that

Bob does not have a domain account in the CQURE domain.

15. Leave the Password field blank and then click OK.

16. Click OK two more times.

17. Notice that you get an HTTP 401.1 Unauthorized error. Note that detailed error

messages show up locally by default.

1. Close Internet Explorer.

Configure custom error pages

1. In Windows Explorer, browse to Step3\WBErrors in the course lab files.

2. Select all, right-click and then click Copy.

3. Browse to C:\inetpub\custerr\, right-click, and then click Paste.

4. In Internet Information Services (IIS) Manager, in the Connections pane, click

SalesSupport.

5. In the Details pane, double-click Error Pages.

6. In the Actions pane, click Edit Feature Settings.

7. The Edit Error Pages Settings box appears. Click Custom error pages.

8. Click OK.

9. In the Details pane, under the Status Code column, click 401.

10. In the Actions pane, click Edit.

11. The Edit Custom Error Page dialog box appears. Click Set.

12. The Set Localized Custom Error Path dialog box appears. In the Relative file path field,

delete the existing text and then type 401.aspx. Click OK twice.

13. In the Details pane, under the Status Code column click 404 and in the Actions pane,

click Edit.

14. The Edit Custom Error Page dialog box appears. Click Set.

15. The Set Localized Custom Error Path dialog box appears. In the Relative file path field,

delete the existing text and then type Other_Errors.aspx.

16. Click OK twice. Note that in a real-world situation, you would repeat these steps for each error that you wanted to assign to a custom error message.

17. Open Internet Explorer. Browse to http://localhost/salessupport.

18. The Connect to localhost dialog box appears. In the User name field, type bob.

19. Leave the Password field blank and then click OK three times. Do you see the custom

error page as expected?

Note: You are not seeing the custom error page properly because the system.webServer/httpErrors section is made delegation safe!

In IIS 7.0, the httpErrors section was not delegated by default, which means custom errors were not available to site owners for customization. The section was not delegated because, once it is delegated, site owners are free to return any file they can read as a custom error response, which was not secure. Server administrators can delegate the section securely using custom application pool identities and file ACLs, which requires a lot of work.

Since IIS 7.5, if the system.webServer/httpErrors@allowAbsolutePathsWhenDelegated property is set to false, the custom errors module allows only paths relative to the site root folder (not absolute paths) when the section is delegated. If server administrators want to allow absolute paths in web.config files even when the section is delegated, they can set the allowAbsolutePathsWhenDelegated property to true. Error 500.19 (configuration error) with the detailed error description “Absolute physical path <folder> is not allowed in system.webServer/httpErrors section in web.config file. Use relative path instead.” is generated if allowAbsolutePathsWhenDelegated is set to false and an absolute path is detected in web.config. This restriction is applied to the properties path and prefixLanguageFilePath but not defaultPath. Here is how the httpErrors section looks if a site owner wants to configure localized custom errors when only relative paths are allowed:

<httpErrors>
  <clear/>
  <!-- Make module return %SITEROOT%\myerrorsfolder\%LANGUAGECODE%\401.htm -->
  <error statusCode="401" prefixLanguageFilePath="myerrorsfolder" path="401.htm" />
  <error ...
</httpErrors>

With this feature, hosters can now easily delegate the custom errors section to site owners.

With the httpErrors section now made delegation safe, the section is delegated in a fresh install. Because the behavior is controlled by the system.webServer/httpErrors@allowAbsolutePathsWhenDelegated property, this attribute is locked in the default configuration. This ensures that site owners cannot override the property to enable absolute file paths. As the relative path restriction is not applied to the defaultPath property, system.webServer/httpErrors@defaultPath is locked as well and cannot be used in web.config files.

Additionally, in this scenario try to use an absolute URL to the error page. Note the difference!

20. Notice that there is now a custom error message directing you to contact your district

sales manager.

21. Close Internet Explorer.

22. Open Internet Explorer.

23. The Windows Internet Explorer window opens. Browse to

http://localhost/salessupport/brokenlink.

24. The Connect to localhost dialog box appears. In the User name field, type yvonne.

25. In the Password field, type Passw0rd and then click OK.

26. If you are prompted, add the site to the allowed list.

27. Notice that you get a custom error that is slightly different. Since the path “brokenlink”

doesn’t exist, this is a custom 404 error.

28. Close Internet Explorer.

Tip: Clear the browser cache, if necessary.
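The delegation rule from the note earlier in this lab (path and prefixLanguageFilePath must be relative, while defaultPath and allowAbsolutePathsWhenDelegated are locked) can be checked against a site's web.config before deployment. This is an added example, not part of the original lab; the sample web.config is constructed. Treating drive-letter, UNC and %VARIABLE%-prefixed values as absolute is this example's assumption about what IIS rejects.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config for a delegated site (not one of the lab files).
# The 401 entry follows the relative-path form shown in the lab note; the
# other entries and the defaultPath value are made up to trigger findings.
SAMPLE_WEB_CONFIG = r"""
<configuration>
  <system.webServer>
    <httpErrors defaultPath="C:\inetpub\custerr\fallback.htm">
      <clear />
      <error statusCode="401" prefixLanguageFilePath="myerrorsfolder" path="401.htm" />
      <error statusCode="403" prefixLanguageFilePath="%SystemDrive%\inetpub\custerr" path="403.htm" />
      <error statusCode="404" path="C:\inetpub\custerr\Other_Errors.aspx" />
      <error statusCode="500" path="\\fileserver\share\500.htm" />
    </httpErrors>
  </system.webServer>
</configuration>
"""

# Assumption of this example: a value is an absolute physical path when it
# starts with a drive letter, a UNC prefix, or an environment variable.
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|%[^%]+%)")

# Attributes the lab note says are locked and unusable in web.config.
LOCKED_ATTRIBUTES = ("allowAbsolutePathsWhenDelegated", "defaultPath")

# Attributes the relative-path restriction applies to (not defaultPath).
RESTRICTED_ATTRIBUTES = ("path", "prefixLanguageFilePath")


def check_delegated_http_errors(web_config_xml, allow_absolute=False):
    """Return (where, attribute, value, reason) tuples for a web.config.

    allow_absolute mirrors the server-level allowAbsolutePathsWhenDelegated
    value; with the default (False) absolute paths would produce a 500.19.
    """
    root = ET.fromstring(web_config_xml)
    findings = []
    for section in root.iter("httpErrors"):
        # Locked attributes are rejected regardless of the absolute-path setting.
        for attr in LOCKED_ATTRIBUTES:
            value = section.get(attr)
            if value is not None:
                findings.append(("httpErrors", attr, value, "locked"))
        if allow_absolute:
            continue
        for error in section.findall("error"):
            for attr in RESTRICTED_ATTRIBUTES:
                value = error.get(attr)
                if value and ABSOLUTE.match(value):
                    findings.append((error.get("statusCode"), attr, value, "absolute"))
    return findings


if __name__ == "__main__":
    for where, attr, value, reason in check_delegated_http_errors(SAMPLE_WEB_CONFIG):
        print(f"{where}: {attr}={value!r} ({reason})")
```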

Lab 10: Running both ASP.NET 3.5 and ASP.NET 4.5 Applications

Machines used in this Lab: NODE1

Now that you have explored the setup state of IIS 8.0, try running some sample ASP.NET code to

confirm that both ASP.NET 3.5 and ASP.NET 4.5 applications can run simultaneously on a single

IIS 8.0 installation.

First, set up a simple ASP.NET 3.5 application on IIS 8.0:

1. Open the "examples.zip" file from examples.iso image.

2. In Windows Explorer on NODE1, navigate to the "wwwroot" directory for your IIS installation; the "wwwroot" directory will be at "c:\inetpub\wwwroot".

3. Copy the folder "example35" from "examples.zip", and paste it into the directory

"c:\inetpub\wwwroot". When you are done the directory structure should look like the

following:

4. The newly created "example35" folder needs to be configured as an ASP.NET 3.5

application in the IIS Manager. Go back to the IIS Manager window, click on the Default

Web Site node, and select Refresh. The treeview of child nodes under the Default Web

Site now shows the "example35" folder:

5. Right-click the example35 folder and select Convert to Application:

6. The Add Application dialog will pop up. By default all directories within Default Web

Site are part of the application pool called DefaultAppPool. This means that newly

created folders containing ASP.NET run as ASP.NET 4.5 applications by default.

7. Since we want to run the example35 folder as an ASP.NET 3.5 application, the application pool needs to be changed. Click Select, and the Select Application Pool dialog pops up. Change the application pool to .NET v2.0 as shown below:

8. Click the OK button to accept the application pool change, and then click OK again to

commit the changes to IIS. The IIS Manager window appears again. In the treeview

showing "Default Web Site", the icon for "example35" is changed to indicate it is now a

separate ASP.NET application.

9. At this point start an instance of Internet Explorer and navigate to the following URL:

http://localhost/example35

After a short pause the application displays a list of .NET Framework features supported in this

application.

10. In Windows Explorer, if you navigate to the "c:\inetpub\wwwroot\example35" directory,

you can use notepad to look at the code for "default.aspx" and the information in

"web.config". For example, the contents of web.config include directives that configure

the .NET Framework compilers to run in "3.5" mode. The .NET Framework code in

"default.aspx" demonstrates some C# constructs that were introduced in .NET 3.5 -

specifically LINQ-to-Object queries.

Configure it to use .NET 4.5

1. Go back to the Windows Explorer window that has the .zip file "examples.zip" open.

2. Open up the contents of the "example45" folder.

3. In the second Windows Explorer window that you have open, navigate to

"c:\inetpub\wwwroot".

4. Copy the "default.aspx" file from the .zip file and paste it directly into

"c:\inetpub\wwwroot". The folder contents for "c:\inetpub\wwwroot" should now look

like:

5. Now go back to Internet Explorer and navigate to the following URL:

http://localhost/default.aspx

After a short pause a second application pool will start running an ASP.NET 4.5 application for

the "Default Web Site". The browser once again displays a list of .NET Framework features

supported in this application with a new entry at the end of the list for dynamically typed

variables (i.e. the dynamic keyword introduced in .NET 4.0/4.5). Notice that unlike the

"example35" application that required special web.config entries, no web.config file was

required to configure and run the "default.aspx" page in the "Default Web Site". This is because

.NET Framework 4.5 is the default .NET Framework used by ASP.NET applications in IIS 8.0, and

as a result no extra configuration is required.

6. If you use Notepad to open the "default.aspx" page that you just copied, you will also

see a few changes compared to the version in the "example35" directory. There are no

namespace directives at the top of the page since the .NET Framework 4.5 is the default

on IIS 8.0. The code on the page demonstrates using a dynamic variable, which is a

compiler concept introduced in .NET 4.0/4.5.

Lab 11: Configuring ASP.NET Settings for development

Machines used in this Lab: DC, WEBA

ASP.NET Connection Strings

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane,

expand Sites | Default Web Site and then click SalesSupport.

2. In the Details pane, double-click Connection Strings.

3. In the Actions pane, click Add.

4. The Add Connection String dialog box appears. In the Name field, type Local

Resources.

5. Click Custom.

6. In the Custom field, delete the existing text and then type data source=.\SQLEXPRESS;AttachDbFileName=d:\resources.mdf;IntegratedSecurity=True and click OK.

Configure ASP.NET Session State settings to rename the cookie to SalesSupport

1. In the Connections pane, click SalesSupport.

2. In the Details pane, double-click Session State.

3. In the Cookie Settings section, in the Name field, delete the existing text and then type

SalesSupport_SessionID.

4. In the Actions pane, click Apply.

Add a custom control: CQURE. TestControls Version=1.0.0.0

1. In the Connections pane, click SalesSupport.

2. In the Details pane, double-click Pages and Controls.

3. In the Actions pane, click Register Controls.

4. Click Add Custom Control.

5. The Add Custom Control dialog box appears. In the Tag prefix field type CQURE.

6. In the Namespace field, type TestControls.

7. In the Assembly field, type Version=1.0.0.0.

8. Click OK.

Add application settings at site and application levels

1. Open Internet Explorer.

1. The Internet Explorer window opens. Browse to http://localhost/salessupport/test.aspx.

2. The Connect to localhost dialog box appears. In the User name field, type yvonne.

3. In the Password field, type Passw0rd and then click OK.

4. Notice that the Raccoons Bank Sales Application Settings Test Page opens. It should

report “No Application Settings defined.”

5. In Internet Information Services (IIS) Manager, in the Connections pane, click Default

Web Site.

6. In the Details pane, double-click Application Settings.

7. In the Actions pane, click Add.

8. The Add Application Setting dialog box appears. In the Name field, type

DefaultLocation.

9. In the Value field, type New York. Click OK.

10. In Internet Explorer, click the Refresh button. Notice that it now reports “DefaultLocation

= New York”.

12. In Internet Information Services (IIS) Manager, in the Connections pane, click

SalesSupport.

13. In the Details pane, double-click Application Settings. Notice in the details pane that DefaultLocation is inherited.

14. In the Actions pane, click Add.

15. The Add Application Setting dialog appears. In the Name field, type debug_mode.

16. In the Value field, type true. Click OK.

11. In Internet Explorer, click the Refresh button. Notice that it now reports “DefaultLocation

= New York” and “debug_mode = true”.

Question: How might the application settings be used in real world Web applications?

Answer: The application can customize content or actions based on the settings. This gives

flexibility to the Administrator to customize the application at deployment time.

To proceed to the next lab, do not revert the machines.

Lab 12: Configuring Multiple Applications

Machines used in this Lab: DC, WEBA

Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane,

click Application Pools.

2. In the Actions pane, click Add Application Pool.

3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport.

Click OK.

4. In the Actions pane, click Add Application Pool.

5. The Add Application Pool dialog box appears. In the Name field, type

SalesSupport_De. Click OK.

6. In the Actions pane, click Add Application Pool.

7. The Add Application Pool dialog box appears. In the Name field, type

SalesSupport_Test. Click OK.

8. In the Details pane, notice that SalesSupport, SalesSupport_De, and SalesSupport_Test appear in the list of application pools.

Create the applications SalesSupport_De and SalesSupport_Test

1. In the Connections pane, click Default Web Site.

2. In the Actions pane, click View Applications.

3. Click Add Application.

4. The Add Application dialog box appears. In the Alias field, type SalesSupport_De.

5. Next to the Physical path field, click the Browse (…) button.

6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then

click Make New Folder.

7. Type SalesSupport_De and then click OK twice.

8. Click Add Application.

9. The Add Application dialog box appears. In the Alias field, type SalesSupport_Test.

10. Next to the Physical path field, click the Browse (…) button.

11. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then

click Make New Folder.

12. Type SalesSupport_Test and then click OK twice.

13. In the Details pane, notice that SalesSupport, SalesSupport_De, and SalesSupport_Test appear in the list of applications.

Use XCopy to deploy the files

1. Open Command Prompt.

2. Type cd \inetpub\wwwroot and then press Enter.

3. Type xcopy /e SalesSupport\*.* SalesSupport_De and then press Enter.

4. Type dir SalesSupport_De and then press Enter to confirm that the files were copied.

5. Type xcopy /e SalesSupport\*.* SalesSupport_Test and then press Enter. Shortcut:

Press Up Arrow twice, and then Backspace and change the last few characters of the

previous command line to _Test, and then press Enter.

6. Type dir SalesSupport_Test and then press Enter to confirm that the files were copied.

Assign the applications to the appropriate application pools

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default

Web Site.

2. In the Actions pane, click View Applications.

3. In the Details pane, click SalesSupport.

4. In the Actions pane, click Basic Settings.

5. The Edit Application dialog box appears. Click Select.

6. The Select Application Pool dialog box appears. In the Application pool list, click

SalesSupport, and then click OK twice.

7. In the Details pane, click SalesSupport_De.

8. In the Actions pane, click Basic Settings.

9. The Edit Application dialog box appears. Click Select.

10. The Select Application Pool dialog box appears. In the Application pool list, click

SalesSupport_De, and then click OK twice.

11. In the Details pane, click SalesSupport_Test.

12. In the Actions pane, click Basic Settings.

13. The Edit Application dialog box appears. Click Select.

14. The Select Application Pool dialog box appears. In the Application pool list, click

SalesSupport_Test, and then click OK twice.

15. In the Connections pane, click SalesSupport_De.

16. In the Details pane, double-click Authentication.

17. Click Anonymous Authentication.

18. In the Actions pane, click Disable.

19. In the Details pane, click Basic Authentication.

20. In the Actions pane, click Enable.

21. Click Edit.

22. The Edit Basic Authentication Settings dialog appears. In the Default domain and

Realm fields, type CQURE.

23. Click OK.

24. In the Connections pane, click SalesSupport_Test.

25. In the Details pane, double-click Authentication.

26. Click Anonymous Authentication.

27. In the Actions pane, click Disable.

28. In the Details pane, click Basic Authentication.

29. In the Actions pane, click Enable.

30. Click Edit.

31. The Edit Basic Authentication Settings dialog appears. In the Default domain and

Realm fields, type CQURE.

32. Click OK.

Configure production application pool recycling for unlimited requests

1. In the Connections pane, click Application Pools.

2. In the Details pane, click SalesSupport.

3. In the Actions pane, click Recycling.

4. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular

time intervals check box, and then click Next.

5. Click Finish.

6. In the Details pane, click SalesSupport_De.

7. In the Actions pane, click Recycling.

8. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular time

intervals check box, and then click Next. Click Finish.

Configure the application pool to record recycled events

1. In the Details pane, click SalesSupport_Test.

2. In the Actions pane, click Recycling.

3. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number

of requests.

4. In the Fixed number of requests field, type 1024 and then click Next.

5. On the Recycling Events to Log page, select Number of requests, On-demand, and

Configuration changes.

6. Click Finish.

Configure .NET compilation debug setting to False

1. In the Connections pane, click SalesSupport.

2. In the Details pane, double-click .NET Compilation.

3. Under Behavior, in the Debug list, click False.

4. In the Actions pane, click Apply.

Question: What is the advantage of disabling the debug setting in .NET compilation?

Answer: The compiled code will be smaller and faster without debug code. It is a good idea to

use this setting when an application is fully tested and deployed to final production.

Configure application globalization settings for Germany

1. In the Connections pane, click SalesSupport_De.

2. In the Details pane, double-click .NET Globalization.

3. In the Culture list, click German (Germany) (de-DE).

4. In the UI Culture list, click German (Germany) (de-DE).

5. In the Actions pane, click Apply.

6. Open Internet Explorer.

7. The Windows Internet Explorer window opens. Browse to

http://localhost/salessupport.

8. The Connect to localhost dialog box appears. In the User name field, type yvonne.

9. In the Password field, type Passw0rd and then click OK.

10. Open a second tab in Internet Explorer and then browse to

http://localhost/salessupport_test.

11. Open a third tab and then browse to http://localhost/salessupport_de.

12. Right-click the notification area and then click Task Manager.

13. The Task Manager window opens. Click the Processes tab.

14. Under the Image Name column, notice that there are at least three instances of

w3wp.exe running, indicating at least three separate application pools. Close Task

Manager.

15. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx. Notice that

the date is now in dd.mm.yyyy format, the cultural default for Germany.

In order to proceed to the next Lab don't revert machines.
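The IIS Manager steps of this lab can also be scripted. The following is an added example, not part of the original lab material, using the WebAdministration PowerShell module. It assumes an elevated session on WEBA, that the SalesSupport application, pool and content folder already exist, and that the Basic Authentication role service is installed.

```powershell
# Added example: scripted equivalent of the IIS Manager steps in this lab.
# Assumptions: elevated session on WEBA; SalesSupport application, pool and
# content already exist; Basic Authentication role service is installed.
Import-Module WebAdministration

$site    = 'Default Web Site'
$webRoot = 'C:\inetpub\wwwroot'
$appHost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'

foreach ($name in 'SalesSupport_De', 'SalesSupport_Test') {
    # One application pool per application.
    if (-not (Test-Path "IIS:\AppPools\$name")) {
        New-WebAppPool -Name $name | Out-Null
    }

    # Content folder, filled from SalesSupport like "xcopy /e SalesSupport\*.* <name>".
    $path = Join-Path $webRoot $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Copy-Item -Path (Join-Path $webRoot 'SalesSupport\*') -Destination $path -Recurse -Force

    # Application under Default Web Site, bound to its own pool.
    if (-not (Get-WebApplication -Site $site -Name $name)) {
        New-WebApplication -Site $site -Name $name -PhysicalPath $path -ApplicationPool $name | Out-Null
    }

    # Anonymous off, Basic on, CQURE as default domain and realm. The authentication
    # sections are locked at server level by default, so the values are written to
    # applicationHost.config under a <location> tag, as IIS Manager does.
    $location = "$site/$name"
    Set-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    $basic = @{ enabled = $true; defaultLogonDomain = 'CQURE'; realm = 'CQURE' }
    foreach ($key in $basic.Keys) {
        Set-WebConfigurationProperty -PSPath $appHost -Location $location `
            -Filter "$auth/basicAuthentication" -Name $key -Value $basic[$key]
    }
}

# The existing SalesSupport application goes into the SalesSupport pool.
Set-ItemProperty "IIS:\Sites\$site\SalesSupport" -Name applicationPool -Value 'SalesSupport'

# Production pools: a zero interval is what clearing "Regular time intervals" stores.
foreach ($pool in 'SalesSupport', 'SalesSupport_De') {
    Set-ItemProperty "IIS:\AppPools\$pool" -Name recycling.periodicRestart.time -Value ([TimeSpan]::Zero)
}

# Test pool: recycle after 1024 requests and log the selected recycle reasons.
# Note: this assignment replaces the whole flag list instead of adding to it.
$testPool = 'IIS:\AppPools\SalesSupport_Test'
Set-ItemProperty $testPool -Name recycling.periodicRestart.requests -Value 1024
Set-ItemProperty $testPool -Name recycling.logEventOnRecycle -Value 'Requests,OnDemand,ConfigChange'

# .NET Compilation: debug off for the production application.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\SalesSupport" `
    -Filter 'system.web/compilation' -Name debug -Value $false

# .NET Globalization: German culture and UI culture for the German copy.
foreach ($attribute in 'culture', 'uiCulture') {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\SalesSupport_De" `
        -Filter 'system.web/globalization' -Name $attribute -Value 'de-DE'
}
```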

Lab 13: ASP.NET Security

Machines used in this Lab: DC, WEBA

Set the machine key

1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane,

click SalesSupport_De.

2. In the Details pane, double-click Machine Key.

3. In the Actions pane, click Generate Keys.

4. Click Apply.

Configure the SalesSupport_Test site for medium trust level

1. In the Connections pane, click SalesSupport_Test.

2. In the Details pane, double-click .NET Trust Levels.

3. In the Trust level list, click Medium (web_mediumtrust.config).

4. In the Actions pane, click Apply.

Configure File and Folder security

1. In the Connections pane, click SalesSupport.

2. In the Details pane, click the Content View tab at the bottom of the window. Click

test.aspx.

3. In the Actions pane, click Edit Permissions.

4. The test.aspx Properties dialog box appears. Click the Security tab.

5. Click Advanced.

6. The Advanced Security Settings for test.aspx dialog box appears. Click Edit.

7. Disable inheritance.

8. The Windows Security dialog box appears asking if you want to copy the inherited

permissions. Use the ones that you had but remove Users.

9. Click Users (WEBA\Users), and then click Remove.

10. Click Add.

11. The Select User, Computer, or Group dialog box appears. In the Enter the object name to

select field, type Network Service. Note that since we have removed Users, we need to

specifically allow the Network Service account. Note that the SalesSupport application pool

must be running under the Network Service account with pass-through authentication as

well!

12. Click Check Names, and then click OK.

13. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next

to Full control, select Allow. Click OK. Click Add.

14. The Select User, Computer, or Group dialog box appears. In the Enter the object name

to select field, type ITAdminsGG.

15. Click Check Names, and then click OK.

16. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next

to Full control, select Allow.

17. Click OK four times.

18. In Internet Explorer, browse to http://localhost/salessupport/test.aspx.

19. The Connect to localhost dialog box appears. In the User name field, type yvonne.

20. In the Password field, type Passw0rd and then click OK.

21. Click OK two more times. Notice that Yvonne no longer has access to test.aspx.

22. Click the Refresh button.

23. The Connect to localhost dialog box appears. In the User name field, type betsy. Note

that Betsy is a member of the ITAdminsGG security group.

24. In the Password field, type Passw0rd and then click OK.

25. Notice that Betsy has access to the page.

26. Close Internet Explorer.

Lab 14: Tracing and Logging for ASP.NET

1. On WEBA in Server Manager, in the console pane, expand Roles and then click Web

Server (IIS).

2. Right click Web Server (IIS), and then click Add Role Services.

3. The Add Role Services dialog box appears. Select Health and Diagnostics to select all

of the Health and Diagnostics services.

4. Click Next, and then click Install.

5. When the installation completes, click Close.

6. Open Notepad and then press Enter.

7. The Notepad window opens. On the File menu, click Open.

8. The Open dialog box appears. In the Text Documents list, click All Files.

9. Browse to C:\inetpub\wwwroot\SalesSupport_Test.

10. Click test.aspx, and then click Open.

11. In the first line of the file, modify the trace="false" attribute to read trace="true" so that

the line reads:

<%@ Page Language="C#" trace="true" %>

12. On the fifth line of the file, type This message should appear between the double quotes,

so that the line reads:

Response.Write("This message should appear");

Question: How would an application use tracing?

Answer: A developer can add trace commands to the Web application code to record

information that can be used for debugging and monitoring. The Administrator has the ability

to enable or disable tracing as needed.

13. On the File menu, click Save.

14. Close Notepad.

15. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.

16. If the Connect to localhost dialog box appears, in the User name field, type betsy.

17. In the Password field, type Passw0rd and then click OK.

18. Notice that the text "This message should appear" is displayed at the top of the page.

19. Scroll down and notice that the trace information appears at the bottom of the page.

20. In the Trace Information section, the next to last lines contain the trace messages from

the test.aspx file. Notice that the warning message is red.

18. Close Internet Explorer.

19. In Internet Information Services (IIS) Manager, in the Connections pane, click Default

Web Site.

20. In the Actions pane, click Failed Request Tracing. If Failed Request Tracing does not

appear, close and reopen IIS Manager for the added Health and Diagnostics features to

appear.

21. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable,

and then click OK.

22. In the Details pane, double-click Failed Request Tracing Rules.

23. In the Actions pane, click Add.

24. The Add Failed Request Tracing Rule wizard appears. On the Specify Content to

Trace page, click ASP.NET (*.aspx), and then click Next.

25. On the Define Trace Conditions page, in the Status code(s) field, type 200 and then

click Next.

26. On the Select Trace Providers page, under Providers, clear all check boxes except

ASPNET.

27. Click ASPNET.

28. Under Areas, clear all check boxes except Page.

29. Under Verbosity, notice that it is set to Verbose.

30. Click Finish.

31. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.

32. If the Connect to localhost dialog box appears, in the User name field, type betsy.

33. In the Password field, type Passw0rd and then click OK.

34. Press CTRL + O.

35. The Open dialog box appears. Click Browse.

36. Browse to C:\inetpub\logs\FailedReqLogFiles\W3SVC1.

37. In the HTML Files list, click All Files.

38. If there is more than one, click the most recent fr######.xml file, and then click Open.

Click OK.

39. The failed request log opens. Notice in the Request Summary section the details of the

request: AppPool is SalesSupport_Test, Authentication is Basic, User from token is

CQURE\betsy.

40. In the Errors and Warnings section, click Expand All.

41. Notice that the warning “This is a warning.” appears.

Lab 15: Request Filtering

1. On WEBA in Internet Explorer, browse to http://localhost/. Notice that the IIS graphics

appear and IIS Welcome page appears.

2. Close Internet Explorer.

3. Open Notepad and then press Enter.

4. The Notepad window opens. On the File menu click Open.

5. The Open dialog box appears. In the Text Documents list, click All Files.

6. Browse to C:\inetpub\wwwroot.

7. Click web.config, and then click Open.

8. After the sixth line, <system.webServer>, press Enter and then add the following security

section:

<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="false">
      <add fileExtension=".aspx" allowed="true" />
    </fileExtensions>
  </requestFiltering>
</security>

Question: How could you disable only certain extensions, such as .MP3 and .WMA?

Answer: Set the allowUnlisted property to “true”. Add the unallowed file extensions and set their

allowed properties to “false”.

9. On the File menu, click Save. Close Notepad.

10. Open Internet Explorer.

11. Internet Explorer window opens. Browse to http://localhost/iis-8.png.

12. Notice that HTTP Error 404.7 appears. Detailed error messaging states that “The request

filtering module is configured to deny the file extension”.

13. Browse to http://localhost/iisstart.htm.

14. Notice the same error.

15. Open Command Prompt.

16. Type cd \inetpub\wwwroot and then press Enter.

17. Type copy iisstart.htm *.aspx and then press Enter.

18. Type dir, and then press Enter and notice that the file was copied to iisstart.aspx.

19. In Internet Explorer, browse to http://localhost/iisstart.aspx.

20. Notice that the page with the aspx extension loads without error but the image still does

not display.

In order to proceed to the next Lab revert WEBA to default state.
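A remote client only sees status 404 for these requests; the .7 sub-status that identifies a denied file extension is recorded in the sc-substatus field of the site's W3C log. The following added example (not part of the original lab material) lists such denials from log lines. The function name and the sample lines are constructed for illustration, and it assumes W3C logging with the sc-status and sc-substatus fields enabled.

```powershell
# Added example: list requests that request filtering rejected with 404.7
# (file extension denied). Function name and sample data are constructed.
function Get-DeniedExtensionRequest {
    param([string[]]$LogLine)

    $fields = @()
    foreach ($line in $LogLine) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; it can change within one file.
            $fields = @($line.Substring(8).Trim() -split '\s+')
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = @($line -split ' ')
        # Skip lines seen before any header and lines with a damaged column count.
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['sc-status'] -eq '404' -and $row['sc-substatus'] -eq '7' -and
            $row.ContainsKey('cs-uri-stem')) {
            [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                Client    = $row['c-ip']
                Uri       = $row['cs-uri-stem']
                Extension = [System.IO.Path]::GetExtension($row['cs-uri-stem']).ToLowerInvariant()
            }
        }
    }
}

# Constructed sample in W3C format: the three requests made in this lab.
$sample = @(
    '#Software: Microsoft Internet Information Services 8.0'
    '#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus sc-win32-status'
    '2014-04-22 10:00:01 GET /iis-8.png ::1 404 7 0'
    '2014-04-22 10:00:05 GET /iisstart.htm ::1 404 7 0'
    '2014-04-22 10:00:20 GET /iisstart.aspx ::1 200 0 0'
)

# Denials grouped by extension show what the allow-list is blocking.
Get-DeniedExtensionRequest -LogLine $sample |
    Group-Object Extension |
    Select-Object Name, Count

# Against a real log (default log location assumed):
# Get-DeniedExtensionRequest -LogLine (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log')
```

After switching a site to allowUnlisted="false", a run of this kind shows which legitimate content types, such as the images in this lab, still need an allow entry.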

Lab 16: IIS Modules

Machines used in this Lab: DC, WEBB

Start the WEBB virtual machine and log on as CQURE\Administrator

Backup the current Web server configuration.

1. On WEBB, if Server Manager opens, Close the Server Manager and open Command

Prompt.

2. Type cd c:\windows\system32\inetsrv\ and then press Enter.

3. Type appcmd add backup original and then press Enter.

4. Notice that the AppCmd completes the backup and reports BACKUP object "original"

added.

Question: When using the appcmd add backup command, where are the backup configuration

files placed?

Answer: In a new folder, in the C:\Windows\System32\inetsrv\backup\ folder.

Examine the modules currently installed on the Web server

1. Open Internet Information Services (IIS) Manager.

2. In the Connections pane, click WEBB.

3. In the Details pane, in the Group by list, click Category.

4. In the Details pane, in the Server Components section, double-click Modules.

5. In the Group by list, click Module Type.

6. Notice that the DefaultDocumentModule and the DirectoryListingModule entries are

listed in the Native Modules section.

Question: What do the DefaultDocumentModule and DirectoryListingModule do?

Answer: The DefaultDocumentModule returns a default file to the Web browser when the URL

specifies a folder or directory. The DirectoryListingModule supplies the Web client with a list

of the folder contents when the URL specifies a folder or directory.

Remove the Default Document Module and the Directory Listing Module

1. In the Connections pane, expand WEBB | Sites, and then click Default Web Site.

2. In the Actions pane, click Browse *:80(http).

3. Internet Explorer window opens. Notice that the page opens as expected.

4. Open | Computer and then browse to C:\windows\system32\inetsrv\config\.

5. In the Details pane, double-click applicationHost.config.

6. The Notepad window opens. Find the <globalModules> section.

7. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within

the <globalModules> tag by deleting these two lines:

<add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />

<add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />

8. Scroll down to the bottom of the file and find the <system.webServer> section.

9. Delete the references to the DefaultDocumentModule and the DirectoryListingModule

from within the <handlers accessPolicy="Read, Script"> tag by replacing:

<add name="StaticFile" path="*" verb="*"
     modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
     resourceType="Either" requireAccess="Read" />

With the line:

<add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
     resourceType="Either" requireAccess="Read" />

10. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within

the <modules> tag. Delete the two lines:

<add name="DefaultDocumentModule" lockItem="true" />

<add name="DirectoryListingModule" lockItem="true" />

11. On the File menu, click Save.

12. Close Notepad.

Validate that the modules have been removed

1. In Internet Information Services (IIS) Manager, in the Connections pane, click WEBB.

2. In the Details pane, in the Server Components section, double-click Modules.

3. In the Native Modules section, notice that the DefaultDocumentModule and the

DirectoryListingModule entries are gone.

4. In Internet Explorer, click the Refresh button. Notice that the Web page is now blank,

even though Internet Explorer indicates that it is done loading.

5. In Internet Explorer, browse to http://localhost/default.aspx. Notice that the Web page

loads after you specify the default document.

Question: Why did the Web page get restored after the file name, default.aspx was added to the

URL?

Answer: The Web server is still completely operational, but no longer offers default documents

or directory browsing. So if a full URL is specified, complete with a file name, then the Web

server will return that file to the Web client, if available.
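The manual edit above touches three places in applicationHost.config: <globalModules>, <modules> and the modules list of the StaticFile handler. The following added example (not part of the original lab material) reports where a native module name is still referenced, so a half-finished edit is caught before requests fail. The function name Find-ModuleReference and the cut-down sample configuration are constructed for illustration.

```powershell
# Added example: report where a native module is still referenced after a manual
# edit of applicationHost.config. Function name and $sample are constructed.
function Find-ModuleReference {
    param([xml]$Config, [string[]]$ModuleName)

    foreach ($name in $ModuleName) {
        $inGlobal  = $Config.SelectNodes("//globalModules/add[@name='$name']").Count -gt 0
        $inModules = $Config.SelectNodes("//system.webServer/modules/add[@name='$name']").Count -gt 0

        # Handlers name their modules in a comma-separated "modules" attribute.
        $handlers = @($Config.SelectNodes('//system.webServer/handlers/add') |
            Where-Object {
                ($_.GetAttribute('modules') -split ',' | ForEach-Object { $_.Trim() }) -contains $name
            } |
            ForEach-Object { $_.GetAttribute('name') })

        [pscustomobject]@{
            Module        = $name
            GlobalModules = $inGlobal
            Modules       = $inModules
            Handlers      = $handlers -join ','
            # A native module enabled in <modules> must be registered in <globalModules>,
            # and a handler must not name a module that is no longer enabled.
            Inconsistent  = ($inModules -and -not $inGlobal) -or
                            ($handlers.Count -gt 0 -and -not $inModules)
        }
    }
}

# Constructed sample: the two modules were deleted from <globalModules> and
# <modules>, but the StaticFile handler was not updated (step 9 was skipped).
[xml]$sample = @'
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="StaticFileModule" lockItem="true" />
      </modules>
      <handlers accessPolicy="Read, Script">
        <add name="StaticFile" path="*" verb="*"
             modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
             resourceType="Either" requireAccess="Read" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
'@

Find-ModuleReference -Config $sample -ModuleName 'DefaultDocumentModule', 'DirectoryListingModule' |
    Format-Table -AutoSize

# Against the live file edited in this lab:
# $live = [xml](Get-Content -Raw 'C:\windows\system32\inetsrv\config\applicationHost.config')
# Find-ModuleReference -Config $live -ModuleName 'DefaultDocumentModule', 'DirectoryListingModule'
```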

Restore the modules to the Web server configuration

1. In the Command Prompt, type appcmd restore backup original and then press Enter.

2. Notice that the AppCmd completes the restore and reports that the original

configuration has been restored.

Question: After the AppCmd completes the restore, where does it restore the configuration files to?

Answer: The files are restored to the C:\Windows\System32\inetsrv\config folder.

Validate that the modules have been restored

1. Use IE to browse to http://localhost/, and then click Refresh.

2. Notice that the page once again loads properly from the default document. Close

Internet Explorer.

In order to proceed to the next Lab don’t revert machines.

Lab 17: Configuring Managed Modules

Machines used in this Lab: DC, WEBB

Install the logging managed module on WEBB

1. In Windows Explorer, browse to C:\inetpub\.

2. Right-click inetpub, and then click New | Folder.

3. Type logging_module and then press Enter.

4. In the course lab files, browse to Step4\logging_module.

5. Select all, then right-click and then click Copy.

6. Browse to C:\inetpub\logging_module, right-click, and then click Paste.

7. Browse to C:\inetpub\logging_module\logs\.

8. Right-click logs, and then click Properties.

9. The logs Properties dialog box appears. Click the Security tab. Click Edit.

10. The Permissions for logs dialog box appears. In the Group or user names section, click

Users (WEBB\Users).

11. In the Permissions for Users box, next to Modify, select Allow. Click OK twice.

12. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites.

13. In the Actions pane, click Add Web Site.

14. The Add Web Site dialog box appears. In the Site name field, type logging_module.

15. In the Physical path field, type C:\inetpub\logging_module.

16. In the Port field, type 8181. Click OK.

Confirm the installation of the logging managed module

1. In the Actions pane, click Browse *:8181 (http).

2. Internet Explorer window opens. Click Go on to Second Page.

3. Notice that the second page loads. Close Internet Explorer.

4. In Internet Information Services (IIS) Manager, in the Connections pane, click

logging_module.

5. In the details pane, in the Server Components section, double-click Modules.

6. In the Managed Modules section, click Logger.

7. In the Actions pane, click Edit.

8. The Edit Managed Module dialog box appears. Notice that the type is listed as

HttpLogger.

9. Click Cancel.

10. In Windows Explorer, browse to C:\inetpub\logging_module\logs.

11. Double-click [yyyymmdd].txt.

12. The Notepad window opens. Notice the log entries for http://localhost:8181/default.aspx

and http://localhost:8181/second_page.htm.

13. Close Notepad.

Question: Why do the log file entries have the numbers 8181 listed?

Answer: The logging module records the complete URL of the requested Web site files. The

logging_module web site was configured to use port number 8181, which is a secondary Web

site port.

Test the Web site forms authentication functionality

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default

Web Site.

2. In the Actions pane, click Browse *:80 (http).

3. Internet Explorer window opens. Click Shared Documents.

4. In the Email field, type [email protected].

5. In the Password field, type Passw0rd.

6. Click Login.

7. If you get the AutoComplete Passwords dialog box, click No.

8. Click Confidential Memo. Notice that the image representing the Confidential Memo

appears.

9. Click the Back button. Click Signout. Click Home.

Examine the modules currently running on the Web server

1. In the Internet Information Services (IIS) Manager window, in the Connections pane,

click WEBB.

2. In the details pane, in the Server Components section, double-click Modules.

3. In the Managed Modules section, click OutputCache.

4. In the Actions pane, click Edit.

5. The Edit Managed Module dialog box appears. Notice that the module is configured

properly and is set to run normally. Click Cancel.

Remove the forms authentication managed module

1. In the Connections pane, click Default Web Site.

2. In the details pane, in the Server Components section, double-click Modules.

3. In the Managed Modules section, click Forms Authentication.

4. In the Actions pane, click Remove.

5. The Confirm Remove dialog box appears. Click Yes.

Test the new configuration

1. In the Internet Explorer window, click Shared Documents. Notice that you now get an

Access is denied error message, indicating that the logon failed because the forms

authentication module has been removed.

Question: Why is the Access denied error message displayed at this point?

Answer: The Access is denied error message indicates that the logon failed because the forms

authentication module has been removed.

In order to proceed to the next Lab revert WEBB to default state.

Lab 18: Securing the IIS Web Server and Web Sites

Machines used in this Lab: DC, WEBB

Start the WEBB virtual machine and log on as CQURE\Administrator.

Create a self-signed server certificate for the Web server

1. On WEBB, Open | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the Connections pane, click WEBB.

3. In the details pane, in the Group by list, click Category.

4. In the details pane, in the Security section, double-click Server Certificates.

5. In the Actions pane, click Create Self-Signed Certificate.

6. The Create Self-Signed Certificate dialog box appears.

7. In the Specify a friendly name for the certificate field, type WEBB.CQURE.TEC.

8. Click OK. Notice that the new self-signed certificate has been added to the certificate list.

Question: What are the advantages and disadvantages of using self-signed certificates?

Block IP addresses as specified in the service request

1. In the Connections pane, click WEBB.

2. In the details pane, in the Security section, double-click IP Address and Domain

Restrictions.

3. In the Actions pane, click Add Deny Entry.

4. The Add Deny Restrictions Rule dialog box appears. In the Specific IPv4 address field,

type 10.10.20.1.

5. Click OK.

6. In the Actions pane, click Add Deny Entry.

7. The Add Deny Restrictions Rule dialog box appears.

8. Click IP address range.

9. In the IP address range field, type 10.10.30.0.

10. In the Mask field, type 255.255.255.0.

11. Click OK. Notice that the new IP restrictions have been added to the list.

Question: When would you want to use this feature to block IP addresses?

Answer: An organization may want to block malicious users or restrict access from a certain

domain or location.

Configure ISAPI and CGI Restrictions

1. In the Connections pane, click WEBB.

2. In the details pane, in the Security section, double-click ISAPI and CGI Restrictions.

Notice that the ASP.NET entries are the only applications currently listed.

3. In the Actions pane, click Edit Feature Settings.

4. The Edit ISAPI or CGI Restrictions Settings dialog box appears. While it’s not a

recommended practice, you can easily allow unspecified CGI and ISAPI modules. Click

Cancel.

Set the rights and permissions for Active Directory users

1. In Windows Explorer, browse to C:\inetpub\.

2. Right-click wwwroot and then click Properties.

3. The wwwroot Properties dialog box appears. Click the Security tab.

4. Click Edit.

5. The Permissions for wwwroot dialog box appears. Click Add.

6. The Select Users, Computers, or Groups dialog box appears. Click Locations.

7. The Locations dialog box appears. If CQURE.TEC is not already highlighted, then in the

Location tree, click CQURE.TEC.

8. Click OK.

9. In the Enter the object names to select field, type ITAdminsGG and then click Check

Names.

10. Click OK. Notice that the Read & execute, List folder contents, and Read options are

allowed.

11. Click Add.

12. The Select Users, Computers, or Groups dialog box appears. In the Enter the object

names to select field, type Herbert and then click Check Names. Click OK.

13. Next to Full control, select Allow. Click OK.

Test and validate the new configuration

1. In the Group or user names field click ITAdminsGG. Notice that the Read & execute, List

folder contents, and Read options are allowed.

2. In the Group or user names field click Herbert Dorner. Notice that all the options

are allowed.

3. Click OK.

In order to proceed to the next Lab don't revert WEBB.

Lab 19: CPU Throttling: Sand-boxing Sites and Applications

Machines used in this Lab: DC, WEBB

Problem: In a multi-tenanted deployment, such as a shared hosting environment, it is important

to create a sand-box for each tenant. Without the sand-box, a tenant could intentionally or

unintentionally impact other tenants negatively by accessing other tenants' contents or by

monopolizing resources, such as memory, CPU, and bandwidth.

Solution: On Internet Information Services (IIS) on Windows Server 2012, the sand-box is

scoped to an IIS application pool. It provides a security boundary at the Windows process

level by running each tenant under a separate user identity, and the resource limits are also

enforced at the process level.

On Windows Server 2012, the IIS CPU Throttling feature enables customers to truly limit how much

CPU each tenant can consume as a percentage of CPU. Furthermore, this feature is configurable

per IIS application pool, which means each tenant could have different limits, which can lead to

a new business model in which tenants can pay more for higher limits.

It is important to clarify that IIS CPU Throttling is not a reservation of a CPU resource. Rather it

is a way to limit the maximum usage.

Step by Step Instructions:

Prerequisites:

• IIS is installed on Windows Server 2012.

o IIS CPU Throttling is part of IIS application pool configuration. Therefore, a

default install of IIS will have this feature installed. There is no specific IIS feature

that needs to be installed from Server Manager.

• There is at least one site with a corresponding IIS application pool.

o Default Web Site and DefaultAppPool can be used for this exercise.

o Copy CPUThrottlingTest to inetpub/wwwroot/CPUThrottlingTest

o Create the application CPUThrottlingTest with an application pool (might be

DefaultAppPool) using .NET 4.5

o ASP.NET must be installed, and default.aspx must be in the Default

Documents list.

Configure CPU Throttling

1. On WEBB, open IIS Manager.

2. Select Application Pools in the left navigation window.

3. Select DefaultAppPool.

4. In the Actions pane, select Advanced Settings.

5. Under the CPU group, locate the following settings:

o Limit: Indicates the maximum CPU usage (in 1/1000ths of a percent) for this application pool. If there are multiple processes associated with this application pool, the limit is applied to the total sum of all processes under this application pool.

o LimitAction: Indicates what action to take when the Limit value above is reached. For Windows Server 8, new actions, Throttle and ThrottleUnderLoad, have been added:

▪ Throttle: The feature will throttle the CPU consumption to the value set for Limit.

▪ ThrottleUnderLoad: The feature will throttle the CPU consumption to the value set for Limit, but only if there is contention on the CPU. This means that the application pool may consume more CPU when the CPU is idle.

o LimitInterval: Not used for either Throttle or ThrottleUnderLoad. This configuration attribute is carried over from previous versions of Windows for backward compatibility.

6. Run the application in a web browser (localhost/CPUThrottlingTest). Open Task Manager or Process Monitor and check the CPU load of the w3wp.exe process.

7. In the application pool properties, set a maximum limit of 20% by entering:

a. Limit: 20000 (20% in 1/1000ths of a percent)

b. LimitAction: Throttle

8. Verify how the Limit setting affects the CPU usage of the w3wp.exe process.

9. Note that the configuration settings in question can be set as default values so that they don't have to be configured individually per application pool. To configure the application pool defaults, select Set Application Pool Defaults in the Actions pane.

10. The same settings are exposed there to configure the application pool defaults.

11. Remove the application so that it does not disturb other exercises.
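
The Limit and LimitAction settings from step 5 are stored per pool in applicationHost.config and fall back to the application pool defaults from steps 9 and 10. The following Python script is an added example, not part of the original lab: it resolves the effective limit and action for every pool and classifies how the limit is enforced. The config fragment and tenant pool names are constructed, and the `cpu` element layout and the NoAction and KillW3wp action names are assumed from the IIS configuration schema rather than taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; the tenant pool names are made up.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool">
        <cpu limit="20000" action="Throttle" />
      </add>
      <add name="TenantGold">
        <cpu limit="50000" action="ThrottleUnderLoad" />
      </add>
      <add name="TenantLegacy">
        <cpu limit="30000" action="NoAction" />
      </add>
      <add name="TenantInherit" />
      <add name="TenantExempt">
        <cpu limit="0" />
      </add>
      <applicationPoolDefaults>
        <cpu limit="10000" action="Throttle" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

# Values used when neither the pool nor the defaults set the attribute
# (assumed schema defaults: no limit, no action).
SCHEMA_DEFAULTS = {"limit": "0", "action": "NoAction"}

ENFORCEMENT = {
    "Throttle": "hard-cap",           # always held at Limit
    "ThrottleUnderLoad": "soft-cap",  # held at Limit only under CPU contention
    "KillW3wp": "kill",               # worker processes are shut down, not throttled
    "NoAction": "no-action",          # a limit is configured but nothing enforces it
}


def effective_cpu(pool, defaults):
    """Resolve limit and action: pool <cpu>, then <applicationPoolDefaults>, then schema."""
    sources = [pool.find("cpu")]
    if defaults is not None:
        sources.append(defaults.find("cpu"))
    resolved = dict(SCHEMA_DEFAULTS)
    for attr in SCHEMA_DEFAULTS:
        for element in sources:
            if element is not None and element.get(attr) is not None:
                resolved[attr] = element.get(attr)
                break
    return resolved


def audit_cpu_limits(config_xml):
    """Return {pool name: (limit in percent, action, enforcement)} for every pool."""
    root = ET.fromstring(config_xml)
    pools = next(root.iter("applicationPools"), None)
    if pools is None:
        return {}
    defaults = pools.find("applicationPoolDefaults")
    report = {}
    for pool in pools.findall("add"):
        cpu = effective_cpu(pool, defaults)
        limit = int(cpu["limit"])          # stored in 1/1000ths of a percent
        if limit == 0:
            enforcement = "unlimited"      # a limit of 0 disables CPU limiting
        else:
            enforcement = ENFORCEMENT.get(cpu["action"], "unknown")
        report[pool.get("name")] = (limit / 1000, cpu["action"], enforcement)
    return report


def pools_not_throttled(config_xml):
    """Pools whose CPU use is never throttled down to a limit."""
    return sorted(name for name, (_, _, how) in audit_cpu_limits(config_xml).items()
                  if how not in ("hard-cap", "soft-cap"))


if __name__ == "__main__":
    for name, (percent, action, how) in audit_cpu_limits(SAMPLE_CONFIG).items():
        print(f"{name:15} {percent:6.1f}%  {action:18} {how}")
    print("Not throttled:", pools_not_throttled(SAMPLE_CONFIG))
```
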

Usage Scenarios

• The IIS CPU Throttling feature is designed for multi-tenant environments. Try these settings in an environment where there are thousands of sites and applications, like a shared hosting deployment.

• Set different limits for different "groups" of tenants to simulate those customers who are

allowed to consume more CPU resources than others.

• Set ThrottleUnderLoad as LimitAction to observe the behavior. It behaves like Throttle when there is contention on the CPU. If there is no contention on the CPU, the application pool is allowed to use more CPU resources than the value set for Limit.

• Create a sand-box with memory and bandwidth limits, along with IIS CPU Throttling

feature on Windows Server 2012. Memory and bandwidth limits are not discussed

specifically in this documentation because these features exist on Windows Server 2008

and Windows Server 2008 R2.

Summary

You have successfully explored the IIS CPU Throttling feature in Windows Server 2012.

Lab 20: Central certificate store

Machines used in this Lab: DC, WEBB

Preparing file server

1. Switch to DC machine

2. Log on as Administrator

3. Launch cmd.exe

4. Type "md c:\certstore" and press Enter

5. Launch Server Manager

6. On the upper toolbar click "Manage" and then "Add Roles and Features"

7. Click "Next"

8. Leave the default (Role-based) installation type and click "Next"

9. Leave local server selected and click "Next"

10. Expand "File and Storage Services" then "File and iSCSI Services" and select "File Server"

11. Click "Next"

12. On the "Features" screen click "Next"

13. Click "Install" and wait until installation finishes and click "Close"

14. In the left pane of the Server Manager click "File and Storage Services" and then "Shares"

15. Expand the "Tasks..." button and select "New Share..."

16. Select "SMB Share – Quick" and click "Next"

17. Select "Type a custom path"

18. Click "Browse" and select c:\certstore folder

19. Click "Next"

20. Leave default values for share name and click "Next"

21. Leave default share settings and click "Next"

22. Leave default permissions (read-only share permissions) and click "Next"

23. Click "Create" and then "Close"

Copying certificates to central store

1. On DC attach the ISO file provided.

2. Launch cmd.exe.

3. Go to the Certs folder.

4. Type "copy *.pfx \certstore" and press Enter. Verify that the files were actually copied.

5. Type "exit" and press Enter to close cmd.exe window.

Trusting your certificates

1. These steps are necessary only if you plan to browse your website from a machine other than DC.

2. Remember that the following steps are necessary because you use self-signed certificates for the lab. In real-life scenarios, certificates are signed by one of the Trusted Root Certification Authorities (TRCA) configured on your machine.

3. Log on as Administrator, launch mmc.exe.

4. Press Ctrl+M and select "Certificates". Click "Add".

5. Select "Computer account". Click "Next" and then "Finish". Click "OK"

6. Navigate to Trusted Root Certification Authorities\Certificates.

7. From the menu select Action -> All Tasks -> Import. Click "Next".

8. Select your certificate from \\dc\certstore and import it. Note that you should change

filetype to "*.pfx" to see your files.

9. Specify P@ssw0rd as certificate password. Note that there is "@" sign in the password

string.

10. Repeat steps 7-9 for all your certificates.

Verifying address resolution

1. Open cmd.exe and try to ping www.contoso.com

2. If the name is not recognized:

a. Open DNS Management Console and expand "Forward Lookup Zones" and

then "contoso.com".

b. Right-click the zone and select "New Alias (CNAME)".

c. Type "www" as alias name and "webb.cqure.tec" as FQDN for target host.

d. Click OK.

e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name

resolution cache.

f. Ping www.contoso.com and verify if name is resolved correctly.

3. Ping test123.acme.net

4. If the name is not recognized:

a. Open DNS Management Console and expand "Forward Lookup Zones" and

then "acme.net".

b. Right-click the zone and select "New Alias (CNAME)".

c. Type "*" as alias name and "webb.cqure.tec" as FQDN for target host.

d. Click OK

e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name

resolution cache.

f. Ping test123.acme.net and verify if name is resolved correctly.

Installing CCS support

1. Switch to WEBB machine and log on as Administrator

2. Launch Server Manager and on the upper toolbar click "Manage" and then "Add Roles

and Features"

3. Click "Next"

4. Leave the default (Role-based) installation type and click "Next"

5. Leave local server selected and click "Next"

6. Expand the "Web Server (IIS)" then "Web Server" and "Security"

7. Select "Centralized SSL Certificate Support". Click "Next"

8. On the "Features" screen click "Next"

9. Click "Install" and wait until installation finishes and click "Close"

Configuring CCS

1. Stay on WEBB machine and launch IIS Manager.

2. In the left pane select your server name.

3. If asked about Web Platform Components, press "No".

4. Double click "Centralized Certificates" under the "Management" in the central pane.

5. Click "Edit Feature Settings" in the right pane.

6. Click "Enable Centralized Certificates".

7. Type the UNC path to a share you created previously - \\dc\certstore.

8. Type a username and password. Administrator credentials will work, but using a dedicated user account is more secure.

9. In the "Certificate Private Key Password" field, type P@ssword twice. Note that there is an "@" sign in the password string. Click "OK"

10. Verify if certificates from your share appeared in the central pane.

Creating new website

1. Stay on WEBB machine and launch IIS Manager.

2. In the left pane expand your server name and right click "Sites".

3. Select "Add Website" and fill out the dialog box with values:

a. Site name – www.contoso.com

b. Physical path – c:\inetpub\wwwroot\contoso

c. Type – https

d. Host name – www.contoso.com

e. Require Server Name Indication – true

f. Use Centralized Certificate Store – true

4. If asked about duplicate :80 binding – click "No"

5. Note that you cannot select a certificate, and click OK

6. Repeat above steps and create virtual site for www.acme.net

a. Site name – www.acme.net

b. Physical path – c:\inetpub\wwwroot\acme

c. Type – https

d. Host name – www.acme.net

e. Require Server Name Indication – true

f. Use Centralized Certificate Store – true

Testing new website

1. Switch to DC machine

2. Log on as Administrator

3. Launch cmd.exe

4. Type "ping www.contoso.com" and verify if the IP address was resolved correctly

5. Launch Internet Explorer and navigate to https://www.contoso.com

6. If asked – accept the warning caused by self-signed certificate by clicking on "Continue

to this website"

7. Click on the certificate icon and select "View certificates"

8. Verify properties of the certificate used for encrypting data transmission

a. Verify if dates are OK

b. Verify if subject equals to server name (www.contoso.com)

c. Verify if certificate is trusted

9. Repeat above steps for https://www.acme.net.

a. What do you observe for certificate subject?

Lab 21: Configuring FTP Protection

Machines used in this Lab: DC, WEBB

FTP Server installation

10. Switch to WEBB machine

11. Log on as Administrator

12. Launch server manager

13. On the upper toolbar click "Manage" and then "Add Role"

14. Click "Next"

15. Leave the default (Role-based) installation type and click "Next"

16. Leave local server selected and click "Next"

17. Expand the "Web Server (IIS)" then "FTP Server"

18. Select "FTP Service"

19. Click "Next"

20. On the "Features" screen click "Next"

21. Click "Install" and wait until installation finishes and click "Close"

FTP Server configuration

1. Launch IIS Manager

2. In the left pane right click your server name and select "Add FTP Site"

3. Fill the dialog box with values:

a. FTP Site Name – FTP1

b. Physical Path – c:\inetpub\ftproot

4. Press "Next"

5. Switch SSL option to "No SSL" and click "Next"

6. Configure options:

a. Authentication – Basic

b. Allow Access to – All Users

c. Permissions – Read

7. Click "Finish"

8. Verify your FTP server by launching cmd.exe and typing ftp 127.0.0.1. If it asks for a username, the server works properly.

Attacking unprotected FTP server

1. Create a local copy of Brutus utility from ISO

2. Launch BrutusA2.exe utility

3. Set your attack parameters:

a. Target – 127.0.0.1

b. Type – FTP

4. Press "Start"

5. If the attack finishes, note the elapsed time and the number of attempts.

6. Navigate to c:\inetpub\logs\logfiles\ftpsvc and open the logfile. Try to identify attack evidence. Note that IIS log files use UTC, not local time.
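
One way to look for the attack evidence asked for in step 6, as an added example that is not part of the original lab: a Python script that reads FTP log entries, counts failed PASS commands (status 530) per client inside a sliding window, and reports whether a successful login (status 230) followed. The log lines are constructed, and the field list, the threshold of 4 failures and the 120-second window are assumptions; timestamps are treated as UTC, as the step notes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS FTP W3C format; addresses, names and session ids are made up.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 8.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2014-04-22 09:15:01 127.0.0.1 - 127.0.0.1 21 USER admin 331 0 0 s1 -
2014-04-22 09:15:01 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 s1 -
2014-04-22 09:15:02 127.0.0.1 - 127.0.0.1 21 USER admin 331 0 0 s2 -
2014-04-22 09:15:02 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 s2 -
2014-04-22 09:15:03 127.0.0.1 - 127.0.0.1 21 USER root 331 0 0 s3 -
2014-04-22 09:15:03 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 s3 -
2014-04-22 09:15:04 127.0.0.1 - 127.0.0.1 21 USER backup 331 0 0 s4 -
2014-04-22 09:15:04 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 s4 -
2014-04-22 09:15:05 127.0.0.1 - 127.0.0.1 21 USER administrator 331 0 0 s5 -
2014-04-22 09:15:05 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 41 s5 -
2014-04-22 09:15:06 127.0.0.1 - 127.0.0.1 21 USER administrator 331 0 0 s6 -
2014-04-22 09:15:06 127.0.0.1 administrator 127.0.0.1 21 PASS *** 230 0 0 s6 /
2014-04-22 09:20:10 10.10.10.10 - 127.0.0.1 21 USER alice 331 0 0 s7 -
2014-04-22 09:20:10 10.10.10.10 - 127.0.0.1 21 PASS *** 530 1326 41 s7 -
2014-04-22 09:20:25 10.10.10.10 - 127.0.0.1 21 USER alice 331 0 0 s7 -
2014-04-22 09:20:25 10.10.10.10 alice 127.0.0.1 21 PASS *** 230 0 0 s7 /
"""


def parse_w3c(text):
    """Yield one dict per entry; column names come from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        row["utc"] = stamp.replace(tzinfo=timezone.utc)  # IIS logs in UTC
        yield row


def find_logon_bursts(log_text, threshold=4, window_seconds=120):
    """Return {client ip: summary} for clients with at least `threshold` failed
    PASS commands inside any span of `window_seconds`. Entries must be in time order."""
    window = timedelta(seconds=window_seconds)
    last_user = {}               # (ip, session) -> name sent in the last USER command
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    summary = {}
    for row in parse_w3c(log_text):
        ip = row["c-ip"]
        session = (ip, row.get("x-session", "-"))
        method = row["cs-method"].upper()
        if method == "USER":
            last_user[session] = row["cs-uri-stem"]
            continue
        if method != "PASS":
            continue
        user = last_user.get(session, "-")
        info = summary.setdefault(ip, {"failures": 0, "peak": 0, "usernames": set(),
                                       "burst_start_utc": None, "login_after_burst": None})
        if row["sc-status"] == "530":          # logon failed
            failures = recent[ip]
            failures.append(row["utc"])
            while row["utc"] - failures[0] > window:
                failures.popleft()
            info["failures"] += 1
            info["usernames"].add(user)
            info["peak"] = max(info["peak"], len(failures))
            if len(failures) >= threshold and info["burst_start_utc"] is None:
                info["burst_start_utc"] = failures[0]
        elif row["sc-status"] == "230" and info["burst_start_utc"] is not None:
            # a successful logon after a burst deserves a closer look
            info["login_after_burst"] = info["login_after_burst"] or user
    return {ip: info for ip, info in summary.items() if info["peak"] >= threshold}


if __name__ == "__main__":
    for ip, info in find_logon_bursts(SAMPLE_LOG).items():
        start = info["burst_start_utc"]
        print(ip, info["failures"], "failures, burst from", start.isoformat(),
              "(local:", start.astimezone().isoformat() + ")",
              "users:", sorted(info["usernames"]),
              "login after burst:", info["login_after_burst"])
```
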

Protecting your FTP Server

1. Launch IIS Manager

2. In the left pane select your server name

3. Double click "FTP Logon Attempt Restrictions" in the central pane

4. Select "Enable FTP Logon Attempt Restrictions" and change the time period to 120

seconds

5. Leave default values and press "Apply" in the right pane

Attacking protected FTP server

6. Launch BrutusA2.exe utility

7. Set your attack parameters:

a. Target – 127.0.0.1

b. Type – FTP

8. Press "Start"

9. Observe the result of the attack

10. Try to repeat steps you used to verify FTP configuration:

a. Launch cmd.exe

b. Type "ftp 127.0.0.1" and press Enter

c. Could you see the difference?

Lab 22: Authorization, Authentication and Access

Machines used in this Lab: DC, WEBB

Disable IE ESC mode

1. On WEBB, log on as CQURE\Administrator // Passw0rd

2. Launch Server Manager and select Local Server in the left pane.

3. Find the IE Enhanced Security Configuration entry in the main pane and switch it to

disabled for admins and users.

Turn off the Web site cache for the shared documents folder

1. On WEBB, in Internet Information Services (IIS) Manager, in the Connections pane,

ensure WEBB | Sites | HR | docs is expanded, and then click shared.

2. In the details pane, in the HTTP Features section, double-click HTTP Response

Headers.

3. In the Actions pane, click Add.

4. The Add Custom HTTP Response Header dialog box appears. In the Name field, type

Cache-Control.

5. In the Value field, type no-cache and then click OK.

Sign into the Raccoons Bank Web site and retrieve the confidential memo

1. In Internet Information Services (IIS) Manager, in the Connections pane, click HR.

2. In the Actions pane, click Browse *:80 (http).

3. The Windows Internet Explorer window opens. Click Shared Documents.

4. In the Email field, type [email protected].

5. In the Password field, type Passw0rd.

6. Click Login.

7. If you get the AutoComplete Passwords dialog box, click No.

8. Click Confidential Memo. Notice that the image representing the Confidential Memo

appears.

9. Click the Back button.

10. Click Signout.

Bypass the Web site forms authentication

1. In Internet Explorer, browse to http://hr.cqure.tec/docs/shared/Raccoons_memo.jpg.

Notice that the image representing the Confidential Memo appears.

Question: Why is the confidential memo being displayed even after the user logs out?

Answer: The Web site and directory are not fully protected by forms authentication.

2. Click the Back button.

Modify the applicationHost.config to unlock the URL Authorization <configSections>

section by changing the override mode default to allow

1. On WEBB in Windows Explorer, browse to C:\windows\system32\inetsrv\config.

2. In the details pane, double-click applicationHost.config. Unlock the URL Authorization

section by changing the override mode default to 'allow'. Do this by modifying the

authorization section indicated on the next step.

3. Find the <configSections> section. Find:

<section name="authorization" overrideModeDefault="Allow" />

And replace it with:

<section name="authorization" type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35" overrideModeDefault="Allow" />

Modify the applicationHost.config <applicationPools> section to change the Classic .NET

application pool to Integrated mode

1. Change the Classic .NET application pool to Integrated mode by finding the <applicationPools> section and replacing:

<add name="Classic .NET AppPool" managedPipelineMode="Classic" />

With:

<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />

Modify the applicationHost.config file to disable all other authentication types except for

anonymous

1. Find the <authentication> section.

2. Append:

enabled="false"

To:

clientCertificateMappingAuthentication, digestAuthentication, iisClientCertificateMappingAuthentication, and windowsAuthentication

Modify the applicationHost.config file to protect all content by removing the

managedHandler precondition from the <system.webServer> section

1. Remove the preconditions for Forms Authentication and Default Authentication from

the modules section. Do this by finding the <system.webServer> section, and then

modifying the lines indicated on the next steps.

2. Replace:

<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />

With:

<add name="Forms Authentication" type="System.Web.Security.FormsAuthenticationModule" />

3. Replace:

<add name="Default Authentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />

With:

<add name="Default Authentication" type="System.Web.Security.DefaultAuthenticationModule" />

4. On the File menu, click Save.

5. Close Notepad.
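
Why the memo was reachable without logging in: a module with preCondition="managedHandler" runs only for requests served by a managed handler, so a request for a static .jpg never reaches the forms authentication module. The Python check below is an added example, not part of the original lab; it models that rule on constructed <modules> fragments that mirror the lines edited above, and it also honours the runAllManagedModulesForAllRequests attribute, which the lab does not use.

```python
import xml.etree.ElementTree as ET

# Managed modules the lab edits, identified by type rather than by display name.
AUTH_MODULE_TYPES = {
    "System.Web.Security.FormsAuthenticationModule",
    "System.Web.Security.DefaultAuthenticationModule",
}

# Constructed fragments mirroring the <modules> lines before and after the lab's edit.
BEFORE = """
<system.webServer>
  <modules>
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
    <add name="Default Authentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
    <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
  </modules>
</system.webServer>
"""
AFTER = """
<system.webServer>
  <modules>
    <add name="Forms Authentication" type="System.Web.Security.FormsAuthenticationModule" />
    <add name="Default Authentication" type="System.Web.Security.DefaultAuthenticationModule" />
    <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
  </modules>
</system.webServer>
"""


def managed_modules_for(config_xml, handler_is_managed):
    """Names of the managed modules that run for a request.

    handler_is_managed is True for content such as .aspx pages and False for
    files served by a native handler, such as a static .jpg.
    """
    running = []
    for modules in ET.fromstring(config_xml).iter("modules"):
        run_all = modules.get("runAllManagedModulesForAllRequests", "false").lower() == "true"
        for add in modules.findall("add"):
            conditions = {c.strip() for c in add.get("preCondition", "").split(",")}
            if "managedHandler" in conditions and not (handler_is_managed or run_all):
                continue  # the module is skipped for this request
            running.append(add.get("name"))
    return running


def auth_modules_skipped_for_static(config_xml):
    """Authentication modules that never see a request for a static file."""
    running = set(managed_modules_for(config_xml, handler_is_managed=False))
    skipped = []
    for modules in ET.fromstring(config_xml).iter("modules"):
        for add in modules.findall("add"):
            module_type = add.get("type", "").split(",")[0].strip()
            if module_type in AUTH_MODULE_TYPES and add.get("name") not in running:
                skipped.append(add.get("name"))
    return skipped


if __name__ == "__main__":
    for label, fragment in (("before", BEFORE), ("after", AFTER)):
        print(label, "- modules run for a static .jpg:",
              managed_modules_for(fragment, handler_is_managed=False))
        print(label, "- auth modules skipped for static files:",
              auth_modules_skipped_for_static(fragment))
```
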

Reconfigure the authorization and authentication so that the protected content uses

forms authentication

1. In Windows Explorer, browse to D:\AllFiles\Step6\Labfiles\RaccoonsHRSite.

2. In the details pane, double-click Web.Config.

3. The Notepad window opens. Find the <authorization> section.

4. Add the line <allow users="[email protected]" /> above the line <!--<deny users="?" />-->.

5. Remove the comment markers from the line <!--<deny users="?" />-->, changing it to <deny users="?" />.

6. On the File menu, click Save.

7. Close Notepad.

8. In Internet Information Services (IIS) Manager, in the Connections pane, click shared.

9. In the details pane, in the Security section, double-click Authentication.

10. Click Anonymous Authentication.

11. In the Actions pane, click Disable.

Test and validate the new Web site configuration

1. In Internet Explorer, in the Email field, type [email protected].

2. In the Password field, type Passw0rd.

3. Click Login.

4. Click Confidential Memo.

5. Click the Back button.

6. Click Signout.

7. In Internet Explorer, browse to http://hr.cqure.tec/docs/shared/Raccoons_memo.jpg.

Notice that you are redirected to the login page and that proper authentication is now

required to access the Raccoons Memo file.

Lab 23: IIS Hardening

Machines used in this Lab: DC, NODE1

The IIS platform is much bigger than it looks. It has many security features built into the platform itself and many more that are configured as part of the Web Site settings. In this lab you will configure the security settings for the platform and for the Web Site.

Starting your lab environment

1. Launch DC and wait until it starts, then log on as CQURE\Administrator with password Passw0rd

2. Launch NODE1 machine and log on as CQURE\Administrator with password Passw0rd

Verifying existing configuration

1. Switch to DC machine

2. Start Internet Explorer

3. Type http://NODE1.CQURE.TEC in the address field and verify if web server on node 1

is working correctly

4. Type https://NODE1.CQURE.TEC in the address field and verify if web server on node 1

is working correctly with SSL

5. Install the NMAP application and then start NMAP Zenmap GUI from desktop.

6. Type NODE1.CQURE.TEC in the target field

7. Select Quick scan as a profile

8. Click Scan

9. Verify open ports

Remove IPv6 bindings

If your server will not serve content to IPv6 clients (which is the most common scenario), you should remove the binding to this protocol.

1. Switch to NODE1

2. Start cmd.exe

3. Type ipconfig and try to identify IPv6 addresses.

4. Type ncpa.cpl

5. Right click Ethernet and select properties

6. Uncheck checkbox next to Internet Protocol Version 6 (TCP/IPv6)

7. Click OK

8. Right click Ethernet and select Disable and then Enable it.

9. Close Network Connections window

10. In the cmd.exe console type ipconfig to verify there are no IPv6 addresses

Configuring firewall

1. Stay on NODE1

2. Start cmd.exe

3. Type wf.msc to launch firewall management console

4. Select Inbound rules from the left pane

5. You may sort rules list by Enabled column for easier identification of enabled rules

6. Disable IPv6 Rule

a. Find Core Networking – IPv6 (IPv6-In) rule

b. Right click it

c. Select Disable from context menu

7. Disable all other rules except:

a. World Wide Web Services (HTTP Traffic-In)

b. World Wide Web Services (HTTPS Traffic-In)

8. Switch to DC machine

9. Start NMAP Zenmap GUI from desktop

10. Type NODE1.CQURE.TEC in the target field

11. Select Quick scan as a profile

12. Click Scan

13. Verify open ports

Encrypting traffic with https

2. Switch to NODE1

3. Launch Internet Information Services (IIS) Manager

4. Select NODE1 from the left pane

5. Double click on Server Certificates

6. Click Create Self-Signed Certificate from the right pane

7. Type NODE1.CQURE.TEC as a friendly name and click OK

8. Expand Sites in the left pane and select Default Web Site

9. Click Bindings… in the right pane. Click Add…

10. Create new binding

a. Type: https

b. IP Address: All Unassigned

c. Port: 443

d. SSL Certificate: NODE1.CQURE.TEC

11. Close site bindings window

12. Switch to DC machine

13. Start Internet Explorer

14. Type https://NODE1.CQURE.TEC in the address field and verify if web server on node 1

is working correctly with SSL

15. Click Continue to this website

16. Click on the red icon next to the address bar in Internet Explorer

17. Click View certificates

18. Switch to Details tab

a. Is the Subject field valid for this website?

b. Are Valid from and Valid to fields correct?

19. Switch to Certification Path tab

a. Is this certificate trusted?

20. Click OK to close certificate properties window

21. What should change before you use such a configuration in a production environment?

Removing features

1. Switch to NODE1

2. Close all open windows and applications

3. Start Server Manager

4. Add Roles.

5. Click Remove Role Services in the Web Server (IIS) section

6. Uncheck Directory Browsing – it allows you to browse website directories when you do

not specify document name in the URI and usually is not necessary.

7. Click Next then Remove and Close

Adding features

1. Switch to NODE1

2. Close all open windows and applications

3. Start Server Manager

4. Add Role.

5. Click Add Role Services in the Web Server (IIS) section

6. Check following options under Security section:

a. Windows Authentication

b. URL Authorization

c. IP and Domain Restrictions

7. Click Next then Install and Close

Configuring IP restrictions

1. Switch to NODE1

2. Launch Internet Information Services (IIS) Manager

3. Expand NODE1 and Default Web Site in the left pane and select test1 virtual directory

4. Double click IP Address and Domain Restrictions icon

5. Click Add Deny Entry from the right pane

6. Enter the domain controller's IP address (10.10.10.10) as the value to deny

7. Switch to DC machine

8. Start Internet Explorer

9. Type http://NODE1.CQURE.TEC and then http://NODE1.CQURE.TEC/test1

a. What happens? What is verified first: IP restrictions or user account? Does it make

sense?

Adding other security modules

1. Switch to NODE1

2. Close all open windows and applications

3. Launch Internet Information Services (IIS) Manager

4. Select Default Web Site from the left pane

5. Open IP and Domain Restrictions module

6. Click Edit Dynamic Restriction Settings in right pane

7. Check Deny IP addresses based on the number of requests over a period of time

option

8. Type 10 as the number of requests and 10000 as the time period

9. Click Apply on the right pane

10. Click Default Web Site from the left pane

11. Switch to DC machine

12. Start Internet Explorer

13. Type http://NODE1.CQURE.TEC in the address field and verify if page opens

14. Click refresh button (next to address field) several times and count refreshes until it

stops working. Is the count what you expected? Why?

Lab 24: IIS under attack

Machines used in this Lab: DC, NODE1/WEBA/WEBB

Internet Information Services is a great web platform that can host websites created with many different technologies. IIS has been improved year by year, ending up with great functionality, good performance and well-designed security concepts. When under attack, IIS monitors traffic in a very efficient way. The goal of this exercise is to understand how to get access to this information and how to test the platform by performing several performance attacks.

Starting your lab environment

1. Launch DC VM and wait until it starts

2. Log on as CQURE\Administrator with password Passw0rd

3. Launch NODE1 machine

4. Log on as CQURE\Administrator with password Passw0rd

Preparing stress tool

1. Switch to DC machine

2. Mount the provided ISO file and find the document named scenario1.txt. Copy it to the desktop.

3. Review scenario1.txt file. It contains data used to generate http traffic.

4. Install WCAT

a. Launch wcat.amd64.msi

b. Press Next

c. Accept license agreement and press Next

d. Click Complete

e. Click Install

f. Click Continue and Finish

g. Review instructions and close notepad window

5. Launch cmd.exe

6. Change working directory – type: cd "C:\Program Files\wcat"

7. Copy scenario file – type: copy "%userprofile%\desktop\scenario1.txt" "C:\Program Files\wcat"

8. Set cscript as the default script host – type: cscript //H:Cscript

9. Install wcat client – type: wcat.wsf -terminate -update -clients localhost

10. Launch wcat – type: wcat -run -s NODE1.CQURE.TEC -v 1 -t scenario1.txt

a. If you think that the generated traffic is too low, you can increase the value specified after the -v parameter

11. Do not close command prompt window. It allows you to easily re-launch wcat utility

Using logparser

1. Switch to NODE1 machine

2. Log on as CQURE\Administrator // Passw0rd

3. Install IIS Server Role

4. Mount provided ISO file and find the file named LogParser.msi.

5. Launch LogParser.msi

6. Click Next

7. Accept license terms and click Next

8. Click Complete

9. Click Install

10. Wait until installation finishes and click Finish

11. Launch Log Parser 2.2

12. Review LogParser help displayed on the screen and try to create some queries:

a. Count entries in logs: logparser -i:IISW3C "SELECT count(*) FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log"

b. Count http errors: logparser -i:IISW3C "SELECT count(*) FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE sc-status<>200"

c. Details of http errors: logparser -i:IISW3C "SELECT top 10 sc-status, date, time, cs-uri-stem FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE sc-status<>200"

d. Processing times: logparser -i:iisw3c "SELECT TOP 10 cs-uri-stem AS Url, MIN(time-taken) as [Min], AVG(time-taken) AS [Avg], max(time-taken) AS [Max], count(time-taken) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log GROUP BY Url ORDER BY [Avg] DESC"

e. List top 20 longest requests: logparser -i:IISW3C "SELECT top 20 cs-uri-stem,date,time,time-taken FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log ORDER BY time-taken DESC"

13. Remember that IIS stores time in the UTC time zone, so it may differ from your local time

Using performance monitor

1. Switch to NODE1

2. Launch cmd.exe and type: perfmon

3. Select Performance Monitor entry in the left pane

4. Click on the green plus sign on the toolbar and add counters:

a. Web Service\Anonymous Users/sec

b. Web Service\Bytes Total/sec\_Total

c. Web Service\Current Connections\_Total

d. Web Service\Not Found Errors/sec\_Total - this counter is useful if you'd like

to detect automated scanning scripts.

e. Network interface\Bytes Received/sec\<All Instances> - you can delete

unused network interface cards later

f. Network interface\Bytes Sent/sec\<All Instances> - you can delete unused

network interface cards later

5. Check whether perfmon shows any values other than zero

6. Switch to DC

7. Launch Internet Explorer, open NODE1.CQURE.TEC website and press Ctrl+F5 several

times

8. Switch to NODE1

9. Freeze perfmon using Pause button on the toolbar

10. Observe the performance counter values. They are important because they should serve as a baseline for the administrator: it is easier to detect attacks if the administrator knows the everyday behavior of the server

11. Un-freeze perfmon

12. Switch to DC and re-launch wcat

13. Switch to NODE1 and observe perfmon counters

14. Remember about these tips:

a. You can highlight perfmon graphs using the Ctrl+H shortcut. It is extremely useful if you have more than 5 counters active

b. The suggested set of counters is optimized for attack detection. Perfmon is also very useful for everyday performance monitoring of web applications.

c. If some counters are useless, just delete them. You can also add new counters at any time.

d. You can double-click any counter and change its scale. This lets you monitor values that are constantly below or above the display scale, such as Bytes Total/sec

e. Look at the IIS hardening lab and consider using Dynamic IP Restrictions to prevent some types of attacks.
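The baseline idea from step 10 can be recorded and checked with numbers instead of by eye. The PowerShell below is an added example, not part of the original lab: it reads the Web Service counters named above with Get-Counter, stores mean and standard deviation per counter, and flags later samples whose peak exceeds the baseline. The function names, the 3-sigma tolerance, the minimum delta and the sample values are assumptions.

```powershell
# Added example. Counter paths use the _Total instance of the Web Service object.
$webCounters = @(
    '\Web Service(_Total)\Anonymous Users/sec',
    '\Web Service(_Total)\Bytes Total/sec',
    '\Web Service(_Total)\Current Connections',
    '\Web Service(_Total)\Not Found Errors/sec'
)

function Get-WebCounterSample {
    # Live collection; needs a server with the Web Server (IIS) role (NODE1 in the lab).
    param([int]$Samples = 30, [int]$IntervalSec = 2)
    Get-Counter -Counter $webCounters -SampleInterval $IntervalSec -MaxSamples $Samples |
        ForEach-Object { $_.CounterSamples } |
        ForEach-Object {
            [pscustomobject]@{
                Counter = ($_.Path -replace '^\\\\[^\\]+', '')   # drop the \\HOST prefix
                Value   = [double]$_.CookedValue
            }
        }
}

function New-CounterBaseline {
    # Mean and population standard deviation per counter.
    param([Parameter(Mandatory = $true)][object[]]$Sample)
    $Sample | Group-Object -Property Counter | ForEach-Object {
        $group  = $_
        $values = @($group.Group | ForEach-Object { $_.Value })
        $mean   = ($values | Measure-Object -Average).Average
        $sumSq  = 0.0
        foreach ($v in $values) { $sumSq += ($v - $mean) * ($v - $mean) }
        [pscustomobject]@{
            Counter = $group.Name
            Mean    = $mean
            StdDev  = [math]::Sqrt($sumSq / $values.Count)
            Samples = $values.Count
        }
    }
}

function Compare-ToBaseline {
    # Emits one object per counter whose peak is above Mean + max(Sigma*StdDev, MinDelta).
    param(
        [Parameter(Mandatory = $true)][object[]]$Baseline,
        [Parameter(Mandatory = $true)][object[]]$Sample,
        [double]$Sigma = 3,      # assumed tolerance
        [double]$MinDelta = 1    # floor, so a flat baseline of 0 still gets a usable limit
    )
    $limits = @{}
    foreach ($b in $Baseline) {
        $limits[$b.Counter] = $b.Mean + [math]::Max($Sigma * $b.StdDev, $MinDelta)
    }
    $Sample | Group-Object -Property Counter | ForEach-Object {
        $group = $_
        $peak  = ($group.Group | Measure-Object -Property Value -Maximum).Maximum
        if ($limits.ContainsKey($group.Name) -and $peak -gt $limits[$group.Name]) {
            [pscustomobject]@{
                Counter = $group.Name
                Peak    = $peak
                Limit   = [math]::Round($limits[$group.Name], 2)
            }
        }
    }
}

# Constructed sample values standing in for a quiet period and a load period.
function New-Sample {
    param([string]$Counter, [double[]]$Values)
    foreach ($v in $Values) { [pscustomobject]@{ Counter = $Counter; Value = $v } }
}
$nf = '\web service(_total)\not found errors/sec'
$cc = '\web service(_total)\current connections'
$quiet = @(New-Sample $nf 0,0,1,0,0,0,1,0) + @(New-Sample $cc 3,4,3,5,4,3,4,4)
$load  = @(New-Sample $nf 0,12,25,18)      + @(New-Sample $cc 4,5,4,5)

$baseline = New-CounterBaseline -Sample $quiet
Compare-ToBaseline -Baseline $baseline -Sample $load | Format-Table -AutoSize

# On the lab server, replace the constructed data with live samples:
# $baseline = New-CounterBaseline -Sample (Get-WebCounterSample)
# Compare-ToBaseline -Baseline $baseline -Sample (Get-WebCounterSample -Samples 10)
```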

Using traces

1. Switch to NODE1

2. Launch Server Manager

3. Add Role.

4. Right click Add Role Services in the Web Server (IIS) section in the right pane

5. Check Tracing option in the Health and Diagnostics section

6. Click Next

7. Click Install and then Close

8. Launch Internet Information Services (IIS) Manager

9. Expand Sites in the left pane and select Default Web Site entry

10. Double click Failed Request Tracing Rules in the central pane

11. Click Add in the right pane

12. Leave default All content (*) entry selected and click Next

13. Clear all checkboxes except Status code and enter 404 then press Next. This error code

means page not found

14. Leave default providers selected and press Finish

15. Click Edit Site Tracing in the right pane

16. Select Enable and remember location for traces. Then press OK

17. Switch to DC machine

18. Open Internet Explorer and enter URL: NODE1.CQURE.TEC/fakepath

19. Check whether new files appeared in C:\inetpub\logs\FailedReqLogFiles\W3SVC1

20. Double-click the last of the XML files created

21. Click Add and add about:blank if asked about security settings by Internet Explorer

22. Review the trace data using the Request Summary, Request Details (with sub-tabs) and Compact View tabs. Remember that the trace for a non-existing URL is very simple. It gives some idea of the level of detail, but traces in real-life scenarios may be more complicated.

Logging for IIS can provide a lot of information about how a website behaves under certain conditions. Logs can be converted to many formats, including output from the Performance Monitor that shows you, for example, a network bandwidth usage graph.

When you finish the lab, revert the virtual machines to their initial state. To do this, from NODE1

Virtual Machine window click Media Menu and choose “Apply Snapshot”.

Lab 25: Logging

Machines used in this Lab: DC, WEBB

Examine and configure logging options

1. On WEBB, in Internet Information Services (IIS) Manager, in the Connections pane,

click WEBB.

1. In the details pane, in the Health and Diagnostics section, double-click Logging.

2. Notice that the Log File Rollover Schedule is set for Daily.

3. Select Use local time for file naming and rollover.

4. In the Actions pane, click Apply.

Test the logging operations

1. In Internet Explorer, click the Refresh button.

2. In Windows Explorer, browse to C:\inetpub\logs\LogFiles\W3SVC1.

3. In the details pane, double-click the newest log file. Notice the most recent log entries

at the bottom of the log. Notice that the log entries include a number of lines with the

word “GET.”

Question: What does the word “GET” mean in this log file?

Answer: The GET commands indicate requests from the client to the Web server to retrieve the

Web pages and images.

Lab 26: Delegation and Remote Administration

Machines used in this Lab: DC, WEBB

Start the DC virtual machine and log on as CQURE\Administrator

Start the WEBB virtual machine and log on as CQURE\Administrator

Configure WEBB for remote administration

1. On WEBB, Open | Administrative Tools | Internet Information Services (IIS) Manager.

1. In the Internet Information Services (IIS) Manager connections pane, click

WEBB(CQURE\Administrator).

2. In the details pane, in the Management section, double-click Management Service.

3. Select Enable remote connections.

4. Click Windows credentials or IIS Manager credentials.

5. In the Actions pane, click Apply.

6. Click Start.

Test WEBB remote administration

1. On DC, open Server Manager. In the Server Manager console pane, click Roles.

2. Right-click Roles, and then click Add Roles.

3. The Add Roles Wizard appears. Click Next.

4. In the Roles box, select Web Server (IIS).

5. The Add Roles Wizard dialog box appears. Click Add Required Features.

6. Click Next twice.

7. In the Role services box, clear all check boxes except for IIS Management Console.

8. Click Next, and then click Install.

9. When the installation completes, click Close.

10. Open | Administrative Tools| Internet Information Services (IIS) Manager.

11. In the details pane, click Connect to a server.

12. The Connect to Server wizard appears. In the Server name field, type WEBB, and then

click Next.

13. On the Provide Credentials page, in the User name field, type

[email protected].

14. In the Password field, type Passw0rd, and then click Next.

15. The Server Certificate Alert dialog box appears. Click Connect.

16. The Specify a Connection Name dialog box appears. Click Finish.

17. In the Connections pane, expand WEBB | Sites and then click Default Web Site.

Question: Is the IIS Management Service available for configuration remotely?

Answer: No, this service can only be configured locally

18. In the details pane, in the IIS section, double-click Default Document.

19. Click index.htm.

20. In the Actions pane, click Move Up.

21. The Default Document dialog box appears. Click Yes.

22. In the Actions pane, click Move Up.

In order to proceed to the next Lab don't revert WEBB.

Lab 27: Configuring Delegated Administration

Machines used in this Lab: DC, WEBB

Configure delegated administration for the Human Resources site

1. On WEBB, Open | Computer and then browse the lab files in Step6.

2. Right-click RaccoonsHRSite, and then click Properties, Sharing and then Advanced

Sharing.

3. Check Share this folder checkbox and then click Permissions

4. Allow everyone full control and click OK twice

5. Click Close

6. Open Internet Information Services (IIS) Manager. Go to the Management Service feature and verify that the management service is running and remote connections are enabled.

7. In the Internet Information Services (IIS) Manager Connections pane, expand Sites, and then click HR.

8. In the details pane, in the Management section, double-click IIS Manager Permissions.

9. In the Actions pane, click Allow User.

10. The Allow User dialog box appears. In the Windows field, type Herbert and then click

OK.

11. Add Herbert as a user that can Modify the content of the HR application folder.

Share the Raccoons Sales Web Site

1. In Windows Explorer, browse to Step6

2. Right-click RaccoonsSalesSite, and then click Properties, Sharing and then Advanced

Sharing

3. Check Share this folder checkbox and then click Permissions

4. Allow everyone full control and click OK twice

5. Click Close

(Steps 1-20 described below are optional. You have already gained experience with delegation from the steps above. The part below is just an extension covering another approach, based on file editing and using shares.)

Configure delegated administration for the Sales site

1. Open, and click Run, then type Notepad, and then press ENTER.

2. The Notepad window opens. On the File menu, click Open.

3. The Open dialog box appears. In the Text Documents list, click All Files.

4. Browse to C:\windows\system32\inetsrv\config.

5. Click applicationHost.config, and then click Open.

6. Scroll down to the <authentication> tag in the <security> section and delete the following text for the Sales site:

<anonymousAuthentication enabled="true" userName="IUSR" />

<basicAuthentication enabled="false" />

<clientCertificateMappingAuthentication />

<digestAuthentication />

<iisClientCertificateMappingAuthentication />

<windowsAuthentication />

7. On the File menu, click Save.

8. On the File menu, click Open.

9. The Open dialog box appears. Browse to Labfiles (Step 6).

10. Click EnableAnonymousAuthentication.txt, and then click Open.

11. On the Edit menu, click Select All.

12. On the Edit menu, click Copy.

13. On the File menu, click Open.

14. The Open dialog box appears. In the Text Documents list, click All Files.

15. Browse to C:\windows\system32\inetsrv\config.

16. Click applicationHost.config, and then click Open.

17. Scroll to the end of the applicationhost.config file and put the cursor on the line before

</configuration>.

18. On the Edit menu, click Paste.

19. On the File menu, click Save.

20. Close Notepad.
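After an edit like this it is worth listing which configuration sections a site-level Web.config is now allowed to change. The PowerShell below is an added example, not part of the original lab: it reads the section declarations and the location tags of an applicationHost.config and reports, per site, whether each section can be overridden. The contents of EnableAnonymousAuthentication.txt are not shown in the lab text, so the XML here is a constructed, cut-down sample; the function names are assumptions.

```powershell
# Added example. Constructed, cut-down applicationHost.config; only the site
# names Sales and HR come from the lab text.
[xml]$config = @'
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="httpErrors" overrideModeDefault="Allow" />
      <sectionGroup name="security">
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="Sales" overrideMode="Allow">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="HR">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Get-DeclaredSection {
    # Returns a hashtable: section path -> overrideModeDefault from <configSections>.
    param([Parameter(Mandatory = $true)][xml]$Config)
    $map = @{}
    foreach ($s in $Config.SelectNodes('/configuration/configSections//section')) {
        $names = @($s.GetAttribute('name'))
        $p = $s.ParentNode
        while ($null -ne $p -and $p.LocalName -eq 'sectionGroup') {
            $names = @($p.GetAttribute('name')) + $names
            $p = $p.ParentNode
        }
        $default = $s.GetAttribute('overrideModeDefault')
        if (-not $default) { $default = 'Allow' }   # an omitted attribute means Allow
        $map[$names -join '/'] = $default
    }
    $map
}

function Get-DelegatedSection {
    # One object per section configured inside a <location> tag.
    # Simplification: Inherit falls back to the section default; nested
    # <location> inheritance is not modelled.
    param([Parameter(Mandatory = $true)][xml]$Config)
    $declared = Get-DeclaredSection -Config $Config
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        $mode = $loc.GetAttribute('overrideMode')
        if (-not $mode) { $mode = 'Inherit' }
        foreach ($el in $loc.SelectNodes('.//*')) {
            # Build the element path relative to the <location> tag.
            $names = @()
            $n = $el
            while ($null -ne $n -and -not [object]::ReferenceEquals($n, $loc)) {
                $names = @($n.LocalName) + $names
                $n = $n.ParentNode
            }
            $section = $names -join '/'
            if (-not $declared.ContainsKey($section)) { continue }   # a group, or a setting inside a section
            $effective = if ($mode -eq 'Inherit') { $declared[$section] } else { $mode }
            [pscustomobject]@{
                Location        = $loc.GetAttribute('path')
                Section         = $section
                OverrideMode    = $mode
                SiteCanOverride = ($effective -eq 'Allow')
            }
        }
    }
}

# Security sections that a site-level Web.config may change:
Get-DelegatedSection -Config $config |
    Where-Object { $_.SiteCanOverride -and $_.Section -like '*/security/*' } |
    Format-Table -AutoSize

# On WEBB, against the real file:
# Get-DelegatedSection -Config ([xml](Get-Content C:\windows\system32\inetsrv\config\applicationHost.config))
```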

Test delegated administration for the Human Resources and Sales sites

1. Switch to WEBA.

2. Log on as CQURE\herbert with a password of Passw0rd.

3. Open Internet Information Services (IIS) Manager.

4. In the details pane, click Connect to a site.

5. The Connect to Site dialog box appears. In the Server name field, type WEBB.

6. In the Site name field, type HR, and then click Next.

7. The Provide Credentials page appears. In the User name field, type [email protected].

8. In the Password field, type Passw0rd and then click Next.

9. The Server Certificate Alert dialog box appears. Click Connect.

10. The Specify a Connection Name dialog box appears. In the Connection Name field, type

Human Resources Site and then click Finish.

11. In the Connections pane, click Start Page.

12. In the details pane, click Connect to a site.

13. The Connect to Site dialog box appears. In the Server name field, type WEBB.

14. In the Site Name dialog box, type Sales, and then click Next.

15. The Provide Credentials page appears. In the User name field, type

[email protected].

16. In the Password field, type Passw0rd, and then click Next.

17. The Connect to Site dialog box appears with an error stating that the user is not

authorized to connect to the specified computer.

Question: Why does this error occur?

Answer: This error occurs because Herbert was not granted IIS Manager permission on the Sales

site.

18. Click OK.

19. Click Cancel.

20. Close Internet Information Service (IIS) Manager.

21. The Internet Information Service (IIS) Manager dialog box appears, asking if you want

to save changes. Click No.

(Steps 22-45 are optional. You have already gained experience with delegation from the steps above. These steps are just an extension covering another approach, based on file editing and using shares.)

22. Switch User.

23. Log on as CQURE\betsy with a password of Passw0rd.

24. Click Start, and click Run, then type Notepad, and then press Enter.

25. The Notepad window opens.

26. On the File menu, click Open.

27. The Open dialog box appears. Browse to Step6

28. Click Disable Authentications, and then click Open.

29. On the Edit menu, click Select All.

30. On the Edit menu, click Copy.

31. On the File menu, click Open.

32. The Open dialog box appears. In the File name field, type

\\WEBB\RaccoonsSalesSite\Web.Config and then click Open.

33. Scroll to the end of the Web.Config file and put the cursor on the line before

</configuration>.

34. On the Edit menu, click Paste.

35. On the File menu, click Save.

36. Close Notepad.

37. Open Internet Explorer.

38. The Windows Internet Explorer window opens. Browse to http://sales.CQURE.TEC.

39. Notice error 401 indicating that the user does not have permission to view this page.

Question: Why does the server report this error?

Answer: The server reports a 401 error because both Anonymous Authentication and Windows

Authentication have been disabled. The web server is unable to service a request for a web page

if no means for authentication are configured.

40. Click Start, and click Run, then type Notepad, and then press Enter.

41. The Notepad window opens.

42. On the File menu, click Open.

43. The Open dialog box appears. In the File name field, type

\\WEBB\RaccoonsHRSite\Web.Config and then click Open.

44. The Network Error dialog box appears. Click See details and note the resulting error and

notice that it says access is denied.

45. Click Cancel twice and then close Notepad.

In order to proceed to the next Lab don't revert WEBB.

Lab 28: Configuring Feature Delegation

Machines used in this Lab: DC, WEBB

Configure feature delegation for the Human Resources and Sales sites

1. On WEBB, in the Internet Information Services (IIS) Manager Connections pane, click WEBB.

2. In the details pane, in the Management section, double-click Feature Delegation.

3. Click Error Pages.

4. In the Actions pane, click Read/Write.

Test feature delegation for the Human Resources site

1. On DC, Switch User.

2. Log on as CQURE\Herbert with a password of Passw0rd.

3. Open Administrative Tools| Internet Information Services (IIS) Manager.

4. The User Account Control dialog box appears. In the Password field, type Passw0rd, and

then click OK.

5. In the details pane, click Connect to a site.

6. The Connect to Site dialog box appears. In the Server name field, type WEBB.

7. In the Site Name dialog box, type HR, and then click Next.

8. The Provide Credentials page appears. In the User name field, type [email protected].

9. In the Password field, type Passw0rd, and then click Next.

10. The Server Certificate Alert dialog box appears. Click Connect.

11. The Specify a Connection Name dialog box appears. In the Connection Name field,

type Human Resources Site and then click Finish.

12. In the Connections pane, click Human Resources Site.

13. In the details pane, in the IIS section, double-click Error Pages.

14. Right-click the line beginning with 404, and then click Edit.

15. The Edit Custom Error Page dialog box appears. Click Execute a URL on this site.

16. In the URL (relative to site root) field, type /ErrorPages/custom404.htm and then click

OK.

17. Open Internet Explorer.

18. The Internet Explorer window opens. Browse to

http://hr.CQURE.TEC/missingpage.htm.

19. Note that the custom error page is displayed.

In order to proceed to the next Lab revert WEBB to default state.

Lab 29: Automating webserver management

Machines used in this Lab: DC, WEBB

Verifying address resolution

1. On the DC machine open cmd.exe and try to ping www.contoso.com

2. If the name is not recognized:

a. Open DNS Management Console and expand "Forward Lookup Zones" and

then "contoso.com".

b. Right-click the zone and select "New Alias (CNAME)".

c. Type "www" as alias name and "webb.cqure.tec" as FQDN for target host.

d. Click OK

e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name

resolution cache.

f. Ping www.contoso.com and verify if name is resolved correctly.

3. Ping test123.acme.net

4. If the name is not recognized:

a. Open DNS Management Console and expand "Forward Lookup Zones" and

then "acme.net".

b. Right-click the zone and select "New Alias (CNAME)".

c. Type "*" as alias name and "webb.cqure.tec" as FQDN for target host.

d. Click OK

e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name

resolution cache.

f. Ping test123.acme.net and verify if name is resolved correctly.

PowerShell loop

22. Switch to WEBB machine

23. Log on as Administrator

24. Launch PowerShell ISE

25. Create a new script by pressing Ctrl+N

26. Test simple loop by typing in the upper pane:

for ($i=10001; $i -le 10100; $i++) {Write-Host ("app{0}" -f $i)}

and press F5

27. Does it work as expected?

Creating website

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

New-Website -Name "pstest" -HostHeader "pstest.acme.net" -PhysicalPath "$env:systemdrive\inetpub\wwwroot\acme"

and press F5

3. Do you know why "$env:systemdrive" syntax was used?

4. Launch Internet Information Services (IIS) Manager

5. Verify if "pstest" site was created correctly

6. Do you expect that typing http://pstest.acme.net in your web browser will work OK?

Adding the new binding to a website

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

New-WebBinding -Name "pstest" -Protocol "https" -Port 443 -HostHeader "pstest.acme.net" -SslFlags 3

and press F5

3. Switch to Internet Information Services (IIS) Manager

4. Verify if "pstest" site has two bindings – one for http and one for https with SNI and CCS

options enabled

5. Do you expect that typing https://pstest.acme.net in your web browser will work OK?

Removing website

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

Remove-Website -Name "pstest"

and press F5

3. Switch to Internet Information Services (IIS) Manager

4. Verify if "pstest" site was deleted.

Combining scripts together

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

for ($i=10001; $i -le 10100; $i++)
{
    New-Website -Name ("app{0}" -f $i) -HostHeader ("app{0}.acme.net" -f $i) -PhysicalPath "$env:systemdrive\inetpub\wwwroot\acme"
    New-WebBinding -Name ("app{0}" -f $i) -Protocol "https" -Port 443 -HostHeader ("app{0}.acme.net" -f $i) -SslFlags 3
}

and press F5

3. Switch to Internet Information Services (IIS) Manager and verify if sites are created

properly

4. You can browse any of your new websites by selecting website name in the left pane and

then clicking on the "Browse..." icon in the right pane

Cleaning app* sites

1. In the PowerShell ISE create new script by pressing Ctrl+N

2. Type in the upper pane:

Remove-Website -Name "app10*"

and press F5

Generating scripts

1. Launch Internet Information Services (IIS) Manager

2. Select any of websites in the left pane

3. Double click "Directory Browsing" icon in the central pane and verify (in the right pane) if

it is disabled

4. Click on the website name again

5. Double click "Configuration editor" in the central pane

6. In the "Section" listbox select the system.webServer/directoryBrowse entry

7. Look at two settings available: enabled and showFlags

8. Change the value for "enabled" to "True"

9. Click "Generate Script" in the right pane

10. Switch to "PowerShell" tab

11. Copy all text and paste it into a new tab in PowerShell ISE. Do not press F5 yet.

12. Switch to Internet Information Services (IIS) Manager and click "Close" and then "Cancel"

in the right pane

13. Verify if directory browsing is still disabled

14. Start the script in the PowerShell ISE by pressing F5

15. Verify directory browsing configuration in Internet Information Services (IIS) Manager

Lab 30: Command-line and Scripting for IIS

Machines used in this Lab: DC, WEBB

Start the WEBB virtual machine and log on as CQURE\Administrator

Use PowerShell to identify all services

1. On WEBB, open Windows PowerShell.

2. At the Windows PowerShell prompt, type get-service and then press Enter. Notice the

status, name, and display name of each service.

Use PowerShell to identify running services that start with a “w”

1. Type get-service -include w* | sort-object -property status and then press Enter.

2. Notice the list of services that begin with a “w” with the “stopped” services listed first.

3. Type stop-service -servicename w3svc and then press Enter.

4. Type get-service -servicename w3svc and then press Enter.

5. Start the w3svc service using PowerShell.

6. Type start-service -servicename w3svc and then press Enter.

7. Type get-service -servicename w3svc and then press Enter.

List PowerShell.exe process using the get-wmiobject cmdlet

1. Type Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'" and then press Enter.

2. Notice the detailed information for the powershell.exe process.

Question: What operating system is listed in the details?

Answer: Microsoft Windows Server 2012.

Load Microsoft.Web.Administration.dll

1. On WEBB, in PowerShell, type [System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll") and then press Enter.

2. Notice the GAC, version and location for the Microsoft.Web.Administration.dll, which

signifies the DLL file was loaded.

3. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites and then

press Enter.

4. Notice the detailed information for the sites on the server.

5. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name} and then press Enter.

6. Notice the names of the Websites on the server.

7. Type function findsite {$name=$args[0]; ((New-Object Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name -match $name}); } and then press Enter.

Question: This command line didn't return any values. What did it do?

Answer: This command line created the command findsite, which integrates the

Microsoft.Web.Administration module into an easy-to-use single command.

1. Type findsite default* and then press Enter.

2. Notice the detailed information for the default Website.

3. Type (findsite default*).ID and then press Enter.

4. Notice the ID for the default Website: 1.

5. Type (findsite default*).Stop() and then press Enter.

6. Notice the status for the default Website is now “stopped”.

7. Type (findsite default*).Start() and then press Enter.

8. Notice the output is “unknown”.

Question: Why does the command return an output value of “unknown”?

Answer: Because it attempted to start the default Web site without first checking to see if it was

stopped or checking the result.

9. Type (findsite default*).State and then press Enter.

10. Notice the status for the default Website is now “started”.

Results: After this exercise, you should have successfully used Microsoft.Web.Administration to

gather Website information and created a function to start and stop the default Website.
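The "unknown" result above comes from calling Start() and reading its return value without checking the state before or after. The PowerShell below is an added example, not part of the original lab: it checks the current state first, issues Start() or Stop() only when needed, and then polls the State property until the site reaches the requested state or a timeout expires. The function names and the timeout are assumptions; it needs the Web Server (IIS) role and an elevated prompt.

```powershell
# Added example; run on a server with IIS installed (WEBB in the lab).
[void][System.Reflection.Assembly]::LoadFrom(
    "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll")

function Get-SiteState {
    # Reads the state through a fresh ServerManager, as findsite does on every call.
    param([Parameter(Mandatory = $true)][string]$Name)
    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    try {
        $site = $mgr.Sites | Where-Object { $_.Name -eq $Name }
        if (-not $site) { throw "Site '$Name' not found." }
        $site.State
    }
    finally { $mgr.Dispose() }
}

function Set-SiteState {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][ValidateSet('Started', 'Stopped')][string]$Desired,
        [int]$TimeoutSec = 15   # assumed value
    )
    # Check first: nothing to do if the site is already in the requested state.
    $state = Get-SiteState -Name $Name
    if ($state -eq $Desired) { return $state }

    $mgr = New-Object Microsoft.Web.Administration.ServerManager
    try {
        $site = $mgr.Sites | Where-Object { $_.Name -eq $Name }
        # The value returned by Start()/Stop() is discarded on purpose; the lab
        # shows it reporting Unknown, so the state is confirmed by polling below.
        if ($Desired -eq 'Started') { [void]$site.Start() } else { [void]$site.Stop() }
    }
    finally { $mgr.Dispose() }

    # Check the result: poll until the state matches or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $state = Get-SiteState -Name $Name
        if ($state -eq $Desired) { return $state }
        Start-Sleep -Milliseconds 250
    } while ((Get-Date) -lt $deadline)

    throw "Site '$Name' is '$state' after $TimeoutSec seconds, expected '$Desired'."
}

# Usage on WEBB:
# Set-SiteState -Name 'Default Web Site' -Desired Stopped
# Set-SiteState -Name 'Default Web Site' -Desired Started
```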

Create Microsoft.PowerShell profile script to automatically load assemblies

1. On WEBB, in PowerShell, type if (test-path $profile) {echo "Path exists."} else {new-item -path $profile -itemtype file -force}; notepad $profile and then press Enter.

2. The Notepad window opens. Type the following:

echo "Microsoft IIS Environment Loader"
echo "Copyright 2006 Microsoft Corporation. All rights reserved."
echo "Loading IIS Managed Assemblies"
$inetsrvDir = (join-path -path $env:windir -childPath "\system32\inetsrv\")
Get-ChildItem -Path (join-path -path $inetsrvDir -childPath "Microsoft*.dll") | ForEach-Object {[System.Reflection.Assembly]::LoadFrom((join-path -path $inetsrvDir -childPath $_.Name))}
echo "Assemblies loaded."

3. On the File menu, click Save.

4. Minimize but do not close Notepad.

5. In Windows PowerShell, type get-executionpolicy and then press Enter.

6. Notice the execution policy is set to “restricted”.

7. Type set-ExecutionPolicy Unrestricted and then press Enter.

8. In Notepad, at the end of the script, type new-variable iismgr -value (New-Object Microsoft.Web.Administration.ServerManager) -scope "global".

9. On the File menu, click Save.

10. Minimize but do not close Notepad.

11. Close Windows PowerShell and then reopen it.

12. Notice the script information that now executes when you open PowerShell.

13. Type $iismgr.Sites and then press Enter.

14. Notice the site information that is displayed.

15. Close Windows PowerShell.

1. Browse to Step7\Scripts.

2. Right-click iis.type.ps1xml, and then click Edit.

3. The Notepad window opens. Review the code.

4. On the File menu, click Save As.

5. The Save As dialog box appears. In the Save as type list, click All Files.

6. Browse to C:\windows\System32\WindowsPowerShell\v1.0 and then click Save.

7. Close Notepad.

8. Restore Notepad, at the end of the script, type the following:

new-variable iissites -value (New-Object Microsoft.Web.Administration.ServerManager).Sites -scope "global"
new-variable iisapppools -value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools -scope "global"
update-typedata -append (join-path -path $PSHome -childPath "iis.types.ps1xml")

9. On the File menu, click Save.

10. Close Notepad.

11. Open Windows PowerShell 1.0 | Windows PowerShell.

12. The Windows PowerShell window opens. Type $iissites.Find("^Default*") and then press Enter.

13. Notice the details for the default Website are listed.

1. In Windows Explorer, browse to

Step7\Scripts\CreateWebsite\CreateWebsite\CreateWebsite.

2. Double-click CreateWebsite.cs.

3. The Notepad window opens. Review the code, and then close Notepad.

4. In Windows Explorer, browse to Step7\Scripts\CreateWebsite\CreateWebsite\CreateWebsite\bin\Debug.

5. Right-click CreateWebsite.exe, and then click Copy.

6. Browse to C:\ and then click Paste.

7. In Windows PowerShell, type c:\CreateWebsite.exe and then press Enter.

8. Type $iissites.Find("^NewSite*") and then press Enter.

9. Notice the details for the new Website are listed.

Lab 31: Manage IIS tasks using WMI and AppCmd

Machines used in this Lab: DC, WEBB

Use AppCmd to identify tasks running on the Web server

1. On WEBB, Open Command Prompt.

2. Type cd c:\windows\system32\inetsrv and then press Enter.

3. Type appcmd list wp and then press Enter.

4. Notice this command lists the current running worker processes. If the command doesn’t

list any results, there aren’t any worker processes running.

5. Type appcmd list apppool and then press Enter.

6. Notice the currently running application pools are listed.

7. Type appcmd list apppool /xml | appcmd recycle apppool /in and then press Enter.

8. Notice the message is displayed ““DefaultAppPool” successfully recycled”.

9. Type appcmd list app /site.name:"NewSite" /xml | appcmd set app /in /applicationPool:NewAppPool and then press Enter

10. Notice the following is displayed “APP object “NewSite/” changed”.

Store configuration information to file, and then restore the configuration information

1. Type appcmd list config "Default Web Site/" /section:caching /xml /config > config.xml and then press Enter.

2. Type appcmd set config "Default Web Site/" /in < config.xml and then press Enter.

3. Notice the configuration changes were applied to the Default Web Site.

Use WMI to list the Default Web Site on the Web server

1. Open Notepad and then press Enter.

2. The Notepad window opens. Type:

Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSite = oIIS.Get("Site.Name='Default Web Site'")
WScript.Echo "Retrieved an instance of Site"
WScript.Echo "Name: " & oSite.Name
WScript.Echo "ID: " & oSite.ID

3. On the File menu, click Save.

4. The Save As dialog box appears. In the File name field, type C:\GetSite.vbs.

5. In the Save as type list, click All Files, and then click Save.

6. Close Notepad.

7. From the command prompt, type cd \, and then press Enter.

8. Type cscript //h:cscript, and then press Enter.

9. Notice the default script has been set to “cscript.exe”.

10. Type getsite.vbs, and then press Enter.

11. Notice the Web site name and ID are displayed.

Lab 32: Tuning IIS

Machines used in this Lab: DC, WEBA

Start the DC virtual machine

Start the WEBA virtual machine and log on as CQURE\Administrator

ASP.NET and Dynamic Content Compression features

1. On WEBA, go to roles management, right-click Web Server (IIS), and then click Add

Role Services. Verify if ASP.NET 4.5 is installed.

2. In the Performance section, select Dynamic Content Compression.

3. Click Next and then click Install.

4. When the installation completes, click Close.

5. In the details pane, in the Role Services section, notice that ASP.NET and Dynamic Content Compression are listed as Installed.

6. Open Internet Information Services (IIS) Manager.

7. In the Connections pane, expand WEBA | Sites and then click Default Web Site.

8. In the Actions pane, click View Applications.

9. Click Add Application.

10. The Add Application dialog box appears. In the Alias field, type SalesSupport.

11. Next to the Physical path field, click the Browse (...) button.

12. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then

click Make New Folder.

13. Type SalesSupport and then click OK.

14. Click OK.

15. Open Computer and then browse to Step10\SalesSupport.

16. Select all, then right-click and click Copy.

17. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.


Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy

1. Open Command Prompt.

2. Type cd \inetpub\wwwroot and then press Enter.

3. Type md SalesSupport2 and then press Enter.

4. Type xcopy /e SalesSupport\*.* SalesSupport2.

5. Notice that 36 files are copied.

6. At the command prompt locate the labfiles location.

7. Enter the following path: Step10\SalesSupport2 and then press Enter.

8. Type xcopy /e *.* c:\inetpub\wwwroot\salessupport2 and then press Enter.

9. When prompted to overwrite files, press A for all.

10. In Internet Information Services (IIS) Manager, in the Connections pane, click Default

Web Site.

11. In the Actions pane, click View Applications. Click Add Application.

12. The Add Application dialog box appears. In the Alias field, type SalesSupport2.

13. Next to the Physical path field, click the Browse (...) button.

14. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot\SalesSupport2, and then click OK twice.

Create and assign an application pool for SalesSupport2 and test functionality

1. In the Connections pane, click Application Pools.

2. In the Actions pane, click Add Application Pool.

3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport2 and then click OK.

4. In the Connections pane, expand Default Web Site and then click SalesSupport2.

5. In the Actions pane, click Basic Settings.

6. The Edit Application dialog box appears. Click Select.

7. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport2, and then click OK twice.

8. Open Internet Explorer.

9. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.

10. Notice that the Raccoons Bank Sales Support page loads successfully.

11. In Internet Explorer, browse to http://localhost/salessupport2.

12. Notice that the Raccoons Bank Sales Support page version 2.0 loads successfully.

Use Performance Monitor to measure performance

1. On WEBA, open Reliability and Performance Monitor.

2. In the console pane, click Performance Monitor.

3. In the details pane, right-click the graph, and then click Remove All Counters.

4. The Performance Monitor Control dialog box appears. Click OK.

5. Above the graph, click the Add button (green plus).

6. The Add Counters dialog box appears. In the Available counters list, scroll down, and

then expand Web Service.

7. Click Bytes Sent/sec.

8. In the Instances of selected object field, click <All instances>.

9. Click Add, and then click OK.

10. With Reliability and Performance Monitor running, in Internet Explorer, browse to http://localhost/salessupport/test.aspx.

11. After the page loads, click Refresh several times rapidly. Notice that the dynamically

generated time updates each time you refresh.

12. Close Internet Explorer.

13. In Reliability and Performance Monitor, notice that the graph reflects the throughput.

Note that you can right-click the graph and then click Scale Selected Counters to get a

better representation. You may need to do this a couple of times to get a zoomed in

view of the data.


Configure Output Caching

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand WEBA (CQURE) | Sites | Default Web Site and then click SalesSupport.

2. In the details pane, in the IIS section, double-click Output Caching.

3. In the Actions pane, click Add.

4. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.

5. Select Kernel-mode caching.

6. Click At time intervals, and then delete the existing text and type 00:00:10.

7. Click OK.

8. Open Internet Explorer, and browse to http://localhost/salessupport/test.aspx.

9. Click Refresh several times rapidly for at least 30 seconds.

10. Notice that the time updates only every 10 seconds after the first couple of loads and

that the subsequent loads are much faster.

11. In Internet Explorer, browse to http://localhost/salessupport2/test.aspx.

12. Click Refresh several times rapidly.

13. Notice that the time updates with each load.

14. In Reliability and Performance monitor, compare the two peaks for throughput on the

graph. Notice that the first peak has higher throughput than the second.

Configure Compression

1. In Internet Explorer, browse to http://localhost.

2. Click Refresh several times rapidly.

3. In Reliability and Performance Monitor, note the throughput on the graph.

4. In Internet Information Services (IIS) Manager, in the Connections pane, click Default

Web Site.

5. In the details pane, in the IIS section, double-click Compression.

6. Clear the Enable static content compression check box.

7. In the Actions pane, click Apply.

8. In Internet Explorer, browse to http://localhost.


9. Click Refresh several times rapidly.

10. In Reliability and Performance Monitor, note the throughput on the graph. There should

not be much change for static compression.

Question: Why does the graph show little or no change?

Answer: Static compression is cached. Only the first page load requires processing the

compression.

11. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.

12. Click Refresh several times rapidly.

13. In Reliability and Performance Monitor, note the throughput on the graph.

14. In Internet Information Services (IIS) Manager, in the details pane, select Enable

dynamic content compression.

15. In the Actions pane, click Apply.

16. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.

17. Click Refresh several times rapidly.

18. Close Internet Explorer.

19. In Reliability and Performance Monitor, note the throughput on the graph. The

throughput has decreased because dynamic compression negates dynamic output

caching.

Configure connection limit throttling

1. Open Internet Explorer, and browse to http://localhost.

2. Right click the IIS tab, and then click New Tab.

3. In the new tab, browse to http://localhost.

4. Repeat to create another new tab, and then browse to http://localhost.

5. You should have three tabs open. Right-click one of the tabs, and then click Refresh All.

6. Notice that all of the tabs refresh successfully.

7. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.


8. In Internet Information Services (IIS) Manager, in the Connections pane, click Default

Web Site.

9. In the Actions pane, click Limits.

10. The Edit Web Site Limits dialog box appears. Select Limit number of connections.

11. In the Limit number of connections field, type 1.

12. Click OK.

13. Open Internet Explorer, and browse to http://localhost in three tabs.

14. In Internet Explorer, right-click one of the tabs, and then click Refresh All.

15. Notice that at least one of the tabs now reports Service Unavailable.

16. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.

Use Reliability and Performance Monitor to measure resource usage

1. On WEBA, open Internet Explorer, and browse to http://localhost/salessupport.

2. Open a second tab and browse to http://localhost/salessupport2.

3. In Reliability and Performance Monitor, in the console pane, click Reliability and

Performance.

4. In the details pane, expand Memory.

5. Click the Image column heading to sort by image name, and then scroll down to

w3wp.exe.

6. Notice that there are two instances running. Note the amount of memory being used by

each in the Commit (KB) and Working Set (KB) columns.

7. In Internet Information Services (IIS) Manager, in the Connections pane, click

Application Pools.

8. In the details pane, click SalesSupport2.

9. In the Actions pane, click Recycle.

10. In Reliability and Performance Monitor, notice that one of the w3wp.exe processes

consumes less memory.

11. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.


Assign SalesSupport and SalesSupport2 to the same application pool

1. In Internet Information Services (IIS) Manager, in the Connections pane, click

SalesSupport2.

2. In the Actions pane, click Basic Settings.

3. The Edit Application dialog box appears. Click Select.

4. The Select Application Pool dialog box appears. In the Application pool list, click

DefaultAppPool.

5. Click OK twice.

6. In the Connections pane, click Application Pools.

7. In the details pane, click SalesSupport2.

8. In the Actions pane, click Remove.

9. The Confirm Remove dialog box appears. Click Yes.

10. Open Internet Explorer, and browse to http://localhost/salessupport.

11. Open a second tab and browse to http://localhost/salessupport2.

12. In Reliability and Performance Monitor, notice that there is now only one w3wp.exe process and less total memory consumed.

In order to proceed to the next Lab don’t revert WEBA.


Lab 33: Web Farms

Machines used in this Lab: DC, WEB2, NODE4

Start the DC virtual machine

Start the NODE4 virtual machine and log on as CQURE\Administrator

Start the WEB2 virtual machine and log on as CQURE\Administrator

Backup the Web site, Web application, and config files to the D: drive

1. On NODE4, Open Computer, and then browse to C

2. In the File menu, click New | Folder.

3. Type WebSiteBackup, and then press Enter.

4. Right click the new folder and share it by selecting Properties, Sharing, Advanced

Sharing. Configure Share rights to allow write by clicking on Permissions button and

selecting "Full Control".

5. Browse to \\NODE4\WebSiteBackup.

6. Browse to C:\inetpub\wwwroot.

7. In the details pane, select all, right-click, and then click Copy.

8. Browse to \\NODE4\WebSiteBackup, right-click and then click Paste.

9. Notice that the Web site files are now backed up to this shared folder.

Restore the Web site, Web application, and config files from the shared drive

1. On WEB2, open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand WEB2 | Sites, and then click Default Web Site.

3. In the Actions pane, click Browse *:80 (http).

4. The Microsoft Internet Explorer window opens. Notice that the IIS default page is

displayed.

5. Open Computer, and then browse to C:\inetpub\wwwroot.


6. Notice that the folder contains the IIS default Web site files, iisstart.htm, png files, and

the aspnet_client folder.

7. Browse to the networked computer NODE4.

8. If the NODE4 computer is not displayed in the details pane, network discovery may be

turned off. Click the notice bar, and then click Turn on network discovery and file sharing.

9. Browse to \\NODE4\WebSiteBackup.

10. In the details pane, select all, right-click and then click Copy.

11. Browse to C:\inetpub\wwwroot, right-click and then click Paste.

12. If a Copy File dialog box appears, indicating that you are about to overwrite any files or

folders, click Copy and Replace.

13. If a Confirm Folder Replace dialog box appears, indicating that you are about to

overwrite a folder, click Yes.

14. Notice that the new Web site files are now copied to this location.

15. In Internet Explorer, click the Refresh button.

16. Notice that the Raccoons Bank Web site has been deployed on the second Web server.

Question: What process on the Web server led to the Raccoons Bank Web site being displayed

instead of the IIS default Web site?

Answer: After the Raccoons Bank Web site files were copied to the second Web server, the

default file default.aspx superseded the file iisstart.htm.


Lab 33: Shared Configuration

Machines used in this Lab: DC, NODE4, WEB2

Export and Enable Shared Configuration

1. On NODE4, Open Computer, and then browse to C

2. In the File menu, click New | Folder.

3. Type Export, and then press Enter.

4. Right click the new folder and share it by selecting Properties, Sharing, Advanced

Sharing. Configure Share rights to allow write by clicking on Permissions button and

selecting "Full Control".

5. Open Internet Information Services (IIS) Manager.

6. In the Connections pane, click NODE4.

7. In the details pane, in the Management section, double-click Shared Configuration.

8. In the Actions pane, click Export Configuration.

9. The Export Configuration dialog box appears, allowing you to export the local

configuration files, settings, and encryption keys. In the Physical path field, type

\\NODE4\Export.

10. In the Encryption keys password and Confirm Password fields, type Passw0rd.

11. Click OK.

12. The Export Configuration dialog box appears indicating that the files were exported

successfully. Click OK.

13. In the details pane, select Enable shared configuration.

14. In the Physical Path field, type \\NODE4\Export.

15. In the User name field, type CQURE\Administrator.

16. In the Password and Confirm Password fields, type Passw0rd.

17. In the Actions pane, click Apply.

18. The Encryption Keys Password dialog box appears for you to enter the encryption key.

In the Enter encryption key Password field, type Passw0rd.


19. Click OK.

20. The Shared Configuration dialog box appears, indicating that the current encryption

keys were backed up. Click OK.

21. The Shared Configuration dialog box appears, indicating that IIS Manager and

Management service must be restarted for these changes to be completed. Click OK.

22. Close Internet Information Services (IIS) Manager.

23. Open Internet Information Services (IIS) Manager.

24. In the Connections pane, click NODE4.

25. In the details pane, in the Management section, double-click Management Service.

26. In the Actions pane, click Start.

Add the second Web server to use the Shared Configuration

1. On WEB2, in Internet Information Services (IIS) Manager, in the Connections pane,

click WEB2.

2. In the details pane, in the Management section, double-click Shared Configuration.

3. Select Enable shared configuration.

4. In the Physical Path field, type \\NODE4\Export.

5. In the User name field, type CQURE\Administrator.

6. In the Password and Confirm Password fields, type Passw0rd.

7. In the Actions pane, click Apply.

8. The Encryption Keys Password dialog box appears. In the Enter encryption key

Password field, type Passw0rd. Click OK.

9. The Shared Configuration dialog box appears, indicating that the current encryption

keys were backed up. Click OK.

10. The Shared Configuration dialog box appears, indicating that IIS Manager and

Management service must be restarted for these changes to be completed. Click OK.

11. Close Internet Information Services (IIS) Manager.

12. Open Internet Information Services (IIS) Manager.

13. In the Connections pane, click WEB2.


14. In the details pane, in the Management section, double-click Management Service.

15. In the Actions pane, click Start.

Test the Shared Configuration

1. On NODE4, in Internet Information Services (IIS) Manager, in the Connections pane,

click NODE4.

2. In the details pane, in the IIS section, double-click Default Document.

3. In the Actions pane, click Add.

4. The Add Default Document dialog box appears to allow us to add a default document

to test the shared configuration. In the Name field, type test.html and then click OK.

5. On WEB2, in Internet Information Services (IIS) Manager, in the Connections pane,

click WEB2.

6. In the details pane, in the IIS section, double-click Default Document.

7. Notice that the default document test.html has been added to the top of the list for the second Web server as well.

Question: Why has the default document test.html been added to the top of the list for the second Web server as well?

Answer: The default document test.html has been added to the top of the list for the second Web server because both servers are using shared configuration.


Lab 35: Web Deploy

Machines used in this Lab: DC, WEBA

Installing the remote service during the installation of Web Deploy on WEBA.

If you have not yet downloaded the Windows Installer file for Web Deploy, see ISO image

delivered by trainer and follow the next steps. After you start the installation, return to this topic

and follow these steps.

1. On the Welcome to the Microsoft Web Deployment Tool Setup Wizard page, click

Next.

2. On the End-User License Agreement page, select the I accept the terms in the license

agreement box, and then click Next.

3. On the Choose Setup Type page, click Custom.

4. On the Custom Setup page, click the Remote Agent Service down arrow, select Will be

installed on local hard drive, and then click Next.

5. Click Install.

6. Click Finish.

7. After you install the remote service, make sure that the service is started. If necessary, type net start msdepsvc.

8. By default, the remote service uses port 80. If necessary, you can enable this port through the firewall by running netsh firewall add portopening TCP 80 WdeployAgent at an administrative command prompt.

To use the Web Deployment Agent Service (also called the Remote Agent Service) remotely, the following conditions must be true.

1. You have installed the Web Deployment Tool on the remote computer.


2. You have enabled port 80 through the firewall on the remote computer. By default,

the remote agent listens on port 80. If you are using a custom port setting, you must

enable the custom port through the firewall instead.

3. You have started the Web Deployment Agent Service (MsDepSvc) on the remote computer.

4. You are a member of the Administrators group on the remote computer, or you specify administrator credentials in the Web Deploy command by using the computerName=<serverName>,userName=<username>,password=<password> syntax described in the Usage section.

5. You use an elevated command prompt to run the Web Deploy command.

Note: To use the remote service at the Web Deploy command line, add the computerName

provider setting to the source or destination provider by using the syntax:

,computerName=<host>. <host> is the name of the remote server. Only one destination

computer can be specified in a Web Deploy command.

The following example shows how you can use the computerName provider setting to return

metabase information from a remote computer named Server1. Notice that there is no space

after the comma.

msdeploy -verb:dump -source:metakey=lm/w3svc/1,computerName=Server1

Web Deploy converts the computer name into the default Web Deploy URL. For example,

computerName=Server1 will become http://Server1/MsDeployAgentService. If the remote

service is running with a custom port or URL, you must specify the full URL.

Example:

Use the remote service on Server1 and Server2 to update the contents of a directory on Server2.

msdeploy -verb:sync -source:contentpath=c:\abc,computerName=Server1,username=admin,password=pass -dest:contentpath=c:\def,computerName=Server2,username=admin,password=pass

Using the Web Deployment Tool

1. Open IIS Manager and expand the default web site in the left pane and select

SalesSupport application

2. Click "Export Application..." in the right pane

3. Click "Advanced settings"

4. Set the password for security settings to Passw0rd

5. Click OK and then Next. Click Next.

6. Enter the path and name for your package. You can store it on your desktop. Click Next.

7. Verify summary and detailed status and click Finish

8. Remove the SalesSupport application (right-click the name in the left pane and select "Remove")

9. Remove the c:\inetpub\wwwroot\salessupport directory from your disk

10. Browse the content of a zip file you created on your desktop and observe how

application data was stored

11. Refresh the view in IIS Manager and verify if application was actually deleted

12. In the IIS Manager select the default web site in the left pane

13. Click "Import Application..." in the right pane

14. Enter the package path and click Next

15. Click "Advanced Settings" and enter the decrypt password for secure data

16. Click "OK" and then "Next"

17. Accept the default name and press "Next"

18. Verify summary and detailed status and click Finish

19. Verify if your application opens correctly in the web browser.


Lab 36: Configuring Network Load Balancing

Machines used in this Lab: DC, NODE4, WEB2

Create a new Network Load Balancing cluster

1. On NODE4 from Server Manager install Network Load Balancing Feature, after that

open Network Load Balancing Manager.

2. In the console pane, right-click Network Load Balancing Clusters and then click New

Cluster.

3. The New Cluster: Connect dialog box appears. Start the process by connecting to the Network Load Balance host computer. In the Host field, type NODE4, and then click Connect.

4. Make sure the Local Area Connection interface with Interface IP address 10.10.10.104 is highlighted, and then click Next.

5. The New Clusters: Host Parameter page shows the dedicated IP addresses and the initial host state. Click Next.

6. The New Clusters: Cluster IP Addresses page allows you to add cluster IP addresses that are shared by every member of the cluster. Click Add.

7. The Add IP Address dialog box appears, allowing you to add IPv4 or IPv6 addresses to the cluster. In the Add IPv4 address field, type 10.10.10.27.

8. In the Subnet mask field, type 255.255.255.0, and then click OK.

9. Make sure the newly added cluster IP address is highlighted. Click Next.

10. The New Clusters: Cluster Parameters page allows you to modify the operation mode of the cluster IP addresses. In the Full Internet name field, type cluster.CQURE.TEC.

11. Click Multicast. Click Next.

12. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP address port rules. Click Finish. Wait for the operation to complete before continuing.


Add the second host to the Network Load Balancing cluster

1. In the console pane, right-click cluster.CQURE.TEC and then click Add Host to Cluster.

2. The Add Host to Cluster: Connect dialog box appears. Add the second host computer.

In the Host field, Type WEB2, and then click Connect. Wait for the operation to

complete before continuing.

3. Make sure the Local Area Connection interface with Interface IP address 10.10.10.202

is highlighted, and then click Next.

4. The New Clusters: Host Parameter page shows the dedicated IP addresses and the

initial host state. Make sure that the Priority (unique host identifier) is 2, and then click

Next.

5. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP

address port rules. Click Finish. Wait for the operation to complete before continuing.

Add the second server to the Network Load Balancing cluster

1. On WEB2, Click Start, click Administrative Tools, and then click Network Load

Balancing Manager.

2. The Network Load Balancing Manager window opens and loads the current cluster. The

Warning dialog box appears, presenting a warning about running NLB in Unicast mode.

Click OK.

Verify Network Load Balancing using NLB commands

1. Open Command Prompt.

2. Type NLB query 10.10.10.27 and then press Enter.

3. Notice that the NLB command indicates that host 2 has entered a converging state with

the cluster.

4. On NODE4, Open Command Prompt.

5. Type NLB query 10.10.10.27 and then press Enter.

6. Notice that the NLB command indicates that host 1 has entered a converging state with

the cluster.


7. Type NLB display and then press Enter.

8. The results show very detailed information about the cluster and its current state. Scroll

to the top of the displayed information to examine the Configuration section.

9. Close each of the running virtual machines. Do not save changes so they are reset to

default for the next lab.


Lab 37: Troubleshooting IIS

Machines used in this Lab: DC, NODE5

Start the DC virtual machine and log on as CQURE\Administrator

Start the NODE5 virtual machine and log on as CQURE\Administrator

On NODE5, browse to http://localhost/raccoons. Notice the Server Error: 401 – Unauthorized

message.

Examine the log file

1. Open Computer and then browse to C:\inetpub\logs\LogFiles\W3SVC1.

2. Double-click the most recent log file.

3. The Notepad window opens. Scroll to the far right and examine the last entries in the log

file. Notice that the status is 401 and sub status is 2.

4. Close Notepad.
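The log check above can also be done without scrolling through Notepad. The following PowerShell is an added example, not part of the original lab: it parses W3C-format IIS log lines using the #Fields header and summarizes 401 responses by sub-status. The function names and the sample log lines are constructed for illustration.

```powershell
# Constructed sample in the IIS W3C extended log format (not from the lab machines).
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-04-22 09:15:02
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-04-22 09:15:02 ::1 GET /raccoons - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+10.0) 401 2 5 31
2014-04-22 09:15:09 ::1 GET /raccoons - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+10.0) 401 2 5 0
2014-04-22 09:16:40 ::1 GET /iisstart.htm - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+10.0) 200 0 0 15
'@

# Documented meanings of the 401 sub-status codes that IIS writes to sc-substatus.
$substatus401 = @{
    '1' = 'Logon failed'
    '2' = 'Logon failed due to server configuration'
    '3' = 'Unauthorized due to ACL on resource'
    '4' = 'Authorization failed by filter'
    '5' = 'Authorization failed by ISAPI/CGI application'
}

# Hypothetical helper: turns W3C log lines into objects keyed by the #Fields names.
function ConvertFrom-IisW3cLog {
    param([Parameter(Mandatory)][string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ([string]::IsNullOrWhiteSpace($l)) { continue }
        if ($l -like '#Fields:*') {
            # The header is re-read each time it appears, because the selected
            # fields can change in the middle of a file after reconfiguration.
            $fields = $l.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#')) { continue }          # other directives
        $values = $l -split ' '
        # Skip truncated or malformed rows instead of misaligning columns.
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

# Hypothetical helper: counts 401 responses per URL and sub-status.
function Get-Iis401Summary {
    param([Parameter(Mandatory)][string[]]$Line)
    ConvertFrom-IisW3cLog -Line $Line |
        Where-Object { $_.'sc-status' -eq '401' } |
        Group-Object -Property 'cs-uri-stem', 'sc-substatus' |
        ForEach-Object {
            $first = $_.Group[0]
            $sub   = $first.'sc-substatus'
            $text  = if ($substatus401.ContainsKey($sub)) { $substatus401[$sub] } else { 'Not in table' }
            [pscustomobject]@{
                Uri     = $first.'cs-uri-stem'
                Status  = '401.' + $sub
                Count   = $_.Count
                Meaning = $text
            }
        }
}

Get-Iis401Summary -Line ($sampleLog -split "`r?`n")
```

To run it against the lab's real log, pass the output of Get-Content for the most recent file in C:\inetpub\logs\LogFiles\W3SVC1 as the -Line argument.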

Enable Detailed Error Messages

1. Open Internet Information Services (IIS) Manager.

2. In the Connections pane, expand NODE5 | Sites | Default Web Site and then click Raccoons.

3. In the details pane, in the IIS section, double-click Error Pages.

4. In the Actions pane, click Edit Feature Settings.

5. The Edit Error Pages Settings dialog box appears. Click Detailed errors for local requests and custom error pages for remote requests, and then click OK.

Reproduce the issue and examine the detailed error

1. In Internet Explorer, browse to http://localhost/raccoons.

2. Notice the detailed error message reports HTTP Error 401.2 - Unauthorized.


3. Scroll down to Most likely causes. Notice the first cause is No authentication protocol

(including anonymous) is selected in IIS.

Resolve the issue and test functionality

1. In Internet Information Services (IIS) Manager, click Raccoons.

2. In the details pane, in the IIS section, double-click Authentication.

3. Notice that all authentication methods are Disabled.

4. In the details pane, click Basic Authentication.

5. In the Actions pane, click Enable.

6. In the details pane, notice that Basic Authentication is Enabled, and all other

authentication methods are Disabled.

7. In Internet Explorer, browse to http://localhost/raccoons.

8. Notice that you are prompted for credentials. For User name, type Yvonne.

9. For Password type Passw0rd and then click OK.

10. Notice that the Raccoons application now loads without error.

11. Close Internet Explorer.


Lab 38: Troubleshooting Authorization

Machines used in this Lab: DC, NODE5

Browse to http://localhost/raccoons2

1. On NODE5, in Internet Explorer, browse to http://localhost/raccoons2.

2. Notice that you are not prompted for credentials and the page loads without error.

3. Close Internet Explorer.

Enable Failed Request Tracing and add a rule to trace successful requests

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default

Web Site.

2. In the Actions pane, click Failed Request Tracing.

3. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable,

and then click OK.

4. In the Connections pane, click Raccoons2.

5. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.

6. In the Actions pane, click Add.

7. The Add Failed Request Tracing Rule dialog box appears. Click Next.

8. Under Status code(s), type 200, and then click Next.

Question: Why do we use status code 200 for this issue?

Answer: Status code 200 is used for a successful page load in IIS. Since the page is loading

without error, we must use the status code 200 to trace the issue.

9. Under Providers, clear ASP and ISAPI Extension. Leave ASPNET and WWW Server

checked.

10. Click Finish.

Reproduce the issue and examine the Failed Request Tracing log

1. In Internet Explorer, browse to http://localhost/raccoons2.

2. In Windows Explorer, browse to c:\inetpub\logs\FailedReqLogFiles\W3SVC1.

3. Double-click fr000001.xml.

4. If prompted to add the site to the Trusted sites zone, click Add twice and then click

Close.

5. Under Request Summary, notice that Authentication is anonymous.

6. Click the Compact View tab.

7. Scroll down and examine the lines that begin with AUTH_SUCCEEDED and USER_SET.

Notice that the authorized user is “”. Close Internet Explorer.

Question: What did we learn from the Failed Request Tracing log?

Answer: Anonymous users are being allowed to access the site. Since anonymous authentication

happens successfully, users are not being prompted to enter credentials.
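The same check can be run over every trace in the folder instead of opening the files one at a time. The PowerShell below is an added example, not part of the original lab files. It assumes PowerShell 3.0 or later, the log folder used above, and that the root failedRequest element of each trace carries the url, statusCode, authenticationType and userName attributes.

```powershell
# Added example (not part of the lab files): list Failed Request Tracing logs
# and flag requests that were served to an anonymous user.
# Assumptions: the log folder used in the lab, and a root <failedRequest>
# element carrying url, statusCode, authenticationType and userName attributes.
param(
    [string]$LogDir    = 'C:\inetpub\logs\FailedReqLogFiles\W3SVC1',
    [string]$UrlFilter = '/raccoons2'
)

function Get-FrebSummary {
    param([Parameter(Mandatory = $true)][string]$Path)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null            # never fetch external resources while parsing
    try {
        $doc.Load($Path)
    } catch {
        # A trace that IIS is still writing is not well-formed yet; skip it.
        Write-Warning "Skipping $Path : $($_.Exception.Message)"
        return
    }

    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'failedRequest') { return }

    $authType = $root.GetAttribute('authenticationType')

    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Url        = $root.GetAttribute('url')
        StatusCode = $root.GetAttribute('statusCode')
        AuthType   = $authType
        UserName   = $root.GetAttribute('userName')
        # The lab's symptom: the request succeeded with anonymous authentication.
        Anonymous  = ($authType -eq 'anonymous')
    }
}

Get-ChildItem -Path $LogDir -Filter 'fr*.xml' |
    Sort-Object Name |
    ForEach-Object { Get-FrebSummary -Path $_.FullName } |
    Where-Object { $_.Url -like "*$UrlFilter*" } |
    Format-Table -AutoSize
```

A row with StatusCode 200 and Anonymous True for a URL that should require a logon is the condition this lab reproduces.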

Resolve the issue and verify functionality

1. In Internet Information Services (IIS) Manager, in the Connections pane, click

Raccoons2.

2. In the details pane, double-click Authorization Rules.

3. Notice that Anonymous Users are Allowed.

4. In the details pane, in the IIS section, click Anonymous Users.

5. In the Actions pane, click Remove.

6. The Confirm Remove dialog box appears. Click Yes.

7. In the Connections pane, click Raccoons2.

8. In the details pane, in the IIS section, double-click Authentication.

9. Notice that both Anonymous Authentication and Basic Authentication are Enabled.

10. Click Anonymous Authentication.

11. In the Actions pane, click Disable.

12. In Internet Explorer, browse to http://localhost/raccoons2.

13. Notice that you are prompted for credentials. For User name, type Yvonne.

14. For Password, type Passw0rd and then click OK.

15. Notice that the Raccoons2 application loads without error.

16. Close Internet Explorer and open it again to create a new session.

17. Browse to http://localhost/raccoons2.

18. When prompted for credentials, leave both fields blank and click OK three times.

19. Notice that you get a 401 – Unauthorized message.
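The settings changed in this lab can also be read back from the command line, which is useful for checking many applications at once. The PowerShell below is an added example, not part of the original lab files. It assumes the WebAdministration module is available and that Raccoons2 is the application /raccoons2 under "Default Web Site".

```powershell
# Added example (not part of the lab files): report the effective authentication
# and URL authorization settings of one IIS application.
# Assumption: the application is /raccoons2 under "Default Web Site".
param(
    [string]$Site = 'Default Web Site',
    [string]$App  = 'raccoons2'
)

Import-Module WebAdministration
$psPath = "IIS:\Sites\$Site\$App"

# Authentication schemes shown on the IIS Manager "Authentication" page.
$authBase = '/system.webServer/security/authentication'
$schemes  = 'anonymousAuthentication', 'basicAuthentication', 'windowsAuthentication'
$auth = foreach ($scheme in $schemes) {
    $section = Get-WebConfiguration -Filter "$authBase/$scheme" -PSPath $psPath
    [pscustomobject]@{ Scheme = $scheme; Enabled = [bool]$section.enabled }
}

# Rules shown on the IIS Manager "Authorization Rules" page
# (system.webServer/security/authorization).
$rules = @(Get-WebConfiguration -Filter '/system.webServer/security/authorization/add' -PSPath $psPath |
    ForEach-Object {
        [pscustomobject]@{
            AccessType = "$($_.accessType)"
            Users      = "$($_.users)"
            Roles      = "$($_.roles)"
        }
    })

function Test-CoversAnonymous {
    param([string]$Users)
    # "?" is the anonymous user; "*" is every user, anonymous included.
    $names = @($Users -split ',' | ForEach-Object { $_.Trim() })
    ($names -contains '?') -or ($names -contains '*')
}

$anonEnabled = [bool]($auth | Where-Object { $_.Scheme -eq 'anonymousAuthentication' }).Enabled
$allowsAnon  = [bool]($rules | Where-Object { $_.AccessType -eq 'Allow' -and (Test-CoversAnonymous $_.Users) })
$deniesAnon  = [bool]($rules | Where-Object { $_.AccessType -eq 'Deny'  -and (Test-CoversAnonymous $_.Users) })

$auth  | Format-Table -AutoSize
$rules | Format-Table -AutoSize

if ($anonEnabled -and $allowsAnon -and -not $deniesAnon) {
    Write-Warning "$psPath can be reached without credentials."
} elseif (-not ($auth | Where-Object { $_.Enabled })) {
    Write-Warning "$psPath has no authentication method enabled."
} else {
    Write-Output "$psPath requires an authenticated user."
}
```

Before the fix the script reports the first condition; after steps 1 to 11 it reports that an authenticated user is required.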

Lab 39: Troubleshooting Communication

Machines used in this Lab: DC, NODE5

Reproduce the issue

1. On DC, browse to http://NODE5/netapp/content. Notice the 500 – Internal server

error message.

Verify communication with the Web server

1. Open Command Prompt.

2. Type ping NODE5 and then press Enter.

3. Notice that the ping succeeds indicating that DC and NODE5 are communicating.

4. On NODE5, in Internet Information Services (IIS) Manager, in the Connections pane,

click NODE5.

5. In the details pane, in the IIS section, double-click Error Pages.

6. In the Actions pane, click Edit Feature Settings.

7. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click

OK.

8. In Internet Explorer, browse to http://localhost/netapp/content.

9. Notice the 500.19 error.

10. Next to Config Error, notice the message Cannot read configuration file because the

network path is not found.

11. Next to Config File, notice the path for the server name.

Correct the problem and verify functionality

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand NetApp and then click Content.

2. In the Actions pane, click Advanced Settings.

3. The Advanced Settings dialog box appears. In the Physical Path field, modify the path

to read \\NODE5\content, and then click OK.

4. In Internet Explorer, browse to http://localhost/netapp/content.

5. Notice that the IIS Welcome page appears and there is no error message.

Lab 40: Troubleshooting Configuration

Machines used in this Lab: DC, NODE5

Reproduce the issue and examine the detailed error message

1. On NODE5, in Internet Explorer, browse to http://localhost/pics/logo.jpg.

2. Notice the HTTP Error 404.4 – Not Found message.

3. In the Most likely causes section, notice that the most likely cause is The file extension

for the requested URL does not have a handler configured to process the request on the

Web server.

Examine and correct the web.config file

1. In Windows Explorer, browse to C:\Pics.

2. Double-click web.config.

3. On the Windows dialog, click Select a Program from a list of installed programs, and

then click OK. Click Notepad, and then click OK.

4. The Notepad window opens. Notice that the <handlers> section contains a line for handling static files.

5. Notice that the path attribute is set to “*.jgp”. Modify the line so that the path attribute

correctly reads “*.jpg”.

6. On the File menu, click Save.

7. Close Notepad.

8. In Internet Explorer, browse to http://localhost/pics/logo.jpg.

9. Notice that the Raccoons Bank logo now appears successfully.

Close each of the running virtual machines and revert them to default state.

Lab 41: Application Initialization (Optional)

Machines used in this Lab: DC, NODE1

The IIS 8.0 Application Initialization feature enables website Administrators to configure IIS 8.0

to proactively perform initialization tasks for one or more web applications. While an application

is being initialized, IIS 8.0 can also be configured to return static content as a placeholder or

"splash page" until an application has completed its initialization tasks. The Application

Initialization feature is configured through a combination of global and application-specific rules

that tell IIS 8.0 how and when to initialize web applications. The Application Initialization feature

also supports integration with the IIS Url Rewrite Module to support more complex handling of

placeholder content while an application is still initializing.

1. Log in as Administrator//Passw0rd on NODE1.

2. Open Server Manager and run Add Role wizard.

3. From the configuration of the Web Server role, pick Application Initialization:

Note: The Application Initialization feature can be configured in two places: the machine-wide

applicationHost.config file, and the application-level web.config file. Configuration in the

applicationHost.config file contains "global" application initialization settings, while an

application-level web.config file contains "local" application initialization settings.

In this walkthrough, you will configure a sample application to always be initialized when the

application pool associated with the application starts up. Since application pool behaviors

can only be configured in applicationHost.config, running application initialization whenever

an application pool starts up is considered part of the "global" application initialization

settings.

Setting up the Sample ASP.NET Application

Note: The following steps assume your server already has both IIS 8.0 installed and ASP.NET 4.5

enabled for use in IIS 8.0.

1. Attach appinit.iso to NODE1. The sample ASP.NET application is contained in the

appinit.zip file.

2. Unzip the file to the wwwroot folder on NODE1. The application should be copied to the following path: "c:\inetpub\wwwroot\appinit".

3. Now it is time to configure the folder as an ASP.NET application in IIS 8.0. The screenshot

below shows the appinit sample application configured as an application in IIS 8.0. Also

notice that the application is assigned to the ".NET v4.5" application pool.

Install the Url Rewrite Module

The sample application makes use of the Url Rewrite module for advanced integration with the Application Initialization feature. You need to install the Url Rewrite module on your server; you will find urlrewrite2.exe in the same ZIP file as the application. It can also be downloaded from: http://www.iis.net/download/URLRewrite.

Configure the Url Rewrite Module

1. Once the Url Rewrite module is installed on your web server, you need to modify the IIS

applicationHost.config file to allow usage of the SKIP_MANAGED_MODULES server

variable supported by the Application Initialization feature.

2. Open the machine-wide applicationHost.config file in a text editor such as Notepad. The applicationHost.config file is located at C:\Windows\System32\inetsrv\config.

3. Scroll down the file and locate the security section. This section starts with the Xml

element: <security>.

4. Type in the following Xml elements before the <security> element:

<rewrite>
    <allowedServerVariables>
        <add name="SKIP_MANAGED_MODULES" />
    </allowedServerVariables>
</rewrite>

5. Save the changes to the applicationHost.config file.

Modifications in applicationHost.config

1. Open up the applicationHost.config file located at %WINDIR%\system32\inetsrv\config

in Notepad - run the text editor with the "Run as Administrator" option.

2. Find the <applicationPools> configuration section, and then look for the application

pool entry with a name of ".NET v4.5".

3. Modify the application pool entry so that the application pool is always running. For

applications where you want global application initialization to occur, you normally want

the associated application pool to be started and running. The bolded attribute in the

configuration snippet shows what to add to the configuration entry.

<add name=".NET v4.5" startMode="AlwaysRunning" managedRuntimeVersion="v4.0" />

4. Scroll down a little more in applicationHost.config to the <sites> configuration element.

Within that section there will be an <application> entry for the sample application you

configured earlier. The application is called "appinit", and has a path attribute value of

"/appinit". Modify the <application> entry by adding the bolded preloadEnabled

attribute as shown in the configuration snippet and then save your changes.

<application path="/appinit" preloadEnabled="true" applicationPool=".NET v4.5">

5. Setting preloadEnabled to "true" tells IIS 8.0 to send a "fake" request to the application when the associated application pool starts up. That is why in the previous step we set the application pool's startMode to "AlwaysRunning".

Note: With the combination of the application pool always running, and the application itself

being marked to always receive a fake request, whenever the machine restarts and/or the

World Wide Web service is recycled, IIS 8.0 ensures that the application pool instance is

running and that the application "/appinit" is always sent a fake request to trigger the

application to start up.
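A mistyped element in applicationHost.config stops every site on the server, so it is worth checking the hand edits before restarting the service. The PowerShell below is an added example, not part of the original lab files. It reads the file as plain XML and confirms the three changes made so far: the SKIP_MANAGED_MODULES entry, startMode on the ".NET v4.5" pool, and preloadEnabled on "/appinit".

```powershell
# Added example (not part of the lab files): check the hand edits to
# applicationHost.config before restarting W3SVC.
# Run from an elevated 64-bit PowerShell prompt; a 32-bit process is redirected
# away from the real System32 folder.
# The pool name and application path are the ones used in this lab.
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [string]$PoolName   = '.NET v4.5',
    [string]$AppPath    = '/appinit'
)
$ErrorActionPreference = 'Stop'

$doc = New-Object System.Xml.XmlDocument
$doc.XmlResolver = $null
$doc.Load($ConfigPath)      # stops here if an edit left the file malformed

function Get-Attr {
    param($Node, [string]$Name)
    if ($null -eq $Node) { return '<element missing>' }
    if (-not $Node.HasAttribute($Name)) { return '<attribute missing>' }
    $Node.GetAttribute($Name)
}

$hostRoot = '/configuration/system.applicationHost'
$pool = $doc.SelectSingleNode("$hostRoot/applicationPools/add[@name='$PoolName']")
$app  = $doc.SelectSingleNode("$hostRoot/sites/site/application[@path='$AppPath']")
$var  = $doc.SelectSingleNode(
    "/configuration/system.webServer/rewrite/allowedServerVariables/add[@name='SKIP_MANAGED_MODULES']")

$checks = @(
    @{ Setting = 'Pool startMode';          Expected = 'AlwaysRunning';        Actual = (Get-Attr $pool 'startMode') },
    @{ Setting = 'App preloadEnabled';      Expected = 'true';                 Actual = (Get-Attr $app 'preloadEnabled') },
    @{ Setting = 'App applicationPool';     Expected = $PoolName;              Actual = (Get-Attr $app 'applicationPool') },
    @{ Setting = 'Allowed server variable'; Expected = 'SKIP_MANAGED_MODULES'; Actual = (Get-Attr $var 'name') }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Setting
        Expected = $c.Expected
        Actual   = $c.Actual
        Ok       = ($c.Actual -eq $c.Expected)
    }
}
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'applicationHost.config does not match the lab steps; fix it before restarting W3SVC.'
}
```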

Modifications in the application's web.config

1. Using a second instance of Notepad, open up the application level web.config file

located in the following location - run the text editor with the "Run as Administrator"

option.

C:\inetpub\wwwroot\appinit

2. The web.config file has a few configuration sections already pre-populated, but

commented out. Uncomment the configuration snippet shown that is inside of the

<system.webServer> configuration section. This snippet is just below the comment

"Exercise 1 - Step 1" in the web.config file. Then save your changes.

<applicationInitialization
    remapManagedRequestsTo="Startup.htm"
    skipManagedModules="true" >
    <add initializationPage="/default.aspx" />
</applicationInitialization>

3. The applicationInitialization element tells IIS that it should issue a request to the

application's root Url ("/" in this example) in order to initialize the application. While IIS

waits for the request to "/" to complete, it will serve "Startup.htm" to any active browser

clients. "Startup.htm" is the "splash page" for the application.

Run the application

1. From an elevated command prompt window, recycle the World Wide Web Service with

the command shown below:

net stop w3svc & net start w3svc

2. Using Internet Explorer, navigate to the following Url:

http://localhost/appinit/default.aspx

3. The browser returns the static "Startup.htm" page with a grey background for the first

few seconds because that is the "splash page" that has been configured in web.config.

Note: You can continue refreshing the page in your web browser and observe that about eight

seconds later (simulated with a thread sleep in the sample application's global.asax) you receive

the "real" content for default.aspx with a white background. This indicates that application

initialization completed.

Configuring overlapped process recycling

IIS 8.0 integrates global application initialization with overlapped process recycling by

performing application initialization in an overlapped process in the background. When IIS

detects that an active worker process is being recycled, IIS does not switch active traffic over to

the new recycled worker process until the new worker process finishes running all application

initialization Urls in the new process. This ensures that customers browsing your website don't

see application initialization pages once an application is live and running.

1. Go back to the instance of Notepad that has applicationHost.config. Modify the

application pool entry for ".NET v4.5" to look like the configuration snippet shown below:

<add name=".NET v4.5"
     startMode="AlwaysRunning"
     managedRuntimeVersion="v4.0" >
    <recycling logEventOnRecycle="Schedule">
        <periodicRestart requests="30" />
    </recycling>
</add>

2. Save your changes. The <recycling> element tells IIS to recycle the worker process every

30 HTTP requests.

Run the application a second time

1. From an elevated command prompt window, recycle the World Wide Web Service with

the command: net stop w3svc & net start w3svc

2. Using a new instance of Internet Explorer, once again navigate to:

http://localhost/appinit/default.aspx

3. Note that the "Startup.htm" splash page with the grey background is showing.

4. Open Task Manager and make sure the Processes tab is showing. Sort the process list by

name until you see one instance of w3wp.exe running. That instance is the worker

process that is currently running the "appinit" ASP.NET application.

5. Refresh the browser a few times until the content from the real default.aspx page is being returned. You know that the application is running the "real" default.aspx page when the background changes to white.

6. Arrange the windows on your screen so that you can see both Task Manager and the browser.

7. Switch back to the browser and refresh the page at least 30 times; this causes IIS to recycle the application pool. You can stop refreshing the page when you see a second instance of w3wp.exe show up in the Task Manager process list as shown below:

8. The screenshot shows the second instance of w3wp.exe has started due to the process recycling limit set earlier.

9. You can continue to periodically refresh the browser window for the next ten seconds or so. Note that default.aspx continues to run. When the overlapped recycling completes, one w3wp.exe instance disappears from the Task Manager Process window.

Throughout the duration of the overlapped recycling, you continue to see the content of the

"real" default.aspx served, even though application initialization was configured for the

application and was running the initialization Url in the background in the new instance of

w3wp.exe.

Lab 42: Url Rewrite and Application Initialization (Optional)

Machines used: DC, NODE1

By default, application initialization only enables you to specify a single "splash page" Url to

display while an application is initializing. However, the Application Initialization feature supports

a few server variables that can be used to control request processing while an application

initializes. This enables you to create declarative rules using the Url Rewrite Module containing

more complex mappings to pre-generated static content.

In this walkthrough, you replace the remapManagedRequestsTo attribute with a set of Url

Rewrite rules that accomplish the same end result.

Modifications in applicationHost.config

1. Using the instance of Notepad that has applicationHost.config open, revert both the

application pool and the application elements to turn off all global application

initialization processing. The global settings are removed in this step since the remainder

of this walkthrough focuses on the configured Application Initialization behavior.

2. The applicationHost.config entries for the application pool and the application are as

shown below.

Application pool configuration entry:

<add name=".NET v4.5" managedRuntimeVersion="v4.0" />

Application configuration entry:

<application path="/appinit" applicationPool=".NET v4.5">

3. Save your changes when you are done!

4. From an elevated command prompt window, recycle the World Wide Web Service with

the command: net stop w3svc & net start w3svc

Modifications to application level web.config

1. Using the instance of Notepad that has the application-level web.config open, remove

the remapManagedRequestsTo attribute from the <applicationInitialization> element.

The <applicationInitialization> configuration section should now look like this

configuration snippet.

<applicationInitialization skipManagedModules="true" >
    <add initializationPage="/default.aspx" />
</applicationInitialization>

2. Because the <applicationInitialization> element no longer defines a Url to remap

requests to, add a set of Url Rewrite rules. Add a rewrite rule that explicitly maps

requests made to "default.aspx", as well as "/" to route to "Startup.htm". Two rules are

needed because the Url Rewrite Module doesn't "know" about how default documents

work. Since "/" equates to "default.aspx" in ASP.NET applications, you need two Url

Rewrite rules - one rule for each Url variation.

The new rules are shown in bold below. Alternatively you can uncomment the pre-populated Url

Rewrite rules under the "Exercise 2 - Step 2 Mapping Requests to the Home Page" comment in

the web.config file.

<rewrite>
    <rules>
        <rule name="Home Page-Expanded" stopProcessing="true">
            <match url="default.aspx" />
            <conditions>
                <add input="{APP_WARMING_UP}" pattern="1" />
            </conditions>
            <action type="Rewrite" url="Startup.htm" />
        </rule>
        <rule name="Home Page-Short" stopProcessing="true">
            <match url="^$" />
            <conditions>
                <add input="{APP_WARMING_UP}" pattern="1" />
            </conditions>
            <action type="Rewrite" url="Startup.htm" />
        </rule>
    </rules>
</rewrite>

3. Some items to note about these rules:

a. First, the stopProcessing attribute is set to "true" on the <rule /> elements. This is necessary because a catch-all Url Rewrite rule is added later, and you don't want the catch-all rule to run for requests to default.aspx or "/".

b. Second, note that we have a Url Rewrite condition in the <conditions /> element.

This condition effectively says "only apply rule when the application is in an

initializing state". The server variable "APP_WARMING_UP" is set by IIS to a value

of "1" when application initialization is active and IIS is still processing all of the

initialization Urls.

c. Third, note that the action has been defined to rewrite the active request to

instead run "Startup.htm". This rule has the effect of telling IIS to pass the request

on to the static file handler which then renders the static page Startup.htm.

4. Add a catch-all rewrite rule. When using the Url Rewrite Module in conjunction with

application initialization, a catch-all rule that fires if none of the previous rules match is

needed. Add the bolded rule shown below to the rewrite section as the catch-all rule.

Alternatively you can uncomment the pre-populated catch-all rule in web.config that is

located under the "Exercise 2 - Step 2 Setting Up a Catch-All Rule" comment in the

web.config file.

<rewrite>
    <rules>
        <rule name="Home Page-Expanded" stopProcessing="true">
            <match url="default.aspx" />
            <conditions>
                <add input="{APP_WARMING_UP}" pattern="1" />
            </conditions>
            <action type="Rewrite" url="Startup.htm" />
        </rule>
        <rule name="Home Page-Short" stopProcessing="true">
            <match url="^$" />
            <conditions>
                <add input="{APP_WARMING_UP}" pattern="1" />
            </conditions>
            <action type="Rewrite" url="Startup.htm" />
        </rule>
        <rule name="All Other Requests">
            <match url=".*" />
            <conditions>
                <add input="{APP_WARMING_UP}" pattern="1" />
            </conditions>
            <serverVariables>
                <set name="SKIP_MANAGED_MODULES" value="0" />
            </serverVariables>
            <action type="Rewrite" url="{URL}" />
        </rule>
    </rules>
</rewrite>

5. Save your changes.

6. The new rule matches against any Url that reaches it and tells IIS to continue processing

the request that was made to the inbound Url. The rule also sets a server variable called

"SKIP_MANAGED_MODULES" to a value of "0" - which equates to "false". This setting

tells IIS that it should treat the rewritten request from Url Rewrite the same way as if the

request had normally arrived off the wire.

Run the application

1. From an elevated command prompt window, recycle the World Wide Web Service with

the command: net stop w3svc & net start w3svc

2. Using a new instance of Internet Explorer, once again navigate to:

http://localhost/appinit/default.aspx

Note: Even though Url Rewrite rules are now used to define the splash page logic, you still

see the same behavior from the first walkthrough. The Startup.htm page with the grey

background is displayed initially. If you refresh the browser periodically, about eight seconds

later you again see the page background switch to white, indicating that the "real"

default.aspx page is being served now that application initialization is complete.

(Optional) Lab: Complex Splash Page Rules

The previous walkthroughs use application initialization as a straightforward mapping of Url "X"

to Url "Y". In this walkthrough, you are going to implement a more complex application

initialization scenario.

1. In your browser navigate to both of the following Urls:

a. http://localhost/appinit/ImageHandler.ashx?image=Lighthouse

b. http://localhost/appinit/ImageHandler.ashx?image=Tulips

2. These Urls are examples of dynamically generated static content. For this sample

application, the code inside of ImageHandler.ashx looks at the querystring key "image".

If the value of that querystring is either "Lighthouse" or "Tulips" the ASP.NET handler

transmits the corresponding JPG that is located in the App_Data folder.

Note: Since the image handler is just returning images, you want to be able to continue to

return an appropriate image even during application initialization. Although the mechanics of

serving these images uses managed code, you may want to quickly serve up pre-generated

images to customers even if the underlying ASP.NET application is taking a long time to start up and initialize itself.

Modifications to application level web.config

1. Using the instance of Notepad that has application-level web.config open, add another

Url Rewrite rule before the final catch-all rule. The new snippet to add is shown below.

Alternatively you can uncomment the pre-populated image handler rule in web.config

that is located under the "Exercise 3 - Step 1 Complex Splash Page Rules" comment in

the web.config file.

<rule name="Image Handler Remapping" stopProcessing="true">
    <match url="ImageHandler.ashx" />
    <conditions>
        <add input="{APP_WARMING_UP}" pattern="1" />
        <add input="{QUERY_STRING}" pattern="image=([A-Za-z]+)&amp;?" />
    </conditions>
    <action type="Rewrite" url="Images/{C:1}_static.jpg" appendQueryString="false" />
</rule>

2. Save your changes.

Note: Just as with the rewrite rules for default.aspx and "/", this rule has the stopProcessing

attribute set to "true" to ensure that requests to ImageHandler.ashx don't accidentally

fall through to the final catch-all rewrite rule during application initialization.

For requests to "ImageHandler.ashx," the rewrite rule uses a regular expression capture group

to extract the requested image from the query-string. The match pattern definition

pattern="image=([A-Za-z]+)&amp;?" tells IIS to extract the value of the "image" query-string

variable. That value is then used in the url attribute of the action element:

url="Images/{C:1}_static.jpg".

The url attribute on the action element tells the Url Rewrite module to rewrite

ImageHandler.ashx requests to instead point at files in the Images subdirectory of the

application. Furthermore the query-string value that was captured by the regular expression is

used to help form the name of the file that will ultimately be served from the Images

subdirectory. For example, a request to ImageHandler.ashx?image=Tulips will be rewritten to

Images/Tulips_static.jpg.

3. If you browse to the inetpub\wwwroot\appinit directory using Windows Explorer and

look in the Images subdirectory, you see two files: one representing the "static" version

of Tulips.jpg, and the other representing the "static" version of Lighthouse.jpg. These

static images act as pre-generated content that can be served while the application

initializes.
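To see which requests the image rule picks up and which file each one is mapped to, the QUERY_STRING condition can be evaluated outside IIS. The PowerShell below is an added example, not part of the original lab files. The sample query strings are constructed for illustration, and the application root is the path used earlier in this lab.

```powershell
# Added example (not part of the lab files): evaluate the QUERY_STRING condition
# of the "Image Handler Remapping" rule and build the path its action produces.
param([string]$AppRoot = 'C:\inetpub\wwwroot\appinit')

# Same pattern as in web.config; "&amp;" there is only the XML escape for "&".
$pattern = 'image=([A-Za-z]+)&?'

function Get-RewriteTarget {
    param([string]$QueryString)
    # Url Rewrite conditions ignore case by default and match anywhere in the input.
    $m = [regex]::Match($QueryString, $pattern, 'IgnoreCase')
    if (-not $m.Success) { return $null }            # condition fails, rule does not fire
    'Images/{0}_static.jpg' -f $m.Groups[1].Value    # {C:1} is capture group 1
}

# Constructed sample query strings.
$samples = 'image=Tulips',
           'image=Lighthouse&size=large',
           'size=large&image=tulips',
           'image=Koala',
           'image=Tulips.bak',
           'image=123',
           'image='

$rows = foreach ($qs in $samples) {
    $target = Get-RewriteTarget -QueryString $qs
    $exists = $false
    if ($target) { $exists = Test-Path (Join-Path $AppRoot $target) }

    [pscustomobject]@{
        QueryString = $qs
        RuleFires   = [bool]$target
        RewrittenTo = $target
        FileExists  = $exists
    }
}
$rows | Format-Table -AutoSize
```

Because the capture group accepts letters only, {C:1} can never contain a dot or a path separator, so the rewritten Url always stays inside the Images folder. A value such as Koala still fires the rule but has no pre-generated file to serve.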

Run the application

1. From an elevated command prompt window, recycle the World Wide Web Service with

the command: net stop w3svc & net start w3svc

2. Using Internet Explorer navigate to either:

a. http://localhost/appinit/ImageHandler.ashx?image=Lighthouse

b. http://localhost/appinit/ImageHandler.ashx?image=Tulips

3. Notice how the images returned in either case include a watermark indicating these are

the "static" pre-generated versions of the images. The watermark is text in the upper

portion of the image saying "This image is the static version of...."

4. If you refresh your browser about 10 seconds later, you see the returned image content

change to the "real" content being served by the ImageHandler.ashx handler. The

watermark disappears, which indicates that the content is now being dynamically

generated by the ASP.NET handler since the application has completed initialization.

5. Note: If Internet Explorer appears to not be refreshing, click either the "broken

document" icon in the address bar or the refresh icon to force Internet Explorer to reload

the page.

Lab summary

The IIS 8.0 Application Initialization feature gives developers and Administrators the ability to

return static content to browsers while IIS is initializing a "cold" application. Serving static content

immediately to browsers gives customers a better user experience. Instead of cold-start

applications resulting in a blank browser page or a spinning wait icon, the Application Initialization

feature can be used to serve relevant static content while the underlying application completes

expensive initialization processing.

The initialization process can occur automatically whenever a web server is brought online or

recycled. For scenarios where server Administrators don't want to greedily initialize applications,

the initialization process can instead be triggered on-demand when the first request arrives at a

"cold" application.

For both global and local application initialization the Url Rewrite module can be integrated to

provide richer and more complex initialization rules. Using Url Rewrite rules integrated with the

Application Initialization feature it is possible to serve different types of pre-generated static

content for different Urls and virtual paths while IIS continues to start-up an application in the

background.

Lab 43: IIS Backup – Web Deploy

1. Launch your IIS8_WEBB server and verify you have some sites and applications.

2. Install WebDeploy 3.0 package using typical settings (you will find it in the ISO file).

3. Open IIS Management Console and verify that you have "deployment" links in the action pane when you click on the server, the site or the application.

4. Select your web server name in the left pane.

5. Click on the "Export server package" link in the right pane and save the "server.zip" package using default settings.

6. Remove some of your websites and then app pools.

7. Select your web server name in the left pane.

8. Click on the "Import server package" link in the right pane and save the "server.zip" package using default settings. You need to accept a warning message. Please read it before accepting.

9. Verify that your app pools, sites and applications were restored correctly and can be opened.

10. Launch cmd.exe.

11. Navigate to C:\Program Files\IIS\Microsoft Web Deploy V3

12. Type: msdeploy -verb:sync -source:appHostConfig="Your Site Name" -dest:archivedir=c:\archive -enableLink:appPool

13. Optionally, you can configure an HTTPS binding and try to back up certificates by adding "-enableLink:CertificateExtension" to the previous command.

14. Optionally, you can replace your destination (type: archivedir, value: c:\archive) with type "package" and value "c:\archive.zip".

15. Delete your site and associated app pools.

16. Try to restore your backup using the command: msdeploy -verb:sync -source:archivedir=c:\archive -dest:appHostConfig="Restored WebSite" -enableLink:appPool

17. Go to your App Pools and find a pool associated with more than zero applications.

18. Try to delete such a pool. Is this possible? Why?

19. Navigate to C:\Program Files\IIS\Microsoft Web Deploy V3

20. Type: msdeploy -verb:delete -dest:appPoolConfig="your pool name"

21. Verify that your pool was actually deleted.

22. Try to launch your web application.

23. Use your backup to re-create your website with linked App Pools.
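
The command-line backup from steps 10-16, as an added batch script that is not part of the original lab: it previews the sync with -whatif, writes the package, restricts who can read it, records its hash and rehearses the restore without changing the server. The site name is a placeholder, and the script uses the link extension's full name, AppPoolExtension, where the lab types appPool.

```batch
@echo off
rem Added example, not from the original lab instructions.
rem SITE is a placeholder; PKG and the install path are the ones the lab uses.
setlocal
set "MSDEPLOY=C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe"
set "SITE=Your Site Name"
set "PKG=c:\archive.zip"

rem 1. Dry run: -whatif reports what the sync would write without creating anything.
"%MSDEPLOY%" -verb:sync -source:appHostConfig="%SITE%" -dest:package="%PKG%" -enableLink:AppPoolExtension -whatif
if %errorlevel% neq 0 goto :fail

rem 2. Real backup of the site together with its linked application pools.
"%MSDEPLOY%" -verb:sync -source:appHostConfig="%SITE%" -dest:package="%PKG%" -enableLink:AppPoolExtension
if %errorlevel% neq 0 goto :fail

rem 3. The package holds site configuration and content, so drop inherited
rem    permissions and leave access to Administrators and SYSTEM only.
icacls "%PKG%" /inheritance:r /grant:r "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:F"
if %errorlevel% neq 0 goto :fail

rem 4. Record a SHA-256 hash so the package can be checked before a later restore.
certutil -hashfile "%PKG%" SHA256 > "%PKG%.sha256"
if %errorlevel% neq 0 goto :fail

rem 5. Restore rehearsal: -whatif reads the package back and lists the changes
rem    a restore would make, without touching the running configuration.
"%MSDEPLOY%" -verb:sync -source:package="%PKG%" -dest:appHostConfig="%SITE%" -enableLink:AppPoolExtension -whatif
if %errorlevel% neq 0 goto :fail

echo Backup of "%SITE%" written to %PKG% and read back successfully.
exit /b 0

:fail
echo Backup step failed with exit code %errorlevel%. 1>&2
exit /b 1
```

Run it from an elevated command prompt. The exit code is compared with 0 rather than tested with "if errorlevel 1" so that a negative exit code is also treated as a failure.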

Lab 44: JavaScript Profiling (Optional)

1. On your host machine, launch the Internet Explorer browser and navigate to http://ie.microsoft.com/testdrive/Performance/BrickBreaker

2. Click on the first tile in the "Level Selection" window

3. Press F12 to start F12 Developer Tools

4. Switch to "Profiler" tab and click "Start profiling"

5. Return to Internet Explorer window and play a game for some time

6. Switch to F12 console and click "Stop profiling"

7. Switch current view to "Call tree"

8. Expand nodes renderAll – renderAll – next – checkCollision – elementsInRect – elementsOfClass – hasCssClass

9. Note the count of hasCssClass function calls. Why does it make sense to start improvement from this function?

10. Double click hasCssClass function name to switch to the "Script" tab

11. Right click function name and select "Insert breakpoint" from the context menu

12. Click "Start debugging" button on the toolbar

13. Click on the first tile in the Internet Explorer "Level Selection" window and start playing

14. Wait until execution stops on the breakpoint.

15. Click "Locals" over the right pane and look inside the local objects. Click "Call stack" and check how the function was called.

16. Click "Breakpoints" over the right pane and de-select your breakpoint.

17. Click "Watch" over the right pane and add "Balls" to the watch list. Expand the object properties and find Balls[0].speed

18. Right click the value and edit it. Change the value to 1.

19. Press F5 to continue. Intentionally miss the first ball and launch another one. Note the difference.

20. Discuss how F12 may help you in troubleshooting performance problems in modern web applications.

Lab 45: Network traffic monitoring (Optional)

1. Launch IE browser and navigate to http://gizmodo.com/

2. Make sure you have no Tracking Protection enabled - the "no parking" sign next to the URL must be gray.

3. Press F12.

4. Switch to "Network" tab and press "Start capturing".

5. Return to your browser and open gizmodo.com page again and wait until it fully loads.

6. Switch to F12 tool and press "Stop capturing"

7. Sort by the "URL" column and try to determine the number of websites used to display the webpage.

8. Sort by the "Result" column and try to find 304 pages. What does it mean? Does it affect performance?

9. Double click any entry to switch to detailed view.

CQURE Academy says thank you!

Thank you for attending IIS training. We hope it was useful and that you feel that your IIS skills are at a higher level!

The CQURE Team wishes you all the best in your future engagements with IIS.

Please note that this training is a part of CQURE Academy and you are eligible to receive the certificate of Certified Security Professional.

Do not forget to check our website: http://cqure.pl for new and existing training and consultancy offers. You will find useful tools there as well.

Your opinion is extremely important to us. Please complete the 1 minute survey on http://stderr.pl/surveys