Advanced Internet
Information Services 7.5/8/8.5
Lab Instructions
Version 1.2
Document created: 22nd of April 2014
This is an authored content - please respect intellectual property!
Author: CQURE
http://cqure.us
Contents
Welcome to IIS training!
CQURE Academy
Note Pages (Page 1)
Note Pages (Page 2)
Lab 1: Installing IIS 8 with the Default Settings
Lab 2: Installing IIS on Server Core using PowerShell
Lab 3: Installing IIS Using Ghost Installation
Lab 4: Installing IIS on Server Core
Lab 5: IIS Basic configuration steps
Lab 6: Websites and Application Pools
Lab 7: Creating Web Application
Lab 8: Working with Application Pools
Lab 9: Configuring Application Settings
Lab 10: Running both ASP.NET 3.5 and ASP.NET 4.5 Applications
Lab 11: Configuring ASP.NET Settings for development
Lab 12: Configuring Multiple Applications
Lab 13: ASP.NET Security
Lab 14: Tracing and Logging for ASP.NET
Lab 15: Request Filtering
Lab 16: IIS Modules
Lab 17: Configuring Managed Modules
Lab 18: Securing the IIS Web Server and Web Sites
Lab 19: CPU Throttling: Sand-boxing Sites and Applications
Lab 20: Central certificate store
Lab 21: Configuring FTP Protection
Lab 22: Authorization, Authentication and Access
Lab 23: IIS Hardening
Lab 24: IIS under attack
Lab 25: Logging
Lab 26: Delegation and Remote Administration
Lab 27: Configuring Delegated Administration
Lab 28: Configuring Feature Delegation
Lab 29: Automating webserver management
Lab 30: Command-line and Scripting for IIS
Lab 31: Manage IIS tasks using WMI and AppCmd
Lab 32: Tuning IIS
Lab 33: Web Farms
Lab 33: Shared Configuration
Lab 35: Web Deploy
Lab 36: Configuring Network Load Balancing
Lab 37: Troubleshooting IIS
Lab 38: Troubleshooting Authorization
Lab 39: Troubleshooting Communication
Lab 40: Troubleshooting Configuration
Lab 41: Application Initialization (Optional)
Lab 42: Url Rewrite and Application Initialization (Optional)
Lab 43: IIS Backup – Web Deploy
Lab 44: JavaScript Profiling (Optional)
Lab 45: Network traffic monitoring (Optional)
CQURE Academy says thank you!
Welcome to IIS training!
Before you start the exercises, please take a look at how the classroom environment is set up. In
this course, you will use a cloud service to perform the labs. You will connect to the server over
an RDP connection. Your instructor will provide you with a username and password to access the
environment. The virtual machines are based on the Hyper-V platform. Your instructor will provide
guidelines on how to start, shut down, save and create snapshots of virtual machines. Please read
the lab instructions carefully, as it is sometimes required to return to the starting point. It is
necessary to follow the instructions so that labs do not interfere with each other. Each virtual
machine is a member of the domain cqure.tec. Each machine has Windows Server 2012 installed.
Within our training we will use Web Applications that are hosted for the company Raccoons.
When you first use each machine you may be asked to configure IP addresses for it. Our goal was
to make such simple tasks as fast as possible, so we built scripts that you can just run on each
machine.
The following table shows the role of each virtual machine used in this course:
Virtual Machine Name    Hostname    Role
IIS8_DC                 DC          Domain Controller
IIS8_WEBA               WEBA        Primary Web Server
IIS8_WEBB               WEBB        Primary Web Server
IIS8_NODE1              NODE1       Used for IIS installation - Regular
IIS8_NODE2              NODE2       Used for IIS installation - Core
IIS8_NODE3              NODE3       Used for IIS installation - Unattended
IIS8_NODE4              NODE4       Primary Web Server
IIS8_NODE5              NODE5       Primary Web Server
IIS8_WEB2               WEB2        Secondary Web Server
Please note that:
1. All necessary files are on the ISO image delivered to the course.
2. It may be necessary to configure IP addresses for each VM. Find ipaddress.iso
and run the appropriate script from it. Verify the configuration.
3. Sometimes it may be necessary to configure firewall rules during an exercise, so
please be prepared for that.
Enjoy!
CQURE Academy
Please note that this training is a part of CQURE Academy and you are eligible to receive the
certificate of Certified Security Professional.
Do not forget to check our website: http://cqure.pl for new and existing training and
consultancy offers. You will find there useful tools as well.
Please have a look at the next two pages for enlargement:
Note Pages (Page 1)
Note Pages (Page 2)
Lab 1: Installing IIS 8 with the Default Settings
Machines used in this Lab: NODE1 – please create a snapshot before installation!
To install IIS 8 on NODE1, use the following steps:
1. Log on as Administrator // Passw0rd
2. Open Server Manager.
3. Under Manage menu, select Add Roles and Features:
4. Select Role-based or Feature-based Installation:
5. Select the appropriate server (local is selected by default), as shown below:
6. Select Web Server (IIS):
7. Add Management Tools Feature
8. No additional features are needed for IIS, click Next:
9. Click Next:
10. Customize your installation of IIS, or accept the default settings that have already been
selected for you. Make sure that ASP under the Application Development section is
checked and then click Next.
11. Click Install:
12. When the IIS installation completes, the wizard reflects the installation status:
13. Click Close to exit the wizard.
14. Open Internet Explorer. The Microsoft Windows Internet Explorer window opens.
Browse to http://localhost.
15. Notice that the IIS Welcome page loads, indicating that IIS is successfully installed and
running.
16. After this exercise you should have successfully verified that the IIS Welcome page
opens.
Lab 2: Installing IIS on Server Core using PowerShell
Machines used in this Lab: DC, NODE3 - please create a snapshot before installation!
When Server Core originally shipped, a lot of Windows admins avoided it because you could
only use the command line. This changed with Windows Server 2012, which enabled the use of a
hybrid mode. Before we move on to the IIS installation on Server Core, let’s practice switching
between the server modes:
Turning the GUI Off
In Windows Server 2012 the GUI has kept with the modular nature of recent Windows Server
Operating Systems and in turn has become a “Feature”. This makes removing the GUI very easy.
1. Log in to NODE3 as Administrator//Passw0rd.
2. To get started launch Server Manager.
3. Click on Manage, and then select Remove Roles or Features from the menu.
4. Click next to skip past the before you begin page, then select your server from the server
pool and click next.
5. Since the GUI is not a Role, we can just click next again to skip past the Roles section.
6. When you reach the Features page, you need to uncheck the box next to the “User
Interfaces and Infrastructure” option, and then click next.
7. Now select the “Restart Destination Server” box, then click remove.
8. The GUI will now be removed.
9. After the binaries are removed your server will automatically reboot.
10. Once it comes back up, log in as Administrator//Passw0rd
11. The first thing we need to do is get into PowerShell, so type PowerShell and hit enter.
12. Now we need to specify the module to import in PowerShell:
a. Import-module servermanager
13. Let’s list the features available for the IIS installation:
a. Get-WindowsFeature *web*
14. Install the basic configuration of IIS:
a. Add-WindowsFeature Web-Server, Web-ASP
15. On DC, use Internet Explorer and browse to http://10.10.10.103
16. Now we need to use Add-WindowsFeature to add the GUI components back:
a. Add-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
This is just an alias for: Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
17. When this is done, we will need to restart the server by using the Shutdown command:
a. Exit PowerShell and then type Shutdown -r -t 0
18. When your server reboots you will have the GUI back.
19. Revert machine from the snapshot created at the beginning of the exercise.
(Optional) Lab: Turn off and on GUI using different methods
This exercise is optional and is useful if you have finished the lab before the rest of the group.
Turning the GUI Off with PowerShell
1. You can do the same thing as we did in the GUI much quicker with a PowerShell cmdlet.
To do so, open Server Manager, click on Tools and launch PowerShell.
2. We can use the Remove-WindowsFeature cmdlet to remove the feature:
a. Remove-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
Since Remove-WindowsFeature is just an alias, you could also use:
Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
3. Not long after you have hit the enter key, the removal will begin.
4. When it’s done, you will be notified that you need to restart your server to complete the
process, which can be easily done from the current PowerShell window by running:
a. Shutdown -r -t 0
5. When your machine restarts you will only have the command line to work with.
Lab 3: Installing IIS Using Ghost Installation
Machines used in this Lab: DC, NODE3
Start the NODE3 virtual machine and log on as Local Admin with the password of Passw0rd.
Turn on Network Discovery
1. On NODE3, open network settings.
2. Click the information bar with the text Network discovery and file sharing are turned off.
Network computers and devices are not visible. Click to change....
3. Click Turn on network discovery and file sharing.
4. Click Yes, turn on network discovery and file sharing for all public networks.
5. Close Network.
Create the Unattend.xml file by copying the default XML file provided and removing
unnecessary features
1. Open Notepad, and then press Enter.
2. The Notepad window opens. On the File menu, click Open.
3. The Open dialog box appears. In the Text Documents list, click All Files.
4. Browse to Step1 in the course lab files on the ISO file provided for you.
5. Click unattend_all.xml and then click Open.
6. Delete the following lines:
<selection name="IIS-HttpRedirect" state="true"/>
<selection name="IIS-ASP" state="true"/>
<selection name="IIS-CGI" state="true"/>
<selection name="IIS-IIS6ManagementCompatibility" state="true"/>
<selection name="IIS-Metabase" state="true"/>
<selection name="IIS-WMICompatibility" state="true"/>
<selection name="IIS-LegacyScripts" state="true"/>
<selection name="IIS-LegacySnapIn" state="true"/>
7. The Unattend.Xml file needs to be modified with the correct version number (this will
match the HAL major and minor version numbers).
8. To do this, edit Version="6.0.6001.16659" to Version="<found_in_cmd_properties>"
9. On the File menu, click Save As.
10. The Save As dialog box appears. Type c:\unattend.xml, and then click Save.
11. Close Notepad.
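The Notepad edits in steps 5 to 8 can also be scripted, which makes the trimmed answer file reproducible. The following PowerShell is an added example and is not part of the original lab files; the parameter names are illustrative, -Source is assumed to point at unattend_all.xml from the lab ISO, and -NewVersion is the value you determined for step 8.

```powershell
# Added example (not from the CQURE lab files): steps 5-8 of Lab 3 as a script.
# Assumptions: -Source is unattend_all.xml from the lab ISO and contains the
# <selection name="..." state="..."/> elements listed in step 6.
param(
    [Parameter(Mandatory = $true)] [string] $Source,
    [Parameter(Mandatory = $true)] [string] $NewVersion,   # value for step 8
    [string] $OldVersion  = '6.0.6001.16659',              # value shown in step 8
    [string] $Destination = 'C:\unattend.xml'              # path used in step 10
)
$ErrorActionPreference = 'Stop'

# Features the lab removes in step 6.
$remove = @(
    'IIS-HttpRedirect', 'IIS-ASP', 'IIS-CGI',
    'IIS-IIS6ManagementCompatibility', 'IIS-Metabase',
    'IIS-WMICompatibility', 'IIS-LegacyScripts', 'IIS-LegacySnapIn'
)

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load((Resolve-Path $Source).ProviderPath)

# local-name() keeps the query independent of the file's XML namespace.
# @(...) copies the node list first so nodes can be removed while looping.
$removed = @()
foreach ($node in @($xml.SelectNodes("//*[local-name()='selection']"))) {
    $name = $node.GetAttribute('name')
    if ($remove -contains $name) {
        [void] $node.ParentNode.RemoveChild($node)
        $removed += $name
    }
}

# Report anything from the list that was not present in the file.
$missing = @($remove | Where-Object { $removed -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Not present in ${Source}: $($missing -join ', ')"
}

# Step 8: replace the old version value wherever it appears in a
# version attribute (attribute name matched case-insensitively).
$versionAttrs = @(
    $xml.SelectNodes("//@*[translate(local-name(),'VERSION','version')='version']") |
        Where-Object { $_.Value -eq $OldVersion }
)
if ($versionAttrs.Count -eq 0) {
    throw "No version attribute with value $OldVersion found in $Source"
}
foreach ($attr in $versionAttrs) { $attr.Value = $NewVersion }

$xml.Save($Destination)

# Summary for the change record: what was stripped and what remains selected.
$kept = @($xml.SelectNodes("//*[local-name()='selection']") |
    ForEach-Object { $_.GetAttribute('name') })
"Removed : $($removed -join ', ')"
"Kept    : $($kept -join ', ')"
"Written : $Destination"
```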
Install IIS using Pkgmgr with the Unattend.xml file and verify once completed
1. Open Command Prompt.
2. Type cd \ and then press Enter.
3. Type start /w pkgmgr /n:unattend.xml and then press Enter.
4. When the process completes, type echo %errorlevel% and then press Enter. Note that it
may take up to four minutes to complete.
5. Notice that the return code is “0” indicating a successful installation. If you still
experience problems search for the answer in %windir%\logs\cbs\cbs.log – there is a
small surprise waiting for you there!
6. Type exit, and then press Enter.
7. In Server Manager, in the console pane, expand Roles. Note that you may need to
refresh the console.
8. Notice that Web Server (IIS) is installed. Open Internet Explorer.
9. Browse to http://localhost, notice that the IIS Welcome page appears.
10. Alternatively run the following:
start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASPNET;IIS-NetFxExtensibility;IIS-ASP;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-Security;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementConsole;IIS-ManagementScriptingTools;IIS-ManagementService;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;IIS-LegacySnapIn;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
Lab 4: Installing IIS on Server Core
Machines used in this Lab: DC, NODE2, NODE1
Login to the server
Start the NODE2 virtual machine and log on as Administrator with the password of Passw0rd.
Disable the firewall
1. On NODE2, in the command prompt window, type netsh firewall set opmode disable.
Install IIS from the command line
1. Type the following and then press Enter. Note that the feature names are case-sensitive:
Start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;WAS-ProcessModel
2. When the process completes, type echo %errorlevel%, and then press Enter. Note that it
may take up to two minutes to complete.
3. Notice that the return code is “0” indicating a successful installation.
4. On NODE1, use Internet Explorer and browse to http://NODE2.
5. Notice that the IIS Welcome page loads, indicating that the Web server role on NODE2
is installed and functioning.
Lab 5: IIS Basic configuration steps
Machines used in this Lab: DC, NODE1, NODE2, NODE3
Configure NODE1 for ASP debugging, detailed error messages, and HTTP compression
1. On NODE1, open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NODE1 | Sites, and then click Default Web Site.
3. In the details pane, double-click ASP.
4. In the Compilation section, expand Debugging Properties.
5. In the Enable Client-side Debugging list, click True.
6. In the Enable Server-side Debugging list, click True.
7. In the Send Errors to Browser list, click True.
8. In the Actions pane, click Apply.
9. In the Connections pane, click Default Web Site.
10. In the details pane, double-click HTTP Response Headers.
11. In the Actions pane, click Set Common Headers.
12. The Set Common HTTP Response Headers dialog box appears. Select Expire Web
content, and then click OK.
13. In the Connections pane, click Default Web Site.
14. In the details pane, double-click Compression.
15. Notice that Enable static content compression is checked.
16. In the Connections pane, click Default Web Site.
17. In the Details pane, double-click Error Pages.
18. In the Actions pane, click Edit Feature Settings.
19. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click
OK.
20. On NODE3, in the Internet Explorer, browse to http://NODE1/default.asp.
21. Notice that you get a detailed HTTP Error 404 page, indicating that the NODE1 web
server has been configured properly.
Configure NODE3 to:
- trace server errors
- enable directory browsing
- enable windows authentication and impersonation
- enable dynamic output compression and SMTP
1. On NODE3, make sure Tracing, Windows Authentication, Directory Browsing, SMTP
and ASP.NET 4.5 role features are checked:
2. Open Internet Information Services (IIS) Manager.
3. In the Connections pane, expand NODE3 | Sites, and then click Default Web Site.
4. In the Actions pane, click Failed Request Tracing Rules.
5. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable,
and then click OK.
6. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.
7. In the Actions pane, click Add.
8. The Add Failed Request Tracing Rule dialog box appears. Click Next.
9. In the Status code(s) field, type 500.
10. Select Event severity, and then in the Event severity list, click Critical Error.
11. Click Next and then click Finish.
12. In the Connections pane, click Default Web Site.
13. In the details pane, in the IIS section, double-click Directory Browsing.
14. In the Actions pane, click Enable.
15. In the Connections pane, click Default Web Site.
16. In the Details pane, in the IIS section, double-click Authentication.
17. In the Details pane, click Windows Authentication.
18. In the Actions pane, click Enable.
19. In the Details pane, click ASP.NET Impersonation.
20. In the Actions pane, click Enable.
21. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
22. In the Details pane, in the IIS section, double-click Output Caching.
23. In the Actions pane, click Add.
24. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.
25. Select User-mode caching and then click OK.
26. In the Connections pane, click Default Web Site.
27. In the Details pane, in the ASP.NET section, double-click SMTP E-mail.
28. In the E-mail address field, type [email protected].
29. In SMTP Server field, type SMTP.CQURE.TEC.
30. In the Actions pane, click Apply.
31. Browse to http://localhost/aspnet_client.
32. Notice that there is a detailed HTTP Error 500.24.
33. Under Detailed Error Information, right-click C:\inetpub\logs\FailedReqLogFiles, and then
click Copy Shortcut.
34. Open Run. Right-click the Open field and then click Paste.
35. Click OK.
36. Double-click W3SVC1.
37. Notice that there is a failed request log for the server error: fr00001.xml.
Configure NODE2 to have no default documents, and redirect requests to NODE1
1. On NODE2, in the command prompt window, type cd \windows\system32\inetsrv\config
and then press Enter.
2. Open the applicationHost.config file with notepad.
3. Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change
"true" to "false".
4. Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify
this line to read:
<httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://10.10.10.101/" />
5. On the File menu, click Save.
6. On the File menu, click Exit.
7. On NODE3, in Internet Explorer, browse to http://NODE2.
8. Notice that the IIS Welcome page loads and the address field has changed to
http://10.10.10.101.
When you finish the lab, revert the virtual machines to their initial state. To do this, from
NODE3 Virtual Machine window click Media Menu and choose “Apply Snapshot”.
Lab 6: Websites and Application Pools
Machines used in this Lab: DC, WEBA
1. Start the DC virtual machine.
2. Start the WEBA virtual machine and log on as CQURE\Administrator.
Add Basic, Windows Integrated and Digest Security features to the IIS Role
1. On WEBA, in Server Manager, in the console pane, expand Roles and then click Web
Server (IIS).
2. Right-click Web Server (IIS) and then click Add Role Services.
3. The Add Role Services dialog box appears. In the Role services box, under Security,
select Basic Authentication, Windows Authentication, and Digest Authentication.
4. Click Next and then click Install.
5. When the installation is complete, click Close.
6. In the details pane, in the Role Services section, notice that Basic Authentication,
Windows Authentication, and Digest Authentication are listed as Installed.
Create a virtual directory
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand WEBA | Sites and then click Default Web Site.
3. In the Actions pane, click View Virtual Directories.
4. Click Add Virtual Directory.
5. The Add Virtual Directory dialog box appears. In the Alias field, type Public.
6. Next to the Physical path field, click the Browse (...) button.
7. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New
Folder.
8. Type Public, and then click OK.
9. Click OK.
10. Open Computer and then browse to C:\inetpub\wwwroot.
11. Select all, then right-click and then click Copy.
12. Browse to C:\inetpub\public, right-click, and then click Paste.
Configure the public virtual directory for anonymous authentication
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand
Default Web Site and then click Public.
2. In the Details pane, double-click Authentication.
3. Click Anonymous Authentication. Notice that it is enabled.
4. In the Actions pane, click Edit.
5. The Edit Anonymous Authentication Credentials dialog appears. Notice that Specific
user is selected and set to IUSR.
6. Click Cancel.
7. In Server Manager, in the console pane, expand Configuration | Local Users and
Groups and then click Users.
8. In the details pane, right-click Guest, and then click Properties.
9. The Guest Properties dialog box appears. Clear Account is disabled, and then click OK.
10. Open Local Security Policy.
11. The Local Security Policy window opens. In the console pane, expand Local Policies
and then click User Rights Assignment.
12. In the details pane, right-click Allow log on locally, and then click Properties.
13. The Allow log on locally Properties dialog appears. Click Add User or Group.
14. The Select Users, Computers, or Groups dialog box appears. Click Locations.
15. The Locations dialog box appears. Click WEBA, and then click OK.
16. In the Enter the object names to select field, type Guest, and then click OK twice.
17. Close Local Security Policy.
18. From the Start menu, choose Switch User.
19. Log on as WEBA\Guest with no password.
20. Open Internet Explorer.
21. Internet Explorer window opens. Browse to http://localhost. Note that we’ve set the
default site to the Public virtual directory so there’s no need to use localhost/public.
22. Notice that the IIS Welcome page loads.
23. Go to: Switch User.
24. Log on as CQURE\Administrator with the password of Passw0rd.
Lab 7: Creating Web Application
Machines used in this Lab: DC, WEBA
1. Start the DC virtual machine.
2. Start the WEBA virtual machine and log on as CQURE\Administrator.
Create a site named Raccoons
1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane,
click Sites.
2. In the Actions pane, click Add Web Site.
3. The Add Web Site dialog box appears. In the Site name field, type Raccoons.
4. In Physical path, click the Browse (...) button.
5. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make
New Folder.
6. Type Raccoons, and then click OK.
7. In the Port field, type 88, and then click OK.
Copy the Raccoons Application to the Appropriate Directory
1. In Windows Explorer, browse to Step2\Raccoons.
2. Select all, then right-click, and then click Copy.
3. Browse to C:\inetpub\Raccoons, right-click, and then click Paste.
Add the .NET 3.5 Feature and ASP.NET to the server
1. In Server Manager, in the console pane, add .NET Framework 3.5 Features.
2. The Add Features Wizard dialog box appears. Click Add Required Role Services.
3. Click Next twice.
4. On the Select Role Services page, select ASP.NET.
5. The Add Features Wizard dialog box appears. Click Add Required Role Services.
6. Click Next, and then click Install.
7. When the installation is complete, click Close.
Delegate administrative access
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Sites
and then click Raccoons.
2. In the Actions pane, click Edit Permissions.
3. The Raccoons Properties dialog box appears. Click the Security tab.
4. Click Edit.
5. The Permissions for Raccoons dialog box appears. Click Add.
6. The Select Users, Computers, or Groups dialog box appears. In the Enter the object
names to select field, type ITAdminsGG, and then click Check Names.
7. Click OK.
8. Next to Full control, select Allow and then click OK twice.
In order to proceed to the next Lab don't revert machines.
Lab 8: Working with Application Pools
Machines used in this Lab: DC, WEBA, NODE1
Create an application pool named TempPool
1. On WEBA, in Internet Information Services (IIS) Manager, expand WEBA and then
click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. The Add Application Pool dialog box appears. In the Name field, type TempPool.
4. Click OK.
5. In the details pane, notice that TempPool appears in the list of application pools.
Rename Raccoons to RaccoonsPool
1. On WEBA, in Internet Information Services (IIS) Manager, expand Sites and then click
Raccoons.
2. In the Actions pane, click Basic Settings.
3. The Edit Site dialog box appears. Click Select.
4. The Select Application Pool dialog box appears. In the Application pool list, click
TempPool, and then click OK twice.
5. In the Connections pane, click Application Pools.
6. In the Details pane, click Raccoons.
7. In the Actions pane, click Rename.
8. Type RaccoonsPool, and then press Enter.
9. In the Connections pane, click Raccoons.
10. In the Actions pane, click Basic Settings.
11. The Edit Site dialog box appears. Click Select.
12. The Select Application Pool dialog box appears. In the Application pool list, click
RaccoonsPool, and then click OK twice.
Configure Windows Integrated authentication
1. In the Connections pane, expand Sites and then click Raccoons.
2. In the Details pane, double-click Authentication.
3. Click Windows Authentication. In the Actions pane, click Enable.
4. In the Details pane, click Anonymous Authentication.
5. In the Actions pane, click Disable.
6. Start NODE1.
7. Log on to NODE1 as Local Admin with the password of Passw0rd. Note that this
account is not a domain one.
8. Open Internet Explorer.
9. The Windows Internet Explorer window opens. Browse to http://WEBA.CQURE.TEC.
10. The IIS Welcome page appears, indicating that the previous anonymous public site
configuration is correct.
11. Browse to http://WEBA.CQURE.TEC:88.
12. Notice that there is an error message and the page will not load. Windows
authentication has failed for this user/machine.
Question: Why does Windows authentication fail?
Answer: Because the account you used is not a domain account, so the user account cannot
be authenticated.
13. On WEBA, open Internet Explorer.
14. The Windows Internet Explorer window opens. Browse to http://localhost:88.
If you have problems accessing port 88, you may disable the firewall for a moment on
the Web server hosting the website. We all know that it is a bad practice, right? ☺
15. Notice that the Raccoons Bank page appears. Windows authentication is successful.
Configure TempPool to use LocalSystem as worker process identity
1. On WEBA in Internet Information Services (IIS) Manager, in the Connections pane,
click Application Pools.
2. In the Details pane, click TempPool.
3. In the Actions pane, click Advanced Settings.
4. The Advanced Settings dialog box appears. Under the Process Model section, click
Identity.
5. Next to Identity, click the Browse (...) button.
6. The Application Pool Identity dialog box appears. In the Built-in account list, click
LocalSystem.
7. Click OK twice.
Stop, start and recycle RaccoonsPool
1. In the Connections pane, click Application Pools.
2. In the Details pane, click RaccoonsPool.
3. In the Actions pane, click Stop.
4. In the Details pane, notice that the status of RaccoonsPool changes to Stopped.
5. In the Actions pane, click Start.
6. In the Details pane, notice that the status of RaccoonsPool changes to Started.
7. In the Actions pane, click Recycle.
Configure TempPool for Classic Pipeline Mode
1. In the Connections pane, click Application Pools.
2. In the Details pane, click TempPool.
3. In the Actions pane, click Basic Settings.
4. The Edit Application Pool dialog box appears. In the Managed pipeline mode list, click
Classic.
5. Click OK.
Remove TempPool
1. In the Connections pane, click Application Pools.
2. In the Details pane, click TempPool.
3. In the Actions pane, click Remove.
4. The Confirm Remove dialog box appears. Click Yes.
Configure Health and Recycling settings for RaccoonsPool
1. In the Connections pane, click Application Pools.
2. In the Details pane, click RaccoonsPool.
3. In the Actions pane, click Recycling.
4. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number
of requests.
5. In the Fixed Number of requests field, type 1000.
6. Click Next.
7. On the Recycling Events to Log page, select Number of requests.
8. Click Finish.
9. In the Actions pane, click Advanced Settings.
10. The Advanced Settings dialog box appears. In the Rapid-Fail Protection section, click
Failure Interval (minutes).
11. In the value column, type 10 and then click OK.
When you finish the lab, revert the virtual machines to their initial state. To do this, from WEBA
Virtual Machine window click Media Menu and choose “Apply Snapshot”. Repeat this step on
NODE1.
Lab 9: Configuring Application Settings
Machines used in this Lab: DC, WEBA
Start the DC virtual machine
Start the WEBA virtual machine and log on as CQURE\Administrator
Add ASP.NET and Basic Security features to the IIS Role
1. On WEBA, in Server Manager, in the console pane, expand Roles and then click Web
Server (IIS).
2. Right-click Web Server (IIS), and then click Add Role Services.
3. The Add Role Services dialog box appears. In the Role services box, under Application
Development, select ASP.NET.
4. The Add Role Services box appears. Click Add Required Role Services.
5. In the Role services box, under Security, select Basic Authentication.
6. Click Next, and then click Install. When the installation is complete, click Close.
7. In the details pane, in the Role Services section, notice that ASP.NET and Basic
Authentication are listed as Installed.
Create the application and copy the ASP.NET application files
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand WEBA | Sites and then click Default Web Site.
3. In the Actions pane, click View Applications. Click Add Application.
4. The Add Application dialog box appears. In the Alias field, type SalesSupport.
5. Next to the Physical path field, click the Browse (...) button.
6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then
click Make New Folder.
7. Type SalesSupport and then click OK.
8. Click OK.
9. Open Computer and then browse to the course lab files, to Step3\SalesSupport.
10. Select all, then right-click and then click Copy.
11. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.
Configure Basic Security
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand
Default Web Site and then click SalesSupport.
2. In the Details pane, double-click Authentication.
3. Click Anonymous Authentication.
4. In the Actions pane, click Disable.
5. In the Details pane, click Basic Authentication.
6. In the Actions pane, click Enable.
7. Click Edit.
8. The Edit Basic Authentication Settings dialog appears. In the Default domain and
Realm fields, type CQURE.
9. Click OK.
10. Open Internet Explorer.
11. Internet Explorer window opens. Browse to http://localhost/salessupport.
12. The Connect to localhost dialog box appears. Notice that there is a warning about basic
authentication and insecure credentials.
13. In the User name field, type yvonne. Note that Yvonne is a marketing account manager
with a domain account in the CQURE domain.
14. In the Password field, type Passw0rd and then click OK.
15. Notice that the Sales Support Resources page loads successfully.
16. Close Internet Explorer. Note that you must close the browser to reset the session so
you can try logging in as a different user.
17. Open Internet Explorer.
18. The Windows Internet Explorer window opens. Browse to
http://localhost/salessupport.
19. The Connect to localhost dialog box appears. In the User name field, type bob. Note that
Bob does not have a domain account in the CQURE domain.
20. Leave the Password field blank and then click OK.
21. Click OK two more times.
22. Notice that you get an HTTP 401.1 Unauthorized error. Note that detailed error
messages show up locally by default.
23. Close Internet Explorer.
Configure custom error pages
1. In Windows Explorer, browse to the course lab files, to Step3\WBErrors.
2. Select all, right-click and then click Copy.
3. Browse to C:\inetpub\custerr\, right-click, and then click Paste.
4. In Internet Information Services (IIS) Manager, in the Connections pane, click
SalesSupport.
5. In the Details pane, double-click Error Pages.
6. In the Actions pane, click Edit Feature Settings.
7. The Edit Error Pages Settings box appears. Click Custom error pages.
8. Click OK.
9. In the Details pane, under the Status Code column, click 401.
10. In the Actions pane, click Edit.
11. The Edit Custom Error Page dialog box appears. Click Set.
12. The Set Localized Custom Error Path dialog box appears. In the Relative file path field,
delete the existing text and then type 401.aspx. Click OK twice.
13. In the Details pane, under the Status Code column click 404 and in the Actions pane,
click Edit.
14. The Edit Custom Error Page dialog box appears. Click Set.
15. The Set Localized Custom Error Path dialog box appears. In the Relative file path field,
delete the existing text and then type Other_Errors.aspx.
16. Click OK twice. Note that in a real world situation, you would repeat these steps for each
error that you wanted to assign to a custom error message.
17. Open Internet Explorer. Browse to http://localhost/salessupport.
18. The Connect to localhost dialog box appears. In the User name field, type bob.
19. Leave the Password field blank and then click OK three times. Do you see the custom
error page as expected?
Note: You are not seeing the custom error page properly because the
system.webServer/httpErrors section is made delegation safe!
In IIS 7.0, the httpErrors section was not delegated by default, which means custom errors were
not available to site owners for customization. The section was not delegated because, once it
is delegated, site owners are free to return any file they can read as a custom error response,
which was not secure. Server administrators can delegate the section securely using custom
application pool identities and file ACLs, which requires a lot of work.
Since IIS 7.5, if the system.webServer/httpErrors@allowAbsolutePathsWhenDelegated property is
set to false, the custom errors module will only allow paths relative to the site root folder (not
absolute paths) when the section is delegated. If server administrators want to allow absolute
paths in web.config files even when the section is delegated, they can set the
allowAbsolutePathsWhenDelegated property to true. Error 500.19 (configuration error) with the
detailed error description “Absolute physical path <folder> is not allowed in
system.webServer/httpErrors section in web.config file. Use relative path instead.” is
generated if allowAbsolutePathsWhenDelegated is set to false and an absolute path is detected
in web.config. This restriction applies to the path and prefixLanguageFilePath properties but not
to defaultPath. Here is how the httpErrors section looks if a site owner wants to configure
localized custom errors when only relative paths are allowed:
<httpErrors>
  <clear/>
  <!-- Make module return %SITEROOT%\myerrorsfolder\%LANGUAGECODE%\401.htm -->
  <error statusCode="401" prefixLanguageFilePath="myerrorsfolder" path="401.htm" />
  <error ...
</httpErrors>
With this feature, hosters can now easily delegate the custom errors section to site owners.
With the httpErrors section now made delegation safe, the section is delegated in a fresh install.
Because the behavior is controlled by the
system.webServer/httpErrors@allowAbsolutePathsWhenDelegated property, this attribute is
locked in the default configuration. This ensures that site owners cannot override the property
to enable absolute file paths. As the relative path restriction is not applied to the
defaultPath property, system.webServer/httpErrors@defaultPath is locked as well and cannot
be used in web.config files.
Additionally, in this scenario try to use an absolute URL to the error page. Note the difference!
20. Notice that there is now a custom error message directing you to contact your district
sales manager.
21. Close Internet Explorer.
22. Open Internet Explorer.
23. The Windows Internet Explorer window opens. Browse to
http://localhost/salessupport/brokenlink.
24. The Connect to localhost dialog box appears. In the User name field, type yvonne.
25. In the Password field, type Passw0rd and then click OK.
26. If you are prompted, add the site to the allowed list.
27. Notice that you get a custom error that is slightly different. Since the path “brokenlink”
doesn’t exist, this is a custom 404 error.
28. Close Internet Explorer.
Tip: Clear the browser cache, if necessary.
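The delegation rules described in the note above can be checked before a web.config is deployed. The following Python lint is an added example, not part of the original lab files; the sample web.config, the function name lint_http_errors and its definition of "absolute" (drive letter, UNC path or leading environment variable) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config fragment; folder, share and file names are made up.
SAMPLE_WEB_CONFIG = r"""
<configuration>
  <system.webServer>
    <httpErrors errorMode="Custom">
      <clear/>
      <error statusCode="401" prefixLanguageFilePath="myerrorsfolder" path="401.htm" />
      <error statusCode="404" prefixLanguageFilePath="C:\inetpub\custerr" path="404.htm" />
      <error statusCode="500" path="\\fileserver\share\500.htm" />
      <error statusCode="403" path="/errors/403.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
"""

# Attributes the lab text says must be relative when the section is delegated.
RESTRICTED_ATTRS = ("path", "prefixLanguageFilePath")
# Attributes the lab text says are locked, so they cannot be set in web.config.
LOCKED_ATTRS = ("allowAbsolutePathsWhenDelegated", "defaultPath")

# Assumption of this lint: "absolute" means a drive-letter path, a UNC path,
# or a path that starts with an environment variable such as %SystemDrive%.
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\|%[^%]+%)")


def lint_http_errors(web_config_xml):
    """Return (statusCode, attribute, value, reason) tuples for settings that
    conflict with the delegation rules for system.webServer/httpErrors."""
    findings = []
    root = ET.fromstring(web_config_xml)
    # iter() also finds httpErrors sections nested under <location> elements.
    for section in root.iter("httpErrors"):
        for attr in LOCKED_ATTRS:
            if attr in section.attrib:
                findings.append(("*", attr, section.attrib[attr], "locked attribute"))
        for error in section.findall("error"):
            # Only responseMode="File" (the default) treats path as a file path;
            # ExecuteURL and Redirect take URLs, which are out of scope here.
            if error.get("responseMode", "File").lower() != "file":
                continue
            for attr in RESTRICTED_ATTRS:
                value = error.get(attr, "")
                if ABSOLUTE_PATH.match(value.strip()):
                    findings.append((error.get("statusCode"), attr, value, "absolute path"))
    return findings


if __name__ == "__main__":
    for status, attr, value, reason in lint_http_errors(SAMPLE_WEB_CONFIG):
        print(f"statusCode={status} {attr}={value!r}: {reason}")
```

Each "absolute path" finding marks an entry that would produce the 500.19 configuration error while allowAbsolutePathsWhenDelegated is false.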
Lab 10: Running both ASP.NET 3.5 and ASP.NET 4.5 Applications
Machines used in this Lab: NODE1
Now that you have explored the setup state of IIS 8.0, try running some sample ASP.NET code to
confirm that both ASP.NET 3.5 and ASP.NET 4.5 applications can run simultaneously on a single
IIS 8.0 installation.
First, set up a simple ASP.NET 3.5 application on IIS 8.0:
1. Open the "examples.zip" file from examples.iso image.
2. In Windows Explorer on NODE1, navigate to the "wwwroot" directory for your IIS
installation. The "wwwroot" directory will be at "c:\inetpub\wwwroot".
3. Copy the folder "example35" from "examples.zip", and paste it into the directory
"c:\inetpub\wwwroot". When you are done the directory structure should look like the
following:
4. The newly created "example35" folder needs to be configured as an ASP.NET 3.5
application in the IIS Manager. Go back to the IIS Manager window, click on the Default
Web Site node, and select Refresh. The treeview of child nodes under the Default Web
Site now shows the "example35" folder:
5. Right-click the example35 folder and select Convert to Application:
6. The Add Application dialog will pop up. By default all directories within Default Web
Site are part of the application pool called DefaultAppPool. This means that newly
created folders containing ASP.NET run as ASP.NET 4.5 applications by default.
7. Since we want to run the example35 folder as an ASP.NET 3.5 application, the
application pool needs to be changed. Click Select, and the Select Application Pool
dialog pops up. Change the application pool to .NET v2.0 as shown below:
8. Click OK button to accept the application pool change, and then click OK again to
commit the changes to IIS. The IIS Manager window appears again. In the treeview
showing "Default Web Site", the icon for "example35" is changed to indicate it is now a
separate ASP.NET application.
9. At this point, start an instance of Internet Explorer and navigate to the following URL:
http://localhost/example35
After a short pause the application displays a list of .NET Framework features supported in this
application.
10. In Windows Explorer, if you navigate to the "c:\inetpub\wwwroot\example35" directory,
you can use notepad to look at the code for "default.aspx" and the information in
"web.config". For example, the contents of web.config include directives that configure
the .NET Framework compilers to run in "3.5" mode. The .NET Framework code in
"default.aspx" demonstrates some C# constructs that were introduced in .NET 3.5 -
specifically LINQ-to-Object queries.
Configure it to use .NET 4.5
1. Go back to the Windows Explorer window that has the .zip file "examples.zip" open.
2. Open up the contents of the "example45" folder.
3. In the second Windows Explorer window that you have open, navigate to
"c:\inetpub\wwwroot".
4. Copy the "default.aspx" file from the .zip file and paste it directly into
"c:\inetpub\wwwroot". The folder contents for "c:\inetpub\wwwroot" should now look
like:
5. Now go back to Internet Explorer and navigate to the following URL:
http://localhost/default.aspx
After a short pause a second application pool will start running an ASP.NET 4.5 application for
the "Default Web Site". The browser once again displays a list of .NET Framework features
supported in this application with a new entry at the end of the list for dynamically typed
variables (i.e. the dynamic keyword introduced in .NET 4.0/4.5). Notice that unlike the
"example35" application that required special web.config entries, no web.config file was
required to configure and run the "default.aspx" page in the "Default Web Site". This is because
.NET Framework 4.5 is the default .NET Framework used by ASP.NET applications in IIS 8.0, and
as a result no extra configuration is required.
6. If you use Notepad to open the "default.aspx" page that you just copied, you will also
see a few changes compared to the version in the "example35" directory. There are no
namespace directives at the top of the page since the .NET Framework 4.5 is the default
on IIS 8.0. The code on the page demonstrates using a dynamic variable, which is a
compiler concept introduced in .NET 4.0/4.5.
Lab 11: Configuring ASP.NET Settings for development
Machines used in this Lab: DC, WEBA
ASP.NET Connection Strings
1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane,
expand Sites | Default Web Site and then click SalesSupport.
2. In the Details pane, double-click Connection Strings.
3. In the Actions pane, click Add.
4. The Add Connection String dialog box appears. In the Name field, type Local
Resources.
5. Click Custom.
6. In the Custom field, delete the existing text, type the following, and then click OK:
data source=.\SQLEXPRESS;AttachDbFileName=d:\resources.mdf;IntegratedSecurity=True
Configure ASP.NET Session State settings to rename the cookie to SalesSupport
1. In the Connections pane, click SalesSupport.
2. In the Details pane, double-click Session State.
3. In the Cookie Settings section, in the Name field, delete the existing text and then type
SalesSupport_SessionID.
4. In the Actions pane, click Apply.
Add a custom control: CQURE.TestControls Version=1.0.0.0
1. In the Connections pane, click SalesSupport.
2. In the Details pane, double-click Pages and Controls.
3. In the Action pane, click Register Controls.
4. Click Add Custom Control.
5. The Add Custom Control dialog box appears. In the Tag prefix field type CQURE.
6. In the Namespace field, type TestControls.
7. In the Assembly field, type Version=1.0.0.0.
8. Click OK.
Add application settings at site and application levels
1. Open Internet Explorer.
2. Internet Explorer window opens. Browse to http://localhost/salessupport/test.aspx.
3. The Connect to localhost dialog box appears. In the User name field, type yvonne.
4. In the Password field, type Passw0rd and then click OK.
5. Notice that the Raccoons Bank Sales Application Settings Test Page opens. It should
report “No Application Settings defined.”
6. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
7. In the Details pane, double-click Application Settings.
8. In the Actions pane, click Add.
9. The Add Application Setting dialog box appears. In the Name field, type
DefaultLocation.
10. In the Value field, type New York. Click OK.
11. In Internet Explorer, click the Refresh button. Notice that it now reports “DefaultLocation
= New York”.
12. In Internet Information Services (IIS) Manager, in the Connections pane, click
SalesSupport.
13. In the Details pane, double-click Application Settings. Notice in the details pane that
DefaultLocation is inherited.
14. In the Actions pane, click Add.
15. The Add Application Setting dialog appears. In the Name field, type debug_mode.
16. In the Value field, type true. Click OK.
17. In Internet Explorer, click the Refresh button. Notice that it now reports “DefaultLocation
= New York” and “debug_mode = true”.
Question: How might the application settings be used in real world Web applications?
Answer: The application can customize content or actions based on the settings. This gives
flexibility to the Administrator to customize the application at deployment time.
In order to proceed to the next Lab don't revert machines.
Lab 12: Configuring Multiple Applications
Machines used in this Lab: DC, WEBA
Create three application pools named SalesSupport, SalesSupport_De, and
SalesSupport_Test
1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane,
click Application Pools.
2. In the Actions pane, click Add Application Pool.
3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport.
Click OK.
4. In the Actions pane, click Add Application Pool.
5. The Add Application Pool dialog box appears. In the Name field, type
SalesSupport_De. Click OK.
6. In the Actions pane, click Add Application Pool.
7. The Add Application Pool dialog box appears. In the Name field, type
SalesSupport_Test. Click OK.
8. In the Details pane, notice that SalesSupport, SalesSupport_De, and
SalesSupport_Test appear in the list of application pools.
Create the applications SalesSupport_De and SalesSupport_Test
1. In the Connections pane, click Default Web Site.
2. In the Actions pane, click View Applications.
3. Click Add Application.
4. The Add Application dialog box appears. In the Alias field, type SalesSupport_De.
5. Next to the Physical path field, click the Browse (…) button.
6. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then
click Make New Folder.
7. Type SalesSupport_De and then click OK twice.
8. Click Add Application.
9. The Add Application dialog box appears. In the Alias field, type SalesSupport_Test.
10. Next to the Physical path field, click the Browse (…) button.
11. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then
click Make New Folder.
12. Type SalesSupport_Test and then click OK twice.
13. In the Details pane, notice that SalesSupport, SalesSupport_De, and SalesSupport_Test
appear in the list of applications.
Use XCopy to deploy the files
1. Open Command Prompt.
2. Type cd \inetpub\wwwroot and then press Enter.
3. Type xcopy /e SalesSupport\*.* SalesSupport_De and then press Enter.
4. Type dir SalesSupport_De and then press Enter to confirm that the files were copied.
5. Type xcopy /e SalesSupport\*.* SalesSupport_Test and then press Enter. Shortcut:
Press Up Arrow twice, and then Backspace and change the last few characters of the
previous command line to _Test, and then press Enter.
6. Type dir SalesSupport_Test and then press Enter to confirm that the files were copied.
Assign the applications to the appropriate application pools
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
2. In the Actions pane, click View Applications.
3. In the Details pane, click SalesSupport.
4. In the Actions pane, click Basic Settings.
5. The Edit Application dialog box appears. Click Select.
6. The Select Application Pool dialog box appears. In the Application pool list, click
SalesSupport, and then click OK twice.
7. In the Details pane, click SalesSupport_De.
8. In the Actions pane, click Basic Settings.
9. The Edit Application dialog box appears. Click Select.
10. The Select Application Pool dialog box appears. In the Application pool list, click
SalesSupport_De, and then click OK twice.
11. In the Details pane, click SalesSupport_Test.
12. In the Actions pane, click Basic Settings.
13. The Edit Application dialog box appears. Click Select.
14. The Select Application Pool dialog box appears. In the Application pool list, click
SalesSupport_Test, and then click OK twice.
15. In the Connections pane, click SalesSupport_De.
16. In the Details pane, double-click Authentication.
17. Click Anonymous Authentication.
18. In the Actions pane, click Disable.
19. In the Details pane, click Basic Authentication.
20. In the Actions pane, click Enable.
21. Click Edit.
22. The Edit Basic Authentication Settings dialog appears. In the Default domain and
Realm fields, type CQURE.
23. Click OK.
24. In the Connections pane, click SalesSupport_Test.
25. In the Details pane, double-click Authentication.
26. Click Anonymous Authentication.
27. In the Actions pane, click Disable.
28. In the Details pane, click Basic Authentication.
29. In the Actions pane, click Enable.
30. Click Edit.
31. The Edit Basic Authentication Settings dialog appears. In the Default domain and
Realm fields, type CQURE.
32. Click OK.
Configure production application pool recycling for unlimited requests
1. In the Connections pane, click Application Pools.
2. In the Details pane, click SalesSupport.
3. In the Actions pane, click Recycling.
4. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular
time intervals check box, and then click Next.
5. Click Finish.
6. In the Details pane, click SalesSupport_De.
7. In the Actions pane, click Recycling.
8. The Edit Application Pool Recycling Settings dialog box appears. Clear Regular time
intervals check box, and then click Next. Click Finish.
Configure the application pool to record recycled events
1. In the Details pane, click SalesSupport_Test.
2. In the Actions pane, click Recycling.
3. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number
of requests.
4. In the Fixed number of requests field, type 1024 and then click Next.
5. On the Recycling Events to Log page, select Number of requests, On-demand, and
Configuration changes.
6. Click Finish.
Configure .NET compilation debug setting to False
1. In the Connections pane, click SalesSupport.
2. In the Details pane, double-click .NET Compilation.
3. Under Behavior, in the Debug list, click False.
4. In the Actions pane, click Apply.
Question: What is the advantage of disabling the debug setting in .NET compilation?
Answer: The compiled code will be smaller and faster without debug code. It is a good idea to
use this setting when an application is fully tested and deployed to final production.
Configure application globalization settings for Germany
1. In the Connections pane, click SalesSupport_De.
2. In the Details pane, double-click .NET Globalization.
3. In the Culture list, click German (Germany) (de-DE).
4. In the UI Culture list, click German (Germany) (de-DE).
5. In the Actions pane, click Apply.
6. Open Internet Explorer.
7. The Windows Internet Explorer window opens. Browse to
http://localhost/salessupport.
8. The Connect to localhost dialog box appears. In the User name field, type yvonne.
9. In the Password field, type Passw0rd and then click OK.
10. Open a second tab in Internet Explorer and then browse to
http://localhost/salessupport_test.
11. Open a third tab and then browse to http://localhost/salessupport_de.
12. Right-click the notification area and then click Task Manager.
13. The Task Manager window opens. Click the Processes tab.
14. Under the Image Name column, notice that there are at least three instances of
w3wp.exe running, indicating at least three separate application pools. Close Task
Manager.
15. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx. Notice that
the date is now in dd.mm.yyyy format, the cultural default for Germany.
In order to proceed to the next Lab don't revert machines.
Lab 13: ASP.NET Security
Machines used in this Lab: DC, WEBA
Set the machine key
1. On WEBA, in Internet Information Services (IIS) Manager, in the Connections pane,
click SalesSupport_De.
2. In the Details pane, double-click Machine Key.
3. In the Actions pane, click Generate Keys.
4. Click Apply.
Configure the SalesSupport_Test site for medium trust level
1. In the Connections pane, click SalesSupport_Test.
2. In the Details pane, double-click .NET Trust Levels.
3. In the Trust level list, click Medium (web_mediumtrust.config).
4. In the Actions pane, click Apply.
Configure File and Folder security
1. In the Connections pane, click SalesSupport.
2. In the Details pane, click the Content View tab at the bottom of the window. Click
test.aspx.
3. In the Actions pane, click Edit Permissions.
4. The test.aspx Properties dialog box appears. Click the Security tab.
5. Click Advanced.
6. The Advanced Security Settings for test.aspx dialog box appears. Click Edit.
7. Disable inheritance.
8. The Windows Security dialog box appears asking if you want to copy the inherited
permissions. Use the ones that you had but remove Users.
9. Click Users (WEBA\Users), and then click Remove.
10. Click Add.
11. The Select User, Computer, or Group dialog box appears. In the Enter the object name to
select field, type Network Service. Note that since we have removed Users, we need to
specifically allow the Network Service account. Note that SalesSupport application pool
must be running under the Network Service account with pass-through authentication as
well!
12. Click Check Names, and then click OK.
13. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next
to Full control, select Allow. Click OK. Click Add.
14. The Select User, Computer, or Group dialog box appears. In the Enter the object name
to select field, type ITAdminsGG.
15. Click Check Names, and then click OK.
16. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next
to Full control, select Allow.
17. Click OK four times.
18. In Internet Explorer, browse to http://localhost/salessupport/test.aspx.
19. The Connect to localhost dialog box appears. In the User name field, type yvonne.
20. In the Password field, type Passw0rd and then click OK.
21. Click OK two more times. Notice that Yvonne no longer has access to test.aspx.
22. Click the Refresh button.
23. The Connect to localhost dialog box appears. In the User name field, type betsy. Note
that Betsy is a member of the ITAdminsGG security group.
24. In the Password field, type Passw0rd and then click OK.
25. Notice that Betsy has access to the page.
26. Close Internet Explorer.
Lab 14: Tracing and Logging for ASP.NET
1. On WEBA in Server Manager, in the console pane, expand Roles and then click Web
Server (IIS).
2. Right click Web Server (IIS), and then click Add Role Services.
3. The Add Role Services dialog box appears. Select Health and Diagnostics to select all
of the Health and Diagnostics services.
4. Click Next, and then click Install.
5. When the installation completes, click Close.
6. Open Notepad and then press Enter.
7. The Notepad window opens. On the File menu, click Open.
8. The Open dialog box appears. In the Text Documents list, click All Files.
9. Browse to C:\inetpub\wwwroot\SalesSupport_Test.
10. Click test.aspx, and then click Open.
11. In the first line of the file, modify the trace="false" attribute to read trace="true" so that
the line reads:
<%@ Page Language="C#" trace="true" %>
12. On the fifth line of the file, type This message should appear between the double quotes,
so that the line reads:
Response.Write("This message should appear");
Question: How would an application use tracing?
Answer: A developer can add trace commands to the Web application code to record
information that can be used for debugging and monitoring. The Administrator has the ability
to enable or disable tracing as needed.
13. On the File menu, click Save.
14. Close Notepad.
15. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.
16. If the Connect to localhost dialog box appears, in the User name field, type betsy.
17. In the Password field, type Passw0rd and then click OK.
18. Notice that “This message should appear” is displayed at the top of the page.
19. Scroll down and notice that the trace information appears at the bottom of the page.
20. In the Trace Information section, the next to last lines contain the trace messages from
the test.aspx file. Notice that the warning message is red.
21. Close Internet Explorer.
22. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
23. In the Actions pane, click Failed Request Tracing. If Failed Request Tracing does not
appear, close and reopen IIS Manager for the added Health and Diagnostics features to
appear.
24. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable,
and then click OK.
25. In the Details pane, double-click Failed Request Tracing Rules.
26. In the Actions pane, click Add.
27. The Add Failed Request Tracing Rule wizard appears. On the Specify Content to
Trace page, click ASP.NET (*.aspx), and then click Next.
28. On the Define Trace Conditions page, in the Status code(s) field, type 200 and then
click Next.
29. On the Select Trace Providers page, under Providers, clear all check boxes except
ASPNET.
30. Click ASPNET.
31. Under Areas, clear all check boxes except Page.
32. Under Verbosity, notice that it is set to Verbose.
33. Click Finish.
34. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.
35. If the Connect to localhost dialog box appears, in the User name field, type betsy.
36. In the Password field, type Passw0rd and then click OK.
37. Press CTRL + O.
38. The Open dialog box appears. Click Browse.
39. Browse to C:\inetpub\logs\FailedReqLogFiles\W3SVC1.
40. In the HTML Files list, click All Files.
41. If there is more than one, click the most recent fr######.xml file, and then click Open.
Click OK.
42. The failed request log opens. Notice in the Request Summary section the details of the
request: AppPool is SalesSupport_Test, Authentication is Basic, User from token is
CQURE\betsy.
43. In the Errors and Warnings section, click Expand All.
44. Notice that the warning “This is a warning.” appears.
Lab 15: Request Filtering
1. On WEBA in Internet Explorer, browse to http://localhost/. Notice that the IIS graphics
appear and IIS Welcome page appears.
2. Close Internet Explorer.
3. Open Notepad and then press Enter.
4. The Notepad window opens. On the File menu click Open.
5. The Open dialog box appears. In the Text Documents list, click All Files.
6. Browse to C:\inetpub\wwwroot.
7. Click web.config, and then click Open.
8. After the sixth line, <system.webServer>, press Enter and then add the following security
section:
<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="false">
      <add fileExtension=".aspx" allowed="true" />
    </fileExtensions>
  </requestFiltering>
</security>
Question: How could you disable only certain extensions, such as .MP3 and .WMA?
Answer: Set the allowUnlisted property to “true”. Add the unallowed file extensions and set their
allowed properties to “false”.
9. On the File menu, click Save. Close Notepad.
10. Open Internet Explorer.
11. Internet Explorer window opens. Browse to http://localhost/iis-8.png.
12. Notice that HTTP Error 404.7 appears. Detailed error messaging states that “The request
filtering module is configured to deny the file extension”.
13. Browse to http://localhost/iisstart.htm.
14. Notice the same error.
15. Open Command Prompt.
16. Type cd \inetpub\wwwroot and then press Enter.
17. Type copy iisstart.htm *.aspx and then press Enter.
18. Type dir, and then press Enter and notice that the file was copied to iisstart.aspx.
19. In Internet Explorer, browse to http://localhost/iisstart.aspx.
20. Notice that the page with the aspx extension loads without error but the image still does
not display.
In order to proceed to the next Lab revert WEBA to default state.
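The results seen in steps 12 to 20 can be reproduced offline. The following PowerShell is an added example, not part of the original lab files: a simplified model of the fileExtensions decision, run against the lab's allow-list and against the deny-list described in the answer above. The function name Test-ExtensionAllowed and the paths /song.mp3 and /clip.wma are assumptions, and only URLs that end in a file extension are modelled.

```powershell
# Added example: simplified offline model of <requestFiltering>/<fileExtensions>.
# Other request filtering checks (verbs, URL sequences, limits) are not modelled.

# The allow-list added to web.config in step 8 of this lab.
[xml]$allowList = @'
<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="false">
      <add fileExtension=".aspx" allowed="true" />
    </fileExtensions>
  </requestFiltering>
</security>
'@

# The deny-list from the answer: everything is served except .mp3 and .wma.
[xml]$denyList = @'
<security>
  <requestFiltering>
    <fileExtensions allowUnlisted="true">
      <add fileExtension=".mp3" allowed="false" />
      <add fileExtension=".wma" allowed="false" />
    </fileExtensions>
  </requestFiltering>
</security>
'@

function Test-ExtensionAllowed {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [Parameter(Mandatory)][string]$UrlPath
    )
    $section   = $Config.SelectSingleNode('//requestFiltering/fileExtensions')
    $extension = [System.IO.Path]::GetExtension($UrlPath)

    # An explicit <add> entry for the extension decides first
    # (compared case-insensitively in this model).
    foreach ($entry in $section.SelectNodes('add')) {
        if ($entry.GetAttribute('fileExtension') -ieq $extension) {
            return [System.Convert]::ToBoolean($entry.GetAttribute('allowed'))
        }
    }

    # No entry for this extension: allowUnlisted decides (schema default is true).
    $unlisted = $section.GetAttribute('allowUnlisted')
    if ($unlisted -eq '') { return $true }
    return [System.Convert]::ToBoolean($unlisted)
}

# The three URLs browsed in the lab plus two constructed media paths.
$paths = '/iis-8.png', '/iisstart.htm', '/iisstart.aspx', '/song.mp3', '/clip.wma'
$results = foreach ($p in $paths) {
    [pscustomobject]@{
        UrlPath   = $p
        AllowList = if (Test-ExtensionAllowed -Config $allowList -UrlPath $p) { 'served' } else { '404.7' }
        DenyList  = if (Test-ExtensionAllowed -Config $denyList  -UrlPath $p) { 'served' } else { '404.7' }
    }
}
$results | Format-Table -AutoSize
```

The allow-list column matches what the lab shows: only the .aspx copy is served, and the .png image it references is still blocked.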
Lab 16: IIS Modules
Machines used in this Lab: DC, WEBB
Start the WEBB virtual machine and log on as CQURE\Administrator
Backup the current Web server configuration.
1. On WEBB, if Server Manager opens, Close the Server Manager and open Command
Prompt.
2. Type cd c:\windows\system32\inetsrv\ and then press Enter.
3. Type appcmd add backup original and then press Enter.
4. Notice that the AppCmd completes the backup and reports BACKUP object "original"
added.
Question: When using the appcmd add backup command, where are the backup configuration
files placed?
Answer: In a new folder, in the C:\Windows\System32\inetsrv\backup\ folder.
Examine the modules currently installed on the Web server
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, click WEBB.
3. In the Details pane, in the Group by list, click Category.
4. In the Details pane, in the Server Components section, double-click Modules.
5. In the Group by list, click Module Type.
6. Notice that the DefaultDocumentModule and the DirectoryListingModule entries are
listed in the Native Modules section.
Question: What do the DefaultDocumentModule and DirectoryListingModule do?
Answer: The DefaultDocumentModule returns a default file to the Web browser when the URL
specifies a folder or directory rather than a file. The DirectoryListingModule supplies the
Web client with a list of the folder contents when the URL specifies a folder or directory.
Remove the Default Document Module and the Directory Listing Module
1. In the Connections pane, expand WEBB | Sites, and then click Default Web Site.
2. In the Actions pane, click Browse *:80(http).
3. Internet Explorer window opens. Notice that the page opens as expected.
4. Open | Computer and then browse to C:\windows\system32\inetsrv\config\.
5. In the Details pane, double-click applicationHost.config.
6. The Notepad window opens. Find the <globalModules> section.
7. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within
the <globalModules> tag by deleting these two lines:
<add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
<add name="DirectoryListingModule" image="%windir%\System32\inetsrv\dirlist.dll" />
8. Scroll down to the bottom of the file and find the <system.webServer> section.
9. Delete the references to the DefaultDocumentModule and the DirectoryListingModule
from within the <handlers accessPolicy="Read, Script"> tag by replacing:
<add name="StaticFile" path="*" verb="*"
modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule"
resourceType="Either" requireAccess="Read" />
With the line:
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
resourceType="Either" requireAccess="Read" />
10. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within
the <modules> tag. Delete the two lines:
<add name="DefaultDocumentModule" lockItem="true" />
<add name="DirectoryListingModule" lockItem="true" />
11. On the File menu, click Save.
12. Close Notepad.
Validate that the modules have been removed
1. In Internet Information Services (IIS) Manager, in the Connections pane, click WEBB.
2. In the Details pane, in the Server Components section, double-click Modules.
3. In the Native Modules section, notice that the DefaultDocumentModule and the
DirectoryListingModule entries are gone.
4. In Internet Explorer, click the Refresh button. Notice that the Web page is now blank,
even though Internet Explorer indicates that it is done loading.
5. In Internet Explorer, browse to http://localhost/default.aspx. Notice that the Web page
loads after you specify the default document.
Question: Why did the Web page get restored after the file name default.aspx was added to the
URL?
Answer: The Web server is still completely operational, but no longer offers default documents
or directory browsing. So if a full URL is specified, complete with a file name, then the Web
server will return that file to the Web client, if available.
Restore the modules to the Web server configuration
1. In the Command Prompt, type appcmd restore backup original and then press Enter.
2. Notice that the AppCmd completes the restore and reports that the original
configuration has been restored.
Question: After the AppCmd completes the restore, where does it restore the configuration files to?
Answer: The files are restored to the C:\Windows\System32\inetsrv\config folder.
Validate that the modules have been restored
1. Use IE to browse to http://localhost/, and then click Refresh.
2. Notice that the page once again loads properly from the default document. Close
Internet Explorer.
In order to proceed to the next Lab don’t revert machines.
Lab 17: Configuring Managed Modules
Machines used in this Lab: DC, WEBB
Install the logging managed module on WEBB
1. In Windows Explorer, browse to C:\inetpub\.
2. Right-click inetpub, and then click New | Folder.
3. Type logging_module and then press Enter.
4. Browse to Step4\logging_module in the course lab files.
5. Select all, then right-click and then click Copy.
6. Browse to C:\inetpub\logging_module, right-click, and then click Paste.
7. Browse to C:\inetpub\logging_module\logs\.
8. Right-click logs, and then click Properties.
9. The logs Properties dialog box appears. Click the Security tab. Click Edit.
10. The Permissions for logs dialog box appears. In the Group or user names section, click
Users (WEBB\Users).
11. In the Permissions for Users box, next to Modify, select Allow. Click OK twice.
12. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites.
13. In the Actions pane, click Add Web Site.
14. The Add Web Site dialog box appears. In the Site name field, type logging_module.
15. In the Physical path field, type C:\inetpub\logging_module.
16. In the Port field, type 8181. Click OK.
Confirm the installation of the logging managed module
1. In the Actions pane, click Browse *:8181 (http).
2. Internet Explorer window opens. Click Go on to Second Page.
3. Notice that the second page loads. Close Internet Explorer.
4. In Internet Information Services (IIS) Manager, in the Connections pane, click
logging_module.
5. In the details pane, in the Server Components section, double-click Modules.
6. In the Managed Modules section, click Logger.
7. In the Actions pane, click Edit.
8. The Edit Managed Module dialog box appears. Notice that the type is listed as
HttpLogger.
9. Click Cancel.
10. In Windows Explorer, browse to C:\inetpub\logging_module\logs.
11. Double-click [yyyymmdd].txt.
12. The Notepad window opens. Notice the log entries for http://localhost:8181/default.aspx
and http://localhost:8181/second_page.htm.
13. Close Notepad.
Question: Why do the log file entries have the numbers 8181 listed?
Answer: The logging module records the complete URL of the requested Web site files. The
logging_module web site was configured to use port number 8181, which is a secondary Web
site port.
Test the Web site forms authentication functionality
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
2. In the Actions pane, click Browse *:80 (http).
3. Internet Explorer window opens. Click Shared Documents.
4. In the Email field, type [email protected].
5. In the Password field, type Passw0rd.
6. Click Login.
7. If you get the AutoComplete Passwords dialog box, click No.
8. Click Confidential Memo. Notice that the image representing the Confidential Memo
appears.
9. Click the Back button. Click Signout. Click Home.
Examine the modules currently running on the Web server
1. In the Internet Information Services (IIS) Manager window, in the Connections pane,
click WEBB.
2. In the details pane, in the Server Components section, double-click Modules.
3. In the Managed Modules section, click OutputCache.
4. In the Actions pane, click Edit.
5. The Edit Managed Module dialog box appears. Notice that the module is configured
properly and is set to run normally. Click Cancel.
Remove the forms authentication managed module
1. In the Connections pane, click Default Web Site.
2. In the details pane, in the Server Components section, double-click Modules.
3. In the Managed Modules section, click Forms Authentication.
4. In the Actions pane, click Remove.
5. The Confirm Remove dialog box appears. Click Yes.
Test the new configuration
1. In the Internet Explorer window, click Shared Documents. Notice that you now get an
Access is denied error message, indicating that the logon failed because the forms
authentication module has been removed.
Question: Why is the Access denied error message displayed at this point?
Answer: The Access is denied error message indicates that the logon failed because the forms
authentication module has been removed.
In order to proceed to the next Lab revert WEBB to default state.
Lab 18: Securing the IIS Web Server and Web Sites
Machines used in this Lab: DC, WEBB
Start the WEBB virtual machine and log on as CQURE\Administrator.
Create a self-signed server certificate for the Web server
1. On WEBB, Open | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Connections pane, click WEBB.
3. In the details pane, in the Group by list, click Category.
4. In the details pane, in the Security section, double-click Server Certificates.
5. In the Actions pane, click Create Self-Signed Certificate.
6. The Create Self-Signed Certificate dialog box appears.
7. In the Specify a friendly name for the certificate field, type WEBB.CQURE.TEC.
8. Click OK. Notice that the new self-signed certificate has been added to the certificate list.
Question: What are the advantages and disadvantages of using self-signed certificates?
Block IP addresses as specified in the service request
1. In the Connections pane, click WEBB.
2. In the details pane, in the Security section, double-click IP Address and Domain
Restrictions.
3. In the Actions pane, click Add Deny Entry.
4. The Add Deny Restrictions Rule dialog box appears. In the Specific IPv4 address field,
type 10.10.20.1.
5. Click OK.
6. In the Actions pane, click Add Deny Entry.
7. The Add Deny Restrictions Rule dialog box appears.
8. Click IP address range.
9. In the IP address range field, type 10.10.30.0.
10. In the Mask field, type 255.255.255.0.
11. Click OK. Notice that the new IP restrictions have been added to the list.
Question: When would you want to use this feature to block IP addresses?
Answer: An organization may want to block malicious users or restrict access from a certain
domain or location.
Configure ISAPI and CGI Restrictions
1. In the Connections pane, click WEBB.
2. In the details pane, in the Security section, double-click ISAPI and CGI Restrictions.
Notice that the ASP.NET entries are the only applications currently listed.
3. In the Actions pane, click Edit Feature Settings.
4. The Edit ISAPI or CGI Restrictions Settings dialog box appears. While it’s not a
recommended practice, you can easily allow unspecified CGI and ISAPI modules. Click
Cancel.
Set the rights and permissions for Active Directory users
1. In Windows Explorer, browse to C:\inetpub\.
2. Right-click wwwroot and then click Properties.
3. The wwwroot Properties dialog box appears. Click the Security tab.
4. Click Edit.
5. The Permissions for wwwroot dialog box appears. Click Add.
6. The Select Users, Computers, or Groups dialog box appears. Click Locations.
7. The Locations dialog box appears. If CQURE.TEC is not already highlighted, then in the
Location tree, click CQURE.TEC.
8. Click OK.
9. In the Enter the object names to select field, type ITAdminsGG and then click Check
Names.
10. Click OK. Notice that the Read & execute, List folder contents, and Read options are
allowed.
11. Click Add.
12. The Select Users, Computers, or Groups dialog box appears. In the Enter the object
names to select field, type Herbert and then click Check Names. Click OK.
13. Next to Full control, select Allow. Click OK.
Test and validate the new configuration
1. In the Group or user names field click ITAdminsGG. Notice that the Read & execute, List
folder contents, and Read options are allowed.
2. In the Group or user names field click Herbert Dorner. Notice that all the options
are allowed.
3. Click OK.
In order to proceed to the next Lab don't revert WEBB.
Lab 19: CPU Throttling: Sand-boxing Sites and Applications
Machines used in this Lab: DC, WEBB
Problem: In a multi-tenanted deployment, such as a shared hosting environment, it is important
to create a sand-box for each tenant. Without the sand-box, a tenant could intentionally or
unintentionally impact other tenants negatively by accessing other tenants' contents or by
monopolizing resources, such as memory, CPU, and bandwidth.
Solution: On Internet Information Services (IIS) on Windows Server 2012, the sand-box is
scoped to an IIS application pool. It offers a security boundary at the Windows process
level, by running each tenant under a separate user identity, and resource limits that are
also enforced at the process level.
On Windows Server 2012, the IIS CPU Throttling feature enables customers to truly limit how
much CPU each tenant can consume, as a percentage of CPU. Furthermore, this feature is
configurable per IIS application pool, which means each tenant can have a different limit.
This can lead to a new business model in which tenants pay more for higher limits.
It is important to clarify that IIS CPU Throttling is not a reservation of a CPU resource. Rather, it
is a way to limit the maximum usage.
Step by Step Instructions:
Prerequisites:
• IIS is installed on Windows Server 2012.
o IIS CPU Throttling is part of IIS application pool configuration. Therefore, a
default install of IIS will have this feature installed. There is no specific IIS feature
that needs to be installed from Server Manager.
• There is at least one site with a corresponding IIS application pool.
o Default Web Site and DefaultAppPool can be used for this exercise.
o Copy CPUThrottlingTest to inetpub/wwwroot/CPUThrottlingTest
o Create Application CPUThrottlingTest with application pool (might be
DefaultAppPool) using .NET 4.5
o ASP.NET must be installed, default.aspx must be on the list with Default
Documents.
Configure CPU Throttling
1. On WEBB Open IIS Manager.
2. Select Application Pools in the left navigation window:
3. Select DefaultAppPool:
4. In the Action pane, select Advanced Settings:
5. Under CPU group, locate the following configurations:
o Limit: Indicates the maximum CPU usage (in 1/1000ths of a percent) for this
application pool. If there are multiple processes associated with this application
pool, the limit is applied to the total sum of all processes under this application
pool.
o LimitAction: Indicates what action to take when the Limit value above is met.
▪ For Windows Server 8, two new actions, Throttle and ThrottleUnderLoad,
have been added:
▪ Throttle: The feature will throttle the CPU consumption to the value set
for Limit.
▪ ThrottleUnderLoad: The feature will throttle the CPU consumption to the
value set for Limit, but only if there is contention on the CPU. This
means that the application pool may consume more CPU when
the CPU is idle.
o LimitInterval: Not used for either Throttle or ThrottleUnderLoad. This
configuration attribute is carried over from previous versions of Windows for
backward compatibility.
6. Run the application in the web browser (localhost/CPUThrottlingTest). Open Task Manager
or Process Monitor and verify the CPU load of w3wp.exe.
7. In the Application Pool properties, set the maximum limit to 20%. Enter:
a. Limit: 20000 (20% in 1/1000ths of a percent)
b. LimitAction: Throttle
8. Verify the dependency of Limit setting and the CPU usage for w3wp.exe process.
9. Note that the configuration settings in question can be set as default values so that they
don't have to be configured individually per application pool. To configure the
application pool defaults, select Set Application Pool Defaults under Actions pane:
10. The same settings are exposed there to configure the application pool defaults:
11. Remove the application so that it does not disturb other exercises.
Usage Scenarios
• The IIS CPU Throttling feature is designed for a multi-tenanted environment. Try these
settings in an environment where there are thousands of sites and applications, like a
shared hosting deployment.
• Set different limits for different "groups" of tenants to simulate those customers who are
allowed to consume more CPU resources than others.
• Set ThrottleUnderLoad as LimitAction to observe the behavior. It functions like
Throttle if there is contention on the CPU. If there is no contention on the CPU,
the application pool is allowed to use more CPU resources than the value set for Limit.
• Create a sand-box with memory and bandwidth limits, along with the IIS CPU Throttling
feature on Windows Server 2012. Memory and bandwidth limits are not discussed
specifically in this documentation because these features exist on Windows Server 2008
and Windows Server 2008 R2.
Summary
You have successfully explored the IIS CPU Throttling feature in Windows Server 2012.
Lab 20: Central certificate store
Machines used in this Lab: DC, WEBB
Preparing file server
1. Switch to DC machine
2. Log on as Administrator
3. Launch cmd.exe
4. Type "md c:\certstore" and press Enter
5. Launch server manager
6. On the upper toolbar click "Manage" and then "Add Roles and Features"
7. Click "Next"
8. Leave the default (Role-based) installation type and click "Next"
9. Leave local server selected and click "Next"
10. Expand "File and Storage Services" then "File and iSCSI Services" and select "File Server"
11. Click "Next"
12. On the "Features" screen click "Next"
13. Click "Install" and wait until installation finishes and click "Close"
14. In the left pane of the Server Manager click "File and Storage Service" and then "Shares"
15. Expand the "Tasks..." button and select "New Share..."
16. Select "SMB Share – Quick" and click "Next"
17. Select "Type a custom path"
18. Click "Browse" and select c:\certstore folder
19. Click "Next"
20. Leave default values for share name and click "Next"
21. Leave default share settings and click "Next"
22. Leave default permissions (readonly share permissions) and click "Next"
23. Click "Create" and then "Close"
Copying certificates to central store
1. On DC attach the ISO file provided.
2. Launch cmd.exe.
3. Go to the Certs folder.
4. Type "copy *.pfx \certstore" and press Enter. Verify that the files were actually copied.
5. Type "exit" and press Enter to close cmd.exe window.
Trusting your certificates
1. These steps are necessary only if you plan to browse your website from a machine other
than DC.
2. Remember that the following steps are necessary because you use self-signed certificates for
the lab. In real-life scenarios, certificates are signed by one of the TRCAs configured on your
machine.
3. Log on as Administrator, launch mmc.exe.
4. Press Ctrl+M and select "Certificates". Click "Add".
5. Select "Computer account". Click "Next" and then "Finish". Click "OK"
6. Navigate to Trusted Root Certificate Authorities\Certificates.
7. From the menu select Action -> All Tasks -> Import. Click "Next".
8. Select your certificate from \\dc\certstore and import it. Note that you should change
filetype to "*.pfx" to see your files.
9. Specify P@ssw0rd as certificate password. Note that there is "@" sign in the password
string.
10. Repeat steps 7-9 for all your certificates.
Verifying address resolution
1. Open cmd.exe and try to ping www.contoso.com
2. If the name is not recognized:
a. Open DNS Management Console and expand "Forward Lookup Zones" and
then "contoso.com".
b. Right-click the zone and select "New Alias (CNAME)".
c. Type "www" as alias name and "webb.cqure.tec" as FQDN for target host.
d. Click OK.
e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name
resolution cache.
f. Ping www.contoso.com and verify if name is resolved correctly.
3. Ping test123.acme.net
4. If the name is not recognized:
a. Open DNS Management Console and expand "Forward Lookup Zones" and
then "acme.net".
b. Right-click the zone and select "New Alias (CNAME)".
c. Type "*" as alias name and "webb.cqure.tec" as FQDN for target host.
d. Click OK
e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name
resolution cache.
f. Ping test123.acme.net and verify if name is resolved correctly.
Installing CCS support
1. Switch to WEBB machine and log on as Administrator
2. Launch Server Manager and on the upper toolbar click "Manage" and then "Add Roles
and Features"
3. Click "Next"
4. Leave the default (Role-based) installation type and click "Next"
5. Leave local server selected and click "Next"
6. Expand the "Web Server (IIS)" then "Web Server" and "Security"
7. Select "Centralized SSL Certificate Support". Click "Next"
8. On the "Features" screen click "Next"
9. Click "Install" and wait until installation finishes and click "Close"
Configuring CCS
1. Stay on WEBB machine and launch IIS Manager.
2. In the left pane select your server name.
3. If asked about Web Platform Components, press "No".
4. Double click "Centralized Certificates" under the "Management" in the central pane.
5. Click "Edit Feature Settings" in the right pane.
6. Click "Enable Centralized Certificates".
7. Type the UNC path to a share you created previously - \\dc\certstore.
8. Type the username and password. Administrator credentials will work properly, but using
a dedicated user account is more secure.
9. In the "Certificate Private Key Password" type P@ssword twice. Note that there is "@"
sign in the password string. Click "OK"
10. Verify if certificates from your share appeared in the central pane.
Creating new website
1. Stay on WEBB machine and launch IIS Manager.
2. In the left pane expand your server name and right click "Sites".
3. Select "Add Website" and fill out the dialog box with values:
a. Site name – www.contoso.com
b. Physical path – c:\inetpub\wwwroot\contoso
c. Type – https
d. Host name – www.contoso.com
e. Require Server Name Identification – true
f. Use Centralized Certificate Store – true
4. If asked about duplicate :80 binding – click "No"
5. Note that you cannot select a certificate, and click OK
6. Repeat above steps and create virtual site for www.acme.net
a. Site name – www.acme.net
b. Physical path – c:\inetpub\wwwroot\acme
c. Type – https
d. Host name – www.acme.net
e. Require Server Name Identification – true
f. Use Centralized Certificate Store – true
Testing new website
1. Switch to DC machine
2. Log on as Administrator
3. Launch cmd.exe
4. Type "ping www.contoso.com" and verify if the IP address was resolved correctly
5. Launch Internet Explorer and navigate to https://www.contoso.com
6. If asked – accept the warning caused by self-signed certificate by clicking on "Continue
to this website"
7. Click on the certificate icon and select "View certificates"
8. Verify properties of the certificate used for encrypting data transmission
a. Verify if dates are OK
b. Verify if subject equals to server name (www.contoso.com)
c. Verify if certificate is trusted
9. Repeat above steps for https://www.acme.net.
a. What do you observe for certificate subject?
Lab 21: Configuring FTP Protection
Machines used in this Lab: DC, WEBB
FTP Server installation
1. Switch to WEBB machine
2. Log on as Administrator
3. Launch server manager
4. On the upper toolbar click "Manage" and then "Add Role"
5. Click "Next"
6. Leave the default (Role-based) installation type and click "Next"
7. Leave local server selected and click "Next"
8. Expand the "Web Server (IIS)" then "FTP Server"
9. Select "FTP Service"
10. Click "Next"
11. On the "Features" screen click "Next"
12. Click "Install" and wait until installation finishes and click "Close"
FTP Server configuration
1. Launch IIS Manager
2. In the left pane right click your server name and select "Add FTP Site"
3. Fill the dialog box with values:
a. FTP Site Name – FTP1
b. Physical Path – c:\inetpub\ftproot
4. Press "Next"
5. Switch SSL option to "No SSL" and click "Next"
6. Configure options:
a. Authentication – Basic
b. Allow Access to – All Users
c. Permissions – Read
7. Click "Finish"
8. Verify your FTP server by launching cmd.exe and typing ftp 127.0.0.1. If it asks for
a username, the server works properly.
Attacking unprotected FTP server
1. Create a local copy of the Brutus utility from the ISO
2. Launch BrutusA2.exe utility
3. Set your attack parameters:
a. Target – 127.0.0.1
b. Type – FTP
4. Press "Start"
5. If the attack finishes, note the elapsed time and the attempt count.
6. Navigate to c:\inetpub\logs\logfiles\ftpsvc and open the logfile. Try to identify attack
evidence. Note that IIS log files use UTC time, not local time.
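One way to look for the attack evidence from step 6, as an added example that is not part of the original lab files: the PowerShell below parses FTP log lines in W3C format, collects failed PASS commands (status 530) and reports bursts per client address in both UTC and local time. The log text is constructed, and the function names, the threshold of 5 and the reuse of the lab's 120-second period as the window are assumptions.

```powershell
# Added example: find password-guessing bursts in an IIS FTP log.
# The log text is constructed for illustration. Column order is read from the
# #Fields header, so a different field selection still parses.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-04-22 10:15:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2014-04-22 10:15:00 127.0.0.1 - 127.0.0.1 21 USER admin 331 0 0 s-0001 -
2014-04-22 10:15:00 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 0 s-0001 -
2014-04-22 10:15:01 127.0.0.1 - 127.0.0.1 21 USER admin 331 0 0 s-0002 -
2014-04-22 10:15:01 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 0 s-0002 -
2014-04-22 10:15:01 127.0.0.1 - 127.0.0.1 21 USER administrator 331 0 0 s-0003 -
2014-04-22 10:15:02 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 0 s-0003 -
2014-04-22 10:15:02 127.0.0.1 - 127.0.0.1 21 USER admin 331 0 0 s-0001 -
2014-04-22 10:15:03 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 0 s-0001 -
2014-04-22 10:15:03 127.0.0.1 - 127.0.0.1 21 USER administrator 331 0 0 s-0002 -
2014-04-22 10:15:03 127.0.0.1 - 127.0.0.1 21 PASS *** 530 1326 0 s-0002 -
2014-04-22 10:20:10 10.10.20.7 - 10.10.20.50 21 USER betsy 331 0 0 s-0009 -
2014-04-22 10:20:14 10.10.20.7 - 10.10.20.50 21 PASS *** 530 1326 0 s-0009 -
2014-04-22 10:20:21 10.10.20.7 - 10.10.20.50 21 USER betsy 331 0 0 s-0009 -
2014-04-22 10:20:25 10.10.20.7 CQURE\betsy 10.10.20.50 21 PASS *** 230 0 0 s-0009 /
'@ -split '\r?\n'

function Get-FtpFailedLogon {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)
    $fields = @()
    $userBySession = @{}   # x-session -> name last sent with USER in that session
    $utc = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    foreach ($text in $Line) {
        if ($text -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($text -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }
        $values = $text.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip damaged lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $session = [string]$row['x-session']
        switch ($row['cs-method']) {
            'USER' { $userBySession[$session] = $row['cs-uri-stem'] }
            'PASS' {
                if ($row['sc-status'] -eq '530') {   # 530 = logon rejected
                    [pscustomobject]@{
                        TimeUtc  = [datetime]::ParseExact("$($row['date']) $($row['time'])",
                                       'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture, $utc)
                        ClientIp = $row['c-ip']
                        User     = $userBySession[$session]
                    }
                }
            }
        }
    }
}

function Find-FtpGuessingBurst {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Failure,
        [int]$Threshold = 5,        # assumed alert level
        [int]$WindowSeconds = 120   # same period the lab sets in Logon Attempt Restrictions
    )
    foreach ($group in ($Failure | Group-Object ClientIp)) {
        $times = @($group.Group | Sort-Object TimeUtc | ForEach-Object { $_.TimeUtc })
        # Sliding window: the largest number of failures inside any window.
        $start = 0; $peak = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        [pscustomobject]@{
            ClientIp     = $group.Name
            Failures     = $times.Count
            PeakInWindow = $peak
            UsersTried   = @($group.Group.User | Where-Object { $_ } | Sort-Object -Unique) -join ','
            FirstUtc     = $times[0]
            FirstLocal   = $times[0].ToLocalTime()   # the log is UTC; convert before comparing with a wall clock
            Suspicious   = $peak -ge $Threshold
        }
    }
}

$failures = @(Get-FtpFailedLogon -Line $sampleLog)
Find-FtpGuessingBurst -Failure $failures | Format-Table -AutoSize

# Against the lab server, feed the real file instead of the sample:
# Get-FtpFailedLogon -Line (Get-Content <path to the log file under c:\inetpub\logs\logfiles\ftpsvc>)
```

In the constructed sample, 127.0.0.1 produces five rejected logons within a few seconds and is flagged, while the single mistyped password from 10.10.20.7 followed by a successful logon is not.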
Protecting your FTP Server
1. Launch IIS Manager
2. In the left pane select your server name
3. Double click "FTP Logon Attempt Restrictions" in the central pane
4. Select "Enable FTP Logon Attempt Restrictions" and change the time period to 120
seconds
5. Leave default values and press "Apply" in the right pane
Attacking protected FTP server
1. Launch BrutusA2.exe utility
2. Set your attack parameters:
a. Target – 127.0.0.1
b. Type – FTP
3. Press "Start"
4. Observe the result of an attack
5. Try to repeat steps you used to verify FTP configuration:
a. Launch cmd.exe
b. Type "ftp 127.0.0.1" and press Enter
c. Could you see the difference?
Lab 22: Authorization, Authentication and Access
Machines used in this Lab: DC, WEBB
Disable IE ESC mode
1. On WEBB, log on as CQURE\Administrator // Passw0rd
2. Launch Server Manager and select Local Server in the left pane.
3. Find the IE Enhanced Security Configuration entry in the main pane and switch it to
disabled for admins and users.
Turn off the Web site cache for the shared documents folder
1. On WEBB, in Internet Information Services (IIS) Manager, in the Connections pane,
ensure WEBB | Sites | HR | docs is expanded, and then click shared.
2. In the details pane, in the HTTP Features section, double-click HTTP Response
Headers.
3. In the Actions pane, click Add.
4. The Add Custom HTTP Response Header dialog box appears. In the Name field, type
Cache-Control.
5. In the Value field, type no-cache and then click OK.
Sign into the Raccoons Bank Web site and retrieve the confidential memo
1. In Internet Information Services (IIS) Manager, in the Connections pane, click HR.
2. In the Actions pane, click Browse *:80 (http).
3. The Windows Internet Explorer window opens. Click Shared Documents.
4. In the Email field, type [email protected].
5. In the Password field, type Passw0rd.
6. Click Login.
7. If you get the AutoComplete Passwords dialog box, click No.
8. Click Confidential Memo. Notice that the image representing the Confidential Memo
appears.
9. Click the Back button.
10. Click Signout.
Bypass the Web site forms authentication
1. In Internet Explorer, browse to http://hr.cqure.tec/docs/shared/Raccoons_memo.jpg.
Notice that the image representing the Confidential Memo appears.
Question: Why is the confidential memo being displayed even after the user logs out?
Answer: The Web site and directory are not fully protected by forms authentication.
2. Click the Back button.
Modify the applicationHost.config to unlock the URL Authorization <configSections>
section by changing the override mode default to allow
1. On WEBB in Windows Explorer, browse to C:\windows\system32\inetsrv\config.
2. In the details pane, double-click applicationHost.config. Unlock the URL Authorization
section by changing the override mode default to 'allow'. Do this by modifying the
authorization section indicated on the next step.
3. Find the <configSections> section. Find:
<section name="authorization" overrideModeDefault="Allow" />
And replace it with:
<section name="authorization"
type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35"
overrideModeDefault="Allow" />
Modify the applicationHost.config <applicationPools> section to change the Classic .NET
application pool to Integrated mode
1. Change the Classic .NET application pool to Integrated mode by finding the
<applicationPools>
section and replacing:
<add name="Classic .NET AppPool" managedPipelineMode="Classic" />
With:
<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />
Modify the applicationHost.config file to disable all other authentication types except for
anonymous
1. Find the <authentication> section.
2. Append:
enabled="false"
To:
clientCertificateMappingAuthentication, digestAuthentication,
iisClientCertificateMappingAuthentication, and windowsAuthentication
Modify the applicationHost.config file to protect all content by removing the
managedHandler precondition from the <system.webServer> section
1. Remove the preconditions for Forms Authentication and Default Authentication from
the modules section. Do this by finding the <system.webServer> section, and then
modifying the lines indicated on the next steps.
2. Replace:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"
preCondition="managedHandler" />
With:
<add name="Forms Authentication" type="System.Web.Security.FormsAuthenticationModule" />
3. Replace:
<add name="Default Authentication"
type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
With:
<add name="Default Authentication"
type="System.Web.Security.DefaultAuthenticationModule" />
4. On the File menu, click Save.
5. Close Notepad.
Reconfigure the authorization and authentication so that the protected content uses
forms authentication
1. In Windows Explorer, browse to D:\AllFiles\Step6\Labfiles\RaccoonsHRSite.
2. In the details pane, double-click Web.Config.
3. The Notepad window opens. Find the <authorization> section.
4. Add the line <allow users="[email protected]" />, above the line <!--<deny users="?"
/>-->.
5. Remove the commenting brackets from the line <!--<deny users="?" />-->, changing it
to <deny users="?" />.
6. On the File menu, click Save.
7. Close Notepad.
8. In Internet Information Services (IIS) Manager, in the Connections pane, click shared.
9. In the details pane, in the Security section, double-click Authentication.
10. Click Anonymous Authentication.
11. In the Actions pane, click Disable.
Test and validate the new Web site configuration
1. In Internet Explorer, in the Email field, type [email protected].
2. In the Password field, type Passw0rd.
3. Click Login.
4. Click Confidential Memo.
5. Click the Back button.
6. Click Signout.
7. In Internet Explorer, browse to http://hr.cqure.tec/docs/shared/Raccoons_memo.jpg.
Notice that you are redirected to the login page and that proper authentication is now
required to access the Raccoons Memo file.
Lab 23: IIS Hardening
Machines used in this Lab: DC, NODE1
The IIS platform is much bigger than it looks. It has many security features built into the
platform itself and many more that are configured as part of the Web Site settings. In
this lab you will configure the security settings for the platform and for the Web Site.
Starting your lab environment
1. Launch DC and wait until it starts, logon as CQURE\Administrator with password
Passw0rd
2. Launch NODE1 machine and logon as CQURE\Administrator with password Passw0rd
Verifying existing configuration
1. Switch to DC machine
2. Start Internet Explorer
3. Type http://NODE1.CQURE.TEC in the address field and verify if web server on node 1
is working correctly
4. Type https://NODE1.CQURE.TEC in the address field and verify if web server on node 1
is working correctly with SSL
5. Install the NMAP application and then start NMAP Zenmap GUI from desktop.
6. Type NODE1.CQURE.TEC in the target field
7. Select Quick scan as a profile
8. Click Scan
9. Verify open ports
Remove IPv6 bindings
If your server will not serve content to IPv6 clients (which is the most common scenario), you
should remove the binding to this protocol.
1. Switch to NODE1
2. Start cmd.exe
3. Type ipconfig and try to identify IPv6 addresses.
4. Type ncpa.cpl
5. Right click Ethernet and select properties
6. Uncheck checkbox next to Internet Protocol Version 6 (TCP/IPv6)
7. Click OK
8. Right click Ethernet and select Disable and then Enable it.
9. Close Network Connections window
10. In the cmd.exe console type ipconfig to verify that there are no IPv6 addresses
Configuring firewall
1. Stay on NODE1
2. Start cmd.exe
3. Type wf.msc to launch firewall management console
4. Select Inbound rules from the left pane
5. You may sort rules list by Enabled column for easier identification of enabled rules
6. Disable IPv6 Rule
a. Find Core Networking – IPv6 (IPv6-In) rule
b. Right click it
c. Select Disable from context menu
7. Disable all other rules except:
a. World Wide Web Services (HTTP Traffic-In)
b. World Wide Web Services (HTTPS Traffic-In)
8. Switch to DC machine
9. Start NMAP Zenmap GUI from desktop
10. Type NODE1.CQURE.TEC in the target field
11. Select Quick scan as a profile
12. Click Scan
13. Verify open ports
Encrypting traffic with https
2. Switch to NODE1
3. Launch Internet Information Services (IIS) Manager
4. Select NODE1 from the left pane
5. Double click on Server Certificates
6. Click Create Self-Signed Certificate from the right pane
7. Type NODE1.CQURE.TEC as a friendly name and click OK
8. Expand Sites in the left pane and select Default Web Site
9. Click Bindings… in the right pane. Click Add…
10. Create new binding
a. Type: https
b. IP Address: All Unassigned
c. Port: 443
d. SSL Certificate: NODE1.CQURE.TEC
11. Close site bindings window
12. Switch to DC machine
13. Start Internet Explorer
14. Type https://NODE1.CQURE.TEC in the address field and verify if web server on node 1
is working correctly with SSL
15. Click Continue to this website
16. Click on the red icon next to the address bar in Internet Explorer
17. Click View certificates
18. Switch to Details tab
a. Is the Subject field valid for this website?
b. Are Valid from and Valid to fields correct?
19. Switch to Certification Path tab
a. Is this certificate trusted?
20. Click OK to close certificate properties window
21. What should change before you use such configuration in production environment?
Removing features
1. Switch to NODE1
2. Close all open windows and applications
3. Start Server Manager
4. Add Roles.
5. Click Remove Role Services in the Web Server (IIS) section
6. Uncheck Directory Browsing – it allows you to browse website directories when you do
not specify document name in the URI and usually is not necessary.
7. Click Next then Remove and Close
Adding features
1. Switch to NODE1
2. Close all open windows and applications
3. Start Server Manager
4. Add Role.
5. Click Add Role Services in the Web Server (IIS) section
6. Check following options under Security section:
a. Windows Authentication
b. URL Authorization
c. IP and Domain Restrictions
7. Click Next then Install and Close
Configuring IP restrictions
1. Switch to NODE1
2. Launch Internet Information Services (IIS) Manager
3. Expand NODE1 and Default Web Site in the left pane and select test1 virtual directory
4. Double click IP Address and Domain Restrictions icon
5. Click Add Deny Entry from the right pane
6. Enter the domain controller's IP address (10.10.10.10) as the value to deny
7. Switch to DC machine
8. Start Internet Explorer
9. Type http://NODE1.CQURE.TEC and then http://NODE1.CQURE.TEC/test1
a. What happens? What is verified first: IP restrictions or user account? Does it make
sense?
Adding other security modules
1. Switch to NODE1
2. Close all open windows and applications
3. Launch Internet Information Services (IIS) Manager
4. Select Default Web Site from the left pane
5. Open IP and Domain Restrictions module
6. Click Edit Dynamic Restriction Settings in right pane
7. Check Deny IP addresses based on the number of requests over a period of time
option
8. Type 10 as a number of requests and 10000 as time period
9. Click Apply on the right pane
10. Click Default Web Site from the left pane
11. Switch to DC machine
12. Start Internet Explorer
13. Type http://NODE1.CQURE.TEC in the address field and verify if page opens
14. Click refresh button (next to address field) several times and count refreshes until it
stops working. Is the count what you expected? Why?
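A read-only way to confirm the state this lab leaves NODE1 in, as an added example that is not part of the original lab. The function name Get-LabHardeningState is hypothetical; it assumes an elevated PowerShell session on Windows Server 2012 or later with the Web Server (IIS) role and the IP and Domain Restrictions role service installed.

```powershell
# Added example: reads back the settings changed in Lab 23 without modifying anything.
Import-Module WebAdministration

function Get-LabHardeningState {
    param(
        [string]$SiteName = 'Default Web Site',
        # Display names of the only two inbound rules the lab leaves enabled
        [string[]]$AllowedInbound = @(
            'World Wide Web Services (HTTP Traffic-In)',
            'World Wide Web Services (HTTPS Traffic-In)')
    )

    $sitePath = "IIS:\Sites\$SiteName"

    # Enabled inbound firewall rules other than the two web rules
    $extraRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $AllowedInbound -notcontains $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName)

    # Network adapters that still have TCP/IPv6 bound
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty Name)

    # Site bindings; after the lab there should be one http and one https (port 443) entry
    $bindings = @(Get-WebBinding -Name $SiteName |
        ForEach-Object { "$($_.protocol) $($_.bindingInformation)" })

    # Directory browsing should report False
    $dirBrowse = (Get-WebConfigurationProperty -PSPath $sitePath `
        -Filter 'system.webServer/directoryBrowse' -Name 'enabled').Value

    # Dynamic IP restriction by request rate (the lab sets 10 requests per 10000 ms)
    $rateFilter = 'system.webServer/security/dynamicIpSecurity/denyByRequestRate'
    $rate = @{}
    foreach ($name in 'enabled', 'maxRequests', 'requestIntervalInMilliseconds') {
        $rate[$name] = (Get-WebConfigurationProperty -PSPath $sitePath `
            -Filter $rateFilter -Name $name).Value
    }

    [pscustomobject]@{
        ExtraInboundRules = $extraRules
        AdaptersWithIPv6  = $ipv6Adapters
        SiteBindings      = $bindings
        DirectoryBrowsing = $dirBrowse
        RateLimitEnabled  = $rate['enabled']
        MaxRequests       = $rate['maxRequests']
        IntervalMs        = $rate['requestIntervalInMilliseconds']
    }
}

Get-LabHardeningState | Format-List
```

Empty ExtraInboundRules and AdaptersWithIPv6 lists mean the firewall and IPv6 steps took effect; compare the result with the NMAP scan from the DC machine.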
Lab 24: IIS under attack
Machines used in this Lab: DC, NODE1/WEBA/WEBB
Internet Information Services is a great web platform that can host websites created with many
different technologies. IIS has been improved year by year, ending up with great functionality,
good performance and well-designed security concepts. When under attack, IIS
monitors traffic in a very efficient way. The goal of this exercise is to understand how to get access
to this information and how to test the platform by performing several performance attacks.
Starting your lab environment
1. Launch DC VM and wait until it starts
2. Logon as CQURE\Administrator with password Passw0rd
3. Launch NODE1 machine
4. Logon as CQURE\Administrator with password Passw0rd
Preparing stress tool
1. Switch to DC machine
2. Mount provided ISO file and find the document named scenario1.txt. Copy it to the
desktop.
3. Review scenario1.txt file. It contains data used to generate http traffic.
4. Install WCAT
a. Launch wcat.amd64.msi
b. Press Next
c. Accept license agreement and press Next
d. Click Complete
e. Click Install
f. Click Continue and Finish
g. Review instructions and close notepad window
5. Launch cmd.exe
6. Change working directory - type: cd "C:\Program Files\wcat"
7. Copy scenario file - type: copy "%userprofile%\desktop\scenario1.txt" "C:\Program
Files\wcat"
8. Set cscript as default script host- type: cscript //H:Cscript
9. Install wcat client – type: wcat.wsf -terminate -update -clients localhost
10. Launch wcat – type: wcat -run -s NODE1.CQURE.TEC -v 1 -t scenario1.txt
a. If you think that the generated traffic is too low, you can increase the value specified
after the -v parameter
11. Do not close command prompt window. It allows you to easily re-launch wcat utility
Using logparser
1. Switch to NODE1 machine
2. Log on as CQURE\Administrator // Passw0rd
3. Install IIS Server Role
4. Mount provided ISO file and find the file named LogParser.msi.
5. Launch LogParser.msi
6. Click Next
7. Accept license terms and click Next
8. Click Complete
9. Click Install
10. Wait until installation finishes and click Finish
11. Launch Log Parser 2.2
12. Review LogParser help displayed on the screen and try to create some queries:
a. Count entries in logs: logparser -i:IISW3C "SELECT count(*) FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log"
b. Count http errors: logparser -i:IISW3C "SELECT count(*) FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE sc-status<>200"
c. Details of http errors: logparser -i:IISW3C "SELECT top 10 sc-status, date, time, cs-uri-stem FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log WHERE sc-status<>200"
d. Processing times: logparser -i:iisw3c "SELECT TOP 10 cs-uri-stem AS Url, MIN(time-taken) as [Min], AVG(time-taken) AS [Avg], max(time-taken) AS [Max], count(time-taken) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log GROUP BY Url ORDER BY [Avg] DESC"
e. List top 20 longest requests: logparser -i:IISW3C "SELECT top 20 cs-uri-stem,date,time,time-taken FROM C:\inetpub\logs\LogFiles\W3SVC1\*.log ORDER BY time-taken DESC"
13. Remember that IIS logs time in UTC, so it may differ from your local time.
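The Log Parser queries above count errors and rank slow requests across all clients; the added example below (not part of the original lab) parses the same W3C format in PowerShell and groups 404 responses per client address, which is what separates one mistyped URL from an automated scan. The function names, the constructed log lines and the threshold of five 404s are assumptions.

```powershell
# Added example. The log text is constructed sample data in IIS W3C extended format.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-04-22 09:15:01
#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken
2014-04-22 09:15:01 GET / 10.10.10.10 200 15
2014-04-22 09:15:02 GET /iisstart.png 10.10.10.10 200 31
2014-04-22 09:15:40 GET /fakepath1 10.10.10.50 404 2
2014-04-22 09:15:40 GET /fakepath2 10.10.10.50 404 1
2014-04-22 09:15:41 GET /fakepath3 10.10.10.50 404 1
2014-04-22 09:15:41 GET /test1/ 10.10.10.50 403 3
2014-04-22 09:15:41 GET /fakepath4 10.10.10.50 404 1
2014-04-22 09:15:42 GET /fakepath5 10.10.10.50 404 2
2014-04-22 09:16:10 GET /favicon.ico 10.10.10.10 404 4
2014-04-22 09:16:30 GET /report.aspx 10.10.10.10 200 2840
'@ -split "`r?`n"

function ConvertFrom-IisW3CLog {
    param([Parameter(Mandatory = $true)][string[]]$Line)

    $fields = @()
    foreach ($l in $Line) {
        # The #Fields directive names the columns and can change when logging is reconfigured.
        if ($l -like '#Fields:*') {
            $fields = $l.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($l.StartsWith('#') -or -not $l.Trim()) { continue }

        $values = $l -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated or malformed rows

        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # IIS writes date and time in UTC; add a local-time copy for correlation.
        # Assumes the date and time fields are both selected for logging.
        $utc = [datetime]::ParseExact("$($row['date']) $($row['time'])",
            'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        $row['LocalTime'] = [datetime]::SpecifyKind($utc, [DateTimeKind]::Utc).ToLocalTime()

        [pscustomobject]$row
    }
}

function Find-NotFoundBurst {
    param(
        [Parameter(Mandatory = $true)][object[]]$Entry,
        [int]$MinNotFound = 5    # assumed threshold; tune it against your own baseline
    )

    $Entry | Where-Object { $_.'sc-status' -eq '404' } |
        Group-Object -Property 'c-ip' |
        Where-Object { $_.Count -ge $MinNotFound } |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object LocalTime)
            [pscustomobject]@{
                ClientIp     = $_.Name
                NotFound     = $_.Count
                DistinctUrls = @($_.Group | Select-Object -ExpandProperty 'cs-uri-stem' -Unique).Count
                FirstSeen    = $ordered[0].LocalTime
                LastSeen     = $ordered[-1].LocalTime
            }
        }
}

$entries = ConvertFrom-IisW3CLog -Line $sampleLog

# Clients with a burst of 404 responses
Find-NotFoundBurst -Entry $entries -MinNotFound 5 | Format-Table -AutoSize

# Three slowest requests (time-taken is in milliseconds), same idea as query e above
$entries | Sort-Object { [int]$_.'time-taken' } -Descending |
    Select-Object -First 3 -Property LocalTime, 'cs-uri-stem', 'time-taken' |
    Format-Table -AutoSize
```

To run it against the lab server, pass the output of Get-Content for a file in C:\inetpub\logs\LogFiles\W3SVC1 as -Line.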
Using performance monitor
1. Switch to NODE1
2. Launch cmd.exe and type: perfmon
3. Select Performance Monitor entry in the left pane
4. Click on the green plus sign on the toolbar and add counters:
a. Web Service\Anonymous Users/sec
b. Web Service\Bytes Total/sec\_Total
c. Web Service\Current Connections\_Total
d. Web Service\Not Found Errors/sec\_Total - this counter is useful if you'd like
to detect automated scanning scripts.
e. Network interface\Bytes Received/sec\<All Instances> - you can delete
unused network interface cards later
f. Network interface\Bytes Sent/sec\<All Instances> - you can delete unused
network interface cards later
5. Check whether perfmon shows anything other than zero
6. Switch to DC
7. Launch Internet Explorer, open NODE1.CQURE.TEC website and press Ctrl+F5 several
times
8. Switch to NODE1
9. Freeze perfmon using Pause button on the toolbar
10. Observe the performance counter values. They are important because they serve as a
baseline for the administrator. It is easier to detect attacks if the administrator knows the
everyday behavior of the server
11. Un-freeze perfmon
12. Switch to DC and re-launch wcat
13. Switch to NODE1 and observe perfmon counters
14. Remember about these tips:
a. You can highlight perfmon graphs using Ctrl+H shortcut. It is extremely useful if
you have more than 5 counters active
b. The suggested set of counters is optimized for attack detection. Perfmon is also
very useful for everyday performance monitoring of web applications.
c. If some counters are useless, just delete them. You can also add new counters
any time.
d. You can double click any counter and change its scale. It allows you to monitor
values that are constantly below or above the display scale, like Bytes Total/sec
e. Look at IIS hardening lab and consider using Dynamic IP Restrictions for
preventing some types of attacks.
Using traces
1. Switch to NODE1
2. Launch Server Manager
3. Add Role.
4. Right click Add Role Services in the Web Server (IIS) section in the right pane
5. Check Tracing option in the Health and Diagnostics section
6. Click Next
7. Click Install and then Close
8. Launch Internet Information Services (IIS) Manager
9. Expand Sites in the left pane and select Default Web Site entry
10. Double click Failed Request Tracing Rules in the central pane
11. Click Add in the right pane
12. Leave default All content (*) entry selected and click Next
13. Clear all checkboxes except Status code and enter 404 then press Next. This error code
means page not found
14. Leave default providers selected and press Finish
15. Click Edit Site Tracing in the right pane
16. Select Enable and remember location for traces. Then press OK
17. Switch to DC machine
18. Open Internet Explorer and enter URL: NODE1.CQURE.TEC/fakepath
19. Check whether new files appeared in C:\inetpub\logs\FailedReqLogFiles\W3SVC1
20. Double click last one of XML files created
21. Click Add and add about:blank if asked about security settings by Internet Explorer
22. Review trace data using Request Summary, Request Details (with sub-tabs) and
Compact View tab. Remember that the trace for a non-existing URL is very simple. It gives
some idea of the level of detail, but traces in real-life scenarios may be more complicated.
IIS logging can provide a lot of information about how a website behaves under certain
conditions. Logs can be converted to many formats, including output from the Performance
Monitor that shows you, for example, a network bandwidth usage graph.
When you finish the lab, revert the virtual machines to their initial state. To do this, from NODE1
Virtual Machine window click Media Menu and choose “Apply Snapshot”.
Lab 25: Logging
Machines used in this Lab: DC, WEBB
Examine and configure logging options
1. On WEBB, in Internet Information Services (IIS) Manager, in the Connections pane,
click WEBB.
2. In the details pane, in the Health and Diagnostics section, double-click Logging.
3. Notice that the Log File Rollover Schedule is set for Daily.
4. Select Use local time for file naming and rollover.
5. In the Actions pane, click Apply.
Test the logging operations
1. In Internet Explorer, click the Refresh button.
2. In Windows Explorer, browse to C:\inetpub\logs\LogFiles\W3SVC1.
3. In the details pane, double-click the newest log file. Notice the most recent log entries
at the bottom of the log. Notice that the log entries include a number of lines with the
word “GET.”
Question: What does the word “GET” mean in this log file?
Answer: The GET commands indicate requests from the client to the Web server to retrieve the
Web pages and images.
Lab 26: Delegation and Remote Administration
Machines used in this Lab: DC, WEBB
Start the DC virtual machine and log on as CQURE\Administrator
Start the WEBB virtual machine and log on as CQURE\Administrator
Configure WEBB for remote administration
1. On WEBB, Open | Administrative Tools | Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager connections pane, click
WEBB(CQURE\Administrator).
3. In the details pane, in the Management section, double-click Management Service.
4. Select Enable remote connections.
5. Click Windows credentials or IIS Manager credentials.
6. In the Actions pane, click Apply.
7. Click Start.
Test WEBB remote administration
1. On DC, Open and click Server Manager. In the Server Manager console pane, click
Roles.
2. Right-click Roles, and then click Add Roles.
3. The Add Roles Wizard appears. Click Next.
4. In the Roles box, select Web Server (IIS).
5. The Add Roles Wizard dialog box appears. Click Add Required Features.
6. Click Next twice.
7. In the Role services box, clear all check boxes except for IIS Management Console.
8. Click Next, and then click Install.
9. When the installation completes, click Close.
10. Open | Administrative Tools| Internet Information Services (IIS) Manager.
11. In the details pane, click Connect to a server.
12. The Connect to Server wizard appears. In the Server name field, type WEBB, and then
click Next.
13. On the Provide Credentials page, in the User name field, type
14. In the Password field, type Passw0rd, and then click Next.
15. The Server Certificate Alert dialog box appears. Click Connect.
16. The Specify a Connection Name dialog box appears. Click Finish.
17. In the Connections pane, expand WEBB | Sites and then click Default Web Site.
Question: Is the IIS Management Service available for configuration remotely?
Answer: No, this service can only be configured locally
18. In the details pane, in the IIS section, double-click Default Document.
19. Click index.htm.
20. In the Actions pane, click Move Up.
21. The Default Document dialog box appears. Click Yes.
22. In the Actions pane, click Move Up.
In order to proceed to the next Lab don't revert WEBB.
Lab 27: Configuring Delegated Administration
Machines used in this Lab: DC, WEBB
Configure delegated administration for the Human Resources site
1. On WEBB, Open | Computer and then browse the lab files in Step6.
2. Right-click RaccoonsHRSite, and then click Properties, Sharing and then Advanced
Sharing.
3. Check Share this folder checkbox and then click Permissions
4. Allow everyone full control and click OK twice
5. Click Close
6. Open Internet Information Services (IIS) Manager. Go to the Management Service feature
and verify that the management service is running and remote connections are enabled.
7. In the Internet Information Services (IIS) Manager Connections pane, expand Sites,
and then click HR.
8. In the details pane, in the Management section, double-click IIS Manager Permissions.
9. In the Actions pane, click Allow User.
10. The Allow User dialog box appears. In the Windows field, type Herbert and then click
OK.
11. Add Herbert as a user that can Modify the content of the HR application folder.
Share the Raccoons Sales Web Site
1. In Windows Explorer, browse to Step6
2. Right-click RaccoonsSalesSite, and then click Properties, Sharing and then Advanced
Sharing
3. Check Share this folder checkbox and then click Permissions
4. Allow everyone full control and click OK twice
5. Click Close
(Steps 1-20 described below are optional. You have already gained experience with delegation
in the steps above. The part below is an extension that shows another approach based on file
editing and using shares.)
Configure delegated administration for the Sales site
1. Open, and click Run, then type Notepad, and then press ENTER.
2. The Notepad window opens. On the File menu, click Open.
3. The Open dialog box appears. In the Text Documents list, click All Files.
4. Browse to C:\windows\system32\inetsrv\config.
5. Click applicationHost.config, and then click Open.
6. Scroll down to the <authentication> tag in the <security> section and delete the
following text for the Sales site:
<anonymousAuthentication enabled="true" userName="IUSR" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication />
<digestAuthentication />
<iisClientCertificateMappingAuthentication />
<windowsAuthentication />
7. On the File menu, click Save.
8. On the File menu, click Open.
9. The Open dialog box appears. Browse to Labfiles (Step 6).
10. Click EnableAnonymousAuthentication.txt, and then click Open.
11. On the Edit menu, click Select All.
12. On the Edit menu, click Copy.
13. On the File menu, click Open.
14. The Open dialog box appears. In the Text Documents list, click All Files.
15. Browse to C:\windows\system32\inetsrv\config.
16. Click applicationHost.config, and then click Open.
17. Scroll to the end of the applicationhost.config file and put the cursor on the line before
</configuration>.
18. On the Edit menu, click Paste.
19. On the File menu, click Save.
20. Close Notepad.
Test delegated administration for the Human Resources and Sales sites
1. Switch to WEBA.
2. Log on as CQURE\herbert with a password of Passw0rd.
3. Open Internet Information Services (IIS) Manager.
4. In the details pane, click Connect to a site.
5. The Connect to Site dialog box appears. In the Server name field, type WEBB.
6. In the Site name field, type HR, and then click Next.
7. The Provide Credentials page appears. In the User name field, type [email protected].
8. In the Password field, type Passw0rd and then click Next.
9. The Server Certificate Alert dialog box appears. Click Connect.
10. The Specify a Connection Name dialog box appears. In the Connection Name field, type
Human Resources Site and then click Finish.
11. In the Connections pane, click Start Page.
12. In the details pane, click Connect to a site.
13. The Connect to Site dialog box appears. In the Server name field, type WEBB.
14. In the Site Name dialog box, type Sales, and then click Next.
15. The Provide Credentials page appears. In the User name field, type
16. In the Password field, type Passw0rd, and then click Next.
17. The Connect to Site dialog box appears with an error stating that the user is not
authorized to connect to the specified computer.
Question: Why does this error occur?
Answer: This error occurs because Herbert was not granted IIS Manager permission on the Sales
site.
18. Click OK.
19. Click Cancel.
20. Close Internet Information Service (IIS) Manager.
21. The Internet Information Service (IIS) Manager dialog box appears, asking if you want
to save changes. Click No.
(Steps 22-45 are optional. You have already gained experience with delegation in the steps above.
These steps are an extension that shows another approach based on file editing and using shares.)
22. Switch User.
23. Log on as CQURE\betsy with a password of Passw0rd.
24. Click Start, and click Run, then type Notepad, and then press Enter.
25. The Notepad window opens.
26. On the File menu, click Open.
27. The Open dialog box appears. Browse to Step6
28. Click Disable Authentications, and then click Open.
29. On the Edit menu, click Select All.
30. On the Edit menu, click Copy.
31. On the File menu, click Open.
32. The Open dialog box appears. In the File name field, type
\\WEBB\RaccoonsSalesSite\Web.Config and then click Open.
33. Scroll to the end of the Web.Config file and put the cursor on the line before
</configuration>.
34. On the Edit menu, click Paste.
35. On the File menu, click Save.
36. Close Notepad.
37. Open Internet Explorer.
38. The Windows Internet Explorer window opens. Browse to http://sales.CQURE.TEC.
39. Notice error 401 indicating that the user does not have permission to view this page.
Question: Why does the server report this error?
Answer: The server reports a 401 error because both Anonymous Authentication and Windows
Authentication have been disabled. The web server is unable to service a request for a web page
if no means for authentication are configured.
40. Click Start, and click Run, then type Notepad, and then press Enter.
41. The Notepad window opens.
42. On the File menu, click Open.
43. The Open dialog box appears. In the File name field, type
\\WEBB\RaccoonsHRSite\Web.Config and then click Open.
44. The Network Error dialog box appears. Click See details and note the resulting error and
notice that it says access is denied.
45. Click Cancel twice and then close Notepad.
In order to proceed to the next Lab don't revert WEBB.
Lab 28: Configuring Feature Delegation
Machines used in this Lab: DC, WEBB
Configure feature delegation for the Human Resources and Sales sites
1. On WEBB, in the Internet Information Services (IIS) Manager Connections pane, click
WEBB.
2. In the details pane, in the Management section, double-click Feature Delegation.
3. Click Error Pages.
4. In the Actions pane, click Read/Write.
Test feature delegation for the Human Resources site
1. On DC, Switch User.
2. Log on as CQURE\Herbert with a password of Passw0rd.
3. Open Administrative Tools| Internet Information Services (IIS) Manager.
4. The User Account Control dialog box appears. In the Password field, type Passw0rd, and
then click OK.
5. In the details pane, click Connect to a site.
6. The Connect to Site dialog box appears. In the Server name field, type WEBB.
7. In the Site Name dialog box, type HR, and then click Next.
8. The Provide Credentials page appears. In the User name field, type [email protected].
9. In the Password field, type Passw0rd, and then click Next.
10. The Server Certificate Alert dialog box appears. Click Connect.
11. The Specify a Connection Name dialog box appears. In the Connection Name field,
type Human Resources Site and then click Finish.
12. In the Connections pane, click Human Resources Site.
13. In the details pane, in the IIS section, double-click Error Pages.
14. Right-click the line beginning with 404, and then click Edit.
15. The Edit Custom Error Page dialog box appears. Click Execute a URL on this site.
16. In the URL (relative to site root) field, type /ErrorPages/custom404.htm and then click
OK.
17. Open Internet Explorer.
18. The Internet Explorer window opens. Browse to
http://hr.CQURE.TEC/missingpage.htm.
19. Note that the custom error page is displayed.
In order to proceed to the next Lab revert WEBB to default state.
Lab 29: Automating webserver management
Machines used in this Lab: DC, WEBB
Verifying address resolution
1. On the DC machine open cmd.exe and try to ping www.contoso.com
2. If the name is not recognized:
a. Open DNS Management Console and expand "Forward Lookup Zones" and
then "contoso.com".
b. Right-click the zone and select "New Alias (CNAME)".
c. Type "www" as alias name and "webb.cqure.tec" as FQDN for target host.
d. Click OK
e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name
resolution cache.
f. Ping www.contoso.com and verify if name is resolved correctly.
3. Ping test123.acme.net
4. If the name is not recognized:
a. Open DNS Management Console and expand "Forward Lookup Zones" and
then "acme.net".
b. Right-click the zone and select "New Alias (CNAME)".
c. Type "*" as alias name and "webb.cqure.tec" as FQDN for target host.
d. Click OK
e. Return to the cmd.exe window and type "ipconfig /flushdns" to clean the name
resolution cache.
f. Ping test123.acme.net and verify if name is resolved correctly.
PowerShell loop
22. Switch to WEBB machine
23. Log on as Administrator
24. Launch PowerShell ISE
25. Create a new script by pressing Ctrl+N
26. Test simple loop by typing in the upper pane:
for ($i=10001; $i -le 10100; $i++) {Write-Host ("app{0}" -f $i)}
and press F5
27. Does it work as expected?
Creating website
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
New-Website -Name "pstest" -HostHeader "pstest.acme.net" -PhysicalPath
"$env:systemdrive\inetpub\wwwroot\acme"
and press F5
3. Do you know why "$env:systemdrive" syntax was used?
4. Launch Internet Information Services (IIS) Manager
5. Verify if "pstest" site was created correctly
6. Do you expect that typing http://pstest.acme.net in your web browser will work OK?
Adding the new binding to a website
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
New-Webbinding -Name "pstest" -Protocol "https" -Port 443 -HostHeader
"pstest.acme.net" -SslFlags 3
and press F5
3. Switch to Internet Information Services (IIS) Manager
4. Verify if "pstest" site has two bindings – one for http and one for https with SNI and CCS
options enabled
5. Do you expect that typing https://pstest.acme.net in your web browser will work OK?
Removing website
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
Remove-Website -Name "pstest"
and press F5
3. Switch to Internet Information Services (IIS) Manager
4. Verify if "pstest" site was deleted.
Combining scripts together
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
for ($i=10001; $i -le 10100; $i++)
{
New-Website -Name ("app{0}" -f $i) -HostHeader ("app{0}.acme.net" -f $i) -PhysicalPath
"$env:systemdrive\inetpub\wwwroot\acme"
New-Webbinding -Name ("app{0}" -f $i) -Protocol "https" -Port 443 -HostHeader
("app{0}.acme.net" -f $i) -SslFlags 3
}
and press F5
3. Switch to Internet Information Services (IIS) Manager and verify if sites are created
properly
4. You can browse any of your new websites by selecting website name in the left pane and
then clicking on the "Browse..." icon in the right pane
Cleaning app* sites
1. In the PowerShell ISE create new script by pressing Ctrl+N
2. Type in the upper pane:
Remove-Website -Name "app10*"
and press F5
Generating scripts
1. Launch Internet Information Services (IIS) Manager
2. Select any of websites in the left pane
3. Double click "Directory Browsing" icon in the central pane and verify (in the right pane) if
it is disabled
4. Click on the website name again
5. Double click "Configuration editor" in the central pane
6. In the "Section" listbox select the system.webServer/directoryBrowse entry
7. Look at two settings available: enabled and showFlags
8. Change the value for "enabled" to "True"
9. Click "Generate Script" in the right pane
10. Switch to "PowerShell" tab
11. Copy all text and paste it into a new tab in PowerShell ISE. Do not press F5 yet.
12. Switch to Internet Information Services (IIS) Manager and click "Close" and then "Cancel"
in the right pane
13. Verify if directory browsing is still disabled
14. Start the script in the PowerShell ISE by pressing F5
15. Verify directory browsing configuration in Internet Information Services (IIS) Manager
Lab 30: Command-line and Scripting for IIS
Machines used in this Lab: DC, WEBB
Start the WEBB virtual machine and log on as CQURE\Administrator
Use PowerShell to identify all services
1. On WEBB, open Windows PowerShell.
2. At the Windows PowerShell prompt, type get-service and then press Enter. Notice the
status, name, and display name of each service.
Use PowerShell to identify running services that start with a “w”
1. Type get-service -include w* | sort-object -property status and then press Enter.
2. Notice the list of services that begin with a “w” with the “stopped” services listed first.
3. Type stop-service -servicename w3svc and then press Enter.
4. Type get-service -servicename w3svc and then press Enter.
5. Start the w3svc service using PowerShell.
6. Type start-service -servicename w3svc and then press Enter.
7. Type get-service -servicename w3svc and then press Enter.
List PowerShell.exe process using the get-wmiobject cmdlet
1. Type Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'" and then press Enter.
2. Notice the detailed information for the powershell.exe process.
Question: What operating system is listed in the details?
Answer: Microsoft Windows Server 2012.
Load Microsoft.Web.Administration.dll
1. On WEBB, in PowerShell, type
[System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll")
and then press Enter.
2. Notice the GAC, version and location for the Microsoft.Web.Administration.dll, which
signifies the DLL file was loaded.
3. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites and then
press Enter.
4. Notice the detailed information for the sites on the server.
5. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name}
and then press Enter.
6. Notice the names of the Websites on the server.
7. Type function findsite {$name=$args[0]; ((New-Object Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name -match $name}); }
and then press Enter.
Question: This command line didn't return any values. What did it do?
Answer: This command line created the command findsite, which integrates the
Microsoft.Web.Administration module into an easy-to-use single command.
1. Type findsite default* and then press Enter.
2. Notice the detailed information for the default Website.
3. Type (findsite default*).ID and then press Enter.
4. Notice the ID for the default Website: 1.
5. Type (findsite default*).Stop() and then press Enter.
6. Notice the status for the default Website is now “stopped”.
7. Type (findsite default*).Start() and then press Enter.
8. Notice the output is “unknown”.
Question: Why does the command return an output value of “unknown”?
Answer: Because it attempted to start the default Web site without first checking to see if it was
stopped or checking the result.
9. Type (findsite default*).State and then press Enter.
10. Notice the status for the default Website is now “started”.
Results: After this exercise, you should have successfully used Microsoft.Web.Administration to
gather Website information and created a function to start and stop the default Website.
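The "unknown" result above comes from calling Start() without checking the site's state before or after the call. The following is an added example, not part of the CQURE lab files, of a wrapper that checks first and then polls for the settled state. The names Find-IisSite and Set-IisSiteState are hypothetical, the assembly is assumed to be loaded as in step 1, and the lookup uses -like (wildcard) where the lab's findsite uses -match (regular expression).

```powershell
# Added example. Assumes an elevated PowerShell 3.0+ session on the web server and
# that Microsoft.Web.Administration.dll was loaded as in step 1 of this exercise.

function Find-IisSite {                 # hypothetical helper name
    param([Parameter(Mandatory)][string]$Pattern)

    # A fresh ServerManager per lookup, as the lab's findsite does, so that the
    # State we read is current rather than cached.
    $manager = New-Object Microsoft.Web.Administration.ServerManager

    # -like treats 'Default*' as a wildcard; -match would read it as a regex.
    $found = @($manager.Sites | Where-Object { $_.Name -like $Pattern })
    if ($found.Count -ne 1) {
        throw "Pattern '$Pattern' matched $($found.Count) sites; expected exactly one."
    }
    $found[0]
}

function Set-IisSiteState {             # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][ValidateSet('Started', 'Stopped')][string]$Desired,
        [int]$TimeoutSeconds = 10
    )

    $site   = Find-IisSite -Pattern $Pattern
    $before = "$($site.State)"

    if ($before -ne $Desired) {
        # The value returned by Start()/Stop() is not the settled state (the lab
        # sees "unknown"), so discard it and poll for the final state instead.
        if ($Desired -eq 'Started') { [void]$site.Start() } else { [void]$site.Stop() }

        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Milliseconds 250
            $site = Find-IisSite -Pattern $Pattern
        } while ("$($site.State)" -ne $Desired -and (Get-Date) -lt $deadline)

        if ("$($site.State)" -ne $Desired) {
            throw "Site '$($site.Name)' is '$($site.State)' after $TimeoutSeconds s; wanted '$Desired'."
        }
    }

    # Report what happened so a calling script can log or assert on it.
    [pscustomobject]@{
        Site    = $site.Name
        Before  = $before
        After   = "$($site.State)"
        Changed = ($before -ne $Desired)
    }
}

# Usage: the stop/start sequence the lab performs by hand.
# Set-IisSiteState -Pattern 'Default*' -Desired Stopped
# Set-IisSiteState -Pattern 'Default*' -Desired Started
```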
Create Microsoft.PowerShell profile script to automatically load assemblies
1. On WEBB, in PowerShell, type if (test-path $profile) {echo "Path exists."} else
{new-item -path $profile -itemtype file -force}; notepad $profile and then press Enter.
2. The Notepad window opens. Type the following:
echo "Microsoft IIS Environment Loader"
echo "Copyright 2006 Microsoft Corporation. All rights reserved."
echo "Loading IIS Managed Assemblies"
$inetsrvDir = (join-path -path $env:windir -childPath "\system32\inetsrv\")
Get-ChildItem -Path (join-path -path $inetsrvDir -childPath "Microsoft*.dll") |
ForEach-Object {[System.Reflection.Assembly]::LoadFrom((join-path -path $inetsrvDir -childPath $_.Name))}
echo "Assemblies loaded."
3. On the File menu, click Save.
4. Minimize but do not close Notepad.
5. In Windows PowerShell, type get-executionpolicy and then press Enter.
6. Notice the execution policy is set to “restricted”.
7. Type set-ExecutionPolicy Unrestricted and then press Enter.
8. In Notepad, at the end of the script, type, new-variable iismgr -value (New-Object
Microsoft.Web.Administration.ServerManager) -scope "global".
9. On the File menu, click Save.
10. Minimize but do not close Notepad.
11. Close Windows PowerShell and then reopen it.
12. Notice the script information that now executes when you open PowerShell.
13. Type $iismgr.Sites and then press Enter.
14. Notice the site information that is displayed.
15. Close Windows PowerShell.
1. Browse to Step7\Scripts.
2. Right-click iis.type.ps1xml, and then click Edit.
3. The Notepad window opens. Review the code.
4. On the File menu, click Save As.
5. The Save As dialog box appears. In the Save as type list, click All Files.
6. Browse to C:\windows\System32\WindowsPowerShell\v1.0 and then click Save.
7. Close Notepad.
8. Restore Notepad. At the end of the script, type the following:
new-variable iissites -value (New-Object Microsoft.Web.Administration.ServerManager).Sites -scope "global"
new-variable iisapppools -value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools -scope "global"
update-typedata -append (join-path -path $PSHome -childPath "iis.types.ps1xml")
9. On the File menu, click Save.
10. Close Notepad.
11. Open Windows PowerShell 1.0 | Windows PowerShell.
12. The Windows PowerShell window opens. Type $iissites.Find("^Default*") and then
press Enter.
13. Notice the details for the default Website are listed.
1. In Windows Explorer, browse to
Step7\Scripts\CreateWebsite\CreateWebsite\CreateWebsite.
2. Double-click CreateWebsite.cs.
3. The Notepad window opens. Review the code, and then close Notepad.
4. In Windows Explorer, browse to
Step7\Scripts\CreateWebsite\CreateWebsite\CreateWebsite\bin\Debug.
5. Right-click CreateWebsite.exe, and then click Copy.
6. Browse to C:\ and then click Paste.
7. In Windows PowerShell, type c:\CreateWebsite.exe and then press Enter.
8. Type $iissites.Find("^NewSite*") and then press Enter.
9. Notice the details for the new Website are listed.
Lab 31: Manage IIS tasks using WMI and AppCmd
Machines used in this Lab: DC, WEBB
Use AppCmd to identify tasks running on the Web server
1. On WEBB, Open Command Prompt.
2. Type cd c:\windows\system32\inetsrv and then press Enter.
3. Type appcmd list wp and then press Enter.
4. Notice this command lists the current running worker processes. If the command doesn’t
list any results, there aren’t any worker processes running.
5. Type appcmd list apppool and then press Enter.
6. Notice the currently running application pools are listed.
7. Type appcmd list apppool /xml | appcmd recycle apppool /in and then press Enter.
8. Notice the message is displayed ““DefaultAppPool” successfully recycled”.
9. Type appcmd list app /site.name:"NewSite" /xml | appcmd set app /in
/applicationPool:NewAppPool and then press Enter.
10. Notice the following is displayed “APP object “NewSite/” changed”.
Store configuration information to file, and then restore the configuration information
1. Type appcmd list config "Default Web Site/" /section:caching /xml /config >
config.xml and then press Enter.
2. Type appcmd set config "Default Web Site/" /in < config.xml and then press Enter.
3. Notice the configuration changes were applied to the Default Web Site.
Use WMI to list the Default Web Site on the Web server
1. Open Notepad and then press Enter.
2. The Notepad window opens. Type:
Set oIIS = GetObject("winmgmts:root\WebAdministration")
Set oSite = oIIS.Get("Site.Name='Default Web Site'")
WScript.Echo "Retrieved an instance of Site"
WScript.Echo "Name: " & oSite.Name
WScript.Echo "ID: " & oSite.ID
3. On the File menu, click Save.
4. The Save As dialog box appears. In the File name field, type C:\GetSite.vbs.
5. In the Save as type list, click All Files, and then click Save.
6. Close Notepad.
7. From the command prompt, type cd \, and then press Enter.
8. Type cscript //h:cscript, and then press Enter.
9. Notice the default script has been set to “cscript.exe”.
10. Type getsite.vbs, and then press Enter.
11. Notice the Web site name and ID are displayed.
Lab 32: Tuning IIS
Machines used in this Lab: DC, WEBA
Start the DC virtual machine
Start the WEBA virtual machine and log on as CQURE\Administrator
ASP.NET and Dynamic Content Compression features
1. On WEBA, go to roles management, right-click Web Server (IIS), and then click Add
Role Services. Verify if ASP.NET 4.5 is installed.
2. In the Performance section, select Dynamic Content Compression.
3. Click Next and then click Install.
4. When the installation completes, click Close.
5. In the details pane, in the Role Services section, notice that ASP.NET and Dynamic
Content Compression are listed as Installed.
6. Open Internet Information Services (IIS) Manager.
7. In the Connections pane, expand WEBA | Sites and then click Default Web Site.
8. In the Actions pane, click View Applications.
9. Click Add Application.
10. The Add Application dialog box appears. In the Alias field, type SalesSupport.
11. Next to the Physical path field, click the Browse (...) button.
12. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then
click Make New Folder.
13. Type SalesSupport and then click OK.
14. Click OK.
15. Open Computer and then browse to Step10\SalesSupport.
16. Select all, then right-click and click Copy.
17. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.
Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy
1. Open Command Prompt.
2. Type cd \inetpub\wwwroot and then press Enter.
3. Type md SalesSupport2 and then press Enter.
4. Type xcopy /e SalesSupport\*.* SalesSupport2.
5. Notice that 36 files are copied.
6. At the command prompt locate the labfiles location.
7. Enter the following path: Step10\SalesSupport2 and then press Enter.
8. Type xcopy /e *.* c:\inetpub\wwwroot\salessupport2 and then press Enter.
9. When prompted to overwrite files, press A for all.
10. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
11. In the Actions pane, click View Applications. Click Add Application.
12. The Add Application dialog box appears. In the Alias field, type SalesSupport2.
13. Next to the Physical path field, click the Browse (...) button.
14. The Browse For Folder dialog box appears. Browse to
C:\inetpub\wwwroot\SalesSupport2, and then click OK twice.
Create and assign an application pool for SalesSupport2 and test functionality
1. In the Connections pane, click Application Pools.
2. In the Actions pane, click Add Application Pool.
1. The Add Application Pool dialog box appears. In the Name field, type SalesSupport2
and then click OK.
3. In the Connections pane, expand Default Web Site and then click SalesSupport2.
4. In the Actions pane, click Basic Settings.
5. The Edit Application dialog box appears. Click Select.
2. The Select Application Pool dialog box appears. In the Application pool list, click
SalesSupport2, and then click OK twice.
6. Open Internet Explorer.
7. The Windows Internet Explorer window opens. Browse to
http://localhost/salessupport.
8. Notice that the Raccoons Bank Sales Support page loads successfully.
9. In Internet Explorer, browse to http://localhost/salessupport2.
10. Notice that the Raccoons Bank Sales Support page version 2.0 loads successfully.
Use Performance Monitor to measure performance
1. On WEBA, open Reliability and Performance Monitor.
2. In the console pane, click Performance Monitor.
3. In the details pane, right-click the graph, and then click Remove All Counters.
4. The Performance Monitor Control dialog box appears. Click OK.
5. Above the graph, click the Add button (green plus).
6. The Add Counters dialog box appears. In the Available counters list, scroll down, and
then expand Web Service.
7. Click Bytes Sent/sec.
8. In the Instances of selected object field, click <All instances>.
9. Click Add, and then click OK.
10. With Reliability and Performance monitor running, in Internet Explorer, browse to
http://localhost/salessupport/test.aspx.
11. After the page loads, click Refresh several times rapidly. Notice that the dynamically
generated time updates each time you refresh.
12. Close Internet Explorer.
13. In Reliability and Performance Monitor, notice that the graph reflects the throughput.
Note that you can right-click the graph and then click Scale Selected Counters to get a
better representation. You may need to do this a couple of times to get a zoomed in
view of the data.
Configure Output Caching
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand
WEBA(CQURE)| Sites | Default Web Site and then click SalesSupport.
2. In the details pane, in the IIS section, double-click Output Caching.
3. In the Actions pane, click Add.
4. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.
5. Select Kernel-mode caching.
6. Click At time intervals, and then delete the existing text and type 00:00:10.
7. Click OK.
8. Open Internet Explorer, and browse to http://localhost/salessupport/test.aspx.
9. Click Refresh several times rapidly for at least 30 seconds.
10. Notice that the time updates only every 10 seconds after the first couple of loads and
that the subsequent loads are much faster.
11. In Internet Explorer, browse to http://localhost/salessupport2/test.aspx.
12. Click Refresh several times rapidly.
13. Notice that the time updates with each load.
14. In Reliability and Performance monitor, compare the two peaks for throughput on the
graph. Notice that the first peak has higher throughput than the second.
Configure Compression
1. In Internet Explorer, browse to http://localhost.
2. Click Refresh several times rapidly.
3. In Reliability and Performance Monitor, note the throughput on the graph.
4. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
5. In the details pane, in the IIS section, double-click Compression.
6. Clear the Enable static content compression check box.
7. In the Actions pane, click Apply.
8. In Internet Explorer, browse to http://localhost.
9. Click Refresh several times rapidly.
10. In Reliability and Performance Monitor, note the throughput on the graph. There should
not be much change for static compression.
Question: Why does the graph show little or no change?
Answer: Static compression is cached. Only the first page load requires processing the
compression.
11. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.
12. Click Refresh several times rapidly.
13. In Reliability and Performance Monitor, note the throughput on the graph.
14. In Internet Information Services (IIS) Manager, in the details pane, select Enable
dynamic content compression.
15. In the Actions pane, click Apply.
16. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.
17. Click Refresh several times rapidly.
18. Close Internet Explorer.
19. In Reliability and Performance Monitor, note the throughput on the graph. The
throughput has decreased because dynamic compression negates dynamic output
caching.
Configure connection limit throttling
1. Open Internet Explorer, and browse to http://localhost.
2. Right click the IIS tab, and then click New Tab.
3. In the new tab, browse to http://localhost.
4. Repeat to create another new tab, and then browse to http://localhost.
5. You should have three tabs open. Right-click one of the tabs, and then click Refresh All.
6. Notice that all of the tabs refresh successfully.
7. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
8. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
9. In the Actions pane, click Limits.
10. The Edit Web Site Limits dialog box appears. Select Limit number of connections.
11. In the Limit number of connections field, type 1.
12. Click OK.
13. Open Internet Explorer, and browse to http://localhost in three tabs.
14. In Internet Explorer, right-click one of the tabs, and then click Refresh All.
15. Notice that at least one of the tabs now reports Service Unavailable.
16. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
Use Reliability and Performance Monitor to measure resource usage
1. On WEBA, open Internet Explorer, and browse to http://localhost/salessupport.
2. Open a second tab and browse to http://localhost/salessupport2.
3. In Reliability and Performance Monitor, in the console pane, click Reliability and
Performance.
4. In the details pane, expand Memory.
5. Click the Image column heading to sort by image name, and then scroll down to
w3wp.exe.
6. Notice that there are two instances running. Note the amount of memory being used by
each in the Commit (KB) and Working Set (KB) columns.
7. In Internet Information Services (IIS) Manager, in the Connections pane, click
Application Pools.
8. In the details pane, click SalesSupport2.
9. In the Actions pane, click Recycle.
10. In Reliability and Performance Monitor, notice that one of the w3wp.exe processes
consumes less memory.
11. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
Assign SalesSupport and SalesSupport2 to the same application pool
1. In Internet Information Services (IIS) Manager, in the Connections pane, click
SalesSupport2.
2. In the Actions pane, click Basic Settings.
3. The Edit Application dialog box appears. Click Select.
4. The Select Application Pool dialog box appears. In the Application pool list, click
DefaultAppPool.
5. Click OK twice.
6. In the Connections pane, click Application Pools.
7. In the details pane, click SalesSupport2.
8. In the Actions pane, click Remove.
9. The Confirm Remove dialog box appears. Click Yes.
10. Open Internet Explorer, and browse to http://localhost/salessupport.
11. Open a second tab and browse to http://localhost/salessupport2.
12. In Reliability and Performance Monitor, notice that there is now only one w3wp.exe
process and less total memory consumed.
In order to proceed to the next Lab don’t revert WEBA.
Lab 33: Web Farms
Machines used in this Lab: DC, WEB2, NODE4
Start the DC virtual machine
Start the NODE4 virtual machine and log on as CQURE\Administrator
Start the WEB2 virtual machine and log on as CQURE\Administrator
Backup the Web site, Web application, and config files to the D: drive
1. On NODE4, Open Computer, and then browse to C
2. In the File menu, click New | Folder.
3. Type WebSiteBackup, and then press Enter.
4. Right click the new folder and share it by selecting Properties, Sharing, Advanced
Sharing. Configure Share rights to allow write by clicking on Permissions button and
selecting "Full Control".
5. Browse to \\NODE4\WebSiteBackup.
6. Browse to C:\inetpub\wwwroot.
7. In the details pane, select all, right-click, and then click Copy.
8. Browse to \\NODE4\WebSiteBackup, right-click and then click Paste.
9. Notice that the Web site files are now backed up to this shared folder.
Restore the Web site, Web application, and config files from the shared drive
1. On WEB2, open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand WEB2 | Sites, and then click Default Web Site.
3. In the Actions pane, click Browse *:80 (http).
4. The Microsoft Internet Explorer window opens. Notice that the IIS default page is
displayed.
5. Open Computer, and then browse to C:\inetpub\wwwroot.
6. Notice that the folder contains the IIS default Web site files, iisstart.htm, png files, and
the aspnet_client folder.
7. Browse to the networked computer NODE4.
8. If the NODE4 computer is not displayed in the details pane, network discovery may be
turned off. Click the notice bar, and then click Turn on network discovery and file sharing.
9. Browse to \\NODE4\WebSiteBackup.
10. In the details pane, select all, right-click and then click Copy.
11. Browse to C:\inetpub\wwwroot, right-click and then click Paste.
12. If a Copy File dialog box appears, indicating that you are about to overwrite any files or
folders, click Copy and Replace.
13. If a Confirm Folder Replace dialog box appears, indicating that you are about to
overwrite a folder, click Yes.
14. Notice that the new Web site files are now copied to this location.
15. In Internet Explorer, click the Refresh button.
16. Notice that the Raccoons Bank Web site has been deployed on the second Web server.
Question: What process on the Web server led to the Raccoons Bank Web site being displayed
instead of the IIS default Web site?
Answer: After the Raccoons Bank Web site files were copied to the second Web server, the
default file default.aspx superseded the file iisstart.htm.
Lab 33: Shared Configuration
Machines used in this Lab: DC, NODE4, WEB2
Export and Enable Shared Configuration
1. On NODE4, Open Computer, and then browse to C
2. In the File menu, click New | Folder.
3. Type Export, and then press Enter.
4. Right click the new folder and share it by selecting Properties, Sharing, Advanced
Sharing. Configure Share rights to allow write by clicking on Permissions button and
selecting "Full Control".
5. Open Internet Information Services (IIS) Manager.
6. In the Connections pane, click NODE4.
7. In the details pane, in the Management section, double-click Shared Configuration.
8. In the Actions pane, click Export Configuration.
9. The Export Configuration dialog box appears, allowing you to export the local
configuration files, settings, and encryption keys. In the Physical path field, type
\\NODE4\Export.
10. In the Encryption keys password and Confirm Password fields, type Passw0rd.
11. Click OK.
12. The Export Configuration dialog box appears indicating that the files were exported
successfully. Click OK.
13. In the details pane, select Enable shared configuration.
14. In the Physical Path field, type \\NODE4\Export.
15. In the User name field, type CQURE\Administrator.
16. In the Password and Confirm Password fields, type Passw0rd.
17. In the Actions pane, click Apply.
18. The Encryption Keys Password dialog box appears for you to enter the encryption key.
In the Enter encryption key Password field, type Passw0rd.
19. Click OK.
20. The Shared Configuration dialog box appears, indicating that the current encryption
keys were backed up. Click OK.
21. The Shared Configuration dialog box appears, indicating that IIS Manager and
Management service must be restarted for these changes to be completed. Click OK.
22. Close Internet Information Services (IIS) Manager.
23. Open Internet Information Services (IIS) Manager.
24. In the Connections pane, click NODE4.
25. In the details pane, in the Management section, double-click Management Service.
26. In the Actions pane, click Start.
Add the second Web server to use the Shared Configuration
1. On WEB2, in Internet Information Services (IIS) Manager, in the Connections pane,
click WEB2.
2. In the details pane, in the Management section, double-click Shared Configuration.
3. Select Enable shared configuration.
4. In the Physical Path field, type \\NODE4\Export.
5. In the User name field, type CQURE\Administrator.
6. In the Password and Confirm Password fields, type Passw0rd.
7. In the Actions pane, click Apply.
8. The Encryption Keys Password dialog box appears. In the Enter encryption key
Password field, type Passw0rd. Click OK.
9. The Shared Configuration dialog box appears, indicating that the current encryption
keys were backed up. Click OK.
10. The Shared Configuration dialog box appears, indicating that IIS Manager and
Management service must be restarted for these changes to be completed. Click OK.
11. Close Internet Information Services (IIS) Manager.
12. Open Internet Information Services (IIS) Manager.
13. In the Connections pane, click WEB2.
14. In the details pane, in the Management section, double-click Management Service.
15. In the Actions pane, click Start.
Test the Shared Configuration
1. On NODE4, in Internet Information Services (IIS) Manager, in the Connections pane,
click NODE4.
2. In the details pane, in the IIS section, double-click Default Document.
3. In the Actions pane, click Add.
4. The Add Default Document dialog box appears to allow us to add a default document
to test the shared configuration. In the Name field, type test.html and then click OK.
5. On WEB2, in Internet Information Services (IIS) Manager, in the Connections pane,
click WEB2.
6. In the details pane, in the IIS section, double-click Default Document.
7. Notice that the default document test.html has been added to the top of the list for the
second Web server as well.
Question: Why has the default document test.html been added to the top of the list for the
second Web server as well?
Answer: The default document test.html has been added to the top of the list for the second
Web server because both servers are using shared configuration.
Lab 35: Web Deploy
Machines used in this Lab: DC, WEBA
Installing the remote service during the installation of Web Deploy on WEBA.
If you have not yet downloaded the Windows Installer file for Web Deploy, use the ISO image
delivered by the trainer. After you start the installation, return to this topic and follow
these steps.
1. On the Welcome to the Microsoft Web Deployment Tool Setup Wizard page, click
Next.
2. On the End-User License Agreement page, select the I accept the terms in the license
agreement box, and then click Next.
3. On the Choose Setup Type page, click Custom.
4. On the Custom Setup page, click the Remote Agent Service down arrow, select Will be
installed on local hard drive, and then click Next.
5. Click Install.
6. Click Finish.
7. After you install the remote service, make sure that service is started, if necessary type:
net start msdepsvc.
8. By default, the remote service uses port 80. If necessary, you can enable this port
through the firewall by running netsh firewall add portopening TCP 80
WdeployAgent at an administrative command prompt.
To use the Web Deployment Agent Service remotely
(also called the Remote Agent Service), the following conditions must be true.
1. You have installed the Web Deployment Tool on the remote computer.
2. You have enabled port 80 through the firewall on the remote computer. By default,
the remote agent listens on port 80. If you are using a custom port setting, you must
enable the custom port through the firewall instead.
3. You have started the Web Deployment Agent Service (MsDepSvc) on the remote
computer.
4. You are a member of the Administrators group on the remote computer, or you
specify administrator credentials in the Web Deploy command by using the
computerName=<serverName>, userName=<username>,password=<password>
syntax described in the Usage section.
5. You use an elevated command prompt to run the Web Deploy command.
Note: To use the remote service at the Web Deploy command line, add the computerName
provider setting to the source or destination provider by using the syntax:
,computerName=<host>. <host> is the name of the remote server. Only one destination
computer can be specified in a Web Deploy command.
The following example shows how you can use the computerName provider setting to return
metabase information from a remote computer named Server1. Notice that there is no space
after the comma.
msdeploy -verb:dump -source:metakey=lm/w3svc/1,computerName=Server1
Web Deploy converts the computer name into the default Web Deploy URL. For example,
computerName=Server1 will become http://Server1/MsDeployAgentService. If the remote
service is running with a custom port or URL, you must specify the full URL.
Example:
Use the remote service on Server1 and Server2 to update the contents of a directory on
Server2.
msdeploy -verb:sync -source:contentpath=c:\abc,computerName=Server1,username=admin,password=pass -dest:contentpath=c:\def,computerName=Server2,username=admin,password=pass
Using the Web Deployment Tool
1. Open IIS Manager and expand the default web site in the left pane and select
SalesSupport application
2. Click "Export Application..." in the right pane
3. Click "Advanced settings"
4. Set the password for security settings to Passw0rd
5. Click OK and then Next. Click Next.
6. Enter the path and name for your package. You can store it on your desktop. Click Next.
7. Verify summary and detailed status and click Finish
8. Remove the SalesSupport application (right-click the name in the left pane and select "Remove")
9. Remove the c:\inetpub\wwwroot\salessupport directory from your disk
10. Browse the content of a zip file you created on your desktop and observe how
application data was stored
11. Refresh the view in IIS Manager and verify if application was actually deleted
12. In the IIS Manager select the default web site in the left pane
13. Click "Import Application..." in the right pane
14. Enter the package path and click Next
15. Click "Advanced Settings" and enter the decrypt password for secure data
16. Click "OK" and then "Next"
17. Accept the default name and press "Next"
18. Verify summary and detailed status and click Finish
19. Verify if your application opens correctly in the web browser.
Lab 36: Configuring Network Load Balancing
Machines used in this Lab: DC, NODE4, WEB2
Create a new Network Load Balancing cluster
1. On NODE4, install the Network Load Balancing feature from Server Manager, and then
open Network Load Balancing Manager.
2. In the console pane, right-click Network Load Balancing Clusters and then click New
Cluster.
3. The New Cluster: Connect dialog box appears. Start the process by connecting to the
Network Load Balance host computer. In the Host field, type NODE4, and then click
Connect.
1. Make sure the Local Area Connection interface with Interface IP address 10.10.10.104
is highlighted, and then click Next.
4. The New Clusters: Host Parameter page shows the dedicated IP addresses and the initial
host state. Click Next.
5. The New Clusters: Cluster IP Addresses page allows you to add cluster IP addresses that
are shared by every member of the cluster. Click Add.
2. The Add IP Address dialog box appears, allowing you to add IPv4 or IPv6 addresses to
the cluster. In the Add IPv4 address field, type 10.10.10.27.
6. In the Subnet mask field, type 255.255.255.0, and then click OK.
7. Make sure the newly added cluster IP address is highlighted. Click Next.
8. The New Clusters: Cluster Parameters page allows you to modify the operation mode
of the cluster IP addresses. In the Full Internet name field, type cluster.CQURE.TEC.
9. Click Multicast. Click Next.
10. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP
address port rules. Click Finish. Wait for the operation to complete before continuing.
Add the second host to the Network Load Balancing cluster
1. In the console pane, right-click cluster.CQURE.TEC and then click Add Host to Cluster.
2. The Add Host to Cluster: Connect dialog box appears. Add the second host computer.
In the Host field, type WEB2, and then click Connect. Wait for the operation to
complete before continuing.
3. Make sure the Local Area Connection interface with Interface IP address 10.10.10.202
is highlighted, and then click Next.
4. The New Clusters: Host Parameter page shows the dedicated IP addresses and the
initial host state. Make sure that the Priority (unique host identifier) is 2, and then click
Next.
5. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP
address port rules. Click Finish. Wait for the operation to complete before continuing.
Add the second server to the Network Load Balancing cluster
1. On WEB2, Click Start, click Administrative Tools, and then click Network Load
Balancing Manager.
2. The Network Load Balancing Manager window opens and loads the current cluster. The
Warning dialog box appears, presenting a warning about running NLB in Unicast mode.
Click OK.
Verify Network Load Balancing using NLB commands
1. Open Command Prompt.
2. Type NLB query 10.10.10.27 and then press Enter.
3. Notice that the NLB command indicates that host 2 has entered a converging state with
the cluster.
4. On NODE4, Open Command Prompt.
5. Type NLB query 10.10.10.27 and then press Enter.
6. Notice that the NLB command indicates that host 1 has entered a converging state with
the cluster.
7. Type NLB display and then press Enter.
8. The results show very detailed information about the cluster and its current state. Scroll
to the top of the displayed information to examine the Configuration section.
9. Close each of the running virtual machines. Do not save changes so they are reset to
default for the next lab.
Lab 37: Troubleshooting IIS
Machines used in this Lab: DC, NODE5
Start the DC virtual machine and log on as CQURE\Administrator
Start the NODE5 virtual machine and log on as CQURE\Administrator
On NODE5, browse to http://localhost/raccoons. Notice the Server Error: 401 – Unauthorized
message.
Examine the log file
1. Open Computer and then browse to C:\inetpub\logs\LogFiles\W3SVC1.
2. Double-click the most recent log file.
3. The Notepad window opens. Scroll to the far right and examine the last entries in the log
file. Notice that the status is 401 and sub status is 2.
4. Close Notepad.
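Reading the status columns by eye in Notepad works for one request but not for a busy log. The following added example (not part of the lab files) parses W3C-format IIS log lines using the #Fields header and summarises 401 responses by sub-status. The log lines are constructed sample data, the function names are hypothetical, and the sub-status descriptions are the standard IIS 401.x meanings.

```powershell
# Added example. Requires PowerShell 3.0 or later.

# Constructed sample in the default IIS W3C layout. For a real log use:
#   $lines = Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\<most recent log file>'
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-04-22 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-04-22 10:15:00 ::1 GET / - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+10.0) - 200 0 0 31
2014-04-22 10:15:02 ::1 GET /raccoons - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+10.0) - 401 2 5 15
2014-04-22 10:15:04 ::1 GET /raccoons - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+10.0) - 401 2 5 0
2014-04-22 10:15:09 ::1 GET /raccoons/default.aspx - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+10.0) - 401 1 1326 46
2014-04-22 10:15:10 ::1 GET /raccoo
'@ -split "`r?`n"

# Standard IIS meanings for the 401 sub-status codes.
$substatus401 = @{
    '401.1' = 'Logon failed'
    '401.2' = 'Logon failed due to server configuration'
    '401.3' = 'Unauthorized due to ACL on resource'
    '401.4' = 'Authorization failed by filter'
    '401.5' = 'Authorization failed by ISAPI/CGI application'
}

function ConvertFrom-IisLog {           # hypothetical helper name
    param([string[]]$Line)

    $fields = @()
    foreach ($entry in $Line) {
        # The #Fields directive names the columns; it can reappear mid-file when
        # logging settings change, so re-read it every time it is seen.
        if ($entry -like '#Fields:*') {
            $fields = $entry.Substring(8).Trim() -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($entry) -or $entry.StartsWith('#')) { continue }

        # Skip rows that do not match the header, e.g. a line cut off mid-write.
        $values = $entry -split ' '
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }

        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-Iis401Summary {            # hypothetical helper name
    param([string[]]$Line)

    ConvertFrom-IisLog -Line $Line |
        Where-Object { $_.'sc-status' -eq '401' } |
        Group-Object -Property { '{0}.{1} {2}' -f $_.'sc-status', $_.'sc-substatus', $_.'cs-uri-stem' } |
        ForEach-Object {
            $first   = $_.Group[0]
            $code    = '{0}.{1}' -f $first.'sc-status', $first.'sc-substatus'
            $meaning = 'Not in table; see IIS documentation'
            if ($substatus401.ContainsKey($code)) { $meaning = $substatus401[$code] }

            [pscustomobject]@{
                Status  = $code
                Uri     = $first.'cs-uri-stem'
                Count   = $_.Count
                Meaning = $meaning
            }
        }
}

Get-Iis401Summary -Line $sampleLog | Sort-Object Count -Descending | Format-Table -AutoSize
```

On the constructed sample this reports two 401.2 responses for /raccoons and one 401.1 for /raccoons/default.aspx; the truncated last line is skipped.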
Enable Detailed Error Messages
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, expand NODE5 | Sites | Default Web Site and then click
Raccoons.
1. In the details pane, in the IIS section, double-click Error Pages.
2. In the Actions pane, click Edit Feature Settings.
3. The Edit Error Pages Settings dialog box appears. Click Detailed errors for local
requests and custom error pages for remote requests, and then click OK.
Reproduce the issue and examine the detailed error
1. In Internet Explorer, browse to http://localhost/raccoons.
2. Notice the detailed error message reports HTTP Error 401.2 - Unauthorized.
3. Scroll down to Most likely causes. Notice the first cause is No authentication protocol
(including anonymous) is selected in IIS.
Resolve the issue and test functionality
1. In Internet Information Services (IIS) Manager, click Raccoons.
2. In the details pane, in the IIS section, double-click Authentication.
3. Notice that all authentication methods are Disabled.
4. In the details pane, click Basic Authentication.
5. In the Actions pane, click Enable.
6. In the details pane, notice that Basic Authentication is Enabled, and all other
authentication methods are Disabled.
7. In Internet Explorer, browse to http://localhost/raccoons.
8. Notice that you are prompted for credentials. For User name, type Yvonne.
9. For Password type Passw0rd and then click OK.
10. Notice that the Raccoons application now loads without error.
11. Close Internet Explorer.
Lab 38: Troubleshooting Authorization
Machines used in this Lab: DC, NODE5
Browse to http://localhost/raccoons2
1. On NODE5, in Internet Explorer, browse to http://localhost/raccoons2.
2. Notice that you are not prompted for credentials and the page loads without error.
3. Close Internet Explorer.
Enable Failed Request Tracing and add a rule to trace successful requests
1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default
Web Site.
2. In the Actions pane, click Failed Request Tracing.
3. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable,
and then click OK.
4. In the Connections pane, click Raccoons2.
5. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.
6. In the Actions pane, click Add.
7. The Add Failed Request Tracing Rule dialog box appears. Click Next.
8. Under Status code(s), type 200, and then click Next.
Question: Why do we use status code 200 for this issue?
Answer: Status code 200 is used for a successful page load in IIS. Since the page is loading
without error, we must use the status code 200 to trace the issue.
9. Under Providers, clear ASP and ISAPI Extension. Leave ASPNET and WWW Server
checked.
10. Click Finish.
Reproduce the issue and examine the Failed Request Tracing log
1. In Internet Explorer, browse to http://localhost/raccoons2.
2. In Windows Explorer, browse to c:\inetpub\logs\FailedReqLogFiles\W3SVC1.
3. Double-click fr000001.xml.
4. If prompted to add the site to the Trusted sites zone, click Add twice and then click
Close.
5. Under Request Summary, notice that Authentication is anonymous.
6. Click the Compact View tab.
7. Scroll down and examine the lines that begin with AUTH_SUCCEEDED and USER_SET.
Notice that the authorized user is “”. Close Internet Explorer.
Question: What did we learn from the Failed Request Tracing log?
Answer: Anonymous users are being allowed to access the site. Since anonymous authentication
happens successfully, users are not being prompted to enter credentials.
Resolve the issue and verify functionality
1. In Internet Information Services (IIS) Manager, in the Connections pane, click
Raccoons2.
2. In the details pane, double-click Authorization Rules.
3. Notice that Anonymous Users are Allowed.
4. In the details pane, in the IIS section, click Anonymous Users.
5. In the Actions pane, click Remove.
6. The Confirm Remove dialog box appears. Click Yes.
7. In the Connections pane, click Raccoons2.
8. In the details pane, in the IIS section, double-click Authentication.
9. Notice that both Anonymous Authentication and Basic Authentication are Enabled.
10. Click Anonymous Authentication.
11. In the Actions pane, click Disable.
12. In Internet Explorer, browse to http://localhost/raccoons2.
13. Notice that you are prompted for credentials. For User name, type Yvonne.
14. For Password, type Passw0rd and then click OK.
15. Notice that the Raccoons2 application loads without error.
16. Close Internet Explorer and open it again to create a new session.
17. Browse to http://localhost/raccoons2.
18. When prompted for credentials, leave both fields blank and click OK three times.
19. Notice that you get a 401 – Unauthorized message.
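The settings changed in this lab, and the one changed in Lab 37, live under system.webServer/security in the IIS configuration. The following added example, which is not part of the original lab material, checks a constructed applicationHost.config excerpt for both misconfigurations. It assumes every <location> states its settings explicitly (inheritance and Deny rules are not modelled); the rule for Yvonne and the "Raccoons2-after-fix" path are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (not taken from the lab machines).
SAMPLE_CONFIG = """
<configuration>
  <location path="Default Web Site/Raccoons">
    <system.webServer><security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="false" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security></system.webServer>
  </location>
  <location path="Default Web Site/Raccoons2">
    <system.webServer><security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <basicAuthentication enabled="true" />
      </authentication>
      <authorization>
        <add accessType="Allow" users="?" />
        <add accessType="Allow" users="Yvonne" />
      </authorization>
    </security></system.webServer>
  </location>
  <location path="Default Web Site/Raccoons2-after-fix">
    <system.webServer><security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
      </authentication>
      <authorization>
        <add accessType="Allow" users="Yvonne" />
      </authorization>
    </security></system.webServer>
  </location>
</configuration>
"""

AUTH_METHODS = ("anonymousAuthentication", "basicAuthentication",
                "digestAuthentication", "windowsAuthentication")
NO_AUTH = "no authentication method enabled (requests end in 401.2)"
ANON_OPEN = "anonymous authentication enabled and anonymous users allowed"


def enabled_methods(security):
    """Names of the authentication methods explicitly enabled in this section."""
    found = []
    for name in AUTH_METHODS:
        node = security.find("authentication/" + name)
        if node is not None and node.get("enabled", "").lower() == "true":
            found.append(name)
    return found


def allows_anonymous(security):
    """True if an Allow rule names '?' (anonymous users) or '*' (all users)."""
    for rule in security.iterfind("authorization/add"):
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if rule.get("accessType") == "Allow" and users & {"?", "*"}:
            return True
    return False


def audit(config_xml):
    """Map each <location> path to the list of findings for it."""
    findings = {}
    for location in ET.fromstring(config_xml).iter("location"):
        security = next(location.iter("security"), None)
        if security is None:
            continue
        methods = enabled_methods(security)
        issues = []
        if not methods:
            issues.append(NO_AUTH)
        if "anonymousAuthentication" in methods and allows_anonymous(security):
            issues.append(ANON_OPEN)
        findings[location.get("path")] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit(SAMPLE_CONFIG).items():
        print(path, "->", issues or "ok")
```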
Lab 39: Troubleshooting Communication
Machines used in this Lab: DC, NODE5
Reproduce the issue
1. On DC, browse to http://NODE5/netapp/content. Notice the 500 – Internal server
error message.
Verify communication with the Web server
1. Open Command Prompt.
2. Type ping NODE5 and then press Enter.
3. Notice that the ping succeeds, indicating that DC and NODE5 are communicating.
4. On NODE5, in Internet Information Services (IIS) Manager, in the Connections pane,
click NODE5.
5. In the details pane, in the IIS section, double-click Error Pages.
6. In the Actions pane, click Edit Feature Settings.
7. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click
OK.
8. In Internet Explorer, browse to http://localhost/netapp/content.
9. Notice the 500.19 error.
10. Next to Config Error, notice the message Cannot read configuration file because the
network path is not found.
11. Next to Config File, notice the path for the server name.
Correct the problem and verify functionality
1. In Internet Information Services (IIS) Manager, in the Connections pane, expand
NetApp and then click Content.
2. In the Actions pane, click Advanced Settings.
3. The Advanced Settings dialog box appears. In the Physical Path field, modify the path
to read \\NODE5\content, and then click OK.
4. In Internet Explorer, browse to http://localhost/netapp/content.
5. Notice that the IIS Welcome page appears and there is no error message.
Lab 40: Troubleshooting Configuration
Machines used in this Lab: DC, NODE5
Reproduce the issue and examine the detailed error message
1. On NODE5, in Internet Explorer, browse to http://localhost/pics/logo.jpg.
2. Notice the HTTP Error 404.4 – Not Found message.
3. In the Most likely causes section, notice that the most likely cause is The file extension
for the requested URL does not have a handler configured to process the request on the
Web server.
Examine and correct the web.config file
1. In Windows Explorer, browse to C:\Pics.
2. Double-click web.config.
3. On the Windows dialog, click Select a Program from a list of installed programs, and
then click OK. Click Notepad, and then click OK.
4. The Notepad window opens. Notice that the <handlers> section contains a line for
handling static files.
5. Notice that the path attribute is set to “*.jgp”. Modify the line so that the path attribute
correctly reads “*.jpg”.
6. On the File menu, click Save.
7. Close Notepad.
8. In Internet Explorer, browse to http://localhost/pics/logo.jpg.
9. Notice that the Raccoons Bank logo now appears successfully.
Close each of the running virtual machines and revert them to default state.
Lab 41: Application Initialization (Optional)
Machines used in this Lab: DC, NODE1
The IIS 8.0 Application Initialization feature enables website Administrators to configure IIS 8.0
to proactively perform initialization tasks for one or more web applications. While an application
is being initialized, IIS 8.0 can also be configured to return static content as a placeholder or
"splash page" until an application has completed its initialization tasks. The Application
Initialization feature is configured through a combination of global and application-specific rules
that tell IIS 8.0 how and when to initialize web applications. The Application Initialization feature
also supports integration with the IIS Url Rewrite Module to support more complex handling of
placeholder content while an application is still initializing.
1. Log in on NODE1 as Administrator with the password Passw0rd.
2. Open Server Manager and run Add Role wizard.
3. From the configuration of the Web Server role, pick Application Initialization:
Note: The Application Initialization feature can be configured in two places: the machine-wide
applicationHost.config file, and the application-level web.config file. Configuration in the
applicationHost.config file contains "global" application initialization settings, while an
application-level web.config file contains "local" application initialization settings.
In this walkthrough, you will configure a sample application to always be initialized when the
application pool associated with the application starts up. Since application pool behaviors
can only be configured in applicationHost.config, running application initialization whenever
an application pool starts up is considered part of the "global" application initialization
settings.
Setting up the Sample ASP.NET Application
Note: The following steps assume your server already has both IIS 8.0 installed and ASP.NET 4.5
enabled for use in IIS 8.0.
1. Attach appinit.iso to NODE1. The sample ASP.NET application is contained in the
appinit.zip file.
2. Unzip the file to the wwwroot folder on NODE1. The application should be copied to the
following path: "c:\inetpub\wwwroot\appinit".
3. Now it is time to configure the folder as an ASP.NET application in IIS 8.0. The screenshot
below shows the appinit sample application configured as an application in IIS 8.0. Also
notice that the application is assigned to the ".NET v4.5" application pool.
Install the Url Rewrite Module
The sample application makes use of the Url Rewrite module for advanced integration with the
Application Initialization feature. You need to install the Url Rewrite module on your server; you
will find urlrewrite2.exe in the same ZIP file as the application. It can also be downloaded from:
http://www.iis.net/download/URLRewrite.
Configure the Url Rewrite Module
1. Once the Url Rewrite module is installed on your web server, you need to modify the IIS
applicationHost.config file to allow usage of the SKIP_MANAGED_MODULES server
variable supported by the Application Initialization feature.
2. Open up the machine-wide applicationHost.config file in a text editor such as Notepad.
The applicationHost.config file is located at C:\Windows\System32\inetsrv\config.
3. Scroll down the file and locate the security section. This section starts with the Xml
element: <security>.
4. Type in the following Xml elements before the <security> element:
<rewrite>
  <allowedServerVariables>
    <add name="SKIP_MANAGED_MODULES" />
  </allowedServerVariables>
</rewrite>
5. Save the changes to the applicationHost.config file.
Modifications in applicationHost.config
1. Open up the applicationHost.config file located at %WINDIR%\system32\inetsrv\config
in Notepad - run the text editor with the "Run as Administrator" option.
2. Find the <applicationPools> configuration section, and then look for the application
pool entry with a name of ".NET v4.5".
3. Modify the application pool entry so that the application pool is always running. For
applications where you want global application initialization to occur, you normally want
the associated application pool to be started and running. The startMode attribute in the
configuration snippet below is what to add to the configuration entry.
<add name=".NET v4.5" startMode="AlwaysRunning" managedRuntimeVersion="v4.0" />
4. Scroll down a little more in applicationHost.config to the <sites> configuration element.
Within that section there will be an <application> entry for the sample application you
configured earlier. The application is called "appinit", and has a path attribute value of
"/appinit". Modify the <application> entry by adding the bolded preloadEnabled
attribute as shown in the configuration snippet and then save your changes.
<application path="/appinit" preloadEnabled="true" applicationPool=".NET v4.5">
5. Setting preloadEnabled to "true" tells IIS 8.0 to send a "fake" request to the
application when the associated application pool starts up. That is why in the previous
step we set the application pool's startMode to "AlwaysRunning".
Note: With the combination of the application pool always running, and the application itself
being marked to always receive a fake request, whenever the machine restarts and/or the
World Wide Web service is recycled, IIS 8.0 ensures that the application pool instance is
running and that the application "/appinit" is always sent a fake request to trigger the
application to start up.
Modifications in the application's web.config
1. Using a second instance of Notepad, open up the application level web.config file
located in the following location - run the text editor with the "Run as Administrator"
option.
C:\inetpub\wwwroot\appinit
2. The web.config file has a few configuration sections already pre-populated, but
commented out. Uncomment the configuration snippet shown that is inside of the
<system.webServer> configuration section. This snippet is just below the comment
"Exercise 1 - Step 1" in the web.config file. Then save your changes.
<applicationInitialization
    remapManagedRequestsTo="Startup.htm"
    skipManagedModules="true" >
  <add initializationPage="/default.aspx" />
</applicationInitialization>
3. The applicationInitialization element tells IIS that it should issue a request to the
application's root Url ("/" in this example) in order to initialize the application. While IIS
waits for the request to "/" to complete, it will serve "Startup.htm" to any active browser
clients. "Startup.htm" is the "splash page" for the application.
Run the application
1. From an elevated command prompt window, recycle the World Wide Web Service with
the command shown below:
net stop w3svc & net start w3svc
2. Using Internet Explorer, navigate to the following Url:
http://localhost/appinit/default.aspx
3. The browser returns the static "Startup.htm" page with a grey background for the first
few seconds because that is the "splash page" that has been configured in web.config.
Note: You can continue refreshing the page in your web browser and observe that about eight
seconds later (simulated with a thread sleep in the sample application's global.asax) you receive
the "real" content for default.aspx with a white background. This indicates that application
initialization completed.
Configuring overlapped process recycling
IIS 8.0 integrates global application initialization with overlapped process recycling by
performing application initialization in an overlapped process in the background. When IIS
detects that an active worker process is being recycled, IIS does not switch active traffic over to
the new recycled worker process until the new worker process finishes running all application
initialization Urls in the new process. This ensures that customers browsing your website don't
see application initialization pages once an application is live and running.
1. Go back to the instance of Notepad that has applicationHost.config. Modify the
application pool entry for ".NET v4.5" to look like the configuration snippet shown below:
<add name=".NET v4.5"
    startMode="AlwaysRunning"
    managedRuntimeVersion="v4.0" >
  <recycling logEventOnRecycle="Schedule">
    <periodicRestart requests="30" />
  </recycling>
</add>
2. Save your changes. The <recycling> element tells IIS to recycle the worker process every
30 HTTP requests.
Run the application a second time
1. From an elevated command prompt window, recycle the World Wide Web Service with
the command: net stop w3svc & net start w3svc
2. Using a new instance of Internet Explorer, once again navigate to:
http://localhost/appinit/default.aspx
3. Note that the "Startup.htm" splash page with the grey background is showing.
4. Open Task Manager and make sure the Processes tab is showing. Sort the process list by
name until you see one instance of w3wp.exe running. That instance is the worker
process that is currently running the "appinit" ASP.NET application.
5. Refresh the browser a few times until the content from the real default.aspx page is
being returned. You know that the application is running the "real" default.aspx page
when the background changes to white.
6. Arrange the windows on your screen so that you can see both Task Manager and the
browser.
7. Switch back to the browser and refresh the page at least 30 times; this causes IIS to
recycle the application pool. You can stop refreshing the page when you see a second
instance of w3wp.exe show up in the Task Manager process list as shown below:
8. The screenshot shows the second instance of w3wp.exe has started due to the process
recycling limit set earlier.
9. You can continue to periodically refresh the browser window for the next ten seconds or
so. Note that default.aspx continues to run. When the overlapped recycling completes,
one w3wp.exe instance disappears from the Task Manager Process window.
Throughout the duration of the overlapped recycling, you continue to see the content of the
"real" default.aspx served, even though application initialization was configured for the
application and was running the initialization Url in the background in the new instance of
w3wp.exe.
Lab 42: Url Rewrite and Application Initialization (Optional)
Machines used: DC, NODE1
By default, application initialization only enables you to specify a single "splash page" Url to
display while an application is initializing. However, the Application Initialization feature supports
a few server variables that can be used to control request processing while an application
initializes. This enables you to create declarative rules using the Url Rewrite Module containing
more complex mappings to pre-generated static content.
In this walkthrough, you replace the remapManagedRequestsTo attribute with a set of Url
Rewrite rules that accomplish the same end result.
Modifications in applicationHost.config
1. Using the instance of Notepad that has applicationHost.config open, revert both the
application pool and the application elements to turn off all global application
initialization processing. The global settings are removed in this step since the remainder
of this walkthrough focuses on the configured Application Initialization behavior.
2. The applicationHost.config entries for the application pool and the application are as
shown below.
Application pool configuration entry:
<add name=".NET v4.5" managedRuntimeVersion="v4.0" />
Application configuration entry:
<application path="/appinit" applicationPool=".NET v4.5">
3. Save your changes when you are done!
4. From an elevated command prompt window, recycle the World Wide Web Service with
the command: net stop w3svc & net start w3svc
Modifications to application level web.config
1. Using the instance of Notepad that has the application-level web.config open, remove
the remapManagedRequestsTo attribute from the <applicationInitialization> element.
The <applicationInitialization> configuration section should now look like this
configuration snippet.
<applicationInitialization skipManagedModules="true" >
  <add initializationPage="/default.aspx" />
</applicationInitialization>
2. Because the <applicationInitialization> element no longer defines a Url to remap
requests to, add a set of Url Rewrite rules. Add a rewrite rule that explicitly maps
requests made to "default.aspx", as well as "/" to route to "Startup.htm". Two rules are
needed because the Url Rewrite Module doesn't "know" about how default documents
work. Since "/" equates to "default.aspx" in ASP.NET applications, you need two Url
Rewrite rules - one rule for each Url variation.
The new rules are shown in bold below. Alternatively you can uncomment the pre-populated Url
Rewrite rules under the "Exercise 2 - Step 2 Mapping Requests to the Home Page" comment in
the web.config file.
<rewrite>
  <rules>
    <rule name="Home Page-Expanded" stopProcessing="true">
      <match url="default.aspx" />
      <conditions>
        <add input="{APP_WARMING_UP}" pattern="1" />
      </conditions>
      <action type="Rewrite" url="Startup.htm" />
    </rule>
    <rule name="Home Page-Short" stopProcessing="true">
      <match url="^$" />
      <conditions>
        <add input="{APP_WARMING_UP}" pattern="1" />
      </conditions>
      <action type="Rewrite" url="Startup.htm" />
    </rule>
  </rules>
</rewrite>
3. Some items to note about these rules:
a. First, the stopProcessing attribute is set to "true" on the <rule /> elements. This
is necessary because a catch-all Url Rewrite rule is added later, and you don't want
the catch-all rule to run for requests to default.aspx or "/".
b. Second, note that we have a Url Rewrite condition in the <conditions /> element.
This condition effectively says "only apply rule when the application is in an
initializing state". The server variable "APP_WARMING_UP" is set by IIS to a value
of "1" when application initialization is active and IIS is still processing all of the
initialization Urls.
c. Third, note that the action has been defined to rewrite the active request to
instead run "Startup.htm". This rule has the effect of telling IIS to pass the request
on to the static file handler which then renders the static page Startup.htm.
4. Add a catch-all rewrite rule. When using the Url Rewrite Module in conjunction with
application initialization, a catch-all rule that fires if none of the previous rules match is
needed. Add the rule named "All Other Requests", shown last in the snippet below, to the
rewrite section as the catch-all rule.
Alternatively you can uncomment the pre-populated catch-all rule in web.config that is
located under the "Exercise 2 - Step 2 Setting Up a Catch-All Rule" comment in the
web.config file.
<rewrite>
  <rules>
    <rule name="Home Page-Expanded" stopProcessing="true">
      <match url="default.aspx" />
      <conditions>
        <add input="{APP_WARMING_UP}" pattern="1" />
      </conditions>
      <action type="Rewrite" url="Startup.htm" />
    </rule>
    <rule name="Home Page-Short" stopProcessing="true">
      <match url="^$" />
      <conditions>
        <add input="{APP_WARMING_UP}" pattern="1" />
      </conditions>
      <action type="Rewrite" url="Startup.htm" />
    </rule>
    <rule name="All Other Requests">
      <match url=".*" />
      <conditions>
        <add input="{APP_WARMING_UP}" pattern="1" />
      </conditions>
      <serverVariables>
        <set name="SKIP_MANAGED_MODULES" value="0" />
      </serverVariables>
      <action type="Rewrite" url="{URL}" />
    </rule>
  </rules>
</rewrite>
5. Save your changes.
6. The new rule matches against any Url that reaches it and tells IIS to continue processing
the request that was made to the inbound Url. The rule also sets a server variable called
"SKIP_MANAGED_MODULES" to a value of "0" - which equates to "false". This setting
tells IIS that it should treat the rewritten request from Url Rewrite the same way as if the
request had normally arrived off the wire.
Run the application
1. From an elevated command prompt window, recycle the World Wide Web Service with
the command: net stop w3svc & net start w3svc
2. Using a new instance of Internet Explorer, once again navigate to:
http://localhost/appinit/default.aspx
Note: Even though Url Rewrite rules are now used to define the splash page logic, you still
see the same behavior from the first walkthrough. The Startup.htm page with the grey
background is displayed initially. If you refresh the browser periodically, about eight seconds
later you again see the page background switch to white, indicating that the "real"
default.aspx page is being served now that application initialization is complete.
(Optional) Lab: Complex Splash Page Rules
The previous walkthroughs use application initialization as a straight-forward mapping of Url "X"
to Url "Y". In this walkthrough, you are going to implement a more complex application
initialization scenario.
1. In your browser navigate to both of the following Urls:
a. http://localhost/appinit/ImageHandler.ashx?image=Lighthouse
b. http://localhost/appinit/ImageHandler.ashx?image=Tulips
2. These Urls are examples of dynamically generated static content. For this sample
application, the code inside of ImageHandler.ashx looks at the querystring key "image".
If the value of that querystring is either "Lighthouse" or "Tulips" the ASP.NET handler
transmits the corresponding JPG that is located in the App_Data folder.
Note: Since the image handler is just returning images, you want to be able to continue to
return an appropriate image even during application initialization. Although the mechanics of
serving these images uses managed code, you may want to quickly serve up pre-generated
images to customers even if the underlying ASP.NET application is taking a long time to
start up and initialize itself.
Modifications to application level web.config
1. Using the instance of Notepad that has application-level web.config open, add another
Url Rewrite rule before the final catch-all rule. The new snippet to add is shown below.
Alternatively you can uncomment the pre-populated image handler rule in web.config
that is located under the "Exercise 3 - Step 1 Complex Splash Page Rules" comment in
the web.config file.
<rule name="Image Handler Remapping" stopProcessing="true">
  <match url="ImageHandler.ashx" />
  <conditions>
    <add input="{APP_WARMING_UP}" pattern="1" />
    <add input="{QUERY_STRING}" pattern="image=([A-Za-z]+)&amp;?" />
  </conditions>
  <action type="Rewrite" url="Images/{C:1}_static.jpg" appendQueryString="false" />
</rule>
2. Save your changes.
Note: Just as with the rewrite rules for default.aspx and "/", this rule has the stopProcessing
attribute set to "true" to ensure that requests to ImageHandler.ashx don't accidentally
fall through to the final catch-all rewrite rule during application initialization.
For requests to "ImageHandler.ashx", the rewrite rule uses a regular expression capture group
to extract the requested image from the query-string. The match pattern definition
pattern="image=([A-Za-z]+)&amp;?" (the regular expression image=([A-Za-z]+)&?, with the
ampersand escaped for Xml) tells IIS to extract the value of the "image" query-string
variable. That value is then used in the url attribute of the action element:
url="Images/{C:1}_static.jpg".
The url attribute on the action element tells the Url Rewrite module to rewrite
ImageHandler.ashx requests to instead point at files in the Images subdirectory of the
application. Furthermore the query-string value that was captured by the regular expression is
used to help form the name of the file that will ultimately be served from the Images
subdirectory. For example, a request to ImageHandler.ashx?image=Tulips will be rewritten to
Images/Tulips_static.jpg.
3. If you browse to the inetpub\wwwroot\appinit directory using Windows Explorer and
look in the Images subdirectory, you see two files: one representing the "static" version
of Tulips.jpg, and the other representing the "static" version of Lighthouse.jpg. These
static images act as pre-generated content that can be served while the application
initializes.
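To see how the rules from this lab and the preceding Url Rewrite lab interact, the added example below (not part of the original lab material or the sample application) evaluates them in order for a given request. It models only what these rules use: unanchored, case-insensitive regular expression matching, all conditions required, {C:n} taken from the last matched condition, and stopProcessing. The function names and the /appinit/ prefix used for {URL} are assumptions of the example.

```python
import re
import xml.etree.ElementTree as ET

# The four rules from this lab as they sit in web.config. Inside the XML
# attribute the '&' of the image pattern is written as '&amp;'.
REWRITE_XML = """
<rewrite><rules>
  <rule name="Home Page-Expanded" stopProcessing="true">
    <match url="default.aspx" />
    <conditions><add input="{APP_WARMING_UP}" pattern="1" /></conditions>
    <action type="Rewrite" url="Startup.htm" />
  </rule>
  <rule name="Home Page-Short" stopProcessing="true">
    <match url="^$" />
    <conditions><add input="{APP_WARMING_UP}" pattern="1" /></conditions>
    <action type="Rewrite" url="Startup.htm" />
  </rule>
  <rule name="Image Handler Remapping" stopProcessing="true">
    <match url="ImageHandler.ashx" />
    <conditions>
      <add input="{APP_WARMING_UP}" pattern="1" />
      <add input="{QUERY_STRING}" pattern="image=([A-Za-z]+)&amp;?" />
    </conditions>
    <action type="Rewrite" url="Images/{C:1}_static.jpg" appendQueryString="false" />
  </rule>
  <rule name="All Other Requests">
    <match url=".*" />
    <conditions><add input="{APP_WARMING_UP}" pattern="1" /></conditions>
    <serverVariables><set name="SKIP_MANAGED_MODULES" value="0" /></serverVariables>
    <action type="Rewrite" url="{URL}" />
  </rule>
</rules></rewrite>
"""
APP_ROOT = "/appinit/"  # assumption: the application path used in the lab


def expand(template, variables, captures):
    """Replace {NAME} server variables and {C:n} condition back-references."""
    def substitute(match):
        token = match.group(1)
        if token.startswith("C:"):
            return captures[int(token[2:])]
        return variables.get(token, "")
    return re.sub(r"\{([^{}]+)\}", substitute, template)


def evaluate(path, query="", warming_up=True):
    """Return (names of rules that fired, rewritten URL or None, variables set)."""
    variables = {"APP_WARMING_UP": "1" if warming_up else "",
                 "QUERY_STRING": query, "URL": APP_ROOT + path}
    fired, target, set_vars = [], None, {}
    for rule in ET.fromstring(REWRITE_XML).iter("rule"):
        if not re.search(rule.find("match").get("url"), path, re.IGNORECASE):
            continue
        captures, matched = [], True
        for cond in rule.iterfind("conditions/add"):
            value = expand(cond.get("input"), variables, captures)
            hit = re.search(cond.get("pattern"), value, re.IGNORECASE)
            if hit is None:
                matched = False
                break
            captures = [hit.group(0), *hit.groups()]
        if not matched:
            continue
        for item in rule.iterfind("serverVariables/set"):
            set_vars[item.get("name")] = item.get("value")
        target = expand(rule.find("action").get("url"), variables, captures)
        fired.append(rule.get("name"))
        if rule.get("stopProcessing") == "true":
            break
        # Without stopProcessing, later rules would see the rewritten URL.
        path = target[len(APP_ROOT):] if target.startswith(APP_ROOT) else target
    return fired, target, set_vars


if __name__ == "__main__":
    for path, query in [("default.aspx", ""), ("", ""),
                        ("ImageHandler.ashx", "image=Tulips"),
                        ("ImageHandler.ashx", "image=Tulips/../x"),
                        ("ImageHandler.ashx", "image=123"),
                        ("Other.aspx", "")]:
        print(repr(path), repr(query), "->", evaluate(path, query))
```

Because the capture group accepts only letters, a value such as Tulips/../x still yields Images/Tulips_static.jpg, and a value that does not begin with a letter skips the image rule and reaches the catch-all.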
Run the application
1. From an elevated command prompt window, recycle the World Wide Web Service with
the command: net stop w3svc & net start w3svc
2. Using Internet Explorer navigate to either:
a. http://localhost/appinit/ImageHandler.ashx?image=Lighthouse
b. http://localhost/appinit/ImageHandler.ashx?image=Tulips
3. Notice how the images returned in either case include a watermark indicating these are
the "static" pre-generated versions of the images. The watermark is text in the upper
portion of the image saying "This image is the static version of...."
4. If you refresh your browser about 10 seconds later, you see the returned image content
change to the "real" content being served by the ImageHandler.ashx handler. The
watermark disappears, which indicates that the content is now being dynamically
generated by the ASP.NET handler since the application has completed initialization.
5. Note: If Internet Explorer appears to not be refreshing, click either the "broken
document" icon in the address bar or the refresh icon to force Internet Explorer to reload
the page.
Lab summary
The IIS 8.0 Application Initialization feature gives developers and Administrators the ability to
return static content to browsers while IIS is initializing a "cold" application. Serving static content
immediately to browsers gives customers a better user experience. Instead of cold-start
applications resulting in a blank browser page or a spinning wait icon, the Application Initialization
feature can be used to serve relevant static content while the underlying application completes
expensive initialization processing.
The initialization process can occur automatically whenever a web server is brought online or
recycled. For scenarios where server Administrators don't want to greedily initialize applications,
the initialization process can instead be triggered on-demand when the first request arrives at a
"cold" application.
For both global and local application initialization the Url Rewrite module can be integrated to
provide richer and more complex initialization rules. Using Url Rewrite rules integrated with the
Application Initialization feature it is possible to serve different types of pre-generated static
content for different Urls and virtual paths while IIS continues to start-up an application in the
background.
Lab 43: IIS Backup – Web Deploy
1. Launch your IIS8_WEBB server and verify you have some sites and applications.
2. Install WebDeploy 3.0 package using typical settings (you will find it in the ISO file).
3. Open IIS Management Console and verify if you have "deployment" links in the action
pane when you click on the server, the site or the application.
4. Select your web server name in the left pane.
5. Click on the "Export server package" link in the right pane and save the "server.zip"
package using default settings.
6. Remove some of your websites and then app pools.
7. Select your web server name in the left pane.
8. Click on the "Import server package" link in the right pane and save the "server.zip"
package using default settings. You need to accept a warning message. Please read it
before accepting.
9. Verify if your app pools, sites and applications were restored correctly and can be opened.
10. Launch cmd.exe.
11. Navigate to C:\Program Files\IIS\Microsoft Web Deploy V3
12. Type: msdeploy -verb:sync -source:appHostConfig="Your Site Name" -dest:archivedir=c:\archive -enableLink:appPool
13. Optionally you can configure https binding and try to back up certificates by adding
"-enableLink:CertificateExtension" to the previous command.
14. Optionally you can replace your destination (type: archivedir, value: c:\archive) with type
"package" and value "c:\archive.zip".
15. Delete your site and associated app pools.
16. Try to restore your backup using command: msdeploy -verb:sync -source:archivedir=c:\archive -dest:appHostConfig="Restored WebSite" -enableLink:appPool
17. Go to your App Pools and find a pool associated with more than zero applications.
18. Try to delete such a pool. Is this possible? Why?
19. Navigate to C:\Program Files\IIS\Microsoft Web Deploy V3
20. Type: msdeploy -verb:delete -dest:appPoolConfig="your pool name"
21. Verify if your pool was actually deleted.
22. Try to launch your web application.
23. Use your backup to re-create your website with linked App Pools.
Lab 44: JavaScript Profiling (Optional)
1. On your host machine launch Internet Explorer browser and navigate to
http://ie.microsoft.com/testdrive/Performance/BrickBreaker
2. Click on the first tile in the "Level Selection" window
3. Press F12 to start F12 Developer Tools
4. Switch to "Profiler" tab and click "Start profiling"
5. Return to Internet Explorer window and play a game for some time
6. Switch to F12 console and click "Stop profiling"
7. Switch current view to "Call tree"
8. Expand nodes renderAll – renderAll – next – checkCollision – elementsInRect –
elementsOfClass – hasCssClass
9. Note the count of hasCssClass function calls. Why does it make sense to start improving
from this function?
10. Double click hasCssClass function name to switch to the "Script" tab
11. Right click function name and select "Insert breakpoint" from the context menu
12. Click "Start debugging" button on the toolbar
13. Click on the first tile in the Internet Explorer "Level Selection" window and start playing
14. Wait until execution stops on the breakpoint.
15. Click "Locals" over the right pane and look inside local objects. Click "Call stack" and check
how the function was called.
16. Click "Breakpoints" over the right pane and de-select your breakpoint.
17. Click "Watch" over the right pane and add "Balls" to the watch list. Expand the object
properties and find Balls[0].speed
18. Right click the value and edit it. Change the value to 1.
19. Press F5 to continue. Intentionally miss the first ball and launch another one. Note the
difference.
20. Discuss how F12 may help you in troubleshooting performance problems in modern web
applications.
Lab 45: Network traffic monitoring (Optional)
1. Launch IE browser and navigate to http://gizmodo.com/
2. Make sure you have no Tracking Protection enabled - the "no parking" sign next to the
URL must be gray.
3. Press F12.
4. Switch to "Network" tab and press "Start capturing".
5. Return to your browser and open gizmodo.com page again and wait until it fully loads.
6. Switch to F12 tool and press "Stop capturing"
7. Sort by "URL" column and try to determine the number of websites used to display the
webpage.
8. Sort by "Result" column and try to find 304 pages. What does it mean? Does it affect
performance?
9. Double click any entry to switch to detailed view.
CQURE Academy says thank you!
Thank you for attending IIS training. We hope it was useful and that you feel that your IIS skills
are now at a higher level!
The CQURE Team wishes you all the best in your future engagements with IIS.
Please note that this training is a part of CQURE Academy and you are eligible to receive the
certificate of Certified Security Professional.
Do not forget to check our website: http://cqure.pl for new and existing training and
consultancy offers. You will find useful tools there as well.
Your opinion is extremely important to us. Please complete the 1 minute survey on
http://stderr.pl/surveys