IIS Application Pools for ASP.NET Apps

IIS Application Pools allow similar or related applications to be grouped to simplify management and configuration. Each application assigned to an application pool (or app pool) is isolated from the applications in other pools, so that a problem in one pool does not affect apps in other pools. Applications with similar performance profiles, or which belong to the same department in the business, can be grouped together.

IIS 7 automatically creates several application pools, including the default app pool, which is used when you create a new application. A new application is automatically assigned to the default application pool (DefaultAppPool), and a previously deployed app can have its application pool changed (for a variety of reasons, such as to enable it to use a newer version of the .NET Framework). Application pools can be created and managed using IIS. In the IIS Management Console expand the server and select Application Pools. This lists the app pools currently set up on the server, as shown below:

[Image: Application pools set up in IIS]

The application pool listing displays most of the key characteristics of each app pool:

  • Name: The name of the application pool, which cannot be changed after it has been created.
  • Status: Whether the application pool is running or stopped.
  • .NET Framework Version: The .NET Framework version which will execute the code.
  • Managed Pipeline Mode: IIS supports Integrated and Classic pipeline modes for handling requests.
  • Identity: The Windows account which runs the apps in the pool.
  • Applications: The number of applications running in the pool.

Creating a New Application Pool

Create a custom application pool by clicking the Add Application Pool link in the right-hand panel of the Application Pools screen.
Continues…
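The same pool creation and the listing columns described above, driven from PowerShell rather than the console. This is an added example, not code from the original article; it assumes IIS 7.5 on Windows Server 2008 R2 with the WebAdministration module available, and the pool name, site name and application path are placeholders. The identity step is the security-relevant one: a pool running as its own virtual account (ApplicationPoolIdentity) does not carry the rights of other pools or of a shared service account.

```powershell
# Added example (not from the original article): create an isolated app pool
# and move an existing application into it using the WebAdministration module.
# Assumes IIS 7.5 / Windows Server 2008 R2. Names below are placeholders.
Import-Module WebAdministration

$poolName = 'IntranetAppPool'    # placeholder pool name
$site     = 'Default Web Site'   # placeholder site
$appPath  = 'Intranet'           # placeholder application under the site

# Create the pool only if it does not already exist.
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
$pool = "IIS:\AppPools\$poolName"

# Runtime and pipeline mode: the ".NET Framework Version" and
# "Managed Pipeline Mode" columns of the console listing.
Set-ItemProperty $pool -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty $pool -Name managedPipelineMode   -Value 'Integrated'

# Identity: run under the per-pool virtual account rather than a shared
# or privileged account, so a compromised app gets only this pool's rights.
Set-ItemProperty $pool -Name processModel.identityType -Value 'ApplicationPoolIdentity'

# Move the application out of DefaultAppPool into the new pool.
Set-ItemProperty "IIS:\Sites\$site\$appPath" -Name applicationPool -Value $poolName

# Review: the same columns as the console listing. Pools whose Identity is
# not ApplicationPoolIdentity are the ones to look at first.
Get-ChildItem IIS:\AppPools |
    Select-Object Name, State, managedRuntimeVersion, managedPipelineMode,
        @{ Name = 'Identity';     Expression = { $_.processModel.identityType } },
        @{ Name = 'Applications'; Expression = {
            $n = $_.Name
            @(Get-WebApplication | Where-Object { $_.applicationPool -eq $n }).Count } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the web server; the final listing should show the moved application counted against the new pool and DefaultAppPool's count reduced by one.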

Install an SSL Certificate using IIS 7

To install an SSL certificate in IIS 7, you first need to issue a certificate for your web server. To do this, select the web server root node in the navigation tree of the management console, then select the Server Certificates feature, as shown below:

[Image: Server Certificates feature in the IIS Management Console]

After selecting Server Certificates, the IIS management console lists all the server certificates installed on the web server (see below). The first thing to note is that in IIS 7 you can install multiple server certificates on one web server, which can be used for multiple websites set up on that web server (previous IIS versions allowed only one server certificate per web server).

[Image: Server certificates listed in the IIS Management Console]

In the Server Certificates feature details view in the IIS Management Console, the task pane on the right side shows the tasks needed to install server certificates. You can create a certificate request automatically and then use it to request a new certificate from a CA. To create a new request, click the Create Certificate Request task link in the pane; this creates the same Base64-encoded request as previous versions of IIS. Submit this Base64-encoded request file to the CA. After retrieving the certificate from the CA, complete the pending request by clicking the Complete Certificate Request link. In this way you can both request and configure an SSL certificate for a standalone web server. If you need to request an SSL certificate from your own CA, use the Online Certification Authority wizard by clicking the Create Domain Certificate link. This certificate will then be configured in your own CA and will be used for signing certificates issued by this CA.

This process is quite laborious if you are a developer who just wants to test SSL with your own web apps. Therefore, IIS 7 ships with an additional option – creating a self-signed certificate for just your own machine. Click the Create a Self-Signed Certificate link in the console, and all you need to specify is a friendly name, which will be displayed in the listing. The wizard creates a certificate using the cryptographic functions of your local machine and automatically installs the certificate in your web server.
Continues…
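The Server Certificates view is a view of the machine's personal certificate store, so the same review and the final binding step can be scripted. This is an added example, not code from the original article; it assumes IIS 7.5 with the WebAdministration module, a site named "Default Web Site", and a certificate subject that is a placeholder. The checks are the ones worth making before binding: the certificate must have a private key, must not be expired, and a self-signed one should only ever end up on a test machine.

```powershell
# Added example (not from the original article): review installed server
# certificates and bind one to the site's HTTPS binding.
# Assumes IIS 7.5 / WebAdministration module. Site and subject are placeholders.
Import-Module WebAdministration

$site    = 'Default Web Site'          # placeholder site name
$subject = 'CN=www.example.test'       # placeholder certificate subject
$port    = 443

# Report each certificate's validity window, whether a private key is
# present (required to serve TLS) and whether it is self-signed.
$certs = Get-ChildItem Cert:\LocalMachine\My
$certs | Select-Object Subject, Issuer, NotBefore, NotAfter, HasPrivateKey,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } },
        @{ Name = 'DaysLeft';   Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# Pick the longest-lived usable certificate for the chosen subject.
$cert = $certs |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $subject in LocalMachine\My" }
if ($cert.Subject -eq $cert.Issuer) {
    Write-Warning "$subject is self-signed; clients will not trust it outside a test setup"
}

# Add the https binding to the site if it is missing ...
if (-not (Get-WebBinding -Name $site -Protocol https -Port $port)) {
    New-WebBinding -Name $site -Protocol https -Port $port -IPAddress '*'
}

# ... and attach the certificate. SslBindings items are named "<ip>!<port>";
# 0.0.0.0 means all addresses.
$binding = "IIS:\SslBindings\0.0.0.0!$port"
if (Test-Path $binding) { Remove-Item $binding }
New-Item $binding -Value $cert | Out-Null

# Verify which thumbprint is now serving the port.
Get-Item $binding | Select-Object IPAddress, Port, Thumbprint
```

The DaysLeft column is the one to feed into monitoring; an expired server certificate fails closed for every client, which is the usual way an SSL setup is first noticed by users rather than administrators.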

Windows Server File Level Security

Files on Windows Server are only as secure as their permissions. It is therefore worth knowing that Windows Server 2008 R2 does not give the Everyone group full control at either the NTFS level or the share level. Additionally, important system files and directories are secured to prevent unauthorized access. This is a definite improvement over previous versions of Windows Server, but a solid understanding of file-level security is still important to fully ensure the security of files on Windows Server.

Understanding NT File System (NTFS) Security

Windows Server 2008 R2 ships with the latest revision of NTFS (NT File System). Each object referenced in NTFS, including files and folders, carries ACEs (access control entries) that limit which users can access the resource. NTFS permissions use this concept to control read, write, and other types of access to files. File servers should make use of NTFS-level permissions, and all directories should have their file-level permissions examined to find holes in the NTFS permission set. Modifying NTFS permissions in Windows Server 2008 R2 is a simple process; follow the steps below:

  1. Right-click the file or folder to which the security will be applied, and select Properties.
  2. Click the Security tab.
  3. Click Advanced.
  4. Click Change Permissions.
  5. Uncheck Include Inheritable Permissions from This Object’s Parent.
  6. When prompted about the use of parent permissions, click Remove.
  7. In the Advanced dialog box, click Add to grant access to the users and/or groups who require access to the files or folders.
  8. Check the Replace All Child Object Permissions with Inheritable Permissions from This Object checkbox. Click OK.
  9. When prompted about replacing security on child objects, click Yes to replace the child object security.
  10. Click OK, and finally click OK again to close Properties.
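The ten steps above as a script, followed by the audit the text calls for (looking for entries that grant write-class access to broad principals). This is an added example, not from the original article; it assumes Windows Server 2008 R2 with PowerShell 2.0, and the folder path and group name are placeholders. Administrators and SYSTEM are re-added explicitly because removing inherited entries (step 6) would otherwise lock them out too.

```powershell
# Added example (not from the original article): apply the NTFS procedure
# from the text with Get-Acl/Set-Acl, then audit the tree for broad write access.
# Assumes Windows Server 2008 R2 / PowerShell 2.0. Path and group are placeholders.
$folder  = 'D:\Shares\Finance'        # placeholder folder
$group   = 'CORP\Finance-Users'       # placeholder group that needs the data
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$acl = Get-Acl -Path $folder

# Steps 5-6: stop inheriting from the parent and discard the inherited
# entries (second argument $false = do not keep copies of them).
$acl.SetAccessRuleProtection($true, $false)

# Step 7: grant only the group that needs access (Modify, not Full Control),
# plus the management principals that must keep control of the folder.
$grants = @{
    $group                    = [System.Security.AccessControl.FileSystemRights]::Modify
    'BUILTIN\Administrators'  = [System.Security.AccessControl.FileSystemRights]::FullControl
    'NT AUTHORITY\SYSTEM'     = [System.Security.AccessControl.FileSystemRights]::FullControl
}
foreach ($principal in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $principal, $grants[$principal], $inherit, $prop, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Steps 8-9: make every child inherit from this folder again and drop any
# explicit entries set lower in the tree, so the folder's ACL is authoritative.
Get-ChildItem -Path $folder -Recurse -Force | ForEach-Object {
    $child = Get-Acl -Path $_.FullName
    $child.SetAccessRuleProtection($false, $false)
    foreach ($e in @($child.Access | Where-Object { -not $_.IsInherited })) {
        [void]$child.RemoveAccessRule($e)
    }
    Set-Acl -Path $_.FullName -AclObject $child
}

# Audit: list entries that allow write-class rights to broad principals,
# the "holes in the NTFS permission set" the text refers to.
$broad     = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
Get-ChildItem -Path $folder -Recurse -Force | ForEach-Object {
    $p = $_.FullName
    (Get-Acl -Path $p).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value -and
                       $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $writeMask) } |
        ForEach-Object { "{0}`t{1}`t{2}" -f $p, $_.IdentityReference, $_.FileSystemRights }
}
```

Run the audit section on its own against an existing share before changing anything; an empty result is what a correctly scoped tree looks like, and each line it does print is a path where Everyone or Users can write.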

Share-Level Security Versus NTFS Security

Previous versions of Windows Server security used share-level permissions that were independently set. Continues…

Windows Intune Review

Windows Intune is a new product from Microsoft designed to let system admins manage and secure PCs across an enterprise.

Windows Server administrators have numerous tools to manage a network of servers (for example, security patches can be managed in-house using WSUS); however, managing individual PCs spread across multiple locations in the enterprise is less well served.

Intune is a cloud-based solution that allows administrators to log on to the Intune online portal and manage remote PCs. Note that every remote PC administered from Intune needs to have the Intune client installed.

Intune can perform the following roles:

  • Manage updates: Manage the deployment of Windows OS updates and service packs to remote PCs.
  • Protect PCs from malware: Helps safeguard the enterprise's PCs from the latest threats with centralized protection built on the Microsoft Malware Protection Engine, Microsoft Forefront Endpoint Protection and Microsoft Security Essentials.
  • Proactively monitor PCs: Get alerts on updates and threats to proactively identify and resolve problems on PCs.
  • Provide remote assistance: Resolve PC issues using remote assistance.
  • Track hardware and software inventory: Track the hardware and software assets used in the enterprise to efficiently manage assets, licenses, and compliance.
  • Set global security policies: Centrally manage updates as well as firewall and malware protection settings across the enterprise, even on remote machines outside the corporate network.

Requirements are quite minimal: client PCs need Windows XP or higher, and administrators need a browser supporting Silverlight 2 to access the online portal.

Getting Started Using Windows Intune

The first screen you are presented with after logging into the Intune online portal is the Overview screen, which provides a summary of PC system status across the enterprise.

[Image: Windows Intune Overview Page]

Clicking the Computers link on the left gives a listing of the computers being administered using Windows Intune. PCs can also be grouped for administration purposes.

[Image: Windows Intune Computers Listing]

Selecting one of the computers in the listing shows the full hardware and software details of the PC as well as the system updates applied.

[Image: PC System Details]

Intune will also show a listing of all the software products installed across the enterprise's PCs.

[Image: Listing of software installed across all the enterprise's PCs]

From the Intune online portal, admins can assign updates for distribution to PCs connected to Intune. Click Security Updates for a listing of all updates for the various Windows OSs on the PCs connected via Intune. The patches can be reviewed and then approved for distribution to PCs.

[Image: Windows Intune security updates listing]

Intune provides built-in protection against malware (such as trojans, spyware, rootkits and viruses) using the Microsoft Malware Protection Engine. PCs are protected automatically, with no intervention required from the administrator via Intune. When an attack is detected, the malware engine attempts to block it and reports the event on the Alerts Overview page of the Intune portal.

Security policies can be set for managed PCs using the Policy Overview page. A security policy lets you create new policy settings from simple template-based configurations. The template agent allows administrators to create standard policies covering security updates, firewall policies and malware protection.

A common issue for administrators is diagnosing and fixing problems on remote PCs. Windows Intune allows admins to remotely access, diagnose and fix problems on PCs managed by Intune.

The Windows Intune Center, which is installed on client PCs, allows the admin to remotely take control of the client desktop (after the client grants permission) via Microsoft Easy Assist.

In addition, the PC user can check the status of Windows Updates and scan their PC or attached storage for malware from their local Windows Intune Center.

[Image: Microsoft Windows Intune Center]

Overall, Intune is a capable offering from Microsoft. It offers admins a simple and efficient way to manage PCs across an enterprise. However, the product still has some shortcomings, such as the lack of any ability to manage software application distribution and versioning across managed PCs.