Install an SSL Certificate using IIS 7

To install an SSL certificate in IIS 7, you first need to issue a certificate for your web server. To do this, select the web server root node in the navigation tree of the management console, then select the Server Certificates feature, as shown below:


After selecting Server Certificates, the IIS management console lists all the server certificates installed on the web server (see below). The first thing to note is that IIS 7 lets you install multiple server certificates on one web server, which can be used for the multiple websites set up on that server (previous IIS versions allowed only one server certificate per web server).

In the Server Certificates feature details view in the IIS Management Console, the task pane on the right side shows the tasks needed to install server certificates. You can have the console create a certificate request, which you then use to request a new certificate from a CA. To create a new request, click the Create Certificate Request task link on the pane; this produces the same Base64-encoded request as in previous versions of IIS. Submit this Base64-encoded request file to the CA. After retrieving the certificate from the CA, complete the pending request by clicking the Complete Certificate Request link. In this way you can both request and configure an SSL certificate for a standalone web server. If you want the certificate issued by your own (domain) CA, use the online certification authority wizard by clicking the Create Domain Certificate link; the request is then sent to your own CA, which issues and signs the certificate.

This process is quite laborious if you are a developer who just wants to test SSL with your own web apps. Therefore, IIS 7 ships with an additional option: creating a self-signed certificate for just your own machine. Click the Create Self-Signed Certificate link in the console, and all you need to specify is a friendly name, which will be displayed in the listing. The wizard creates a certificate using the cryptographic functions of your local machine and automatically installs it in your web server.
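The request-and-complete flow described above can also be done from the command line with certreq.exe; the script below is an added example, not part of the original article, and the hostname, organisation and file paths in it are placeholders.

```powershell
# Added example (not from the original article): command-line equivalent of the
# "Create Certificate Request" and "Complete Certificate Request" tasks using certreq.exe.
# Hostname, organisation and file names below are placeholders for illustration.
$hostName = "www.example.com"
$infPath  = "C:\certs\$hostName.inf"
$reqPath  = "C:\certs\$hostName.req"
$cerPath  = "C:\certs\$hostName.cer"   # certificate file returned by the CA

New-Item -ItemType Directory -Path (Split-Path $infPath) -Force | Out-Null

# Request parameters. MachineKeySet=TRUE stores the private key in the machine store so that
# IIS (running as a service) can use it; Exportable=FALSE keeps the key from being copied out
# of the store; the EKU OID is Server Authentication.
@"
[NewRequest]
Subject = "CN=$hostName, O=Example Org, C=IE"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $infPath -Encoding ASCII

# Step 1: generate the key pair and the Base64-encoded request to submit to the CA.
certreq.exe -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Step 2 (once the CA has returned $cerPath): complete the pending request. This pairs the
# issued certificate with the private key generated above and installs it in LocalMachine\My.
if (Test-Path $cerPath) {
    certreq.exe -accept $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # Verify: the certificate must be in the machine store with its private key attached,
    # otherwise IIS cannot bind it to an HTTPS site.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$hostName*" -and $_.HasPrivateKey }
    if (-not $cert) { throw "Certificate for $hostName not found with a private key" }
    "Installed: {0}  thumbprint {1}  expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
}
```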

Windows Server File Level Security

Files on Windows Server are only as secure as their permissions. It is therefore important to know that Windows Server 2008 R2 does not give the Everyone group full control at either the NTFS level or the share level. Additionally, important system files and directories are secured to prevent unauthorized access. This is a definite improvement over previous versions of Windows Server, but a solid understanding of file-level security is still important to fully ensure the security of files on Windows Server.

Understanding NT File System (NTFS) Security

Windows Server 2008 R2 ships with the latest revision of NTFS (NT File System). Each object referenced in NTFS, including files and folders, carries access control entries (ACEs) that limit which users can access the resource. NTFS permissions use this concept to control read, write and other types of access to files. File servers should make use of NTFS-level permissions, and all directories should have their file-level permissions examined to find any holes in the NTFS permission set. Modifying NTFS permissions in Windows Server 2008 R2 is a simple process; follow the steps below:

  1. Right-click the file or folder to which the security will be applied, and select Properties.
  2. Click the Security tab.
  3. Click Advanced.
  4. Click Change Permissions.
  5. Uncheck Include Inheritable Permissions from This Object’s Parent.
  6. When prompted about the use of parent permissions, click Remove.
  7. In the Advanced dialog box, click Add to grant access to the users and/or groups who require access to the files or folders.
  8. Check the Replace All Child Object Permissions with Inheritable Permissions from This Object check box. Click OK.
  9. When prompted about replacing security on child objects, click Yes to replace the child object security.
  10. Click OK, and finally click OK again to close Properties.
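The same ten steps can be scripted with Get-Acl and Set-Acl, which is also the practical way to run the "examine directories for holes" check mentioned above across a whole tree. This is an added example, not code from the original article; the folder path and group name are placeholders.

```powershell
# Added example (not from the original article): a scripted equivalent of the ten steps above
# using Get-Acl/Set-Acl, followed by an audit for the "holes" the text says to look for.
# Folder path and group name are placeholders.
$folder = "D:\Shares\Finance"
$group  = "CONTOSO\Finance-Users"

function Set-ExplicitFolderAccess {
    param([string]$Path, [string]$Identity, [string]$Rights = "Modify")

    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $acl = Get-Acl -Path $Path

    # Steps 5-6: stop inheriting from the parent and REMOVE the inherited entries
    # (second argument $false = do not keep copies of them as explicit entries).
    $acl.SetAccessRuleProtection($true, $false)

    # Step 7: grant the identity that needs access, plus SYSTEM and Administrators so the
    # folder stays manageable. Each entry flows down to subfolders and files.
    $grants = @(
        @($Identity,                $Rights),
        @("NT AUTHORITY\SYSTEM",    "FullControl"),
        @("BUILTIN\Administrators", "FullControl"))
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $g[0], $g[1], $inherit, "None", "Allow"
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Steps 8-9 ("Replace all child object permissions"): every child goes back to inheriting
    # and loses its own explicit entries, so the tree carries only the ACL set above.
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $childAcl = Get-Acl -Path $_.FullName
        $childAcl.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
            $childAcl.RemoveAccessRule($ace) | Out-Null
        }
        Set-Acl -Path $_.FullName -AclObject $childAcl
    }
}

# Audit helper: list Allow entries that give broad principals write-class rights under the path.
function Find-BroadWriteAccess {
    param([string]$Path)
    $broad = "Everyone", "BUILTIN\Users", "NT AUTHORITY\Authenticated Users", "ANONYMOUS LOGON"
    $writeMask = [System.Security.AccessControl.FileSystemRights]"Write, Modify, FullControl"
    $items = @(Get-Item $Path) + @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            if ($ace.AccessControlType -eq "Allow" -and
                $broad -contains $ace.IdentityReference.Value -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                New-Object PSObject -Property @{
                    Path = $item.FullName; Identity = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

Set-ExplicitFolderAccess -Path $folder -Identity $group -Rights "Modify"
# Anything listed here is a hole: a broad principal can change data under $folder.
Find-BroadWriteAccess -Path $folder | Format-Table -AutoSize
```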

Share-Level Security Versus NTFS Security

Previous versions of Windows Server security used share-level permissions that were independently set. Continues…

Windows Intune Review

Windows Intune is a new product from Microsoft designed for system admins to manage and secure PCs across an enterprise.

Windows Server administrators have numerous tools to manage a network of servers (for example, security patches can be managed in-house using WSUS); however, there has been no equivalent for managing individual PCs spread across multiple locations in the enterprise.

Intune is a cloud-based solution that allows administrators to log on to the Intune online portal and manage remote PCs. Note that every remote PC administered from Intune must have the Intune client installed.

Intune can perform the roles below:

  • Manage Updates: Manage the deployment of Windows OS updates and service packs to remote PCs.
  • Protect PCs from malware: Helps safeguard the enterprise’s PCs from the latest threats with centralized protection built on the Microsoft Malware Protection Engine, Microsoft Forefront Endpoint Protection and Microsoft Security Essentials.
  • Proactively monitor PCs: Get alerts on updates and threats to proactively identify and resolve problems on PCs.
  • Provide remote assistance: Resolve PC issues using remote assistance.
  • Track hardware and software inventory: Track the hardware and software assets used in the enterprise to efficiently manage your assets, licenses and compliance.
  • Set global security policies: Centrally manage updates as well as firewall and malware protection settings across the enterprise, even on remote machines outside the corporate network.

Requirements are quite minimal: client PCs need Windows XP or higher, and administrators need a browser that supports Silverlight 2 to access the online portal.

Getting Started Using Windows Intune

The first screen you are presented with after logging into the Intune online portal is the Overview screen, which provides a summary of PC system status across the enterprise.


Windows Intune Overview Page

Clicking the Computers link on the left gives a listing of the computers administered using Windows Intune. PCs can also be grouped for administration purposes.


Windows Intune Computers Listing

Selecting one of the computers in the listing shows the full details of the PC’s hardware and software as well as the system updates applied.


PC System Details

Intune also shows a listing of all the software products installed across the enterprise’s PCs.


Listing of Software Installed across all the enterprise’s PCs

From the Intune online portal, admins can assign updates for distribution to PCs connected to Intune. Click Security Updates for a listing of all updates for the various Windows OSs on the PCs connected via Intune. The patches can be reviewed and then approved for distribution to PCs.


Intune provides built-in protection against malware (such as trojans, spyware, rootkits and viruses) using the Microsoft Malware Protection Engine. PCs are protected automatically, with no intervention required from the administrator via Intune. If an attack is detected, the malware engine attempts to block it and reports the events on the Alerts Overview page of the Intune portal.

Security policies can be set for managed PCs using the Policy Overview page. A security policy lets you create new policy settings from simple template-based configurations. The template agent allows administrators to create standard policies that configure security updates, firewall policies and malware protection.

A common issue for administrators is diagnosing and fixing issues on remote PCs. Windows Intune allows admins to remotely access, diagnose and fix problems on PCs managed by Intune.

The Windows Intune Center, which is installed on client PCs, allows the admin to take remote control of the client desktop (after the client grants permission) via Microsoft Easy Assist.

In addition, the PC user can check the status of Windows Updates and scan their PC or attached storage for malware from their local Windows Intune Center.

Microsoft Windows Intune Center

Overall, Intune is a capable offering from Microsoft. It offers admins a simple and efficient way to manage PCs across an enterprise. However, the product still has some shortcomings, such as the lack of any ability to manage software application distribution and versioning across managed PCs.

Using Windows Server Update Services – WSUS

Once WSUS has been installed, the organization must decide how to use WSUS to configure updates for the client servers under its control. Organizations that don’t use Active Directory or group policies will have to configure every client server manually with the location of the WSUS server. This can be done either through a local policy or directly through the Registry settings.

In most circumstances, however, the organization will be using Active Directory and can configure all clients centrally.

Configuring WSUS Clients via Group Policy

A group policy in an Active Directory environment can be used to configure the Automatic Updates client included with all current versions of Windows. In Windows Server 2008 R2 the domain controllers already contain the correct Windows Update Group Policy extension, and a group policy can be defined by following the steps below:

  1. Launch Group Policy Management (Start > All Programs > Administrative Tools > Group Policy Management).
  2. Navigate to the organizational unit that will have the group policy applied, right-click the name of the unit, and then select Create a GPO in This Domain, and Link It Here.
  3. Enter a name for the new GPO (there is also an option to start from the existing settings of a current GPO). Click OK.
  4. Right-click your new GPO and select Edit to start the Group Policy Management Editor, then expand Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
  5. Double-click the Configure Automatic Updates setting.
  6. Set the group policy to Enabled, and then configure the automatic updating behaviour as required. The three options (2, 3, 4) allow different degrees of client intervention. To enable installation without client involvement, select option 4 (Auto download and schedule the install).
  7. Next, schedule the interval at which updates will be installed, and note that some updates will require a reboot.
  8. Select Next Setting for more configuration options.
  9. Click Enabled to set the location of your organization’s WSUS server; it is recommended to enter the fully qualified domain name of the server. Enter both settings (normally the same server), and then click OK to save the Group Policy settings. Then click Next Setting. (Note that organizations that elect to use a custom IIS website will have to use port 8530 for client access to WSUS, in which case enter the web location with the port number appended for both settings.)
  10. Set the interval at which the client will check for updates, and then click Next Setting.
  11. Review the remaining option settings and configure them as required. Then click OK.
  12. Repeat the above steps for any additional organizational units.
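The steps above can be scripted with the GroupPolicy module (available with the Group Policy Management feature on Windows Server 2008 R2); the policy settings map onto the registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, which is also what you would set by hand on a non-domain client. This is an added example, not from the original article; the GPO name, OU distinguished name and WSUS URL are placeholders.

```powershell
# Added example (not from the original article): scripted equivalent of the Group Policy
# steps above, using the GroupPolicy module. GPO name, OU and WSUS URL are placeholders.
Import-Module GroupPolicy

$gpoName = "WSUS - Automatic Updates"
$ouDn    = "OU=Servers,DC=contoso,DC=com"
$wsusUrl = "http://wsus01.contoso.com:8530"   # :8530 only when WSUS uses a custom IIS site

$wuKey = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auKey = "$wuKey\AU"

# Steps 2-3: create the GPO and link it to the OU (safe to re-run).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDn -ErrorAction SilentlyContinue | Out-Null

# Steps 6-7: "Configure Automatic Updates" = Enabled, option 4 (auto download and schedule
# the install), every day (ScheduledInstallDay 0) at 03:00.
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName NoAutoUpdate         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName AUOptions            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName ScheduledInstallDay  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName ScheduledInstallTime -Type DWord -Value 3 | Out-Null

# Step 9: "Specify intranet Microsoft update service location" = Enabled; update server and
# statistics server both point at the WSUS server, and UseWUServer switches clients to it.
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName WUServer       -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -ValueName WUStatusServer -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName UseWUServer    -Type DWord  -Value 1 | Out-Null

# Step 10: "Automatic Updates detection frequency" = Enabled, check every 8 hours.
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName DetectionFrequencyEnabled -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName DetectionFrequency        -Type DWord -Value 8 | Out-Null

# Verification on a client after "gpupdate /force": the policy keys must match what was set;
# if they do not, the machine is still talking to Microsoft Update directly.
function Test-WsusClientPolicy {
    param([string]$ExpectedUrl)
    $wu = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -ErrorAction SilentlyContinue
    $au = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue
    $ok = $wu -and $au -and ($wu.WUServer -eq $ExpectedUrl) -and ($au.UseWUServer -eq 1) -and ($au.AUOptions -eq 4)
    New-Object PSObject -Property @{
        Configured  = [bool]$ok
        WUServer    = $wu.WUServer
        UseWUServer = $au.UseWUServer
        AUOptions   = $au.AUOptions
    }
}
Test-WsusClientPolicy -ExpectedUrl $wsusUrl
```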

Depending on the settings chosen in the Registry or group policy, clients managed by WSUS will automatically download updates throughout the day and then install them at the specified time. Client servers configured to use WSUS for updates will not be prompted to configure their Automatic Update settings; these are grayed out to prevent changes from being made. Users without local admin access cannot change the installation schedule, although local admin users are able to postpone forced installs.
It is normally considered best practice to allow servers to control the download and install schedule, but to force all clients to perform both download and installation automatically.

Windows Server Update Services – Installing WSUS

A major issue with security on Windows Server installations is the difficulty of keeping all servers up to date with the latest security patches and fixes. The Windows Update service, which allows automatic download and installation of security fixes, is really only suitable for smaller enterprises; large enterprises with numerous Windows Server installations do not wish to bear the bandwidth and overhead of having each server run its own individual update. Windows Server Update Services (WSUS) is a free download from Microsoft that effectively gives an enterprise its own update server, independent of the Windows Update servers. Clients then connect to the central intranet WSUS server for all security patches and OS updates.

Windows Server Update Services (WSUS) Requirements

It is optimal to install WSUS on a dedicated server, but it can also be installed on a Windows Server 2008 R2 server that is running other tasks, provided the server is running Internet Information Services (IIS). The minimum requirements for WSUS are:

  • Windows Server 2003 SP1 or higher
  • Background Intelligent Transfer Service (BITS)
  • Internet Information Services (IIS)
  • Windows Internal Database role or, alternatively, SQL Server 2005 (or higher) installed locally or on a remote server
  • .NET Framework 2.0 or higher

Installing WSUS on  Windows Server 2008 R2

WSUS installation is a simple process, as it is installed as a server role from Server Manager. The steps below install Windows Server Update Services plus all required components.
To complete the initial installation of WSUS, follow these steps:

  1. Launch the Server Manager.
  2. On the Roles Summary pane, select Add Roles to launch the wizard and click Next.
  3. Select Windows Server Update Services, and then click Next.
  4. Next, the Add Role Services and Features Required for Windows Server Update Services window prompts you for any additional components to be installed. The required components are the IIS web server and management tools, the Windows Process Activation Service Process Model, and the .NET Framework. Click Add Required Role Services to continue, and then click Next.
  5. Read the Introduction to Web Server (IIS) overview (if necessary) and then click Next.
  6. Hit Next to select the default role services to install for IIS.
  7. Read the Introduction to Windows Server Update Services overview(if necessary) and then click Next.
  8. After reading the summary of installation selections,  click Install.
  9. Server Manager shows “Searching for Updates” and “Downloading” while it connects to Microsoft’s servers and downloads WSUS. It also installs IIS and the Windows Process Activation Service, if required.
  10. The Windows Server Update Services Setup Wizard is displayed as the installation progresses. Click Next.
  11. Read and accept the license agreement for WSUS, and then click Next.
  12. If alerted that Report Viewer 2005 is not installed just click Next to continue with the installation (note that some reports will be unavailable without Report Viewer installed).
  13. Select the Store Updates Locally check box, and then enter a location to store them. This location needs enough space to hold a large number of downloadable patches. Click Next.
  14. Select Install the Windows Internal Database on This Computer, or alternatively, Use an Existing Database Server on a Remote Computer if you wish to use a remote SQL Server.
  15. Select to Use the Existing IIS Web Site and then click Next to continue with the installation.
  16. Review the security settings on the Ready to Install page and then click Next.
  17. The installation then completes in the Server Manager and, once the Finish button is clicked, the WSUS Configuration Wizard is shown. Review the information and then click Next.
  18. Click Next to sign up to the Microsoft Update Improvement Program.
  19. Select Synchronize from Microsoft Update, and then click Next.
  20. If necessary, configure your proxy server settings  and then click Next.
  21. Click on Start Connecting to save your settings and download update information. This process can  take several minutes. Then click Next.
  22. Select the preferred update language(s), and then click Next.
  23. Select the products which you want to have updates for, and click Next.
  24. Select the classifications of the updates that you wish to  download, and click Next.
  25. Set the schedule that you want WSUS to automatically synchronize with  the Microsoft Update servers or alternatively you can select Synchronize Manually. Click Next.
  26. Make sure that Begin Initial Synchronization is selected, and then click Finish.
  27. Finally, review the installation results, click Close, and then close the Server Manager.

Windows Server Update Services is administered from the WSUS MMC, which is the main location for all WSUS configuration settings and is its only administrative console. The WSUS MMC is located at Administrative Tools > Microsoft Windows Server Update Services 3.0 SP1, or can be accessed directly from Server Manager.

PowerShell Remoting

A major drawback of PowerShell 1.0 was the lack of a method to execute commands on a remote machine. PowerShell 2.0 addresses this with a new feature named remoting, which is designed to enable command (or script) execution on remote machines. Using PowerShell remoting, commands can be issued either synchronously or asynchronously and even scheduled or throttled.

Before using PowerShell remoting, you will first need the appropriate permissions to connect to the remote machine, then execute PowerShell, and finally execute the desired command or scripts. Additionally, the remote machine will need to have both PowerShell 2.0 and Windows Remote Management (WinRM) installed, and PowerShell will need to be configured for remoting. Note that the commands executed via remoting will be subject to the remote machine’s execution policies, preferences, and profiles.

PowerShell Remoting Requirements

Before using PowerShell remoting, both the local and remote computers must have the below:

  • PowerShell 2.0 or later
  • .NET Framework 2.0 or later
  • Windows Remote Management (WinRM) 2.0 (part of Windows 7 and Windows Server 2008 R2; for previous versions of Windows, an integrated installation package needs to be downloaded and installed, and the PowerShell 2.0 download includes it).

Configuring Remoting

On Windows Server 2008 R2, both PowerShell and WinRM are installed by default; however, for security reasons, both PowerShell remoting and WinRM are initially configured not to allow remote connections. There are several methods to configure remoting:

The simplest method to enable PowerShell remoting is to execute the Enable-PSRemoting cmdlet:
PS C:\> Enable-PSRemoting
Once this is executed, the cmdlet performs the tasks below:

  • Runs the Set-WSManQuickConfig cmdlet, which in turn performs the following tasks:
    • Starts the WinRM service.
    • Sets the WinRM service startup type to Automatic.
    • Creates a listener to accept requests on any IP address.
    • Enables a firewall exception for WS-Management communications.
  • Enables all registered PowerShell session configurations to receive instructions from remote computers.
  • Registers the “Microsoft.PowerShell” session configuration (unless it has already been registered).
  • Registers the “Microsoft.PowerShell32” session configuration on 64-bit systems (unless it has already been registered).
  • Removes the “Deny Everyone” setting from the security descriptor of all registered session configurations.
  • Finally, restarts WinRM to make the above changes effective.

Note that the Enable-PSRemoting cmdlet needs to be executed as an Administrator (using the Run As Administrator option).

Using PowerShell Remoting

The power of PowerShell remoting is that all the cmdlets and scripts you used in PowerShell 1.0 are available on every remote machine (provided PowerShell is installed on the server).
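The synchronous, throttled and asynchronous modes mentioned at the start of this section look like this in practice; the script below is an added example, not from the original article, and the server names in it are placeholders.

```powershell
# Added example (not from the original article): confirm that each server accepts remoting,
# then run the same command on all of them, throttled, and again as a background job.
# Server names are placeholders.
$servers = "srv01.contoso.com", "srv02.contoso.com", "srv03.contoso.com"

# Test-WSMan asks the remote WinRM listener to identify itself; it fails fast if the service
# is stopped, the listener is missing or the firewall exception was never enabled.
$reachable = @($servers | Where-Object {
    try { Test-WSMan -ComputerName $_ -ErrorAction Stop | Out-Null; $true } catch { $false }
})
$servers | Where-Object { $reachable -notcontains $_ } |
    ForEach-Object { Write-Warning "$_ : WinRM not reachable (has Enable-PSRemoting been run?)" }

# Synchronous fan-out: the script block runs on each remote host under THAT host's execution
# policy and profile; -ThrottleLimit bounds how many connections are open at once.
$results = Invoke-Command -ComputerName $reachable -ThrottleLimit 2 -ScriptBlock {
    $au = Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -ErrorAction SilentlyContinue
    $os = Get-WmiObject Win32_OperatingSystem
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        WinRM      = (Get-Service WinRM).Status
        WsusClient = [bool]$au.UseWUServer
        LastBoot   = $os.ConvertToDateTime($os.LastBootUpTime)
    }
}
$results | Select-Object Computer, WinRM, WsusClient, LastBoot | Format-Table -AutoSize

# Asynchronous variant: -AsJob returns at once; the output is collected later with Receive-Job.
$job = Invoke-Command -ComputerName $reachable -AsJob -ScriptBlock {
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
}
Wait-Job $job | Out-Null
Receive-Job $job | Format-Table PSComputerName, HotFixID, InstalledOn -AutoSize
Remove-Job $job
```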

Integrated Windows Firewall with Advanced Security in Windows Server 2008 R2

The integrated firewall included with Windows Server 2008 R2 is vastly improved over the integrated firewall of previous versions, and it is turned on by default. The firewall is administered from an MMC snap-in, shown below (accessed at Start > All Programs > Administrative Tools > Windows Firewall with Advanced Security), and provides unprecedented security and control on a server.

Windows Firewall with Advanced Features MMC Snap in

The new firewall with advanced security is now fully integrated into the Server Manager utility and also the Server Roles Wizard. If, for example, an admin runs the Server Roles Wizard and elects to make the server a file server, only the ports and protocols required for file server access are then opened on the server.

Most Windows Server admins instinctively disable software firewalls on servers, due to the numerous problems with this functionality in the past. This approach is, however, not recommended in Windows Server 2008 R2, as the product is now tightly integrated with the firewall, and the firewall provides a much higher level of security than in previous versions of Windows Server.

Creating Outbound and Inbound   Rules with Windows Firewall

In some instances, when a third-party app isn’t integrated with Server Manager, or when specific individual ports need to be opened, it may be necessary to create firewall rules so that individual services run properly. Both inbound rules (i.e., addressing traffic coming to the server) and outbound rules (i.e., addressing the server’s outward communication) can be created with the Windows Firewall. These rules can be based on the factors below:

  • Program—Rules that allow a specific program executable access can be created. For example, you could specify that the c:\Program Files\XYZ Program\xyzprogram.exe file has full outbound access when it is running. Windows Firewall will then allow any type of connection made by that program. This is useful in scenarios where a specific application server uses many varied ports, but the overarching security the firewall provides is still required.
  • Port—Entering a traditional TCP or UDP port in the Add Rules Wizard is supported, which covers traditional scenarios such as the requirement to open port 8787 on the server.
  • Predefined—Windows Server also ships with predefined rules, such as those which allow AD DS, DFS, BITS, HTTP, and many more. The advantage of using these predefined rules is that Microsoft has done the work in advance, so it is much more straightforward to allow a specific service.
  • Custom—Custom rule types not covered by the other categories can also be created.

For example, the steps below show how to create an inbound rule to allow a custom app to use TCP port 8787 for inbound communication:

  1. Start the Windows Firewall MMC (Start > All Programs > Administrative Tools > Windows Firewall with Advanced Security).
  2. Select the Inbound Rules node in the node panel.
  3. On the Actions pane, select the New Rule link.
  4. On the Rule Type page of the New Inbound Rule Wizard, select Port to create a rule based on the port, and then click Next.
  5. On the Protocol and Ports page, select TCP, enter 8787 in the Specific Local Ports field, and then click Next.
  6. Select Allow to enable the connection on the Action page. The Action page of the New Inbound Rule Wizard also allows a rule to be configured that will only allow a connection secured using IPsec.
  7. On the Profile page, check all three check boxes (this page lets an admin specify that a rule applies only when connected to specific networks). Then click Next.
  8. Enter a name for the rule, and then click Finish to complete the process.

You should review the rule settings in the Inbound Rules node, which provides a quick-glance view of the rule settings. You may also include a rule within a rule group; this allows multiple rules to be bound together and switched on or off as one.
The integrated Windows Firewall is now a vital part of Windows Server security. The newly added ability to define rules based on factors such as profile, scope and IPsec status positions Windows Server as an OS with one of the highest levels of integrated security.
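The wizard steps for the TCP 8787 rule can be reproduced with netsh advfirewall, which is the scripting interface on Windows Server 2008 R2 (the firewall cmdlets arrived in later releases); the script below is an added example, not from the original article, and the rule name and remote subnet are placeholders. It narrows the rule to a remote-address scope, which the wizard leaves at "any" unless you edit the rule afterwards.

```powershell
# Added example (not from the original article): the inbound TCP 8787 rule from the steps
# above, created with netsh advfirewall, scoped to a source subnet, then verified.
$ruleName    = "Custom App - TCP 8787 inbound"
$port        = 8787
$allowedFrom = "10.0.20.0/24"    # placeholder: the subnet that legitimately talks to the app

# Remove any stale copy first so re-running the script does not create duplicates.
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null

# dir=in action=allow protocol=TCP localport=8787 mirrors wizard steps 4-6; profile=any
# matches ticking all three profile boxes (step 7); remoteip limits the rule to the stated
# scope instead of the default "any". Add security=authenticate to require an
# IPsec-authenticated connection, as the Action page allows.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP `
    localport=$port remoteip=$allowedFrom profile=any description="Added for custom app on 8787"
if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule (exit code $LASTEXITCODE)" }

# Verify: the rule exists, is enabled, carries the expected port, and is not open to any source.
$shown   = netsh advfirewall firewall show rule name="$ruleName" verbose
$enabled = [bool]($shown | Select-String '^Enabled:\s+Yes')
$hasPort = [bool]($shown | Select-String "^LocalPort:\s+$port\s*$")
$remote  = ($shown | Select-String '^RemoteIP:' | ForEach-Object { $_.Line }) -join ' '
$scoped  = $remote -and ($remote -notmatch 'Any')
if (-not ($enabled -and $hasPort)) { throw "Rule '$ruleName' missing or misconfigured" }
if (-not $scoped) { Write-Warning "Rule '$ruleName' accepts connections from any remote address" }

# A rule on a disabled firewall enforces nothing, so confirm the state of every profile too.
netsh advfirewall show allprofiles state
```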

IIS Express – Getting Started Tutorial

Note : The official name for the product is IIS Developer Express although it is often shortened to IIS Express (which is Microsoft’s internal code-name).

IIS Express is a new, lightweight version of IIS which is integrated into WebMatrix (Microsoft’s newly introduced web development environment; see the WebMatrix Tutorial for an overview). This tutorial introduces the core features of IIS Express as well as its underlying technology. IIS Express does not ship with a management module such as the IIS Manager for IIS 7; it is managed from within WebMatrix or from the IIS Express icon in the task bar (integration with Visual Studio is planned for future releases).

IIS Express is a response to the problem of web developers having to master so many tools to build apps: Visual Studio, the IIS Management Console, SQL Server Management Studio. Microsoft’s plan is clearly to have a single simple tool which tightly integrates the coding tool, database management and web server management. Visual Studio does include a built-in web server which allows quick testing of apps; however, that web server has no configuration options and is not fully compatible with IIS, meaning that apps will need to be retested in the production environment. IIS Express promises a fully compatible and easy-to-configure testing environment for apps.

Under the Hood

A major difference between ‘classic’ IIS and IIS Developer Express is the way worker processes are managed. In IIS, WAS (Windows Process Activation Service) silently activates and deactivates web apps, and the admin has no direct control over this process. In IIS Express there is no automated WAS process, and the user has full control of, and responsibility for, application activation and deactivation. Web sites can be launched from the WebMatrix development tool or from the command line (see below). Sites which are already running can be terminated or relaunched using the IIS Express icon in the system tray.
IIS Express is actually just a thin wrapper around the Hostable Web Core (HWC), an IIS 7 API which can be used to run web applications and is essentially a web server without a user interface.

IIS Express Compatibility

IIS Express supports all versions of the .NET Framework from .NET 2.0 SP1 upwards; the programming languages supported are Classic ASP, ASP.NET and PHP (FastCGI is built into IIS Express). In terms of OSs supported, it will work with any Windows operating system from XP onwards.

One key factor to note is that IIS Express is not intended for use on production servers (so it is not the IIS equivalent of the Windows Server Core). It is only intended for use on the local host and will not handle inbound traffic to the system (although it is possible in some scenarios to customize it for this purpose).

Installing IIS Express

Currently there is no separate download for IIS Express and it only comes as part of the installation of WebMatrix (which can be downloaded here). Simply install WebMatrix and IIS Express will be installed on your system.

Using IIS Express

Once WebMatrix has been installed, launch the tool and then either use a template or open a new site. Once you have a site loaded in WebMatrix, simply click the Run dropdown and select the browser to run the app in. IIS Express will then launch and run the app.


Once launched, IIS Express is available in the system tray. There are only a limited number of options, primarily the ability to start and stop the apps.

Hyper-V Server Backup

Hyper-V complicates the backup process on a Windows Server 2008 R2 server. The major issue is whether to back up the host server running Hyper-V or to back up the VMs (virtual machines) individually. Both options have their own advantages and disadvantages.

Hyper-V Host Server Backup

If you elect to back up the Hyper-V host server, it is normally possible to include the VMs in the backups, which protects the entire system with a single process. The Hyper-V VSS (Volume Shadow Copy Service) Writer makes it possible to back up VMs from the host system. If you wish to use Windows Server Backup for an entire Hyper-V server and its VMs, you will need to register the Hyper-V VSS Writer with the backup software by adding the registry key below:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup\Application Support\{66841CD4-6DED-4F4B-8F17-FD23F8DDC3DE}

Then, under that registry key, create a String Value with the following settings:

  • Name: Application Identifier
  • Type: REG_SZ
  • Value: Hyper-V
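The registration above, scripted and verified, as an added example that is not part of the original article (the key path and GUID are the ones given in the text):

```powershell
# Added example (not from the original article): registers the Hyper-V VSS Writer with
# Windows Server Backup by creating the key and value named above, then checks the result.
$guid    = "{66841CD4-6DED-4F4B-8F17-FD23F8DDC3DE}"   # Hyper-V VSS Writer id from the text
$keyPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup\Application Support\$guid"

if (-not (Test-Path $keyPath)) {
    # -Force also creates the missing intermediate keys (WindowsServerBackup\Application Support).
    New-Item -Path $keyPath -Force | Out-Null
}
# REG_SZ value "Application Identifier" = "Hyper-V" (-Type String writes REG_SZ).
Set-ItemProperty -Path $keyPath -Name "Application Identifier" -Value "Hyper-V" -Type String

function Test-HyperVVssRegistration {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $value = (Get-ItemProperty -Path $Path)."Application Identifier"
    $kind  = (Get-Item -Path $Path).GetValueKind("Application Identifier")
    ($value -eq "Hyper-V") -and ($kind -eq [Microsoft.Win32.RegistryValueKind]::String)
}
Test-HyperVVssRegistration -Path $keyPath    # True once the registration is in place

# The writer itself must also be present and stable; it is listed by vssadmin as
# "Microsoft Hyper-V VSS Writer" on a host with the Hyper-V role installed.
vssadmin list writers | Select-String "Microsoft Hyper-V VSS Writer" -Context 0,4
```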


BitLocker To Go Encryption for Windows Server 2008 R2

BitLocker To Go encryption is a new feature in Windows Server 2008 R2 that provides encryption for removable drives. This is a very important feature for backups, as it ensures that backup media are protected.

Before using BitLocker To Go, you will need to add the BitLocker feature to Windows Server 2008 R2. From Server Manager, select the server and then click Add Features from the Action menu, which opens the Add Features Wizard. From there, select BitLocker Drive Encryption; you will see the regular BitLocker, which is designed for fixed drives and uses a TPM (Trusted Platform Module), and also the new BitLocker To Go for removable drives.

To add BitLocker Drive Encryption from PowerShell, use the below code from an elevated PowerShell command line:

Import-Module ServerManager
Add-WindowsFeature BitLocker

BitLocker To Go can be managed by double-clicking the BitLocker Drive Encryption icon in the Control Panel. From there, to enable BitLocker To Go on a removable drive, click Turn On BitLocker beside the drive icon.

The first time BitLocker or BitLocker To Go is run on the server, you will see a warning message that this can impact performance; click Yes at this prompt and the BitLocker Drive Encryption Wizard will start.

First, select how to unlock the drive, using either a password or a smart card. Next you will be offered several methods for saving the recovery key; normally it is preferable to use all of them: save it to a file and keep the file safe, and print the recovery key and store the printout in a safe location. Make sure you store the recovery key where it can be easily accessed when you need it.
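The same wizard steps can be driven from the command line with manage-bde, which is convenient when many backup drives are prepared; this is an added example, not from the original article, and the drive letter and key-storage share are placeholders.

```powershell
# Added example (not from the original article): enable BitLocker To Go on a removable drive
# with manage-bde, storing the recovery material somewhere other than the drive itself.
# Drive letter and key folder are placeholders.
$drive    = "E:"
$keyStore = "\\fileserver\BitLockerKeys"   # access-controlled share, never the USB drive itself

# -pw prompts for the unlock password (wizard step 1). -rk writes a recovery-key file to the
# folder and -rp generates a 48-digit recovery password, so two independent recovery methods
# exist, matching the advice above to use every available method.
manage-bde -on $drive -pw -rk $keyStore -rp
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed (exit code $LASTEXITCODE)" }

# Check the protectors: a drive with a password protector but no recovery protector is lost
# the moment the password is forgotten. Then watch encryption progress until 100%.
manage-bde -protectors -get $drive
manage-bde -status $drive
```

The recovery password is printed to the console by -rp; record it in the same protected location as the key file before clearing the screen.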