Lab 8 DHCP and IIS

advertisement
Lab 8: DHCP and IIS
Oct 29, 2010
Part 1: Configuring Your Server as a DHCP Server
Dynamic Host Configuration Protocol (DHCP) can be installed manually or by using the Windows
Server 2003 Manage Your Server wizard. This section uses the wizard to complete the
installation.
To install DHCP using the Windows Server 2003 Manage Your Server Wizard
1. Under Server Role, click DHCP server, and then click Next.
2. Review the Summary of Selections, and then click Next to begin the installation.
3. When the New Scope Wizard appears, click Next to define a DHCP scope.
4. For Name, type Region-x HQ. Leave the description blank, and then click Next.
5. Enter a Start IP address and the End IP address as follows:
Student
Justin Benoit
Vlad Chernyavdkyy
Fred Chisholm
Josh Christensen
Clorice Fontaine
Ryan Gamblin
Eric Henderson
Jake Jesso
Adam Lucas
Jason MacDonald
Jayce MacDonald
Pat MacDonald
Bill MacEachern
Aaron Miller
Jamie Scott
Chad Shearer
Jonathan Wolfe
Liam Yuill
Server IP
IP range for DHCP
172.16.144.20
172.16.144.21
172.16.144.22
172.16.144.23
172.16.144.24
172.16.144.25
172.16.144.26
172.16.144.27
172.16.144.28
172.16.144.29
172.16.144.30
172.16.144.31
172.16.144.32
172.16.144.33
172.16.144.34
172.16.144.35
172.16.144.36
172.16.144.37
172.16.144.41-43
172.16.144.44-46
172.16.144.47-49
172.16.144.50-52
172.16.144.53-55
172.16.144.56-58
172.16.144.59-61
172.16.144.62-64
172.16.144.65-67
172.16.144.68-70
172.16.144.71-73
172.16.144.74-76
172.16.144.77-79
172.16.144.80-82
172.16.144.83-85
172.16.144.86-88
172.16.144.89-91
172.16.144.92-94
1
6. Click Next.
7. Exclusions will not be defined at this time. Click Next to continue the installation.
8. To accept the default Lease Duration, click Next.
9. To set DHCP Options, click Next.
10.
On the Router (Default Gateway) screen, type 172.16.144.250 for IP address, click
Add, and then click Next.
11.
For Parent Domain on the Domain Name and DNS Server screen, type
Region-x.NwTraders.com. For IP address, type 172.16.144.1, click Add, and then click
Next.
12.
Click Next as WINS Servers will not be utilized in this environment.
13.
Click Next to Activate Scope.
14.
Click Finish twice.
15.
Close the Manage Your Server screen.
Test your DHCP server
With multiple DHCP servers on the network, you will request a new DHCP lease:
1.
At the Command Prompt enter ipconfig /all. Note the IP address, Default Gateway and
DNS server:
Results of ipconfig /all…
2.
Enter ipconfig /release
3.
Enter ipconfig /renew
4.
Did you receive a new IP address? Are your gateway and DNS functioning properly?
2
PART 2: IIS 6 on Windows 2003 Server
You would not normally install your web server (and especially not your FTP server!) on a AD
Domain Controller but here goes…
The following instructions are from
http://www.windowsnetworking.com/articles_tutorials/Windows_2003/
IIS is not installed by default during a standard installation of Windows Server 2003, and if you
installed IIS using Manage Your Server as described in the previous article this installs the WWW
service but not the FTP service. To install Web Service and FTP service you have to use
Add/Remove Programs…Windows Components
Begin by opening Add or Remove Programs in Control Panel and selecting Add/Remove Windows
Components. Then select the checkbox for Application Server:
Click Details and select the checkbox for Internet Information Services (IIS):
3
Click Details and select the checkbox for File Transfer Protocol (FTP) Services.
Click OK twice and then Next to install the FTP service. During installation you''ll need to insert
your Windows Server 2003 product CD or browse to a network distribution point where the
Windows Server 2003 setup files are located. Click Finish when the wizard is done.
From the start menu…run…inetmgr to view your new application server. Do you have a Default
Web Site? A Default FTP site?
Add additional IP addresses to your Server.
These can be added to your network connection using the Advanced option on the TCP/IP
properties page.
4
Student
Justin Benoit
Vlad Chernyavdkyy
Fred Chisholm
Josh Christensen
Clorice Fontaine
Ryan Gamblin
Eric Henderson
Jake Jesso
Adam Lucas
Jason MacDonald
Jayce MacDonald
Pat MacDonald
Bill MacEachern
Aaron Miller
Jamie Scott
Chad Shearer
Jonathan Wolfe
Liam Yuill
IP Addresses
172.16.144.194-196
172.16.144.197-199
172.16.144.200-202
172.16.144.203-205
172.16.144.206-208
172.16.144.209-211
172.16.144.212-214
172.16.144.215-217
172.16.144.218-220
172.16.144.221-223
172.16.144.224-226
172.16.144.227-229
172.16.144.230-232
172.16.144.233-235
172.16.144.236-238
172.16.144.239-241
172.16.144.242-244
172.16.144.245-247
Creating Web Sites and FTP Sites in IIS6
Creating a Web Site
Sometime you need to have separate web sites (not just virtual directories on the same site). A
Windows Server you can have (a register for Domain Names) multiple web sites. The simplest
approach is to use a separate IP address to identify each web site on your machine. Let's say our
server has five IP addresses assigned to it from the range 172.16.144.220 through
172.16.144.224. (Remember, your server has four IPs in total and you will have to
make the adjustment in the lab to use your own server’s IP addresses) Before we
create a new Human Resources web site, let's first examine the Default Web Site. Open IIS
Manager in Administrative Tools, select Web Sites in the console tree, and right-click on Default
Web Site and open it's properties:
5
The IP address for the Default Web Site is All Unassigned. This means any IP address not
specifically assigned to another web site on the machine opens the Default Web Site instead. A
typical use for the Default Web Site is to edit it's default document to display general information
like a company logo and how to contact the Support Desk.
Let's use IP address 172.16.144.221 for the Human Resources site and make D:\HR the folder
where the home page for this site is stored. To create the HR site, right-click on the Web Sites
node and select New --> Web Site. This starts the Web Site Creation Wizard. Click Next and type
a description for the site:
Click Next again and specify 172.16.144.221 as the IP address for the site:
6
Click Next and specify D:\HR as the home folder for the site. We've cleared the checkbox to deny
anonymous access to the site because this is an internal intranet so only authenticated users
should be able to access it (public web sites generally allow anonymous access):
Click Next and leave only Read access enabled since the Human Resources site will initially only
be used to inform employees of company policies:
7
Click Next and then Finish to create the new web site:
Now let's create another intranet site, this time for Help Desk, which will use IP address
172.16.144.222 and home folder D:\Help. We'll create this one using a script instead of the GUI:
And here's the result:
8
The script we used here is Iisweb.vbs, one of several IIS administration scripts available when
you install IIS on Windows Server 2003. The basic syntax of this script is easy to figure out from
the previous screenshot, and a full syntax can be found here. Note that unlike the Web Site
Creation Wizard used previously. You can't use this script create a web site with anonymous
access disabled. So if you want to disable anonymous access you should do it by opening the
properties sheet for the Help Desk site, selecting the Directory Security tab, and clicking the Edit
button under Authentication and Access Control. This opens the Authentication Methods box
where you can clear the checkbox to disable Anonymous Access and leave Windows Integrated
Authentication as the only authentication method available for clients on your network:
Creating a Local Virtual Directory
Let's say Human Resources keeps their policies in a folder called D:\HR Policies on your web
server and you would like users to be able to use the URL http://172.16.11.221/policies when
they need to access these policies. To do this we need to create a virtual directory that
associates the /policies portion of the URL, called the alias for the virtual directory, with the
physical directory D:\HR Policies where these documents are actually located.
Let's do this now. Right-click on the Human Resources site and select New --> Virtual Directory
to start the Virtual Directory Creation Wizard. Click Next and type the alias for the virtual
directory:
9
Click Next and specify the physical folder on the local server to map to this alias:
Click Next and specify permissions (again we'll just leave Read enabled) and finish the wizard.
Here's the result:
10
Let's do something similar using another IIS script named Iisvdir.vbs, only we'll create a
/procedures virtual directory instead:
Open IIS Manager to display the new virtual directory:
Note the difference in the icons for the two virtual directories. That's because when the script
creates a virtual directory it also creates an application starting point for that directory, while the
wizard does not. This doesn't matter though, since for now we're only hosting static content in
these directories.
Creating a Remote Virtual Directory
Help Desk likes to do things differently than Human Resources does, and their user manual is
stored in HTML form in the share \\srv230\helpdesk on a network file server.
Note for Darlene: For the purpose of our lab you can find a share on
\\172.16.144.1\helpdesk
Let's create a remote virtual directory within the Help Desk site that associates the alias
/usermanual with this share. Right-click on the Help Desk site and select New --> Virtual
Directory to start the Virtual Directory Creation Wizard again, specify usermanual as the alias for
the directory, and type \\srv230\helpdesk as the UNC path to the share:
11
Click Next and a new screen appears prompting you to either specify credentials for accessing
the share or use the authenticated user's credentials for this purpose (we'll use the latter):
Click Next and finish the wizard. Let's look at the result:
12
The Iisvdir.vbs script can similarly be used for creating remote virtual directories.
Controlling Access to a Web Site
Now that we have a couple of web sites and virtual directories created, let's look at a few
administration tasks.
First let's look at how we can control access to our web sites. There are basically four ways you
can do this: NTFS Permissions, web permissions, IP address restrictions, and authentication
method. NTFS permissions is your front line of defense but it's a general subject that we can't
cover in detail here. Web permissions are specified on the Home Directory tab of your web site's
properties:
By default only Read permission is enabled, but you can also allow Write access so users can
upload or modify files on your site.
Script source access so users can view the code in your scripts (generally not a good idea), or
Directory browsing so users can view a list of files in your site (also not a good idea). Web
permissions apply equally to all users trying to access your site, and they are applied before
NTFS permissions are applied. So if Read web permission is denied but NTFS Read permission is
allowed, users are denied access to the site.
IP address restrictions can be used to allow or deny access to your site by clients that have a
specific IP address, have an IP address within a range of addresses, or have a specific DNS
domain name. To configure this, select the Directory Security tab and click the Edit button under
IP Address and Domain Name Restrictions. This opens the following dialog, which by default does
not restrict access to your site:
13
The main thing to watch for here is that denying access based on domain name involves reverse
DNS lookups each time clients try to connect to your web site, and this can significantly impact
the performance of your site.
The final way of controlling access to your sites is to use the Authentication Methods dialog box
we looked at previously:
In summary, the five authentication options displayed here are:





Anonymous access. Used mainly for web sites on public (Internet) web servers.
Integrated Windows authentication. Used mainly for web sites on a private intranet.
Digest authentication. Challenge/response authentication scheme that only works
with clients running Internet Explorer 5.0 or later.
Basic authentication. Older authentication scheme that transmits passwords over the
network in clear text, so use this only in conjunction with SSL.
.NET Passport authentication. Allows users to use their .NET Passport for
authentication.
14
Configuring Web Site Logging
Since web sites are prime targets for attackers, you probably want to log hits to your site to see
who's visiting it. By default IIS 6 logs traffic to all content as can be seen on the bottom of the
General tab of the properties for a web site or virtual directory:
The default logging format is the W3C Extended Log File Format, and clicking Properties indicates
new log files are created daily in the indicated directory. It's a good idea to specify that local time
be used for logging traffic as this makes it easier to interpret the logs:
The key of course is to review log files regularly to look for suspicious activity. IIS doesn't include
anything for this purpose, but the IIS 6.0 Resource Kit Tools does include version 2.1 of Microsoft
Log Parser, which can be used for analyzing IIS logs. You can download these tools here.
Configuring Web Site Redirection
15
Sometimes you need to take your web site down for maintenance, and in such cases it's a good
idea to redirect all client traffic directed to your site to an alternate site or page informing users
what's going on. IIS lets you redirect a web site to a different file or folder on the same or
another web site or even to an URL on the Internet. To configure redirection you use the Home
Directory tab and choose the redirection option you want to use:
NOTE from Darlene: For our lab you can redirect to https://172.16.144.1\sitedown
Stopping and Starting Web Sites
Finally, if sites become available you may need to restart IIS to get them working again.
Restarting IIS is a last resort as any users currently connected will be disconnected and any data
stored in memory by IIS applications will be lost. You can restart IIS using IIS Manager by rightclicking on the server node:
You can also do the same from the command-line using the Iisreset command:
16
Type iisreset /? for the full syntax of this command. You can also start and stop individual web
sites using IIS Manager or the Iisweb.vbs script. And you can stop or start individual IIS services
using the net commands, for example net stop w3svc will stop the WWW services only.
17
Creating an FTP Site
As with web sites, the simplest approach to identifying each FTP site on your machine is to
assign each of them a separate IP address, so let's say that our server has three IP addresses
(172.16.144.210, 172.16.144.211 and 172.16.144.212) assigned to it. Our first task will be to
create a new FTP site for the Human Resources department, but before we do that let''s first
examine the Default FTP Site that was created when we installed the FTP service on our
machine. Open IIS Manager in Administrative Tools, select FTP Sites in the console tree, and
right-click on Default FTP Site and select Properties:
Just like the Default Web Site, the IP address for the Default FTP Site is set to All Unassigned.
This means any IP address not specifically assigned to another FTP site on the machine opens
the Default FTP Site instead, so right now opening either ftp://172.16.11.210,
ftp://172.16.144.211 or ftp://172.16.144.212 in Internet Explorer will display the contents of the
Default FTP Site.
Let''s assign the IP address 172.16.144.210 for the Human Resources FTP site and make D:\HR
the folder where its content is located. To create the new FTP site, right-click on the FTP Sites
node and select New --> FTP Site. This starts the FTP Site Creation Wizard. Click Next and type a
description for the site:
18
Click Next and specify 172.16.144.210 as the IP address for the new site:
Click Next and select Do not isolate users, since this will be a site that anyone (including guest
users) will be free to access:
19
Click Next and specify C:\HR as the location of the root directory for the site:
Click Next and leave the access permissions set at Read only as this site will only be used for
downloading forms for present and prospective employees:
20
Click Next and then Finish to complete the wizard. The new Human Resources FTP site can now
be seen in IIS Manager under the FTP Sites node:
To view the contents of this site, go to a Windows XP desktop on the same network and open
the URL ftp://172.16.144.210 using Internet Explorer:
21
Note in the status bar at the bottom of the IE window that you are connected as an anonymous
user. To view all users currently connected to the Human Resources FTP site, right-click on the
site in Internet Service Manager and select Properties, then on the FTP Site tab click the Current
Sessions button to open the FTP User Sessions dialog:
Note that anonymous users using IE are displayed as IEUser@ under Connected Users.
Now let's create another FTP site using a script instead of the GUI. We''ll create a site called Help
and Support with root directory C:\Support and IP address 172.16.144.211:
22
Here's the result of running the script:
Controlling Access to an FTP Site
Just like for web sites, there are four ways you can control access to FTP sites on IIS: NTFS
Permissions, IIS permissions, IP address restrictions, and authentication method. NTFS
permissions are always your first line of defense but we can't cover them in detail here. IIS
permissions are specified on the Home Directory tab of your FTP site's properties sheet:
Note that access permissions for FTP sites are much simpler (Read and Write only) than they are
for web sites, and by default only Read permission is enabled, which allows users to download
files from your FTP site. If you allow Write access, users will be able to upload files to the site as
well. And of course access permissions and NTFS permissions combine the same way they do for
web sites.
Like web sites, IP address restrictions can be used to allow or deny access to your site by clients
that have a specific IP address, an IP address in a range of addresses, or a specific DNS name.
23
These restrictions are configured on the Directory Security tab just as they are for web sites, and
this was covered in the previous article so we won't discuss them further here.
FTP sites also have fewer authentication options than web sites, as can be seen by selecting the
Security Accounts tab:
By default Allow anonymous connections is selected, and this is fine for public FTP sites on the
Internet but for private FTP sites on a corporate intranet you may want to clear this checkbox to
prevent anonymous access to your site. Clearing this box has the result that your FTP site uses
Basic Authentication instead, and users who try to access the site are presented with an
authentication dialog box:
Note that Basic Authentication passes user credentials over the network in clear text so this
means FTP sites are inherently insecure (they don't support Windows integrated authentication).
24
So if you're going to deploy a private FTP site on your internal network make sure you close ports
20 and 21 on your firewall to block incoming FTP traffic from external users on the Internet.
Configuring FTP Site Logging
As with web sites, the default logging format for FTP sites is the W3C Extended Log File Format,
and FTP site logs are stored in folders named
%SystemRoot%\system32\LogFiles\MSFTPSVCnnnnnnnnnn
where nnnnnnnnnn is the ID number of the FTP site. And just as with web sites, you can use the
Microsoft Log Parser, part of the IIS 6.0 Resource Kit Tools, to analyze these FTP site logs.
Stopping and Starting FTP Sites
If an FTP site becomes unavailable you may need to restart it to get it working again, which you
can do using IIS Manager by right-clicking on the FTP site and selecting Stop and then Start.
From the command-line you can type net stop msftpsvc followed by net start msftpsvc or
use iisreset to restart all IIS services. Remember that restarting an FTP site is a last resort as
any users currently connected to the site will be disconnected.
25
Download