Upload
drea
View
46
Download
0
Tags:
Embed Size (px)
DESCRIPTION
MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646). Chapter 9 Deploying IIS and Active Directory Certificate Services. Learning Objectives. Install, configure, and troubleshoot Microsoft Internet Information Services (IIS) - PowerPoint PPT Presentation
Citation preview
MCITP Guide to Microsoft Windows Server 2008 Server
Administration (Exam #70-646)
Chapter 9
Deploying IIS and Active Directory Certificate Services
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
2
Learning Objectives
• Install, configure, and troubleshoot Microsoft Internet Information Services (IIS)
• Install, configure, and troubleshoot Active Directory Certificate Services
Implementing Microsoft Internet Information Services
• Internet Information Services (IIS) – Included with Windows Server 2008– Offer a complete Web site
• Benefits– Fast– Use of software applications to coordinate with an IIS
server– Internet Server Application Programming
Interface (ISAPI)• Group of DLL (dynamic link library) files that are
applications and filtersMCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
3
Implementing Microsoft Internet Information Services (cont’d.)
• Web Server (IIS) role – Contains the World Wide Web services which are vital
for a Web site
• File Transfer Protocol (FTP) service– TCP/IP-based application protocol that handles file
transfers over a network
• Simple Mail Transfer Protocol (SMTP)– Works with e-mail services to accept incoming e-mail
from the Internet and forward it to the recipient
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
4
Implementing Microsoft Internet Information Services (cont’d.)
• Reasons Windows Server 2008 is a good candidate for a Web server– Privileged-mode architecture– Fault-tolerance capabilities– Compatible with small and large databases– Users can log into a database through the IIS Open
Database Connectivity (ODBC) drivers– Compatible with:
• Microsoft Point-to-Point Encryption (MPPE) security
• IP Security (IPsec)
• Secure Sockets Layer (SSL) encryption techniqueMCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
5
Implementing Microsoft Internet Information Services (cont’d.)
• IIS newly designed for Windows Server 2008 – Broken into modules or features (role services)– Install only the features you need
• Smaller attack surface
• More efficient
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
6
Implementing Microsoft Internet Information Services (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
7
Table 9-1 Internet Information Services features (role services)
Installing a Web Server
• Requirements– Windows Server 2008 installed on the computer to
host IIS– TCP/IP installed on the IIS host– Access to an Internet Service Provider (ISP)– Sufficient disk space for IIS and for Web site files – Method for resolving IP addresses to computer or
domain names• DNS and WINS
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
8
Installing a Web Server (cont’d.)
• Activity 9-1: Installing IIS– Objective: Learn how to install IIS
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
9
Internet Information Services (IIS) Manager
• Capabilities– Connect to a Web server– Manage a Web server– Manage ASP.NET– Manage authorization for users and for specific Web
server roles– Manage Web server logging– Compress Web server files– Manage code modules and worker processes– Manage server certificates– Troubleshoot a Web server
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
10
Internet Information Services (IIS) Manager (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
11
Figure 9-1 Using IIS ManagerCourtesy Course Technology/Cengage Learning
Creating a Virtual Directory
• Virtual directory – Physical folder or a redirection to a Uniform
Resource Locator (URL) that points to a folder– Can be accessed over the Internet, an intranet, or
VPN
• Reason for creating a virtual directory – Provide a shortcut path to specific IIS server content
• Steps to set up a virtual directory
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
12
Creating a Virtual Directory (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
13
Table 9-2 Virtual directory security options
Creating a Virtual Directory (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
14
Figure 9-2 Properties of a virtual directoryCourtesy Course Technology/Cengage Learning
Creating a Virtual Directory (cont’d.)
• Set up the virtual directory to be shared – So that users who need access to add contents to the
directory can do this over the network
• Activity 9-2: Create a Virtual Directory– Objective: Set up a virtual directory
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
15
Creating a Virtual Directory (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
16
Table 9-3 Virtual directory share permissions
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
17
Figure 9-3 Creating a virtual directoryCourtesy Course Technology/Cengage Learning
Managing and Configuring an IIS Web Server
• Manage IIS components including:– Application pools
• Group similar Web applications for management
– Sites• Manage multiple Web sites from one administrative
Web server
– SMTP E-mail• Manage Internet e-mail
– Certificates• Configure and monitor certificate security used with
other Web sites
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
18
Managing and Configuring an IIS Web Server (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
19
Figure 9-5 Application Pools in IIS MangerCourtesy Course Technology/Cengage Learning
Managing and Configuring an IIS Web Server (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
20
Table 9-4 Web site features to configure
Managing and Configuring an IIS Web Server (cont’d.)
• Activity 9-3: Configuring a Web Site– Objective: Learn basic Web site configuration
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
21
Figure 9-6 Enabling directory browsingCourtesy Course Technology/Cengage Learning
Troubleshooting a Web Server
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
22
Table 9-5 Troubleshooting IIS
Using Active Directory Certificate Services
• Public key infrastructure (PKI) – Linking a public key or a combination of public and
private keys to a user or network entity – Uses a certificate authority to issue public key-based
digital certificates to trustworthy network entities
• Certificate authority (CA) – Network entity or host that issues digital certificates of
trust verifying certificate holders’ legitimacy
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
23
Using Active Directory Certificate Services (cont’d.)
• Public key – Encryption method that uses a public key and private
key combination
• Asymmetric encryption– One key used to encrypt the data, and the other key
used to decrypt it
• Public key/private key method – Uses an encryption algorithm developed by Whitfield
Diffie and Martin Hellman
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
24
Using Active Directory Certificate Services (cont’d.)
• X.509 standards for digital certificates – Developed by International Organization for
Standardization (ISO)– Function as proof of identity for a specific network
entity
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
25
Using Active Directory Certificate Services (cont’d.)
• X.509 certificate contains:– Certificate format version– Certificate serial number– Signature algorithm identifier– Certificate authority (certificate issuer)– Length of time the certificate is valid– ID of the certificate holder– Public key data
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
26
Using Active Directory Certificate Services (cont’d.)
• Active Directory Certificate Services role – Available in Windows Server 2008 Standard,
Enterprise, and Datacenter Editions
• Online Responder Service– Determines the status of digital certifications– Uses the Online Certificate Status Protocol
(OCSP) to obtain and decode status information
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
27
Planning Active Directory Certificate Services
• Understand the four kinds of CAs that can be set up in a Microsoft server environment– Enterprise root CA– Enterprise subordinate– Standalone root– Standalone subordinate
• Root CA is always configured before any other CAs
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
28
Planning Active Directory Certificate Services (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
29
Figure 9-7 CA hierarchyCourtesy Course Technology/Cengage Learning
Planning Active Directory Certificate Services (cont’d.)
• Implement enterprise root CA and enterprise subordinates– Not standalone model
• Take into account the ways in which an organization can make most use of AD CS
• PKI with multiple subordinate CAs has built-in redundancy
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
30
Planning Active Directory Certificate Services (cont’d.)
• Role services for Active Directory Certificate Services:– Certificate Authority– Certification Authority Web Enrollment– Online Responder– Network Device Enrollment service
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
31
Certificate Services Roles
• Recommended to divide responsibilities for handling money and important security tasks in an organization
• AD CS enables dividing CA responsibilities into two roles: – CA administrator
• Person or persons who manage the CA server
– Certificate manager• Given to those who determine which users to enroll for
certificates and when to revoke certificates
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
32
Installing Active Directory Certificate Services
• Active Directory Certificate Services installed in the same way as other server roles – Using Server Manager
• Activity 9-4: Installing Active Directory Certificate Services– Objective: Learn how to install Active Directory
Certificate Services
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
33
Installing Active Directory Certificate Services (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
34
Figure 9-8 Configuring an enterprise CACourtesy Course Technology/Cengage Learning
Managing Active Directory Certificate Services
• Certification Authority tool tasks– Set up CA security– Assign certificate managers– Start or stop the CA– Back up the CA– Restore the CA– Renew a CA certificate– View revoked, issued, failed, and pending certificates
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
35
Managing Active Directory Certificate Services (cont’d.)
• Activity 9-5: Using the Certification Authority Tool– Objective: Learn how to use the Certification Authority
tool
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
36
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
37
Figure 9-11 Security tabCourtesy Course Technology/Cengage Learning
Using Autoenrollment
• Clients automatically enrolled for appropriate certificates as specified by certificate template
• Set up in a two-step process– Configure autoenrollment in a certificate template– Configure a group policy to enable autoenrollment
• Three levels of certificate templates – Level 1 does not support autoenrollment
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
38
Using Autoenrollment (cont’d.)
• Activity 9-6: Configuring a Certificate Template for Autoenrollment– Objective: Set up an existing certificate template for
autoenrollment
• Activity 9-7: Configuring a Group Policy for Autoenrollment– Objective: Set up the autoenrollment group policy
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
39
Using Autoenrollment (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
40
Figure 9-15 Configuring the autoenrollment policyCourtesy Course Technology/Cengage Learning
Using Credential Roaming
• When user logs into the network– Digital certificate information stored on the user’s
computer is automatically synchronized with the digital certification information for that user stored in Active Directory
• Configured as a group policy
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
41
Using Credential Roaming (cont’d.)
• Circumstances that launch synchronization through credential roaming– When the client or Active Directory synchronize group
policy settings– When digital certificate information is updated– When a user unlocks an account that has been
automatically locked
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
42
Using Credential Roaming (cont’d.)
• Activity 9-8: Configuring a Group Policy for Credential Roaming– Objective: Set up a
group policy for credential roaming
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
43
Figure 9-16 Enabling credential roamingCourtesy Course Technology/Cengage Learning
Network Device Enrollment Service
• Enables routers, switches, and other network devices to be enrolled for digital certificates through a CA
• Uses the Simple Certificate Enrollment Protocol (SCEP) and standardized X.509 digital certificates
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
44
Web Enrollment Service
• For organizations that enable users to access network resources through the Web– Rather than through user accounts
• Requires IIS be installed before installing Web Enrollment
• Clients must use Internet Explorer version 6 or higher
• Can be used only with Level 1 or 2 certificate templates
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
45
Online Responder Service
• Service relies on OCSP (Online Certificate Status Protocol) – Determine if a certificate is revoked
• One of two ways network applications determine which network entities have revoked certificates– Other way is to use certificate revocation lists (CRLs)
• Benefits– Faster determination and better security– Can be used in conjunction with CRLs
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
46
Online Responder Service (cont’d.)
• Benefits (cont’d.)– Can be used with Kerberos password security– Compatible with Web enrollment– Uses CryptoAPI 2.0 infrastructure to provide high
level of security
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
47
Certificate Revocation Lists
• List of certificates that have been revoked
• CRL issuer is a CA– CRL issued to client applications and devices which
cache the CRL for future reference until the next CRL is issued
• Default method for determining certificates that have been revoked
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
48
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
49
Figure 9-17 Extensions tabCourtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
50
Figure 9-18 Configuring the CRL publication interval and delta CRLsCourtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
51
Summary
• Implement Internet Information Services (IIS)– Create a Windows Server 2008 Web server– After installing a Web server, configure it to customize
features
• Public key infrastructure (PKI) – Use public and private keys through digital certificates – Ensure users can be trusted
• Active Directory Certificate Services (AD CS) – Implements a PKI using enterprise root and enterprise
subordinate certificate authorities
Summary (cont’d.)
• Certification Authority tool – Manage a CA
• Configure Network Device Enrollment Service for added security
• Credential roaming – Enables a user to log on from any computer and still
operate with the same digital certificates• Online Responder Service and CRLs– Provide information about revoked digital certificates
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
52