MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646) Chapter 9 Deploying IIS and Active Directory Certificate Services


Page 1

MCITP Guide to Microsoft Windows Server 2008 Server Administration (Exam #70-646)

Chapter 9

Deploying IIS and Active Directory Certificate Services

Page 2

MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)

Learning Objectives

• Install, configure, and troubleshoot Microsoft Internet Information Services (IIS)
• Install, configure, and troubleshoot Active Directory Certificate Services

Page 3

Implementing Microsoft Internet Information Services

• Internet Information Services (IIS)
  – Included with Windows Server 2008
  – Offers a complete Web site platform
• Benefits
  – Fast
  – Software applications can be written to coordinate with an IIS server
  – Internet Server Application Programming Interface (ISAPI)
    • A set of DLL (dynamic link library) files that run inside the Web server's worker process as ISAPI applications (extensions) and filters

Page 4

Implementing Microsoft Internet Information Services (cont'd.)

• Web Server (IIS) role
  – Contains the World Wide Web services that are vital for a Web site
• File Transfer Protocol (FTP) service
  – TCP/IP-based application protocol that handles file transfers over a network
  – Plain FTP sends credentials and data in cleartext; use FTP over SSL (supported by the FTP 7.x service for IIS 7) or keep it off Internet-facing hosts
• Simple Mail Transfer Protocol (SMTP)
  – Works with e-mail services to accept incoming e-mail from the Internet and forward it to the recipient

Page 5

Implementing Microsoft Internet Information Services (cont'd.)

• Reasons Windows Server 2008 is a good candidate for a Web server
  – Privileged-mode architecture
  – Fault-tolerance capabilities
  – Compatible with small and large databases
  – Users can log into a database through the IIS Open Database Connectivity (ODBC) drivers
  – Compatible with:
    • Microsoft Point-to-Point Encryption (MPPE) security, which protects PPTP VPN links
    • IP Security (IPsec), which protects IP traffic between hosts
    • Secure Sockets Layer (SSL/TLS) encryption, which protects the HTTP session itself and is the one of the three that a Web site configures directly

Page 6

Implementing Microsoft Internet Information Services (cont'd.)

• IIS newly designed for Windows Server 2008
  – Broken into modules or features (role services)
  – Install only the features you need
    • Smaller attack surface: code that is not installed cannot be reached by a request
    • More efficient

Page 7

Implementing Microsoft Internet Information Services (cont'd.)

Table 9-1 Internet Information Services features (role services)

Page 8

Installing a Web Server

• Requirements
  – Windows Server 2008 installed on the computer that will host IIS
  – TCP/IP installed on the IIS host
  – Access to an Internet Service Provider (ISP), if the site must be reachable from the Internet
  – Sufficient disk space for IIS and for Web site files
  – A method for resolving computer or domain names to IP addresses
    • DNS and WINS

Page 9

Installing a Web Server (cont'd.)

• Activity 9-1: Installing IIS
  – Objective: Learn how to install IIS
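Activity 9-1 is done in Server Manager. As an added example that is not part of the textbook or its activities, the same install from PowerShell, limited to the role services a static site needs, followed by a check of what was actually installed and what is listening. It assumes Windows Server 2008 R2, whose ServerManager module provides Add-WindowsFeature; on Windows Server 2008 RTM the same feature names are passed to ServerManagerCmd.exe -install instead.

```powershell
# Added example: minimal IIS install on Windows Server 2008 R2 (assumption: R2, so the
# ServerManager module exists; on 2008 RTM use ServerManagerCmd.exe -install <name>).
Import-Module ServerManager

# Only what a static site needs. Left out on purpose because each one widens the attack
# surface: Web-Dir-Browsing, Web-Ftp-Server, Web-DAV-Publishing, Web-ASP, Web-CGI and
# Web-Mgmt-Service (remote management listener on TCP 8172).
$wanted = @(
    'Web-Server',          # Web Server (IIS) role itself
    'Web-Static-Content',
    'Web-Default-Doc',
    'Web-Http-Errors',
    'Web-Http-Logging',    # W3C logs: needed for detection and forensics
    'Web-Filtering',       # Request Filtering
    'Web-Mgmt-Console'     # IIS Manager, local GUI only
)

$result = Add-WindowsFeature -Name $wanted
if (-not $result.Success) {
    throw "Role installation failed, exit code $($result.ExitCode)"
}
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required.' }

# Verify. Installing the Web-Server parent also pulls in its default role services
# (directory browsing among them), so list what is really there and remove the surplus.
$installed = Get-WindowsFeature -Name 'Web-*' | Where-Object { $_.Installed }
$extra = $installed | Where-Object { $wanted -notcontains $_.Name }
$installed | Select-Object Name, DisplayName | Format-Table -AutoSize
if ($extra) {
    $names = $extra | ForEach-Object { $_.Name }
    Write-Warning ('Removing role services outside the wanted set: ' + ($names -join ', '))
    Remove-WindowsFeature -Name $names | Out-Null
}

# Confirm the service is up and that only the expected HTTP port is listening.
Get-Service W3SVC | Select-Object Name, Status
netstat -ano -p TCP | Select-String 'LISTENING' | Select-String ':80 |:443 |:8172 '
```

Run it in an elevated PowerShell session on the server. The last line is the check that matters for a hardening review: port 80 should be the only IIS listener until a certificate is bound for 443, and 8172 should not appear at all on a server that is not meant to be managed remotely.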

Page 10

Internet Information Services (IIS) Manager

• Capabilities
  – Connect to a Web server
  – Manage a Web server
  – Manage ASP.NET
  – Manage authorization for users and for specific Web server roles
  – Manage Web server logging
  – Compress Web server files
  – Manage code modules and worker processes
  – Manage server certificates
  – Troubleshoot a Web server

Page 11

Internet Information Services (IIS) Manager (cont'd.)

Figure 9-1 Using IIS Manager (Courtesy Course Technology/Cengage Learning)

Page 12

Creating a Virtual Directory

• Virtual directory
  – Maps a path under the Web site's URL to a physical folder (or, with HTTP Redirect, to another URL) that need not live under the site's home directory
  – Can be accessed over the Internet, an intranet, or a VPN
• Reason for creating a virtual directory
  – Provide a short, stable URL path to specific IIS server content
• Steps to set up a virtual directory

Page 13

Creating a Virtual Directory (cont'd.)

Table 9-2 Virtual directory security options

Page 14

Creating a Virtual Directory (cont'd.)

Figure 9-2 Properties of a virtual directory (Courtesy Course Technology/Cengage Learning)

Page 15

Creating a Virtual Directory (cont'd.)

• Set up the virtual directory's folder as a shared folder
  – So that users who need to add content to the directory can do so over the network
  – Share it only to the group that authors content, and keep the Web server's own identities (IUSR, IIS_IUSRS) to read-only NTFS access, so a flaw in the site cannot write into the content tree
• Activity 9-2: Create a Virtual Directory
  – Objective: Set up a virtual directory
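The activity uses IIS Manager and the folder's Sharing and Security tabs. As an added example that is not part of the textbook, the same virtual directory built from the command line with appcmd.exe (the IIS 7 command-line tool), icacls and net share, so the permissions are explicit and repeatable. The site name "Default Web Site", the path /docs, the folder C:\inetpub\docs and the group EXAMPLE\WebAuthors are hypothetical.

```powershell
# Added example: virtual directory plus least-privilege NTFS and share permissions.
# Hypothetical names: site "Default Web Site", URL path /docs, folder C:\inetpub\docs,
# content authors in the domain group EXAMPLE\WebAuthors. Run elevated on the IIS host.
$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$site     = 'Default Web Site'
$physical = 'C:\inetpub\docs'
$authors  = 'EXAMPLE\WebAuthors'

New-Item -ItemType Directory -Path $physical -Force | Out-Null

# 1. Create the virtual directory under the site's root application.
& $appcmd add vdir /app.name:"$site/" /path:/docs /physicalPath:$physical

# 2. NTFS: drop inherited ACEs, then grant exactly what is needed. IUSR (anonymous
#    requests) and IIS_IUSRS (worker process identities) get read and execute only;
#    authors get Modify; Administrators keep Full Control. No Write for the Web
#    identities means a bug in the site cannot drop files into the content tree.
icacls $physical /inheritance:r
icacls $physical /grant 'IUSR:(OI)(CI)RX' 'IIS_IUSRS:(OI)(CI)RX' `
    "${authors}:(OI)(CI)M" 'BUILTIN\Administrators:(OI)(CI)F'

# 3. Share it to the authors only, as a hidden share. Share permission is Change; the
#    effective permission is the more restrictive of share and NTFS, so NTFS still governs.
$shareSpec = 'docs$=' + $physical
net share $shareSpec "/grant:$authors,CHANGE"

# 4. Among the security options for a virtual directory, the one that matters most for a
#    content folder: no directory listing over HTTP.
& $appcmd set config "$site/docs" /section:directoryBrowse /enabled:false

# 5. Read back what IIS and NTFS now say.
& $appcmd list vdir "$site/docs"
icacls $physical
```

The order matters: /inheritance:r before the grants, otherwise inherited Users:Read-style entries from C:\inetpub survive and widen access beyond what the grants express.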

Page 16

Creating a Virtual Directory (cont'd.)

Table 9-3 Virtual directory share permissions

Page 17

Figure 9-3 Creating a virtual directory (Courtesy Course Technology/Cengage Learning)

Page 18

Managing and Configuring an IIS Web Server

• Manage IIS components, including:
  – Application pools
    • Group similar Web applications for management; each pool runs in its own worker process under its own identity, so a compromise of one application is contained to its pool
  – Sites
    • Manage multiple Web sites from one administrative Web server
  – SMTP E-mail
    • Manage Internet e-mail
  – Certificates
    • Request, import, and bind the server certificates used for SSL on the server's Web sites

Page 19

Managing and Configuring an IIS Web Server (cont'd.)

Figure 9-5 Application Pools in IIS Manager (Courtesy Course Technology/Cengage Learning)

Page 20

Managing and Configuring an IIS Web Server (cont'd.)

Table 9-4 Web site features to configure

Page 21

Managing and Configuring an IIS Web Server (cont'd.)

• Activity 9-3: Configuring a Web Site
  – Objective: Learn basic Web site configuration

Figure 9-6 Enabling directory browsing (Courtesy Course Technology/Cengage Learning)

Page 22

Troubleshooting a Web Server

Table 9-5 Troubleshooting IIS
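Activity 9-3 and Table 9-5 work through IIS Manager. As an added example that is not part of the textbook, the basic site settings (directory browsing, default document, logging, request limits, application pool identity) set with appcmd.exe, followed by the first checks a troubleshooter runs. It assumes IIS 7.x with the site "Default Web Site" and a log folder D:\IISLogs, both hypothetical.

```powershell
# Added example: basic site hardening and first-line troubleshooting with appcmd.
# Assumes IIS 7.x, the site "Default Web Site" and a log folder D:\IISLogs (hypothetical).
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'

# --- Configure (the command-line counterpart of Activity 9-3) ---
# Directory browsing off. Figure 9-6 shows how to turn it on, which suits a download
# folder but otherwise lists every file name in the content tree to anyone who asks.
& $appcmd set config $site /section:directoryBrowse /enabled:false
& $appcmd set config $site /section:defaultDocument /enabled:true

# Logging: W3C format, daily rollover, on a dedicated volume so logs cannot fill the
# system disk.
& $appcmd set site $site /logFile.logFormat:W3C /logFile.period:Daily `
    /logFile.directory:D:\IISLogs

# Request Filtering: cap request bodies at 10 MB and URLs at 2048 characters.
& $appcmd set config $site /section:requestFiltering `
    /requestLimits.maxAllowedContentLength:10485760 /requestLimits.maxUrl:2048

# Application pool: least-privileged built-in identity. ApplicationPoolIdentity is the
# default on IIS 7.5 (2008 R2) and needs SP2 on IIS 7.0; NetworkService is the fallback.
& $appcmd set apppool DefaultAppPool /processModel.identityType:ApplicationPoolIdentity

# --- Troubleshoot ---
& $appcmd list site $site               # state should be "Started"; a stopped site is a binding or start failure
& $appcmd list apppool DefaultAppPool   # pool state; "Stopped" after repeated crashes (rapid-fail protection)
& $appcmd list wp                       # worker processes and the pools they serve
& $appcmd list config $site /section:directoryBrowse

# Most recent WAS / IIS errors from the System log: pool crashes, port conflicts,
# identity or password problems.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents 200 |
    Where-Object { $_.ProviderName -like 'Microsoft-Windows-WAS*' -or
                   $_.ProviderName -like 'Microsoft-Windows-IIS*' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

The settings written by appcmd land in %windir%\system32\inetsrv\config\applicationHost.config, which is also the file to diff when a server "used to work": appcmd list config with no section argument dumps the effective configuration for a site.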

Page 23

Using Active Directory Certificate Services

• Public key infrastructure (PKI)
  – The certificates, certificate authorities, policies, and services that link a public key (and, at the holder, its matching private key) to a user or network entity
  – Uses a certificate authority to issue public key-based digital certificates to entities whose identity it has verified
• Certificate authority (CA)
  – Network entity or host that issues digital certificates vouching for the certificate holder's identity; anyone who trusts the CA's own certificate can then verify the certificates it has issued

Page 24

Using Active Directory Certificate Services (cont'd.)

• Public key cryptography
  – Uses a mathematically linked public key and private key pair; the public key can be shared freely, the private key must never leave its holder
• Asymmetric encryption
  – One key of the pair encrypts (or signs) the data, and the other key decrypts (or verifies) it
• Public key/private key method
  – Introduced by Whitfield Diffie and Martin Hellman in 1976; the Diffie-Hellman algorithm itself is a key-agreement protocol, while the algorithm behind the keys and signatures in most X.509 certificates is RSA

Page 25

Using Active Directory Certificate Services (cont'd.)

• X.509 standard for digital certificates
  – Published by the ITU-T (also as ISO/IEC 9594-8); the Internet profile used by Web browsers and Windows is RFC 5280
  – A certificate functions as proof of identity for a specific network entity by binding that entity's name to its public key under the CA's signature

Page 26

Using Active Directory Certificate Services (cont'd.)

• X.509 certificate contains:
  – Certificate format version
  – Certificate serial number (unique per issuer; this is what a CRL or OCSP response refers to)
  – Signature algorithm identifier
  – Certificate authority (certificate issuer)
  – Length of time the certificate is valid
  – ID of the certificate holder
  – Public key data
  – Extensions (version 3), such as key usage, subject alternative name, and the CRL distribution point and authority information access URLs seen on the Extensions tab (Figure 9-17)
  – The CA's digital signature over all of the above, which is what makes the binding trustworthy
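As an added example that is not part of the textbook, the fields listed above read off real certificates with the X509Certificate2 class that Windows PowerShell exposes through its Cert: drive. It assumes a Windows host with certificates in the local machine Personal store; the 30-day expiry threshold and the list of weak signature algorithms are the example's own choices.

```powershell
# Added example: map the X.509 fields onto X509Certificate2 properties and flag problems.
# Assumes certificates exist under Cert:\LocalMachine\My; WarnDays is an arbitrary choice.
function Get-X509Summary {
    param([string]$StorePath = 'Cert:\LocalMachine\My', [int]$WarnDays = 30)

    Get-ChildItem $StorePath | ForEach-Object {
        $c = $_
        $keyBits = 'n/a'
        try { $keyBits = $c.PublicKey.Key.KeySize } catch { }   # CNG-only keys cannot be read via .Key
        New-Object PSObject -Property @{
            Version      = $c.Version                          # certificate format version (3 = X.509 v3)
            SerialNumber = $c.SerialNumber                     # what a CRL entry or OCSP query names
            SigAlgorithm = $c.SignatureAlgorithm.FriendlyName  # e.g. sha1RSA, sha256RSA
            Issuer       = $c.Issuer                           # the CA that signed it
            NotBefore    = $c.NotBefore                        # validity period start
            NotAfter     = $c.NotAfter                         # validity period end
            Subject      = $c.Subject                          # ID of the certificate holder
            PublicKey    = "$($c.PublicKey.Oid.FriendlyName) $keyBits bits"
            Extensions   = ($c.Extensions | ForEach-Object { $_.Oid.FriendlyName }) -join ', '
            DaysLeft     = [int]($c.NotAfter - (Get-Date)).TotalDays
            ChainValid   = $c.Verify()                         # builds the chain to a trusted root and checks revocation
        }
    } | ForEach-Object {
        if ($_.DaysLeft -lt $WarnDays) {
            Write-Warning "$($_.Subject) expires in $($_.DaysLeft) days"
        }
        if ($_.SigAlgorithm -match '^(md5|sha1)') {
            Write-Warning "$($_.Subject) is signed with $($_.SigAlgorithm), a weak hash"
        }
        if (-not $_.ChainValid) {
            Write-Warning "$($_.Subject) does not chain to a trusted root or is revoked"
        }
        $_
    }
}

Get-X509Summary | Format-List Subject, Issuer, SerialNumber, SigAlgorithm, PublicKey,
    NotBefore, NotAfter, DaysLeft, Extensions, ChainValid
```

Verify() performs the same chain build that a relying party does, so a False there is worth chasing: it usually means a missing intermediate, an expired certificate somewhere in the chain, or a CRL or OCSP responder that could not be reached from this host.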

Page 27

Using Active Directory Certificate Services (cont'd.)

• Active Directory Certificate Services role
  – Available in Windows Server 2008 Standard, Enterprise, and Datacenter editions
  – The Online Responder, the Network Device Enrollment Service, version 2 and 3 (customizable) certificate templates, and role separation require Enterprise or Datacenter edition
• Online Responder service
  – Determines the status of digital certificates
  – Uses the Online Certificate Status Protocol (OCSP) to answer clients' status queries, signing each response with an OCSP Response Signing certificate issued to it by the CA

Page 28

Planning Active Directory Certificate Services

• Understand the four kinds of CAs that can be set up in a Microsoft server environment
  – Enterprise root CA
  – Enterprise subordinate CA
  – Standalone root CA
  – Standalone subordinate CA
  – Enterprise CAs are integrated with Active Directory (certificate templates, autoenrollment, publishing to AD); standalone CAs are not, and are typically used for offline roots or for clients outside the domain
• The root CA is always configured before any other CA, because every subordinate's certificate is signed by its parent

Page 29

Planning Active Directory Certificate Services (cont'd.)

Figure 9-7 CA hierarchy (Courtesy Course Technology/Cengage Learning)

Page 30

Planning Active Directory Certificate Services (cont'd.)

• Implement an enterprise root CA with enterprise subordinate CAs rather than a standalone-only model
  – In production the usual design is an offline standalone root that signs only the enterprise subordinate (issuing) CAs, so the root's private key never lives on an online, domain-joined host; a single enterprise root is acceptable for a lab or a small organization
• Take into account the ways in which the organization will make the most use of AD CS
• A PKI with multiple subordinate CAs has built-in redundancy: one issuing CA can be down for maintenance while another keeps issuing

Page 31

Planning Active Directory Certificate Services (cont'd.)

• Role services for Active Directory Certificate Services:
  – Certification Authority
  – Certification Authority Web Enrollment
  – Online Responder
  – Network Device Enrollment Service

Page 32

Certificate Services Roles

• Separation of duties: just as an organization divides the handling of money between people, it should divide critical security tasks so that no single person can both run the CA and decide who receives certificates
• AD CS enables dividing CA responsibilities into two roles:
  – CA administrator
    • Person or persons who manage the CA server: its configuration, backup, and the assignment of the other role
  – Certificate manager
    • Given to those who determine which users to enroll for certificates (approving or denying pending requests) and when to revoke certificates

Page 33

Installing Active Directory Certificate Services

• Active Directory Certificate Services is installed in the same way as other server roles
  – Using Server Manager
• Activity 9-4: Installing Active Directory Certificate Services
  – Objective: Learn how to install Active Directory Certificate Services

Page 34

Installing Active Directory Certificate Services (cont'd.)

Figure 9-8 Configuring an enterprise CA (Courtesy Course Technology/Cengage Learning)

Page 35

Managing Active Directory Certificate Services

• Certification Authority tool tasks
  – Set up CA security
  – Assign certificate managers
  – Start or stop the CA
  – Back up the CA
  – Restore the CA
  – Renew a CA certificate
  – View revoked, issued, failed, and pending certificates
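As an added example that is not part of the textbook, the role separation from the "Certificate Services Roles" slide and the management tasks above driven with certutil.exe, which ships with the Certification Authority role service. The roles themselves are granted on the CA's Security tab (Figure 9-11); certutil shows and enforces them, backs the CA up, and runs the same views as the console. It assumes a local Administrator session on a Windows Server 2008 CA; the backup folder D:\CABackup is hypothetical.

```powershell
# Added example: role separation, backup and certificate views with certutil.exe.
# Run on the CA as a local Administrator; D:\CABackup is a hypothetical path.

# 1. Role separation. On the Security tab, "Manage CA" is the CA administrator role and
#    "Issue and Manage Certificates" is the certificate manager role. Enforcement, so that
#    one account may hold only one of them, is a registry switch honoured on Enterprise
#    and Datacenter editions of Windows Server 2008.
certutil -getreg CA\RoleSeparationEnabled      # missing or 0 = not enforced
certutil -setreg CA\RoleSeparationEnabled 1
Restart-Service CertSvc
# Caveat: once enforced, an account holding both roles (often Domain Admins) is locked
# out of both until the switch is cleared: certutil -delreg CA\RoleSeparationEnabled

# 2. Is the CA answering, and what is it called?
certutil -ping
certutil -cainfo name

# 3. Back up database, log and the CA certificate with its private key (PFX) to a dated
#    folder. certutil prompts for the PFX password; do not put it on the command line.
$backupDir = Join-Path 'D:\CABackup' (Get-Date -Format 'yyyyMMdd')
certutil -backup $backupDir
# Restore later with: certutil -restore <folder>   (CertSvc must be stopped first)

# 4. The console's Revoked / Pending / Issued views, by request disposition:
#    9 = pending, 20 = issued, 21 = revoked.
certutil -view -restrict 'Disposition=21' -out 'RequestID,SerialNumber,Request.RevokedWhen,Request.RevokedReason'
certutil -view -restrict 'Disposition=9'  -out 'RequestID,Request.RequesterName,Request.SubmittedWhen'
# Issued in the last 7 days; the date uses the local short format, so keep it one argument.
$since = (Get-Date).AddDays(-7).ToShortDateString()
certutil -view -restrict "Disposition=20,NotBefore>=$since" -out 'RequestID,Request.RequesterName,SerialNumber,CertificateTemplate'
```

The PFX produced by -backup is the CA's signing key: store it offline with the same care as the CA itself, because anyone who holds it can issue certificates the whole forest trusts.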

Page 36

Managing Active Directory Certificate Services (cont'd.)

• Activity 9-5: Using the Certification Authority Tool
  – Objective: Learn how to use the Certification Authority tool

Page 37

Figure 9-11 Security tab (Courtesy Course Technology/Cengage Learning)

Page 38

Using Autoenrollment

• Clients are automatically enrolled for the appropriate certificates as specified by a certificate template
• Set up in a two-step process
  – Configure autoenrollment in a certificate template (grant the target group the Autoenroll permission and publish the template on the CA)
  – Configure a group policy to enable autoenrollment on the clients
• Three versions of certificate templates
  – Version 1 templates cannot be modified and do not support autoenrollment; duplicate one to obtain a version 2 (or version 3) template, which in Windows Server 2008 only an Enterprise or Datacenter edition CA can issue

Page 39

Using Autoenrollment (cont'd.)

• Activity 9-6: Configuring a Certificate Template for Autoenrollment
  – Objective: Set up an existing certificate template for autoenrollment
• Activity 9-7: Configuring a Group Policy for Autoenrollment
  – Objective: Set up the autoenrollment group policy
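Activities 9-6 and 9-7 are done in the Certificate Templates console and the Group Policy editor. As an added example that is not part of the textbook, the command-line side of both steps and, more usefully, how to prove on a client that the policy applied and the enrollment happened. "EXAMPLEUser" is a hypothetical version 2 template duplicated from the built-in User template; the first part runs on the CA as a CA administrator, the rest on a domain-joined client.

```powershell
# Added example: publish a template, enable the policy, force and verify autoenrollment.
# "EXAMPLEUser" is a hypothetical v2 template (a duplicate of "User" made in Activity 9-6).

# --- On the CA ---
# A version 1 template cannot autoenroll; check the schema version and the flag first.
certutil -v -template EXAMPLEUser | Select-String 'Schema-Version|AUTO_ENROLLMENT'
certutil -SetCATemplates +EXAMPLEUser     # make this CA issue it (Certificate Templates folder)
certutil -CATemplates                     # list every template this CA offers

# --- Group Policy (Activity 9-7) ---
# "Certificate Services Client - Auto-Enrollment: Enabled" with both options ticked writes
# AEPolicy = 7 under this key; 0x8000 means explicitly disabled. Reading it back on the
# client separates "policy never arrived" from "template is wrong".
$aePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
gpupdate /target:computer /force | Out-Null
$ae = (Get-ItemProperty -Path $aePath -ErrorAction SilentlyContinue).AEPolicy
if ($ae -eq $null)        { Write-Warning 'Autoenrollment policy has not applied to this machine' }
elseif ($ae -band 0x8000) { Write-Warning 'Autoenrollment is disabled by policy' }
else                      { "AEPolicy = $ae (enabled)" }

# --- On the client ---
certutil -pulse                           # trigger autoenrollment now instead of waiting for the timer
Start-Sleep -Seconds 15
certutil -store My | Select-String 'Template|Subject|NotAfter'   # machine store; -user -store My for user certs

# If nothing appeared, the AutoEnrollment provider says why in the Application log
# (event 19 = certificate installed, 13 = enrollment failed with the error code).
Get-WinEvent -LogName Application -MaxEvents 500 |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

For user certificates the same checks apply with the user hive (HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment), gpupdate /target:user and certutil -user -pulse. The most common failure in event 13 is an access-denied error, which means the group does not have both Enroll and Autoenroll on the template.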

Page 40

Using Autoenrollment (cont'd.)

Figure 9-15 Configuring the autoenrollment policy (Courtesy Course Technology/Cengage Learning)

Page 41

Using Credential Roaming

• When a user logs into the network
  – Digital certificate information (certificates and their private keys) stored on the user's computer is automatically synchronized with the copy stored, encrypted, in that user's Active Directory user object
  – The user can therefore work with the same certificates on any domain computer
• Configured as a group policy

Page 42

Using Credential Roaming (cont'd.)

• Circumstances that launch synchronization through credential roaming
  – When the client or Active Directory synchronizes group policy settings
  – When digital certificate information is updated (a certificate or key is added, renewed, or removed)
  – When a user unlocks a locked desktop

Page 43

Using Credential Roaming (cont'd.)

• Activity 9-8: Configuring a Group Policy for Credential Roaming
  – Objective: Set up a group policy for credential roaming

Figure 9-16 Enabling credential roaming (Courtesy Course Technology/Cengage Learning)

Page 44

Network Device Enrollment Service

• Enables routers, switches, and other network devices that have no Active Directory account to be enrolled for digital certificates through a CA
• Uses the Simple Certificate Enrollment Protocol (SCEP) and standard X.509 digital certificates
  – Each enrollment is authorized only by a one-time challenge password obtained from the NDES administration page, so expose the service only to the network management segment

Page 45

Web Enrollment Service

• Lets users and computers request and retrieve certificates through Web pages (http://<server>/certsrv) instead of the Certificates console or autoenrollment
  – Suited to organizations whose users reach network resources through the Web rather than through domain user accounts, and to clients that are not domain members
• Requires IIS to be installed before installing Web Enrollment
  – Serve the pages over HTTPS only; they carry the certificate request and the issued certificate
• Clients must use Internet Explorer version 6 or higher (the pages rely on an ActiveX control)
• Can be used only with version 1 or version 2 certificate templates, not version 3

Page 46

Online Responder Service

• Service relies on OCSP (Online Certificate Status Protocol)
  – Tells a client whether one specific certificate, identified by serial number, has been revoked
• One of two ways a network application determines whether a certificate has been revoked
  – The other way is to download and parse the CA's certificate revocation list (CRL)
• Benefits
  – Faster determination and fresher status: one small signed response per certificate instead of the whole CRL, and the responder learns of revocations as soon as the CA publishes them
  – Can be used in conjunction with CRLs; Windows clients try the OCSP URL from the certificate first and fall back to the CRL distribution point if the responder is unreachable

Page 47

Online Responder Service (cont'd.)

• Benefits (cont'd.)
  – Can be used with Kerberos-based Windows security
  – Compatible with Web enrollment
  – Uses the CryptoAPI 2.0 infrastructure to provide a high level of security

Page 48

Certificate Revocation Lists

• A list, signed by the CA, of the serial numbers of certificates that have been revoked before their expiry date
• CRL issuer is the CA
  – The CRL is published to the CRL distribution point (CDP) locations named in each certificate; client applications and devices download it and cache it until its scheduled next update, then fetch the next CRL
  – A revocation therefore reaches a client only when its cached CRL expires, so the publication interval sets the revocation latency; delta CRLs published more often shrink that window (Figure 9-18)
• Default (and fallback) method for determining which certificates have been revoked

Page 49

Figure 9-17 Extensions tab (Courtesy Course Technology/Cengage Learning)

Page 50

Figure 9-18 Configuring the CRL publication interval and delta CRLs (Courtesy Course Technology/Cengage Learning)
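The Online Responder, CRL and delta CRL slides and the two figures above describe settings that the Certification Authority console exposes on the Extensions tab and the Revoked Certificates properties. As an added example that is not part of the textbook, the same configuration written with certutil.exe, a certificate revoked and the CRL republished, and then the check from the client's point of view. The hosts pki.example.com and ocsp.example.com, the serial number 1a2b3c4d and the file C:\temp\server.cer are hypothetical; it runs on the CA as a CA administrator.

```powershell
# Added example: revocation end to end on a Windows Server 2008 CA with certutil.exe.
# Hypothetical values: CDP/AIA host pki.example.com, OCSP URL ocsp.example.com,
# serial number 1a2b3c4d, certificate file C:\temp\server.cer.

# 1. Publication schedule (Figure 9-18): base CRL weekly, delta CRL daily, 12 h overlap so
#    a client never holds a CRL that expires before the next one is reachable.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod 'Days'
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod 'Hours'

# 2. Extensions (Figure 9-17): where the CA publishes the CRL and its own certificate, and
#    which URLs go into issued certificates. Flag bits: 1 = publish to this location,
#    64 = publish delta CRLs here, 2 = include in the CDP/AIA extension, 4 = include in the
#    delta-CRL pointer, 32 = include as the OCSP URL. A literal "\n" separates entries.
$certEnroll = '%WINDIR%\system32\CertSrv\CertEnroll'
certutil -setreg CA\CRLPublicationURLs ("65:$certEnroll\%3%8%9.crl" + '\n' +
    '6:http://pki.example.com/CertEnroll/%3%8%9.crl')
certutil -setreg CA\CACertPublicationURLs ("1:$certEnroll\%1_%3%4.crt" + '\n' +
    '2:http://pki.example.com/CertEnroll/%1_%3%4.crt' + '\n' +
    '32:http://ocsp.example.com/ocsp')
Restart-Service CertSvc
certutil -CRL                              # publish a fresh base and delta CRL now

# 3. Revoke one certificate and publish again. Reason 1 = key compromise; 0 unspecified,
#    4 superseded, 6 certificate hold (the only reason that can later be undone).
certutil -revoke 1a2b3c4d 1
certutil -CRL

# 4. What a client sees. -urlfetch downloads the chain, the CRLs and the OCSP response
#    named in the certificate and reports on each; the verdict is near the end of the output.
certutil -verify -urlfetch C:\temp\server.cer |
    Select-String 'Revocation|Verified|Revoked|OCSP|\.crl'

# IIS note for the HTTP CDP: delta CRL file names contain "+", which Request Filtering
# rejects unless double escaping is allowed on the virtual directory that serves them.
& "$env:windir\system32\inetsrv\appcmd.exe" set config 'Default Web Site/CertEnroll' `
    /section:requestFiltering /allowDoubleEscaping:true
```

Two things to check after the change: that every URL in the new CDP and AIA entries is reachable from the clients that will validate the certificates (an LDAP path only works for domain members, which is why an HTTP path is included), and that certificates issued before the change still carry the old URLs, so the old locations must stay online until those certificates expire.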

Page 51

Summary

• Implement Internet Information Services (IIS)
  – Create a Windows Server 2008 Web server
  – After installing a Web server, configure it to customize features
• Public key infrastructure (PKI)
  – Uses public and private keys through digital certificates
  – Binds a verified identity to a public key so that users and hosts can be authenticated
• Active Directory Certificate Services (AD CS)
  – Implements a PKI using enterprise root and enterprise subordinate certificate authorities

Page 52

Summary (cont'd.)

• Certification Authority tool
  – Manages a CA
• Configure the Network Device Enrollment Service so that network devices can also obtain certificates
• Credential roaming
  – Enables a user to log on from any computer and still operate with the same digital certificates
• Online Responder Service and CRLs
  – Provide information about revoked digital certificates