Download mypages.iit.edu

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Document related concepts

Dynamic Host Configuration Protocol wikipedia, lookup

Cracking of wireless networks wikipedia, lookup

Server Message Block wikipedia, lookup

Games for Windows – Live wikipedia, lookup

Zero-configuration networking wikipedia, lookup

Microsoft Security Essentials wikipedia, lookup

Lag wikipedia, lookup

Hyper-V wikipedia, lookup

Remote Desktop Services wikipedia, lookup

Transcript
MCITP Guide to Microsoft
Windows Server 2008 Server
Administration (Exam #70-646)
Chapter 9
Deploying IIS and Active Directory
Certificate Services
Learning Objectives
• Install, configure, and troubleshoot Microsoft
Internet Information Services (IIS)
• Install, configure, and troubleshoot Active Directory
Certificate Services
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
2
Implementing Microsoft Internet
Information Services
• Internet Information Services (IIS)
– Included with Windows Server 2008
– Offer a complete Web site
• Benefits
– Fast
– Use of software applications to coordinate with an IIS
server
– Internet Server Application Programming
Interface (ISAPI)
• Group of DLL (dynamic link library) files that are
applications and filters
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
3
Implementing Microsoft Internet
Information Services (cont’d.)
• Web Server (IIS) role
– Contains the World Wide Web services which are
vital for a Web site
• File Transfer Protocol (FTP) service
– TCP/IP-based application protocol that handles file
transfers over a network
• Simple Mail Transfer Protocol (SMTP)
– Works with e-mail services to accept incoming e-mail
from the Internet and forward it to the recipient
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
4
Implementing Microsoft Internet
Information Services (cont’d.)
• Reasons Windows Server 2008 is a good candidate
for a Web server
–
–
–
–
Privileged-mode architecture
Fault-tolerance capabilities
Compatible with small and large databases
Users can log into a database through the IIS Open
Database Connectivity (ODBC) drivers
– Compatible with:
• Microsoft Point-to-Point Encryption (MPPE) security
• IP Security (IPsec)
• Secure Sockets Layer (SSL) encryption technique
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
5
Implementing Microsoft Internet
Information Services (cont’d.)
• IIS newly designed for Windows Server 2008
– Broken into modules or features (role services)
– Install only the features you need
• Smaller attack surface
• More efficient
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
6
Implementing Microsoft Internet
Information Services (cont’d.)
Table 9-1 Internet Information Services features (role services)
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
7
Installing a Web Server
• Requirements
– Windows Server 2008 installed on the computer to
host IIS
– TCP/IP installed on the IIS host
– Access to an Internet Service Provider (ISP)
– Sufficient disk space for IIS and for Web site files
– Method for resolving IP addresses to computer or
domain names
• DNS and WINS
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
8
Installing a Web Server (cont’d.)
• Activity 9-1: Installing IIS
– Objective: Learn how to install IIS
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
9
Internet Information Services (IIS)
Manager
• Capabilities
–
–
–
–
–
–
–
–
–
Connect to a Web server
Manage a Web server
Manage ASP.NET
Manage authorization for users and for specific Web
server roles
Manage Web server logging
Compress Web server files
Manage code modules and worker processes
Manage server certificates
Troubleshoot a Web server
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
10
Internet Information Services (IIS)
Manager (cont’d.)
Figure 9-1 Using IIS Manager
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
11
Creating a Virtual Directory
• Virtual directory
– Physical folder or a redirection to a Uniform
Resource Locator (URL) that points to a folder
– Can be accessed over the Internet, an intranet, or
VPN
• Reason for creating a virtual directory
– Provide a shortcut path to specific IIS server content
• Steps to set up a virtual directory
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
12
Creating a Virtual Directory (cont’d.)
Table 9-2 Virtual directory security options
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
13
Creating a Virtual Directory (cont’d.)
Figure 9-2 Properties of a virtual directory
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
14
Creating a Virtual Directory (cont’d.)
• Set up the virtual directory to be shared
– So that users who need access to add contents to the
directory can do this over the network
• Activity 9-2: Create a Virtual Directory
– Objective: Set up a virtual directory
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
15
Creating a Virtual Directory (cont’d.)
Table 9-3 Virtual directory share permissions
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
16
Figure 9-3 Creating a virtual directory
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
17
Managing and Configuring an IIS Web
Server
• Manage IIS components including:
– Application pools
• Group similar Web applications for management
– Sites
• Manage multiple Web sites from one administrative
Web server
– SMTP E-mail
• Manage Internet e-mail
– Certificates
• Configure and monitor certificate security used with
other Web sites
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
18
Managing and Configuring an IIS Web
Server (cont’d.)
Figure 9-5 Application Pools in IIS Manger
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
19
Managing and Configuring an IIS Web
Server (cont’d.)
Table 9-4 Web site features to configure
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
20
Managing and Configuring an IIS Web
Server (cont’d.)
• Activity 9-3: Configuring a Web Site
– Objective: Learn basic Web site configuration
Figure 9-6 Enabling directory
browsing
Courtesy Course Technology/Cengage
Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
21
Troubleshooting a Web Server
Table 9-5 Troubleshooting IIS
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
22
Using Active Directory Certificate
Services
• Public key infrastructure (PKI)
– Linking a public key or a combination of public and
private keys to a user or network entity
– Uses a certificate authority to issue public key-based
digital certificates to trustworthy network entities
• Certificate authority (CA)
– Network entity or host that issues digital certificates of
trust verifying certificate holders’ legitimacy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
23
Using Active Directory Certificate
Services (cont’d.)
• Public key
– Encryption method that uses a public key and private
key combination
• Asymmetric encryption
– One key used to encrypt the data, and the other key
used to decrypt it
• Public key/private key method
– Uses an encryption algorithm developed by Whitfield
Diffie and Martin Hellman
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
24
Using Active Directory Certificate
Services (cont’d.)
• X.509 standards for digital certificates
– Developed by International Organization for
Standardization (ISO)
– Function as proof of identity for a specific network
entity
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
25
Using Active Directory Certificate
Services (cont’d.)
• X.509 certificate contains:
–
–
–
–
–
–
–
Certificate format version
Certificate serial number
Signature algorithm identifier
Certificate authority (certificate issuer)
Length of time the certificate is valid
ID of the certificate holder
Public key data
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
26
Using Active Directory Certificate
Services (cont’d.)
• Active Directory Certificate Services role
– Available in Windows Server 2008 Standard,
Enterprise, and Datacenter Editions
• Online Responder Service
– Determines the status of digital certifications
– Uses the Online Certificate Status Protocol (OCSP)
to obtain and decode status information
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
27
Planning Active Directory Certificate
Services
• Understand the four kinds of CAs that can be set up
in a Microsoft server environment
–
–
–
–
Enterprise root CA
Enterprise subordinate
Standalone root
Standalone subordinate
• Root CA is always configured before any other CAs
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
28
Planning Active Directory Certificate
Services (cont’d.)
Figure 9-7 CA hierarchy
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
29
Planning Active Directory Certificate
Services (cont’d.)
• Implement enterprise root CA and enterprise
subordinates
– Not standalone model
• Take into account the ways in which an organization
can make most use of AD CS
• PKI with multiple subordinate CAs has built-in
redundancy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
30
Planning Active Directory Certificate
Services (cont’d.)
• Role services for Active Directory Certificate
Services:
–
–
–
–
Certificate Authority
Certification Authority Web Enrollment
Online Responder
Network Device Enrollment service
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
31
Certificate Services Roles
• Recommended to divide responsibilities for handling
money and important security tasks in an
organization
• AD CS enables dividing CA responsibilities into two
roles:
– CA administrator
• Person or persons who manage the CA server
– Certificate manager
• Given to those who determine which users to enroll for
certificates and when to revoke certificates
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
32
Installing Active Directory Certificate
Services
• Active Directory Certificate Services installed in the
same way as other server roles
– Using Server Manager
• Activity 9-4: Installing Active Directory Certificate
Services
– Objective: Learn how to install Active Directory
Certificate Services
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
33
Installing Active Directory Certificate
Services (cont’d.)
Figure 9-8 Configuring an enterprise CA
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
34
Managing Active Directory Certificate
Services
• Certification Authority tool tasks
–
–
–
–
–
–
–
Set up CA security
Assign certificate managers
Start or stop the CA
Back up the CA
Restore the CA
Renew a CA certificate
View revoked, issued, failed, and pending certificates
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
35
Managing Active Directory Certificate
Services (cont’d.)
• Activity 9-5: Using the Certification Authority Tool
– Objective: Learn how to use the Certification Authority
tool
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
36
Figure 9-11 Security tab
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
37
Using Autoenrollment
• Clients automatically enrolled for appropriate
certificates as specified by certificate template
• Set up in a two-step process
– Configure autoenrollment in a certificate template
– Configure a group policy to enable autoenrollment
• Three levels of certificate templates
– Level 1 does not support autoenrollment
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
38
Using Autoenrollment (cont’d.)
• Activity 9-6: Configuring a Certificate Template for
Autoenrollment
– Objective: Set up an existing certificate template for
autoenrollment
• Activity 9-7: Configuring a Group Policy for
Autoenrollment
– Objective: Set up the autoenrollment group policy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
39
Using Autoenrollment (cont’d.)
Figure 9-15 Configuring the autoenrollment policy
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
40
Using Credential Roaming
• When user logs into the network
– Digital certificate information stored on the user’s
computer is automatically synchronized with the
digital certification information for that user stored in
Active Directory
• Configured as a group policy
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
41
Using Credential Roaming (cont’d.)
• Circumstances that launch synchronization through
credential roaming
– When the client or Active Directory synchronize group
policy settings
– When digital certificate information is updated
– When a user unlocks an account that has been
automatically locked
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
42
Using Credential Roaming (cont’d.)
• Activity 9-8: Configuring
a Group Policy for
Credential Roaming
– Objective: Set up a
group policy for
credential roaming
Figure 9-16 Enabling credential roaming
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
43
Network Device Enrollment Service
• Enables routers, switches, and other network
devices to be enrolled for digital certificates through
a CA
• Uses the Simple Certificate Enrollment Protocol
(SCEP) and standardized X.509 digital certificates
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
44
Web Enrollment Service
• For organizations that enable users to access
network resources through the Web
– Rather than through user accounts
• Requires IIS be installed before installing Web
Enrollment
• Clients must use Internet Explorer version 6 or
higher
• Can be used only with Level 1 or 2 certificate
templates
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
45
Online Responder Service
• Service relies on OCSP (Online Certificate Status
Protocol)
– Determine if a certificate is revoked
• One of two ways network applications determine
which network entities have revoked certificates
– Other way is to use certificate revocation lists (CRLs)
• Benefits
– Faster determination and better security
– Can be used in conjunction with CRLs
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
46
Online Responder Service (cont’d.)
• Benefits (cont’d.)
– Can be used with Kerberos password security
– Compatible with Web enrollment
– Uses CryptoAPI 2.0 infrastructure to provide high
level of security
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
47
Certificate Revocation Lists
• List of certificates that have been revoked
• CRL issuer is a CA
– CRL issued to client applications and devices which
cache the CRL for future reference until the next CRL
is issued
• Default method for determining certificates that have
been revoked
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
48
Figure 9-17 Extensions tab
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
49
Figure 9-18 Configuring the CRL publication interval and delta CRLs
Courtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
50
Summary
• Implement Internet Information Services (IIS)
– Create a Windows Server 2008 Web server
– After installing a Web server, configure it to customize
features
• Public key infrastructure (PKI)
– Use public and private keys through digital certificates
– Ensure users can be trusted
• Active Directory Certificate Services (AD CS)
– Implements a PKI using enterprise root and
enterprise subordinate certificate authorities
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
51
Summary (cont’d.)
• Certification Authority tool
– Manage a CA
• Configure Network Device Enrollment Service for
added security
• Credential roaming
– Enables a user to log on from any computer and still
operate with the same digital certificates
• Online Responder Service and CRLs
– Provide information about revoked digital certificates
MCITP Guide to Microsoft Windows Server 2008,
Server Administration (Exam #70-646)
52