Windows Server 2003

Network Infrastructure Part 2

Lab Manual

Presented by

© Copyright 2010 - IdeaDudes LLC

Table of Contents

Configuring Routing using Routing and Remote Access

Deploying IPSec through IPSec Policies

Configuring NAT

Configuring a VPN Server

Installing IIS 6.0 and Configuring Baseline Security

Securing Web Server

Configuring Applications on a Web Server

Securing Web Sites and Applications


Module 4 – Configuring Routing by Using Routing and Remote Access

Requirements

| Computer Name | IP Address | Subnet Mask | Default Gateway | Preferred DNS |
| --- | --- | --- | --- | --- |
| DC1 (Finalvision.com) | 10.10.0.10 | 255.255.0.0 | 10.10.0.20 | 10.10.0.10 |
| SRV1 | 10.10.0.20 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.11.0.1 | 255.255.0.0 | | 10.10.0.10 |
| SVR2 | 10.11.0.30 | 255.255.0.0 | 10.11.0.1 | 10.10.0.10 |

Exercise 1: Configure Routing and Remote Access

1. On SRV1, log on to the FinalVision domain as Administrator
2. Open Routing and Remote Access from the Administrative Tools menu
3. Right-click SRV1 and select Configure the Routing and Remote Access Server

Displays the Routing and Remote Access Server

4. Click Next
5. On the Configuration page, click Custom Configuration
6. Click Next
7. On the Custom Configuration page, select LAN Routing
8. Click Next
9. Click Finish
10. Click Yes

This will start the Routing and Remote Access Server

Exercise 2: Configure Static Routing

1. Expand IP Routing
2. Right-click Static Routes and select New Static Route
3. Select the second interface
4. In Destination, type 10.10.11.0 and press Tab
5. In Network Mask, type 255.255.0.0 and press Tab
6. In Gateway, type 10.11.0.1
7. Click OK
8. Log on to SRV2 as Administrator
9. Open a Command Prompt
10. Ping 10.10.0.10

This should succeed; you have created a statically routed environment


Module 5 – Deploying IPSec Through IPSec Policies

Requirements

| Computer Name | IP Address | Subnet Mask | Default Gateway | Preferred DNS |
| --- | --- | --- | --- | --- |
| DC1 (FinalVision.com, GPMC installed) | 10.10.0.10 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.20 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.11.0.1 | 255.255.0.0 | | 10.10.0.10 |
| SVR2 | 10.10.0.30 | 255.255.0.0 | | 10.10.0.10 |

Exercise 1: Install Telnet Service

1. On SRV1, log on to the FinalVision domain as Administrator
2. Go to the Administrative Tools menu and open Services
3. Find the Telnet service
4. Right-click the Telnet service and select Properties
5. Change Startup Mode to Automatic
6. Click Apply
7. Right-click the Telnet service and select Start
8. Do the same for SVR2
9. Click OK

Exercise 2: Create an IPSec Policy

1. On DC1, log on to the FinalVision domain as Administrator
2. Open the GPMC console from the Administrative Tools menu
3. Expand the Domains container and select finalvision.com
4. Right-click the finalvision.com node and choose Create A GPO and Link It Here
5. In the New GPO box, type IPSec GPO and click OK
6. Right-click IPSec Policy and click Edit
7. Expand the Windows Settings container
8. Expand the Security Settings container
9. Click IPSec Security Policies
10. Right-click the Details pane and select Create IPSec Policy
11. This starts the IPSec Security Policy Wizard
12. Click Next
13. In the IP Security Policy Wizard, type Telnet Policy and click Next
14. Uncheck the Activate the default response rule box
15. Click Next


Exercise 3: Create an IPSec Policy Rule and Filter

1. On the Completing the IP Security Policy Wizard page, click Finish
2. In Telnet Policy Properties, click Add

Starts the Security Rule Wizard

3. Click Next
4. On the Tunnel Endpoint page, click Next
5. Select Local Area Network (LAN) and click Next
6. Click Add
7. In New IP Filter List, type Encrypt Telnet Filter List and click Add

IP Filter List opens

8. Click Next
9. On the IP Filter Description and Mirrored Property page, click Next
10. On the IP Traffic Source page, click Next
11. On the IP Traffic Destination page, click Next
12. On the IP Protocol Type page, select TCP from the drop-down menu
13. On the IP Protocol Port page, select To This Port, type 23, and click Next
14. Click Finish
15. In the IP Filter List dialog, click OK
16. In the IP Filter Lists area, select the Encrypt Telnet Filter List option button and click Next
17. On the Filter Action page, read all of the text on the page, and then click Add

Exercise 4: Using the Filter Action Wizard

1. For Filter Action, select Request Security (Optional)
2. For Authentication Method, select Active Directory default (Kerberos V5 protocol)
3. Click Next
4. Click Finish
5. Click OK
6. Right-click Telnet Policy and select Assign

Exercise 5: Testing New IPSec Policy

1. On SRV1, log on as Administrator
2. Open a Command Prompt
3. On SRV2, log on as Administrator
4. Open a Command Prompt on SRV1 and SRV2
5. Type gpupdate /force and press Enter (repeat on each server)
6. On SRV1, type telnet SRV2
7. Click Start, Run, and type MMC
8. Click File, Add/Remove Snap-ins
9. Click Add
10. Click IPSec Monitor
11. Click OK
12. Click OK
13. Click IPSec Monitor
14. Click Active Policy

Notice the Telnet Policy is present


Module 6 – Configuring NAT

Requirements

| Computer Name | IP Address | Subnet Mask | Default Gateway | Preferred DNS |
| --- | --- | --- | --- | --- |
| DC1 (FinalVision.com, GPMC installed) | 10.10.0.10 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.20 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.11.0.1 | 255.255.0.0 | | 10.10.0.10 |
| SVR2 | 10.10.0.30 | 255.255.0.0 | | 10.10.0.10 |

Exercise 1: Configure a NAT Server

1. On SRV1, log on to the FinalVision domain as Administrator
2. Open Routing and Remote Access Server, right-click, and select Configure And Enable Routing and Remote Access
3. In the Routing and Remote Access Server Setup Wizard, click Next
4. Select Network Address Translation (NAT)
5. On the NAT Internet Connection page, select the second network interface adapter
6. Uncheck Enable security on the selected interface by setting up Basic Firewall and click Next
7. Click Finish

Exercise 1: Configure a NAT Client

1. On SRV2, log on to the FinalVision domain as Administrator
2. Change the IP address configuration to DHCP
3. Open a Command Prompt
4. Type ipconfig /release and press Enter
5. Type ipconfig /renew and press Enter


Module 8 – Configuring a VPN Server

Requirements

| Computer Name | IP Address | Subnet Mask | Default Gateway | Preferred DNS |
| --- | --- | --- | --- | --- |
| DC1 (FinalVision.com, GPMC installed) | 10.10.0.10 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.20 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.1 | 255.255.0.0 | | 10.10.0.10 |
| SVR2 | 10.10.0.30 | 255.255.0.0 | | 10.10.0.10 |

Exercise 1: Configure a VPN Server

1. On SRV1, log on to the FinalVision domain as Administrator
2. Open Routing and Remote Access from the Administrative Tools menu
3. Right-click SRV1 and select Configure Routing and Remote Access
4. In the Routing and Remote Access Server Setup Wizard, click Next
5. Select Remote access (dial-up or VPN)
6. Click Next
7. Select VPN
8. Click Next
9. Select the second network interface card
10. Uncheck Enable security on the selected interface by setting up static packet filters
11. Click Next
12. On the IP Address Assignment page, click Next
13. On the Managing Multiple Remote Access Servers page, click Next
14. Click Finish
15. Click OK
16. Click Ports

Notice there are 128 ports for both PPTP and L2TP

Exercise 1: Configure a VPN Client

1. On SRV2, log on to the FinalVision domain as Administrator
2. Open Connect To from the Start menu
3. Right-click and select OK
4. Double-click New Connection Wizard
5. In the New Connection Wizard, click Next
6. Select Connect to the network at my workplace
7. Click Next
8. Select Virtual Private Network connection
9. For Connection Name, type Final Vision VPN Connection and click Next
10. On the Public Network page, select Do not dial the initial connection
11. On the VPN Server Selection page, type 10.10.0.1 and click Next
12. On the Connection Availability page, select Anyone’s use and click Next
13. Click Finish
14. Enter your password
15. Click Connect
16. On SRV1, check Ports and you will see 1 VPN connection as PPTP


Module 9 – Installing IIS 6.0 and Configuring Baseline Security

Requirements

| Computer Name | IP Address | Subnet Mask | Default Gateway | Preferred DNS |
| --- | --- | --- | --- | --- |
| DC1 (FinalVision.com, GPMC installed) | 10.10.0.10 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.20 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.1 | 255.255.0.0 | | 10.10.0.10 |
| SVR2 | 10.10.0.30 | 255.255.0.0 | | 10.10.0.10 |

Exercise 1: Installing IIS 6.0

1. On SRV2, log on to the FinalVision domain as Administrator
2. Open Add/Remove Programs from the Control Panel menu
3. Click Add/Remove Windows Components
4. Click Application Server and click Details
5. Click Internet Information Services (IIS)
6. Click Details
7. Click OK
8. Click OK
9. Click Next

Ensure you have the Windows Server 2003 CD or the i386 directory on the C drive

Exercise 2: Verify the Installation

1. On SRV2, log on to the FinalVision domain as Administrator
2. Navigate to C:\Windows\system32
3. Notice inetsrv; this is the IIS main directory
4. Navigate to C:\Inetpub
5. Enter Inetpub and you will see the AdminScripts and wwwroot folders
6. Open Administrative Tools, Internet Information Services Manager
7. Expand SVR2
8. Expand Web Sites
9. Expand Default Web Site

Exercise 3: Setting Up Baseline Security

1. Open Add/Remove Windows Components
2. Click Add or Remove Programs and click Add/Remove Windows Components
3. Select Security Configuration Wizard and click Next
4. Click Finish
5. Close Add or Remove Programs
6. Open Security Configuration Wizard from the Administrative Tools menu
7. Click Next
8. On the Configuration Action page, click Next
9. On the Select Server page, click Next
10. Click View Configuration Database
11. Take a look at each Server Role
12. When done, close the window
13. Click Next


14. On the Role-Based Service Configuration page, click Next
15. Verify Application Server is selected
16. Click Next
17. On the Select Client Features page, click Next
18. On the Select Administration and Other Options page, click Next
19. On the Select Additional Services page, click Next
20. On the Handling Unspecified Services page, click Next
21. On the Confirm Service Changes page, click Next
22. On the Network Security page, click Next
23. On the Registry Settings page, select Skip this section and then click Next
24. On the Audit Policy page, select Skip this section and then click Next
25. On the Internet Information Service page, click Next
26. On the Select Web Service Extensions for Dynamic Content page, ensure Active Server Pages, Internet Data Connector, Server Side Includes and WebDAV are clear, and click Next
27. On the IIS Settings Summary page, click Next
28. On the Save Security Policy page, click Next
29. For Security Policy File Name, type IISPolicy and click Next

The IISPolicy file is located in the C:\Windows\security\msscw\Policies folder

30. On the Apply Security Policy page, select Apply Now and then click Next
31. On the Applying Security Policy page, click Next
32. On the Completing the Security Configuration Wizard page, click Finish


Module 10 – Securing Web Server

Requirements

| Computer Name | IP Address | Subnet Mask | Default Gateway | Preferred DNS |
| --- | --- | --- | --- | --- |
| DC1 (FinalVision.com, GPMC installed, Certificate Services, User1, User2, ExemptEmployees, NonExemptEmployees) | 10.10.0.10 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.20 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.1 | 255.255.0.0 | | 10.10.0.10 |
| SVR2 | 10.10.0.30 | 255.255.0.0 | | 10.10.0.10 |

Exercise 1: Configuring User Authentication for a Web Site

1. On SRV2, log on to the FinalVision domain as Administrator
2. Open Internet Information Services Manager from the Administrative Tools menu
3. Expand SRV2, right-click the Web Site folder and click Properties
4. Click the Directory Security tab
5. Click Edit in the Authentication and access control section
6. Click the Basic Authentication check box
7. Click Yes on the warning

This transfers the password in clear text

8. Clear any other checkboxes in Authentication Methods, including Enable anonymous access
9. Select Default domain
10. Browse for Domain, select finalvision.com and click OK
11. Select the Realm box and select finalvision.com
12. Click OK
13. Click OK
14. Click OK
15. Click OK
16. Navigate to C:\Inetpub\wwwroot
17. Create a new text document and call it home.htm
18. Put in the following

<h1>Welcome to Final Vision Home Website</h1>

19. Save the file
20. In the browser, enter http://localhost/home.htm
21. Enter your username and password
22. Click OK
23. Close Internet Explorer


Exercise 2: Encrypting Web Site Communications

1. Open Internet Information Services (IIS 6.0)
2. Expand SRV2
3. Right-click Default Web Site and select Properties
4. Click the Directory Security tab
5. Click Server Certificate
6. In the IIS Certificate Wizard, click Next
7. Select Create a new certificate and click Next
8. Select Send the request immediately to an online certification authority and click Next
9. On the Name and Security Setting page, in the Name box type SRV1.finalvision.com; Bit length is 1024; click Next
10. In the Organization Information section, in the Organization box type Final Vision Enterprises, in the Organizational Unit box type Advertising, and click Next
11. For Your Site’s Common Name, type SRV1.finalvision.com and click Next
12. In the Geographical Information section, put the required information for Country/Region and State/Province and in the City/Locality box, and click Next
13. In the Certificate Request File Name box, type c:\certreq.txt, then click Next
14. On the Request File Summary page, click Next
15. On the Completing the Web Server Certificate Wizard page, click Finish
16. In the Default Web Site Properties dialog box, in the Directory Security tab, in the Secure Communications section, click Edit
17. Select Require 128-bit encryption
18. Ensure that the option for Accept client certificates is selected and then click OK
19. Click OK
20. Close IIS Manager
21. Type https://localhost/home.htm
22. Click OK
23. Enter your credentials and click OK

Exercise 3: Configuring Authorization for a Web Site

1. Open Internet Information Services (IIS 6.0) Manager
2. Right-click the Default Web Site and select Properties
3. Click the Home Directory tab
4. Ensure that the checkboxes Read, Log Visits and Index this resource are selected
5. In the Default Web Site Properties dialog box, click OK
6. Right-click Default Web Site and click Permissions
7. Under Group or user names, click Add
8. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type ExemptEmployees and click OK
9. Under Group or user names, click Add
10. In the Select Users, Computers, or Groups dialog box, in the Enter the object names to select box, type NonExemptEmployees and click OK
11. Select ExemptEmployees; in the Allow column, select the checkboxes Read & Execute, List Folder Contents and Read, then click OK
12. Select NonExemptEmployees; in the Deny column, select the Full Control checkbox, and then click OK
13. Close IIS Manager


15. Type the URL https://SRV2/home.htm
16. Enter NonExemptEmployees, enter the password in the password box, then click OK
17. Type the URL https://SRV2/home.htm
18. Enter NonExemptEmployees, enter the password in the password box, then click OK


Module 11 – Configuring Applications on a Web Server

Requirements

| Computer Name | IP Address | Subnet Mask | Default Gateway | Preferred DNS |
| --- | --- | --- | --- | --- |
| DC1 (FinalVision.com, GPMC installed) | 10.10.0.10 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.20 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.1 | 255.255.0.0 | | 10.10.0.10 |
| SVR2 | 10.10.0.30 | 255.255.0.0 | | 10.10.0.10 |

Exercise 1: Create an additional Web Site

1. Log on to SRV2 as Administrator
2. On the desktop, right-click My Network Places and select Properties
3. In the Network Connections dialog box, double-click Local Area Connection
4. In the Local Area Connection Properties dialog box, in the This connection uses the following items section, select Internet Protocol (TCP/IP), then click Properties
5. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced
6. In the Advanced TCP/IP Settings dialog box, in the IP Settings tab, in the IP addresses section, click Add
7. In the TCP/IP Address dialog box, in the IP address box, type 10.10.0.40, and then click Add
8. In the Advanced TCP/IP Settings dialog box, click OK
9. In the Internet Protocol (TCP/IP) Properties dialog box, click OK
10. In the Local Area Connection Properties dialog box, click Close
11. In the Local Area Connection Status dialog box, click Close
12. Close the Network Connections window
13. Open IIS Manager from Administrative Tools
14. Expand SRV2, right-click Web Sites, point to New, and then click Web Site
15. On the Welcome to the Web Site Creation Wizard page, click Next
16. On the Web Site Description page, in the Description box, type FinalVisionHR and then click OK
17. On the IP Address and Port Settings page, in the Enter the IP Address to use for this Web Site box, type the IP address, 10.10.0.40, and click Next
18. On the Web Site Home Directory page, click Next
19. On the Web Site Access Permission page, in the Allow the following permissions section, ensure that the checkboxes for Read and Run scripts (such as ASP) are selected, and then click Next
20. On the Web Site Creation Wizard page, click Finish


Exercise 2: Managing Server-Side Applications

1. Log on to SRV2 as Administrator
2. Open Add/Remove Programs and click Add/Remove Windows Components
3. On the Windows Components page, in the Components box, ensure that Application Server is selected, and then click Details
4. In the Subcomponents of Application Server section, select the checkbox for ASP.NET and then click OK
5. On the Windows Components page, click Next
6. Click Finish
7. Close the Add or Remove Programs window
8. Close the Control Panel window
9. Open the IIS Manager window, expand SRV2, and then click Web Service Extensions
10. In the Web Service Extensions pane, verify that the status for ASP.NET v1.1.4322 is Allowed
11. Close the IIS Manager

Exercise 3: Managing Web Sites

1. Open IIS Manager from the Administrative Tools menu and expand SRV2
2. Expand the Web Sites folder, right-click FinalVisionHR, and then click Properties
3. In the FinalVisionHR Properties dialog box, click the Custom Errors tab
4. In the Custom Errors tab, look at the Error messages for HTTP errors section

This is where you can substitute an error page of your own

5. In the FinalVisionHR Properties dialog box, click OK


Module 12 – Securing Web Sites and Applications

Requirements

| Computer Name | IP Address | Subnet Mask | Default Gateway | Preferred DNS |
| --- | --- | --- | --- | --- |
| DC1 (FinalVision.com, GPMC installed) | 10.10.0.10 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.20 | 255.255.0.0 | | 10.10.0.10 |
| SRV1 | 10.10.0.1 | 255.255.0.0 | | 10.10.0.10 |
| SVR2 (mimeEX.eee text file created in Inetpub\wwwroot) | 10.10.0.30 | 255.255.0.0 | | 10.10.0.10 |

Exercise 1: Reducing the Attack Surface of the Web Server

1. Log on to SRV2 as Administrator
2. Open IIS Manager from the Administrative Tools menu
3. In the Internet Information Services (IIS) Manager window, expand SRV2 and click Web Service Extensions
4. In the Web Service Extensions pane, in the Web Service Extension column, select Active Server Pages, and then click Allow
5. Close Internet Explorer
6. In the Internet Explorer Address bar, type https://SRV2/home.htm
7. Enter your credentials
8. In the IIS Manager window, expand SRV2 and then expand Web Sites
9. Right-click Default Web Site and then click Properties
10. In the Default Web Site Properties dialog box, in the HTTP Headers tab, in the MIME Types section, click MIME Types
11. In the MIME Types dialog box, click New
12. In the MIME Type dialog box, in the Extension box, type eee; in the MIME Type box, type text/plain and then click OK
13. In the MIME Types dialog box, click OK
14. In the Default Web Site Properties dialog box, click OK
15. Close IIS Manager
16. Open Internet Explorer
17. Type https://SRV2/mimeEx.eee
18. Enter credentials


Exercise 2: Configure IIS 6.0 logs

1. Log on to SRV2 as Administrator
2. Open IIS Manager from the Administrative Tools menu
3. Expand Web Sites, right-click FinalVisionHR and click Properties
4. In the FinalVisionHR Properties dialog box, ensure that Enable logging is selected, and that the Active log format list has W3C Extended Log File Format selected
5. In the FinalVisionHR Properties dialog box, in the Enable logging section, click Properties
6. In the Logging Properties dialog box, on the General tab, in the New log schedule section, select the option for When file size reaches, and type 10
7. In the Logging Properties dialog box, in the Log File directory section, click Browse
8. In the Browse for Folder dialog box, select Local Disk C:
9. Click Make New Folder, type the folder name as FinalVisionLog and then press Enter
10. In the Browse for Folder dialog box, click OK
11. In the Logging Properties dialog box, click the Advanced tab
12. On the Advanced tab, in the Extended logging options section, review the default fields that are saved
13. On the Advanced tab, in the Extended logging options section, select the checkboxes for Bytes Sent (sc-bytes) and Bytes Received (cs-bytes)
14. In the Logging Properties dialog box, click OK
15. In the FinalVisionHR Properties dialog box, click OK
16. In the IIS Manager window, right-click the FinalVisionHR Web Site, and then click Browse

This creates an entry in the log file

17. Close the IIS Manager window
18. Open the C:\FinalVisionLog folder
19. Double-click extend1.log
20. Close Notepad
21. Close Windows Explorer
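Reading the log this exercise produces, as an added example that is not part of the lab manual: a Python parser for the W3C Extended format that totals sc-bytes and cs-bytes per client, counts rejected logons, and flags authenticated requests that arrived on port 80, where the Basic authentication enabled in Module 10 sends the password in clear text. The log lines are constructed, the function names are hypothetical, and the port-80 check assumes Basic is the only authentication method enabled.

```python
from collections import defaultdict

# Constructed sample in IIS 6.0 W3C Extended format (not from the lab manual).
# sc-bytes and cs-bytes are present because step 13 ticked them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-03-01 09:15:02
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-03-01 09:15:02 10.10.0.40 GET /home.htm - 80 - 10.10.0.20 Mozilla/4.0 401 2 2148074254 1872 310
2010-03-01 09:15:09 10.10.0.40 GET /home.htm - 80 User1 10.10.0.20 Mozilla/4.0 200 0 0 512 398
2010-03-01 09:16:40 10.10.0.40 GET /home.htm - 443 User2 10.10.0.10 Mozilla/4.0 200 0 0 512 401
2010-03-01 09:17:01 10.10.0.40 GET /home.htm - 443 User2 10.10.0.20 Mozilla/4.0 401 1 1326 1539 355
2010-03-01 09:17:03 10.10.0.40 GET /home.htm - 443 User2 10.10.0.20 Mozilla/4.0 401 1 1326 1539 355
2010-03-01 09:17:05 10.10.0.40 GET
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#"):
            # IIS writes a fresh header block whenever logging restarts, so
            # the column layout can change mid-file; track every #Fields line.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # blank, truncated or foreign line: skip, never misalign
        yield dict(zip(fields, values))


def to_int(value):
    """W3C logs write '-' for an empty field; treat that (or a missing column) as 0."""
    return int(value) if value and value.isdigit() else 0


def summarize(text):
    """Return (bytes per client, 401.1 logon failures per client, cleartext logons)."""
    traffic = defaultdict(lambda: {"sent": 0, "received": 0})
    failed_logons = defaultdict(int)
    cleartext_logons = []
    for rec in parse_w3c(text):
        client = rec.get("c-ip", "-")
        traffic[client]["sent"] += to_int(rec.get("sc-bytes"))
        traffic[client]["received"] += to_int(rec.get("cs-bytes"))
        # 401.2 is the ordinary authentication challenge; 401.1 means the
        # supplied credentials were rejected.
        if rec.get("sc-status") == "401" and rec.get("sc-substatus") == "1":
            failed_logons[client] += 1
        # Assumption: Basic is the only enabled method (Module 10), so a named
        # user on port 80 means the password crossed the wire without SSL.
        user = rec.get("cs-username", "-")
        if user != "-" and rec.get("s-port") == "80":
            cleartext_logons.append(
                (rec.get("date"), rec.get("time"), client, user, rec.get("cs-uri-stem")))
    return dict(traffic), dict(failed_logons), cleartext_logons


if __name__ == "__main__":
    traffic, failed, cleartext = summarize(SAMPLE_LOG)
    for client, totals in sorted(traffic.items()):
        print(client, totals, "failed logons:", failed.get(client, 0))
    for entry in cleartext:
        print("Basic credentials sent without SSL:", entry)
```

Point `summarize` at the contents of the log file in C:\FinalVisionLog; a site whose field selection lacks s-port or cs-username simply yields no cleartext findings.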

Exercise 3: Configure IIS 6.0 tracing

1. Open Notepad
2. Type IIS: Active Server Pages (ASP) 0 5
3. Save the file as ASPTrace on the C: drive
4. Close ASPTrace.txt
5. Click Start and click Run
6. Type cmd and press Enter
7. Type logman start TraceASPFailRequest -pf C:\ASPTrace.txt -ets and press Enter
8. Verify the trace details and that you received the message “The command completed successfully”
9. Also, verify that the file TraceASPFailRequest.etl has been created at C:\
10. To stop the tracing process, at the command prompt, type logman stop TraceASPFailRequest -ets and press Enter
11. In the command prompt, type tracerpt TraceASPFailRequest.etl -o report and press Enter
12. Close the command prompt
13. Open report in Notepad
14. Close Windows Explorer