Web Server Product
A special case occurs when a Web hosting company hosts a number of different Web sites. Although these Web sites are implemented on the same network and often on the same server, they cannot be treated in the same way as multiple company Web sites implemented by the same organization, usually in the same domain. These are different Web sites associated with different organizations and hosted on standalone Web servers. If they are to use HTTPS, they each require one (or more) separate SSL certificates.
Datum is a Web-hosting organization that hosts a large number of 3. You want to set a .NET trust level of High for a specific application. You log on to the Web server, open IIS Manager, and navigate to the application you want to manage. What do you do next
The Web Server Certificate Wizard is launched from the Internet Services Manager console in Windows 2000 and the Internet Information Services (IIS) Manager console in Windows Server 2003. The following process installs a Web Server certificate 6. In the Web Server Certificate Wizard, click Next. Note By sending the request to an online CA, the enterprise CA decides whether to issue or deny the certificate request based on the permissions assigned to the Web Server certificate template. 9. On the Name and Security Settings page, in the Name box, type a description of the Web server, set the Bit Length to 1024, and click Next. Note In Windows Server 2003, you can choose which SChannel CSP to use for the Web Server certificate on the Name and Security Settings page. Note The default providers for Web Server certificates include the Microsoft RSA SChannel Cryptographic Provider and the Microsoft Diffie-Hellman Schannel Cryptographic Provider. Note For example, use www.example.com rather...
When you issue a Web Server certificate to a forest member using the Web Server Certificate Wizard, the certificate request is submitted in the security context of the user using the Web Server Certificate Wizard. The user running the wizard must belong to a group assigned Read and Enroll permissions for the Web Server certificate template. In addition, the user must be a member of the local Administrators group on the Web server to allow him or her to write certificate information into the computer's local store. Installation of the Web Server certificate in a forest environment is a two-step process 1. Request and install the Web Server certificate at the Web server. 2. Configure the Web server to enable SSL encryption for a Web site or virtual server.
You must install the Web server before you can install your ASP.NET applications. In addition to installing Windows Server 2003, you must install and configure IIS 6.0 on the Web server. You must also enable ASP.NET so that the Web server can run ASP.NET applications. Figure 2.2 illustrates the process for deploying the Web server. Figure 2.2 Deploying the Web Server Figure 2.2 Deploying the Web Server
Before you enable client access to the Web server, perform a complete image backup. The purpose of performing this image backup is to provide a point-in-time snapshot of the Web server. If you need to restore the Web server in the event of a failure, you can use this backup to restore the Web server to a known configuration. Important Do not continue unless you have a successful backup of the entire Web server. Otherwise, you can lose Web sites, applications, or data that you deployed to the Web server. For more information about how to back up the Web server, see Back Up and Restore the Web Server to a File or Tape in IIS Deployment Procedures in this book.
A common Web server deployment tactic is to arrange a Web site in a clustered configuration. In a clustered configuration, either a common disk exists between multiple servers or the servers host a common Web site through a Network Load Balancing (NLB) cluster. In either case, when users connect to a specific URL, they are redirected to any one of the cluster nodes. (See Figure 17-3.) Web Server Web Server Web Server Web Server Web Server Figure 17-3 Deploying a Web Server certificate to a clustered Web server When you implement SSL in a clustered configuration, each Web server in the cluster must have its own Web Server certificate. The only requirement is that the Web Server certificate's subject name is the DNS name used by Web clients to connect to the Web site. Important A common misconception is that the same certificate and private key pair must be deployed at each Web server in the cluster. Each node in the cluster does require its own certificate, but it is not necessary to...
You should back up a Web server before upgrading it or making configuration changes to it. A complete Web server backup includes all Web sites, applications, and data stored on the Web server. For example, before an upgrade, or before you enable client access to a target Web server, perform a complete image backup before you change any of the configuration settings on the existing Web server. The image backup provides a point-in-time snapshot of the Web server. If unforeseen problems occur during the upgrade or configuration process, you can use this backup to restore the Web server to a known configuration You should back up all boot and system volumes, including the System State, when you back up the Web server. To restore the Web server from a file or tape When the Web sites and applications running on the Web server require anonymous access, IIS must be configured with a user account specifically for anonymous access. This user account can be stored in the local account database...
When you implement SSL at a Web server, you must determine where you will obtain the Web Server certificate. The decision is most often based on whether the clients connecting to the Web server are internal or external. Internal clients are employees or partners of your organization who might or might not have computer accounts within your network. An external client is typically a customer that does business with you but does not have a user or computer account on your network. An organization typically chooses to issue Web Server certificates from a private CA when The organization wants to reduce the costs associated with issuing certificates to intranet Web servers, which only accept connections from employees or other trusted partners. In these circumstances, an organization can require employees or partners to trust the root CA of the organization's CA hierarchy. This eliminates the need to purchase Web Server certificates from a commercial organization only for internal use. An...
Procedure Requesting a certificate for a Web server Enabling SSL for a Web server involves the following steps Requesting a certificate for a Web server. Configuring the Web server to use SSL. To request a certificate for a Web server, perform the following steps 6. On the Welcome to the Web Server Certificate Wizard page, click Next. Procedure Configuring the Web server to use SSL To configure a Web server for use with SSL, perform the following steps
When you issue a Web Server certificate to a non-forest member, the certificate request cannot be submitted to the Windows Server 2003 CA directly. Instead, the certificate request must be saved to a PKCS 10 request file and then submitted to the CA by a member of the managing organization. Note This process is the same as when you submit a Web Server certificate request to a commercial CA organization, such as VeriSign or RSA. The only difference is in the certificate issuance, which varies depending on the type of CA used by the commercial CA. The installation of the Web Server certificate to a non-forest member is a four-step process 1. Generate a Web Server certificate request at the Web server. 2. Submit the Web Server certificate request to the CA. 3. Install the issued Web Server certificate at the Web server. 4. Configure the Web server to enable SSL encryption for a Web site or virtual directory. Note There is no difference in enabling SSL encryption at an IIS Web server when...
Microsoft Internet Security and Acceleration (ISA) Server with server publishing allows you to host a Web site behind a firewall. When you implement server publishing, all traffic that connects to the ISA Server's SSL listening port (TCP port 443) is redirected to the Web server protected by the ISA Server. (See Figure 17-4.) Web Server Web Server Figure 17-4 Deploying a Web Server certificate when using ISA server publishing In this configuration, the Web Server certificate must be installed at the Web server. The DNS name in the certificate's subject must match the DNS name used by Web clients to connect to the ISA Server's external interface. In other words, the DNS name must resolve to an IP address bound to the ISA Server's external interface. This configuration allows an organization to meet the technical requirement of implementing end-to-end encryption of data transmitted between the Web client and the Web server.
The ISA Server provides an alternate method of transmitting data to a Web server protected by a firewall. When you implement Web publishing, the data received by the ISA Server is decrypted and inspected by application filters. These application filters, such as URLScan, inspect Web traffic for worm attacks or other Web-based attacks against a Web server.
Using HTTPS on an IIS Web server requires the server to have a certificate installed and configured. The exact process you will use to configure the certificate varies depending on the source of the certificate however, you will always use the Web Server Certificate Wizard to perform the configuration. To launch the Web Server Certificate Wizard The Web Server Certificate Wizard appears. You can use the Web Server Certificate Wizard to request a new certificate, assign an existing certificate, renew a certificate, and delete a certificate, as described in the following sections.
Through the course of normal administration of the Web server, configuration changes are made. During this process, security settings might have been inadvertently changed. You need to periodically review the configuration of the Web server to ensure that it complies with the security requirements of your organization. You can categorize these Web server security practices by their function, such as operating system security, security policies, firewall security, and router security. In addition, the frequency with which these processes and procedures are completed varies. Some security practices need to be completed continuously while others might be completed monthly. Table 3.14, Table 3.15, Table 3.16, and Table 3.17 list examples of security policies, processes, and procedures for an ISP, grouped by categories. These examples are representative of the types of security practices that are required to maintain the security of your Web server. For more information about the security...
The IIS 6.0 deployment process is written for Web server administrators who are responsible for installing and configuring IIS on new or existing servers. The chapters in this book can be divided into two main deployment scenarios Deploying a new Web server running Windows Server 2003 with IIS 6.0 Upgrading or migrating to a Web server running Windows Server 2003 with IIS 6.0 Deploying a New IIS 6.0 Web Server Read this chapter to understand specific considerations for deploying ASP.NET applications in IIS 6.0. In particular, the chapter describes how you can run multiple versions of the Microsoft .NET Framework on the same Web server and how you can configure ASP.NET applications to use the appropriate version of the .NET Framework. Read this chapter to learn how you can further protect the Web sites and applications that are hosted on a Web server running IIS 6.0. This chapter describes how to secure a Web server and how to secure individual Web sites and applications running on IIS...
Immediately after installing Windows Server 2003 and IIS 6.0 with the default settings, the Web server is configured to serve only static content. If your Web sites consist of static content and you do not need any of the other IIS components, then the default configuration of IIS minimizes the attack surface of the server. When your Web sites and applications contain dynamic content, or you require one or more of the additional IIS components, you will need to enable additional features. However, you still want to ensure that you minimize the attack surface of the Web server. The attack surface of the Web server is the extent to which the server is exposed to a potential attacker. However, if you reduce the attack surface of the Web server too much, you can eliminate functionality that is required by the Web sites and applications that the server hosts. You need to ensure that only the functionality that is necessary to support your Web sites and applications is enabled on the...
Web application developers require support for managing access to databases, security and authorization methods, and reliability and scalability features. They need to access the IIS management namespaces and objects so they can build logic that interacts with Web server requests. They need to use server-side components that can run on multiple Web server platforms, and they need to embed common content for example, site headers, navigation elements, and site footers on their Web pages. Which role services should you install on the development Web server 2. Some of the Web applications are at an early stage of development, whereas others require nonstandard settings. How do you test these applications without affecting other applications on the development Web server
The last initial configuration job to get out of the way is the FTP server. We've got a machine that acts both as a Web server and as an FTP server. Its current name is www.bowsers.com, so people will clearly have no problem finding our Web server. But people assume that an FTP server will have the name ftp, so it'd be nice if the machine also answered to ftp.bowsers.com. We add this second name with the CNAME or Alias function right-click bowsers.com and choose New Alias and you'll see a dialog like the one in Figure 7.64.
Once you download the Web Server certificate chain, you must complete the installation of the certificate and chain at the Web Server, as follows 6. In the Web Server Certificate Wizard, click Next. 11. On the Completing the Web Server Certificate Wizard page, click Finish.
Introduction You can publish Web servers to make internal Web sites accessible to users on the Internet. To publish a Web server, you must first create a Web publishing rule. By creating a Web publishing rule, you configure the ISA Server computer to redirect incoming requests to a Web server on the internal network. When using a destination set that contains a path after the computer name, the Web server must contain the same path. For example, if a client requests www.nwtraders.msft africa default.htm, the internal server africa.internal.nwtraders.msft must contain the path and file africa default.htm. Procedure To create Web server publishing rules, perform the following steps 5. On the Rule Action page, click Discard the request to ignore requests that match the rule conditions, or click Redirect the request to this internal Web server, type the name of the published Web server, and then click Next. Note For more information on publishing web sites with ISA Server, see Publishing...
The Web Server Certificate Wizard is launched from the Internet Services Manager console in Windows 2000 and the Internet Information Services (IIS) Manager console in Windows Server 2003. The following process generates a Web Server certificate request file 6. In the Web Server Certificate Wizard, click Next. 9. On the Name and Security Settings page, in the Name box, type a description of the Web server, set the Bit Length to 1024, and click Next. Note In Windows Server 2003, you can choose the SChannel CSP for the Web Server certificate on the Name and Security Settings page. 16. On the Completing the Web Server Certificate Wizard page, click Finish.
When you install the Web Server server role in Windows Server 2008, the IIS platform installed is IIS7. You probably studied previous IIS platforms for your Windows Server 2003 examinations and might have worked with them as part of your job. For the Windows Server 2008 upgrade examinations, be aware of how IIS works in general and, in particular, the new features that IIS7 provides. Security When you install the Web Server server role, IIS7 is enabled with only basic functionality. Even binary files for unused features are not available for access in standard operating system locations. As a systems administrator, you must explicitly enable additional services and features. This helps reduce the IIS attack surface. Functionality for automatically detecting common hacking attempts now ships with IIS7. This feature was typically enabled in previous versions by installing the URLScan.exe utility.
SSL on IIS 6 can provide an extremely secure platform for secure commerce or for applications that use highly confidential information. The client system and the secure web server can transfer information back and forth in an encrypted form that is extremely difficult to decrypt unless you have the proper keys. Usually, you use SSL to protect your customers and their data while it travels the Internet and to protect your business interests. Now that you have installed the SSL certificate on your web server, how do you use it Well, that's the easy part. After completing Exercises 6.1 and 6.2, you have a secured web server. Before installing SSL, you should have done some testing to make sure that your IIS 6 server worked properly. If you did that, you might have created a test page and then verified that it worked by using a web browser on your network. Entering the address of your server as http testserver and then pressing Enter sets the page up as the default page, as shown in...
Organizations and individuals use Web sites and applications every day as a way to do business on the Internet and within their intranets. Internet Information Services (IIS) 6.0 helps you meet your business needs by providing the services to support a secure, available, and scalable Web server on which to run these Web sites and applications. This chapter describes the high-level processes that are presented in this book for deploying a new IIS 6.0 Web server in your organization's production environment. The other chapters in this book are divided into separate IIS deployment topics that target a specific area of the deployment process including server security, application availability, deploying ASP.NET applications, Web site migration, and server upgrades. For a comprehensive understanding of IIS 6.0 deployment, read all of the chapters in sequential order. For information about a specific aspect of IIS 6.0 deployment, read the individual chapter that corresponds to your area of...
FrontPage publishes your Web site to the Web server you specified. If you want to verify that your Web site was successfully published, click the hyperlink that is displayed after the Web has been published your Web browser will open to the Web site you just published. Note If you cancel publishing in the middle of the operation, files that have already been published remain on the destination Web server.
In the Web Server Certificate Wizard, click Next. Note If you already have a Web Server certificate installed on the Web server, you can choose the Assign an Existing Certificate option. 14. On the Completing the Web Server Certificate Wizard, click Finish. Enabling SSL for an RFC-Based Protocol Once the Web server certificate is installed, the following procedure will enable SSL
When you set up a claims-aware application on a Web server, you must configure IIS and create the application. In this case study, you create the application on TreyResearchProxy. In Internet Information Services (IIS) Manager, access the Site Bindings dialog box and select the HTTPS binding. Verify that the TreyResearchProxy.Treyresearch.net certificate is bound to port 443, as shown in Figure 6-7.
Microsoft Windows Small Business Server 2003 automatically installs and configures Microsoft Internet Information Services (IIS) 6.0 to serve as an intranet Web server. This intranet Web site includes the http companyweb SharePoint intranet site (discussed in Chapter 18, Customizing a SharePoint Web Site ), the Network Configuration Wizard, Remote Web Workplace, and Outlook Web Access (all discussed in Chapter 11, Managing Computers on the Network ).
Once you install the Web Server certificate, you can enable SSL protection for an entire Web site or for a virtual folder within a Web site. The following procedure describes the steps involved Note After you enable SSL, you should ensure that the Web site implements SSL, as required. To verify encryption, open the Web site using the URL https WebServerDNSName vdir. For example, open https www .example.com secure. If 128-bit encryption is enabled, you can verify the encryption level in Internet Explorer by hovering the mouse over the lock icon on the window's bottom right corner. If you have enabled 128-bit encryption, the words SSL Secured (128 bit) appear.
By default, the Administration site enables access from all IPs, a change from IIS 5.0, where the Administration Web site was restricted only to localhost access by default. You may configure the virtual server to restrict access based on IP address, which adds greater security to your Web server. Open the properties for the Administration Web site and click the Directory Security tab. Click Edit in the IP Address and Domain Name Restrictions group, and specify the individual computers, group of computers, or domain from which the server can be managed. You can grant all computers access to the server, but this isn't recommended for security reasons.
You are the network administrator for Test Kingcom The network contains a Windows Server Web server named Web ServerTKl
You are responsible for monitoring the bandwidth utilization of WebServerTK1. You run a System Monitor log on WebServerTK1, which monitors the Bytes Total sec counter on the Network Interface object. The sample rate for the counter is set to 15 seconds. The log is archived once each day. The written company security policy states that network traffic to Web servers must be audited on a regular basis. A server named Testking1 is configured as a Web server on TestKing's intranet. You install Network Monitor Tools from a Windows Server 2003 product CD-ROM on Testking1.
Web servers that are going to be responsible for hosting the AD FS-enabled applications will need to understand how AD FS is incorporated into the AD FS solution. To make them AD FS-aware, you must add AD FS web agents that will be used to interpret the claims and allow access to the web applications. Two agents are available to install the claims-aware agent and the Windows NT token-based applications agent. Depending on the application types you are using, you may have to install one or both of the agents on your web servers.
Web browsing on the Internet or on local intranets is one of the most commonly used applications within an organization. By default, the Hypertext Transfer Protocol (HTTP) does not employ data encryption for transfers between the Web server and the Web client. With a Web Server certificate installed at the Web server, however, the Web server can implement Secure Sockets Layer (SSL), an encryption protocol. SSL implementation at the Web server accomplishes two things The client's Web browser validates the Web server's identity by performing certificate validation on the Web Server certificate. Data is encrypted as it is transferred between the Web server and the client's Web browser. This chapter will discuss design decisions and details for implementing SSL at Web servers. Additional topics include using certificate-based authentication for Web clients and issuing Web Server certificates to third-party Web servers and Web accelerators.
Which CA should issue the Web Server certificate for the customer billing system Web site The customer billing system requires a Web Server certificate from a commercial CA so that there is greater trust in the customer billing system Web site. By using a commercial CA, more customers trust the root CA certificate of the Web Server certificate's certificate chain. 2. Which CA should issue the Web Server certificate for the employee benefits Web site The Web Server certificates for the employee benefits Web site can be issued by any of the three issuing CA's in The Phone Company's CA hierarchy. 3. Where should the Web server certificate(s) be deployed for the customer billing system Web site For the customer billing system Web site, the Web Server certificate must be installed on the DALTXIIS01 computer. 4. Where should the Web Server certificate(s) be deployed for the employee benefits Web site For the employee benefits Web site, a separate Web Server certificate must be installed at...
You are employed as a Systems Administrator for a large Internet Server Provider.Your organization develops and hosts multiple Web sites for commercial users.Your organization is upgrading Windows 2000 Web farm to Windows Server 2003 servers.There are ten production servers, two staging servers, and three development Web servers in the organi-zation.You have been asked to perform the Windows Server 2003 installation on all of these servers.What is the best installation method for your organization 10. You have configured Digest authentication for your Web servers. Jon, one of your users who needs to authenticate to the Web servers, cannot do so.You have checked Jon's user account properties and found that the Store Passwords Using Reversible Encryption option has been checked, but Jon still cannot authenticate. What is the most likely reason for his troubles 11. Andrew is the network administrator for a small Windows Server 2003 Active Directory domain. He has configured IWA for users...
Microsoft Windows Small Business Server 2003 automatically installs and configures Microsoft Internet Information Services (IIS) 6.0 to serve as an intranet Web server. As such, Windows Small Business Server enables such features as the http companyweb SharePoint intranet site (discussed in Chapter 17, Customizing a SharePoint Web Site ), the Network Configuration Wizard, Remote Web Workplace, and Outlook Web Access (all discussed in Chapter 12, Managing Computers on the Network ). Internet-accessible Web servers sit on the front lines of a virtual battlefield, exposed to continual assault by hackers and script-kiddies (neophyte hackers using polished hacking applications and pre-built scripts to launch attacks). For this reason, small businesses should use a Web hosting company to host their public Internet Web sites. Alternatively, companies can use dedicated Windows Server 2003 Web Edition computers placed in a perimeter network to host their public Web sites, and keep these...
In many organizations, Web servers other than IIS are used for Web applications. Although the Web servers are not Microsoft Web servers, there is nothing preventing the Web servers from receiving their Web Server certificate from a Windows Server 2003 CA. Tip By changing the defaults to designate the PKCS 7 file containing the Web server's certificate chain, you complete two steps in one. You install the Web Server certificate at the Web server and you install all certificates in the certificate chain to the Local Machine store, allowing the Web Server to trust the root CA certificate. When a Web Server certificate is required on a third-party Web server or a Web acceleration appliance, the same process is required to enable SSL at the Web server or appliance as for a non-forest member IIS server. To implement SSL at the Web server or appliance, you must 1. Generate a key pair and Web Server certificate request at the third-party Web server or device using the tools provided by the...
Another area where authentication is required is at the Web server. IIS provides several different authentication types from anonymous logon to full certificate-based authentication. Table 8-4 lists the authentication modes available in IIS 6.0. Basically, you need to determine which authentication mode works best for you and for the Web server requirement. Internal and external solutions will be different and there will also be differences between the solutions you implement on the Internet and in the extranet because you will most likely want more secure authentication in the latter. Table 8-5 Web Server Authentication Recommendations Table 8-5 Web Server Authentication Recommendations Table 8-5 Web Server Authentication Recommendations (continued) Table 8-5 Web Server Authentication Recommendations (continued)
The process of requesting and issuing a Web Server certificate varies according to the type of device on which the certificate request is generated. When issuing certificates from an enterprise CA, options include Issuing certificates to Web servers running IIS on forest member computers. Issuing certificates to Web servers running IIS on non-forest member computers. Issuing certificates to third-party Web servers or hardware-based Web acceleration devices.
Some organizations maintain a presence on the Internet by running their own Web servers, but many others rely on ISPs to host their Web sites for them. Running Internet Web servers requires that the computers have registered IP addresses, and as with e-mail servers, the Web servers' addresses must be registered in the DNS so that Internet users can access them. Web servers also present a security risk because they are as liable to attract the wrong kind of users as the right kind. When running Web servers in-house, you have to take steps to secure them, such as by creating a perimeter network and installing a firewall. Outsourcing the Web servers with an ISP eliminates the danger to the private network and prevents you from having to worry about furnishing the servers with sufficient Internet bandwidth. ISPs often price Web hosting services based on the amount of bandwidth the servers use, but the ISP has all the bandwidth the Web servers need readily available. If the traffic to the...
When SSL is implemented for a single Web server, the Web Server certificate must be deployed at the Web server. (See Figure 17-2.) Web Client Web Server Figure 17-2 Deploying a Web Server certificate to a single Web server Web Client Web Server Figure 17-2 Deploying a Web Server certificate to a single Web server In this scenario, the Web Server certificate must be deployed at the Web server computer. This allows the client computer to validate the Web server's identity and use the Web Server certificate's public key to encrypt the pre-master secret key when sending it to the Web server.
Securing a web server using IPSec is going to be difficult if the website is public. Although you can configure IPSec to request secured communications, chances are good that most clients will not be IPSec-ready and will communicate using only unsecured transmissions. The proper way to secure web server traffic is to use SSL this topic is covered in Chapter 6, Deploying, Managing, and Configuring SSL Certificates.
The number of connections to a Web site can also be limited. This can be useful for several reasons The first is to stop too many users from overloading the server and causing performance to suffer the second is to reduce the Web server's impact on the Internet connection in case of a flood of traffic.
Even though it is recommended that you set up your Web sites with NLB, you might decide to use a server cluster instead. For example, your Web applications might not support load balancing or your network infrastructure might not be suitable for implementation of NLB. Note that the IIS Server Instance, SMTP Server Instance, and NNTP Server Instance resource types included in Windows 2000 clusters are no longer available on the Windows Server 2003 platform. In addition, remember that Front Page Extensions are not supported on clustered Web servers. In order to set up a Web or FTP site on a Windows Server 2003 server cluster, follow these steps
Internet-accessible Web servers sit on the front lines of a virtual battlefield, exposed to continual assault by hackers and automated exploit engines that are continually looking for Web sites to deface or use for their own purposes. For this reason, you should use a commercial Web hosting company to host your public Web site. Commercial Web hosting companies have the staff and the expertise to properly protect their sites. If you really want to host your own public Web site, do not do it on your SBS server. Install a dedicated Windows Server 2003 Web Edition server for this purpose and then lock it down completely. Always keep this server completely updated with the latest patches. The one exception to this recommendation we'd make is to enable Remote Web Workplace (RWW). You should configure SBS and your firewall to publish only the Remote Web Workplace, not the default Web site. You may even consider adjusting your firewall to only expose ports 443 and 4125 (for RWW) as an example...
By default, IIS allows Web site visitors to consume as much network bandwidth as is available. When you have a lot of remote users or a slow Internet connection, visitors can consume all available bandwidth, preventing users of the internal network from accessing the Internet for Web browsing and e-mail. This is yet another good reason to have your public Web site hosted by a commercial Web hosting service. While it is easy to place limits on the maximum number of people who can concurrently connect to the Web site and the maximum amount of network bandwidth a Web site (virtual server) can consume, there is a catchinternal and external (Internet) users are treated the same. Therefore, it's best not to apply this feature to the http companyweb site, and you should think about your usage patterns before applying it to the Default Web Site as well.
Part of the expansion of the company is a complete overhaul of their current Internet presence. They are planning on bringing all of the web development and hosting in-house. Currently a web hosting service is providing their Internet presence, and Insane Systems feels as though they could provide better marketing and support information for their customers if they had control over their own website.
However, while processing dictates how fast your computer will do the job, memory decides whether your computer can do the job. Where NT 4 let you get by with 16MB of RAM, Windows 2000 Server will not let you install with anything less than 64MB on an Intel box. When deciding how much memory you will need, try to consider what your server will be doing. Simple file and print sharing is not as resource intensive on a server as running applications like Exchange, SQL Server, Web services, and so on. Anytime you put the server side of a client server application on your system, it means that your server is performing processing that would have otherwise been done by the workstation. This directly influences your memory and processor requirements. For example, a system that is merely serving a few print queues and shared directories can get by with the bare minimums. On the other hand, tack on Web hosting, mail servicing, and user logon validation for several thousand users and you may...
A domain's DNS servers do not necessarily have to be located on its local network, and in fact many Internet Service Providers (ISPs) run Web hosting services in which they provide the use of their DNS servers for a fee. What's important is that an Internet authority, or whatever other body has registered the domain name, has a record of the DNS servers responsible for that domain's hosts. Because NetBIOS names are resolved into IP addresses before transmission, you can use them in place of hostnames on internal networks. To connect to an intranet web server, for example, a user can specify the server's NetBIOS name in a web browser, in place of the traditional hostname. In the same way, you can use a hostname in a UNC path rather than a NetBIOS name.
But what about the actual tools that you're using to perform these tasks The very tools and utilities that you use to administer your network can create a huge potential for misuse, allowing malicious attackers to gain administrative access to a machine or an entire network. Imagine what could happen if an attacker gained access to the DNS Management MMC snap-in They could create, delete, or modify host entries to redirect your clients to malicious or compromised Web hosts, and they could view your DNS registrations to obtain a complete picture of your network to use for further attack. Or think about a malicious user finding a way to use DHCP Manager to change scope information, removing or changing address assignment information and rendering your clients incapable of accessing network resources. In perhaps the worst-case scenario, consider the potential damage if an attacker obtained administrative access to the Active Directory Users and Computers utility at this point they would...
Before you enable client access to the Web server, perform a complete image backup. The purpose of performing this image backup is to provide a point-in-time snapshot of the Web server. If you need to restore the target Web server in the event of a failure, you can use this backup to restore the Web server to a known configuration. Important Do not continue to the next step until you have a successful backup of the entire Web server. Otherwise, you can lose Web sites, applications, or data that you changed after upgrading the Web server. For more information about how to back up the Web server, see Back Up and Restore the Web Server to a File or Tape in IIS Deployment Procedures in this book.
In the first scenario, the ISA Server implements SSL between the Web client and the ISA Server, as well as between the ISA Server and the Web server. (See Figure 17-5.) Web Server Figure 17-5 Deploying Web Server certificates when using ISA Web publishing with SSL on all connections Web Server Figure 17-5 Deploying Web Server certificates when using ISA Web publishing with SSL on all connections In this configuration, Web Server certificates must be installed at both the ISA Server and at the Web server. Two separate SSL connections occur The first SSL connection is between the Web client and the ISA Server. The subject of the Web Server certificate installed at the ISA Server must contain the DNS name used by the Web client to connect to the Web server, and the DNS name must resolve to the ISA Server's external IP address. The second SSL connection is between the ISA Server and the Web server. The subject of the Web Server certificate installed on the Web Server must contain the DNS...
Web Server Figure 17-6 Deploying Web Server certificates when using ISA Web publishing with SSL only between the Web client and the ISA Server Web Server Figure 17-6 Deploying Web Server certificates when using ISA Web publishing with SSL only between the Web client and the ISA Server In this configuration, a Web Server certificate must be installed only on the ISA Server. Once the ISA Server's application filter inspects the incoming HTTPS stream, the data is redirected as HTTP to the back-end Web server. Note This scenario allows network intrusion detection systems such as Snort to inspect all data as it is transmitted to the Web server's network. In this scenario, the subject of the Web Server certificate installed at the ISA Server must contain the DNS name used by the Web client to connect to the Web server, and the DNS name must resolve to the ISA Server's external IP address.
If your organization chooses to proceed with deploying Web Server certificates to internal Web servers, the default Web Server certificate template meets the needs of most companies. Typically, the only change that must be performed is to modify certificate template permissions to enable Read and Enroll permissions at a custom universal or global group that contains Web server administration user accounts. Important Although you can create a version 2 certificate template based on the Web Server certificate template to enable modification of application policies or certificate policies, this prevents use of the Internet Information Services (IIS) Web Server Certificate Wizard. This wizard, discussed in more detail later in the chapter, is hard-coded to use the Web Server certificate template display name and does not allow use of a custom version 2 certificate template.
Incorrect This approach would map books.internal.books.lucernepublishing .com to the Web server. However, you want the Web server to be accessed as books.internal.lucernepublishing.com. D. Incorrect This approach would map internal.books.lucernepublishing to the Web server. However, you want the Web server to be accessed as books.internal .lucernepublishing.com.
So far in this chapter, we've discussed how to get certificates from both public and private certificate authorities, and we've looked at the basics of how to install a certificate on a web server and how to renew a certificate. It is time to fill in the blanks a little in this section of the chapter. Although we may have shown how to install the SSL certificate on the web server, we never really explained how to use it. This section explains how to use the certificate for a web server and also explains how to use certificates for traffic between the web server and the SQL server, between client systems and Active Directory domain controllers, and between client systems and e-mail servers.
Up to this point in the upgrade process, you have upgraded the operating system and all of the operating system components, including IIS 6.0, on the Web server. However, you might need to further configure the IIS 6.0 properties on the Web server so that the Web sites run as they did before the server was upgraded. In addition, you can configure your Web server to take advantage of the enhanced security and availability capabilities of IIS 6.0. Figure 5.5 illustrates the process for configuring the IIS 6.0 properties on your Web server.
At this point in the process, your ASP.NET applications are installed on the Web server and the ASP.NET session state settings have been configured on the Web server. Now you need to ensure that the ASP.NET applications are configured to provide the appropriate levels of security and availability for your organizational needs. Then you can verify that the ASP.NET applications have been deployed successfully, capture the current configuration of the Web server, and enable client access to the ASP.NET applications on your Web server. After you complete these last steps, the deployment of your ASP.NET applications is complete.
Before you enable client access to the target server, perform a complete image backup of the target server. Performing this image backup provides you with a point-in-time snapshot of the Web server. If you need to restore the target server in the event of a failure, you can use this backup to restore the Web server to a known configuration. For more information about how to back up the Web server, see Back Up and Restore the Web Server to a File or Tape in IIS Deployment Procedures in this book.
When you implement SSL, you must identify the certificates that are required to enable SSL encryption between the Web client and the Web server. Two types of certificates can be used A Web Server certificate. A Web Server certificate is mandatory when implementing SSL for a Web server. The Web Server certificate provides encryption of the pre-master secret when it is sent from the Web client to the Web server. In addition, the Web Server certificate allows the Web client to validate the Web server's identity, ensuring that the Web server is not an attacker's Web server impersonating the target Web server.
When no installation program or provisioning scripts exist for your ASP.NET application, you can copy the content of the ASP.NET application to the corresponding Web site and virtual directories that you created on the Web server. You can copy the ASP.NET application content to the Web server by using one of the following methods Run the Xcopy command to copy ASP.NET application content to the Web server on an intranet or internal network. Use Microsoft Windows Explorer to copy ASP.NET application content to the Web server on an intranet or internal network. Use the Copy Project command in Visual Studio .NET to copy ASP.NET application content to the Web server on an intranet or internal network, if the application has been developed by using Visual Studio .NET. Note Frontpage Server Extensions must be installed on the Web server to use the Copy Project command. Use the Publish Web command in FrontPage to copy ASP.NET application content to the Web server on an intranet or over the...
After you have upgraded the Web server, you are ready to enable client access to the Web sites. During the upgrade process, you disabled the network adapter on the Web server to prevent users from accessing the Web server during the upgrade process. Now that you know the upgrade is completed successfully, you can re-enable the network adapters. Enable client access to the Web server by completing the following steps 1. Enable the network adapter used by clients to access the Web server. 2. Monitor client traffic to determine if clients are accessing the Web server. For more information about how to monitor client traffic to Web sites on the Web server, see Monitor Active Web and FTP Connections in IIS Deployment Procedures in this book. 3. Establish a monitoring period, such as a few hours or a day, to confirm that clients that are accessing Web sites and applications on the Web server are experiencing the response times and application responses that you expected.
One of your major security challenges is to protect communication between a Web client and a Web server. To help meet this challenge, you can use server certificates to provide added security for Web services. IIS7 provides built-in support for creating and managing server certificates and for enabling encrypted communications. Server certificates provide a mechanism for a Web server to prove its identity to clients attempting to access it. Chapter 7, Active Directory Certificate Services, describes the hierarchy of trust authorities and the various types of certificate authority (CA), including trusted third-party and internal certificates. The Web server itself can generate a self-signed SSL certificate, and you can obtain or generate certificates from the following types of CA This request is created on a Web server, which produces a text file containing the information about the request in an encrypted format. The certificate request uniquely identifies the Web server. 3. Obtain...
After securing the Web sites and applications on your Web server, you need to help ensure that the Web sites and applications stay secure. You need to deploy Web servers that are easy to manage and operate. As you deploy the Web server, keep in mind the operations processes that must be performed after the Web server is deployed.
The World Wide Web Server component of IIS enables a Windows Server 2003 computer to function as a Web server for HTTP content. The Web service offers several features that provide considerable control over content, security, and bandwidth, making IIS a good option for Windows Server 2003-based Web servers. This section of the chapter focuses specifically on IIS in a traditional Web server capacity, rather than application server. Subsequent sections explain the Web service's features and how to configure and manage Web sites under IIS.
Incorrect The Web server has a static IP address. There is no point in trying to renew its DHCP lease. C. Correct Windows XP Professional DNS employs negative caching. The Web server has been disconnected for a length of time that is sufficient for its host resource record to have been removed from the DNS zone file. Thus, when the users tried to access the Web server's FQDN by typing in the URL, their client computers cached that the FQDN could not be resolved. On the other hand, you pinged the Web server's IP address and did not, therefore, request name resolution. When the users tried to access the Web site again, the client computers used cached information and discovered that the FQDN had been cached as invalid. Clearing the negative result from the clients' caches solves the problem.
The Application Server server role can be installed on a computer with Server Core configuration and is a good candidate for server virtualization. The Web Server server role can also run on a Server Core installation, although some functions, for example, creating IIS Manager (discussed later in this chapter), require a GUI and therefore must be done remotely. This should not be a problem because IIS Manager is typically used from a remote computer. However, remember that you cannot install the Application Server server role on a Windows Server 2008 Web Server installation. 1. Which role service associated with the Application Server server role can be integrated with the Web Server server role to enable Web applications to access advanced features 1. Web Server support
Collecting information about the security aspects of the Web server is required to help ensure that the Web server stays secure. Windows Server 2003 uses security and system logs to store collected security events. The security and system logs are repositories for all events recorded on the Web server. Many management systems, such as Microsoft Operations Manager, periodically scan these logs and can report security problems to your operations staff. If you audit or log too many events, the log files might become unmanageable and contain superfluous data. Before enabling the system and security logs, you need to enable auditing for the system log and establish the number of events that you want recorded in the security log. You cannot change the information that is logged in the system log These events are preprogrammed into Windows Server 2003 services and applications. You can customize system log events by configuring auditing. Auditing is the process that tracks the activities of...
Configure SSL to secure communications channels. Communications channels include client computer to web server, web server to SQL Server computer, client computer to Active Directory domain controller, and email server to client computer. However, all these places are basically physical locations where data is stored. If you focus on these areas alone, you miss a large vulnerability the transmission media. When you use the Internet or even an intranet in many organizations the traffic from your client system to the web server can go through several servers or routers before it is received. All sorts of confidential information passes through these systems, including passwords, company private documents, personal identification numbers (PINs), credit card numbers, online purchase orders, electronic invoices, and other personal and company information. Secure Internet traffic from the client system to the web server. Secure traffic from the web server to the SQL server.
Federation service web agent installation makes a web server federation-aware. The terminology applies to an AD FS-enabled web server. The web agent's role is to initiate federation authentication requests via the resource partner federation service, and to ultimately perform authorization of a returned security token. A web agent can be used for claims-aware applications (such as those written in ASP.NET and using AD FS objects), and also for Windows token-based applications. In the latter scenario, the web agent converts AD FS tokens to Windows impersonation tokens.
If you upgrade a Windows Server 2003 Web server with IIS6 installed to a Windows Server 2008 Web server with IIS7 installed, Web sites on the server are supported and upgraded, generally without user intervention. Any file system content not created or owned by Windows remains intact through the upgrade process, and all Web content on the original operating system remains present and supported after the upgrade. The process occurs in the following stages installation First the new operating system is installed and then server roles such as Web Server install, provided that equivalent functionality was detected on the original operating system. The choice of IIS updates to install is based on the IIS state information gathered from the original operating system.
To ensure that service to clients is not interrupted, monitor the Web server for any active Web and File Transfer Protocol (FTP) connections before taking the Web server offline. Internet Information Services (IIS) 4.0, IIS 5.0, and IIS 6.0 include performance monitor counters that can be used to monitor the active Web and FTP connections. Monitor the active Web and FTP connections to ensure one of the following is true
Review the system log in Windows Server 2003 on the Web server to determine if any of the Web sites did not start. Because the network adapter that connects the Web server to the clients is disabled, you might need to directly connect the Web server to a client computer and enable the network adapter to validate the Web sites and applications. After running your existing validation procedures, disable the network adapter that connects the Web server to the clients and reconnect the Web server as it was originally.
In this exercise, we walk through the steps necessary to revoke a certificate that has been issued by a Windows Server 2003 CA. In our exercise, we use the Web server certificate that we created using Web enrollment. 3. In the details pane, right-click the Web server certificate for Wally's Tugboats. From the context menu, click All Tasks and then click Revoke Certificate. 4. You will be prompted for a reason to revoke the certificate (see Figure 4.26). Let's assume that our certificate is being revoked, because this particular Web server is no longer in service. Select Cease of Operation from the context menu, and click Yes.
So, for instance, suppose I've pointed my HTTP client (which you know as a Web browser, like Internet Explorer) to an HTTP server (which you know as a Web server like a copy of Internet Information Server). Let's also assume that I'm going to visit www.acme.com, that acme.com's Web server is at 126.96.36.199, and that my computer has IP address 188.8.131.52. My Web browser tries to contact the machine at 184.108.40.206. But just knowing a machine's IP address isn't sufficient we need also to know the port address of the program that we want to talk to because, for example, this computer might also be a mail server, and I want to surf its Web pages, not send or receive e-mail. My Web browser knows that by convention the Web server lives at port 80. So my Web browser essentially places a call that is, sets up a TCP IP session with port 80 at address 220.127.116.11, sometimes written 18.104.22.168 80, with a colon between the IP address and the port number. That combination of an IP...
Although most of the changes to IIS that are made during the upgrade process have little affect, some of the changes can affect the Web sites and applications, as well as the administration of the Web server. Before upgrading your existing IIS server, review the changes that will be made to IIS during upgrade and determine whether these changes can affect your Web sites and applications. Otherwise, after the upgrade, applications might not function as they were originally designed to. In addition, you need to identify the changes made to IIS during upgrade so that you can properly administer and configure the Web server upon completion of the upgrade. 1. Select a method to ensure that the WWW service is enabled after upgrading a Web server running Windows 2000 Server.
The attack surface of the Web server is also affected by the other Windows components and services that are enabled in Windows Server 2003. When you install Windows Server 2003 as a dedicated Web server, the default components and services are configured to provide the smallest possible attack surface. In some cases, you might have installed Windows Server 2003 for other purposes, such as a file server, print server, or computer running SQL Server, so you are installing IIS 6.0 on an existing server. In this situation, you need to reevaluate the components and services that are currently running on the Web server to ensure that only the components and services that you need are enabled.
The computer that hosts the customer billing system Web site is at the Dallas office and is assigned the NetBIOS name DALTXIIS01. The DALTXIIS01 Web server is protected by a Cisco PIX. (See Figure 17-7.) All traffic received on TCP port 443, the SSL port, is redirected to the DALTXIIS01 server with no content inspection by the Cisco PIX firewall. Chapter 17 Implementing SSL Encryption for Web Servers 407 DALTXIIS01.thephonecompany.com Figure 17-7 The customer billing application Web server network infrastructure Figure 17-7 The customer billing application Web server network infrastructure
Correct Copying the updated files from the shared folder to the appropriate location on the Web server will update those files. B. Correct Running the script on the Web server that sets appropriate NTFS permissions for Web site files will ensure that any permissions changed during the update process are restored as normal.
So far, we've talked about authentication only for LANs and intranets extranets, but eventually you'll need to configure your network for authenticating web users using the Internet. IIS supports several authentication protocols. Each protocol provides a method for a user to authenticate their identity or account to the web server using a web browser. Once they establish their identity, the account associated with that identity is used to identify the permissions to access resources such as files and web content in the case of a web server.
You should deploy a network load balancing cluster in Stockholm, load balancing the existing Web server with a new one. There is no need to use a failover cluster in this instance because NLB ensures that clients are able to connect to the Web server if a node fails, and no mention is made of a shared storage device or shared folder, which is required for a two-node failover cluster to remain available in the event of a node failure.
As a part of maintaining the security of your Web server, you must perform periodic reviews of the security policies, processes, and procedures in use by your organization. Review your security practices for any changes that might affect the security of the Web server. These changes in security practices can include the following
When you upgrade a Web server running Windows 2000 Server and IIS 5.0, the World Wide Web Publishing Service (WWW service) is disabled unless, before upgrading, you elected to run the IIS Lockdown Tool or make the appropriate changes to the registry. However, if you did not choose either of those methods, you must now enable the WWW service. Note If you are upgrading a Web server that is currently running Windows NT Server 4.0 and IIS 4.0, the WWW service is not disabled. Therefore, you can continue to the next step in the deployment process.
In IIS 5.0 isolation mode, the default process identity is LocalSystem, which enables access to, and the ability to alter, nearly all of the resources on the Web server. Future growth in the utilization of your Web sites and applications requires increased performance and scalability of Web servers. By increasing the speed at which HTTP requests can be processed and by allowing more applications and sites to run on one Web server, the number of Web servers that you need to host a site is reduced. The following are a few of the performance improvements included in worker process isolation mode.
After you select the Web site authentication method for each Web site, you need to configure the Web site to use that method. For more information about how to configure Web server authentication, see Configure Web Server Authentication in IIS Deployment Procedures in this book.
To configure security for Web sites and applications that are hosted on a newly installed Web server, you need to follow certain security practices, such as enabling only the Web service extensions that you need. Web service extensions provide content and features beyond serving static Web pages. Any dynamic content that is served by the Web server is done by using Web service extensions, such as content and features that are provided by ASP, ASP.NET, or CGI. In addition, each Web site and application might have specific requirements for security settings. Figure 3.1 shows the process for securing your Web sites and applications.
Each Web site and application in IIS 6.0 and Windows Server 2003 is stored as a grouping of folders and files. Unauthorized access to, or modification of, these files and folders can present a serious breach of security. You must ensure that only authorized users can access or modify the Web sites and applications that are hosted on your Web server. To help prevent unauthorized access to Web sites and applications on your Web server, use any combination of the steps illustrated in Figure 3.3. Based on the security requirements of your organization, you might perform a subset of the steps or all of the steps.
The configuration of IIS and the Web sites on the source server can reference user accounts that are stored in the local account database on the source server. These accounts that are stored locally on the Web server are known as local user accounts. Local user accounts are valid only on the Web server where they are stored, not on any other Web servers.
You must install the new Web-based application on servers VAN-SRV3A and VAN-SRV3B. In this exercise, you will configure the Web server role on each server before you configure and test the Web application on each server. You will also install the Network Load Balancing role.
In a basic packet filtering scenario implemented on Windows Server 2003, two packet filters are configured on an external interface. These packet filters allow unsolicited connections to a Web server hosted on an internal network. Such a scenario, in which a Web server is hosted at the address 22.214.171.124, is illustrated in Figure 9-39. Web Server 126.96.36.199 Web Server 188.8.131.52
IIS 5.0 and earlier versions were constantly patched up by hot fixes from Microsoft. IIS was once considered one of the main security holes in the Windows platform, which was a major deterrent to using IIS as a commercial Web server. IIS 6.0 comes with an impressive list of new security features designed to win back commercial users. IIS 6.0 includes the following new security features
After upgrading your server to IIS 6.0, you can make additional security-related configuration changes on the Web server. If you ran the IIS Lockdown Tool before upgrading the Web server, most of these changes are already in place. The IIS Lockdown Tool removes unnecessary IIS components, including virtual directories, to reduce the attack surface available to malicious users. Otherwise, make these security-related configuration changes to help reduce the attack surface and increase the security of the Web server. IIS 6.0 includes other components and services in addition to the WWW service, such as the FTP service and SMTP service. IIS components and services are installed and enabled by means of the Application Server subcomponent in Add or Remove Windows Components. After installing IIS, you must enable the IIS 6.0 components and services required by the Web sites and applications running on the Web server.
Because IIS 6.0 is not installed during the default installation of Windows Server 2003, the next step in deploying the Web server is to install and configure IIS 6.0. The deployment process presented here assumes that you install IIS 6.0 with the default options in Add or Remove Programs in Control Panel. If you use other methods for installing and configuring Windows Server 2003, such as Manage Your Server, the default configuration settings might be different. As with installing Windows Server 2003, the primary concern when installing and configuring IIS 6.0 is to ensure that the security of the Web server is maintained. Enabling unnecessary components and services increases the attack surface of the Web server. You can help ensure that the Web server is secure by enabling only the essential components and services in IIS 6.0. 2. If you want to manage the Web site content by using Microsoft FrontPage , install FrontPage 2002 Server Extensions from Microsoft on the Web server. For...
After the Apache Web sites are migrated, they run in a configuration that approximates their configuration on the Apache Web server. All of the Web sites run in the default application pool with the default security identity, NetworkService. In this configuration, the Web sites do not take advantage of the enhanced security and availability of IIS 6.0.
In addition to implementing SSL encryption, a Web server can implement certificate-based authentication. Rather than typing credentials or simply being connected to a Web site anonymously, users select a certificate from their certificate store with the Client Authentication Enhanced Key Usage (EKU) for authentication. The certificate is associated to a user account in IIS's available account databases through a process known as mapping. There are two types of mappings
Now that we have all the company's users connected and working and the remote offices are communicating, Contoso, LTD. has to do business with the rest of the world. The network administrator for Contoso, LTD. has created an extranet, a portion of the Contoso, LTD. private network that is available to business partners through secured VPN connections. The Contoso, LTD. extranet is the network attached to the Contoso, LTD. VPN server and contains a file server and a Web server, which contain all the information they need to directly access. Access to internal resources from these utilities can be accomplished via Web proxy and terminal services, thus protecting the corporate resources from direct contact by noncorporate clients. IPSec policies can be used between the extranet resources and the intranet resources to ensure resources are not compromised. Parts distributors Fabrikam, Inc., and Blue Yonder Airlines are Contoso, LTD. business partners. They connect to the Contoso, LTD....
Translation of Web site configuration. The configuration of the Apache Web server and individual Web sites is translated to the corresponding IIS Web server and Web site configuration settings in the IIS metabase. Translation of .htaccess permissions. The htaccess file sets permissions for access for the virtual Web directories on an Apache Web server. The permissions in this file are translated by the tool into the corresponding directory permissions in the NTFS file system. Migration of MIME types and port numbers. MIME types define the types of static files that are served by the Web server. The tool automatically determines the MIME types defined on the Web server running Apache and then creates the associations of MIME types to extensions on the Web server running IIS. Migration of FrontPage Server Extensions. The tool detects the presence of FrontPage 2000 Server Extensions and FrontPage 2002 Server Extensions on the Apache Web server, enumerates the Web sites and subweb sites,...
Maurice is the administrator for a Windows 2000-based Web server. He has been told that changing the port on which the server runs is an effective form of security. Which of the following most accurately describes the effect of changing the port number for a Web server B. The Web server is hidden to the general public, but it's not impossible to find it. C. The Web server is completely secure because it cannot be accessed except by a special port password combination. D. The Web server is neither hidden nor secure because changing the port number does not change access at all. 16. Herbert is the administrator of a Windows 2000-based Web server. He has decided to implement Integrated Windows authentication in addition to Anonymous access. Which of the following is true of this security model
Securing Outlook Web Access (OWA) should be easy for you now. After all, if you think about it, OWA is just another IIS server. You need to take the same steps for OWA as you would for any other web server 3. Configure SSL for IIS on the Exchange server. This step will be similar to Exercise 6.8. However, the big difference is that you can set up the web server to encrypt only the OWA directory, and not use encryption for any other web pages that may be on the server.