Ch09.ppt - San Ramon Campus_ by pengxuebo


Microsoft Windows Server 2008 Server
Chapter 9 Deploying IIS and Active Directory Certificate Services
Learning Objectives

   Install, configure, and troubleshoot Microsoft Internet Information Services
   Install, configure, and troubleshoot Active Directory Certificate Services

Implementing Microsoft Internet Information Services
   Internet Information Services (IIS)
     Included with Windows Server 2008
   Benefits
     Fast
     Use of software applications to coordinate with an IIS server
     Internet Server Application Programming Interface (ISAPI)
       Group of DLL (dynamic link library) files that run inside the Web server process as applications (ISAPI extensions) and filters
Implementing Microsoft Internet Information Services (cont’d.)
   Web Server (IIS) role
     Contains the World Wide Web services which are vital for a Web site
   File Transfer Protocol (FTP) service
     TCP/IP-based application protocol that handles file transfers over a network
     Plain FTP sends user names and passwords unencrypted, so install it only where it is needed and restrict who can reach it
   Simple Mail Transfer Protocol (SMTP)
     Works with e-mail services to accept incoming e-mail from the Internet and forward it to the recipient
Implementing Microsoft Internet Information Services (cont’d.)
   Reasons Windows Server 2008 is a good candidate for a Web server
     Privileged-mode architecture
     Fault-tolerance capabilities
     Compatible with small and large databases
     Users can log into a database through IIS using Open Database Connectivity (ODBC)

Implementing Microsoft Internet Information Services (cont’d.)
     Compatible with:
       Microsoft Point-to-Point Encryption (MPPE)
       IP Security (IPsec)
       Secure Sockets Layer (SSL) encryption technique
   IIS newly designed (IIS 7.0)
     Broken into modules or features (role services)
     Install only the features you need
       Smaller attack surface: code that is not installed cannot be attacked or misconfigured
       More efficient
Implementing Microsoft Internet Information Services (cont’d.)

   Table 9-1 Internet Information Services features (role services)
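Because IIS 7 loads only the modules that are installed, the attack surface of a server can be audited from its module list. The following PowerShell script is an added example, not part of the slides: it runs appcmd.exe (installed with the Web Server role), lists the loaded modules and flags those that are often enabled without being needed. The watch list, and the role-service name given beside each entry, are this example's own choices.

```powershell
# Audit which IIS 7 modules are loaded and flag the ones that widen the attack
# surface. Added example, not part of the slides. Assumes the Web Server (IIS)
# role is installed and appcmd.exe is in its default location; run elevated.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (-not (Test-Path $appcmd)) {
    throw "appcmd.exe not found; is the Web Server (IIS) role installed?"
}

# Modules that should only be present when a site actually needs them.
# Keys are IIS 7 module names; values name the role service that installs the
# module (remove it with ServerManagerCmd.exe -remove <role service>) and why
# it matters. The selection is this example's own.
$watch = @{
    'DirectoryListingModule' = 'Web-Dir-Browsing: directory browsing lists files to anyone who can reach the site'
    'CgiModule'              = 'Web-CGI: runs external executables per request'
    'IsapiModule'            = 'Web-ISAPI-Ext: native ISAPI extensions run inside the worker process'
    'IsapiFilterModule'      = 'Web-ISAPI-Filter: native ISAPI filters see every request'
    'TracingModule'          = 'Web-Http-Tracing: failed-request traces can capture sensitive request data'
}

# appcmd prints one line per module in the form: MODULE "Name" ( ... )
$loaded = @(& $appcmd list modules |
    ForEach-Object { if ($_ -match '^MODULE\s+"([^"]+)"') { $Matches[1] } })

"Loaded modules: $($loaded.Count)"
$flagged = @($loaded | Where-Object { $watch.ContainsKey($_) })
if ($flagged.Count -gt 0) {
    "Review these modules and remove the role service if no site needs it:"
    foreach ($m in $flagged) { "  {0,-24} {1}" -f $m, $watch[$m] }
} else {
    "None of the watched modules is loaded."
}
```

The script only reports; removing a role service is a deliberate change to make per server after confirming that no site depends on the module.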
Installing a Web Server
   Requirements
     Windows Server 2008 installed on the computer to host IIS
     TCP/IP installed on the IIS host
     Access to an Internet Service Provider (ISP), for an Internet-facing server
     Sufficient disk space for IIS and for Web site content
     Method for resolving computer or domain names to IP addresses
       DNS (and WINS for NetBIOS names on older clients)
Internet Information Services (IIS) Manager
   Connect to a Web server
   Manage a Web server
   Manage ASP.NET
   Manage authorization for users and for specific Web server roles
   Manage Web server logging
   Compress Web server files
   Manage code modules and worker processes
   Manage server certificates
   Troubleshoot a Web server
Internet Information Services (IIS) Manager (cont’d.)

          Figure 9-1 Using IIS Manager

Creating a Virtual Directory
   Virtual directory
     Physical folder (which may lie outside the Web site’s home directory) or a redirection to a Uniform Resource Locator (URL), presented to clients as a path under the Web site
     Can be accessed over the Internet, an intranet, or a VPN
   Reason for creating a virtual directory
     Provide a shortcut path to specific content on the IIS server

Creating a Virtual Directory (cont’d.)

       Table 9-2 Virtual directory security options

Creating a Virtual Directory (cont’d.)

         Figure 9-2 Properties of a virtual directory

Creating a Virtual Directory (cont’d.)

   Set up the virtual directory to be shared
     So that users who need access to add contents to the directory can do this over the network
     Grant the share only to the authoring group; the Web server itself reads the folder through NTFS permissions and never needs the share

Creating a Virtual Directory (cont’d.)

       Table 9-3 Virtual directory share permissions

Figure 9-3 Creating a virtual directory
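Bringing Tables 9-2 and 9-3 together, here is how the same steps look with IIS 7's command-line tool instead of IIS Manager. This is an added example, not from the slides: it assumes a content folder C:\inetpub\docs and a group named WebAuthors (both hypothetical) and runs in an elevated PowerShell on the IIS host.

```powershell
# Create a virtual directory under the Default Web Site and lock it down.
# Added example, not part of the slides; the folder C:\inetpub\docs and the
# WebAuthors group are assumptions. IIS 7 on Windows Server 2008, elevated shell.
$appcmd  = "$env:windir\system32\inetsrv\appcmd.exe"
$site    = 'Default Web Site'
$vpath   = '/docs'                # URL path clients will use: http://host/docs/
$folder  = 'C:\inetpub\docs'      # physical folder (may be outside the site root)
$authors = 'WebAuthors'           # group allowed to add content

if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

# 1. Create the virtual directory under the site's root application.
& $appcmd add vdir "/app.name:$site/" "/path:$vpath" "/physicalPath:$folder"

# 2. Security options (the IIS 7 equivalents of Table 9-2):
#    accessPolicy Read,Script = serve files and run script maps, but never
#    Write (no uploads through HTTP) or Execute (no binaries); directory
#    browsing off so a missing default document does not list the folder.
& $appcmd set config "$site$vpath" /section:handlers "/accessPolicy:Read,Script"
& $appcmd set config "$site$vpath" /section:directoryBrowse /enabled:false

# 3. NTFS permissions: IIS worker processes and the anonymous user read only,
#    authors get Modify. Inheritance is cut so nothing broader leaks in.
icacls $folder /inheritance:r
icacls $folder /grant 'IUSR:(OI)(CI)(RX)' 'IIS_IUSRS:(OI)(CI)(RX)' `
    "${authors}:(OI)(CI)(M)" 'Administrators:(OI)(CI)(F)' 'SYSTEM:(OI)(CI)(F)'

# 4. Share the folder for the authors only (Table 9-3). Change rather than
#    Full Control, and no entry for Everyone: the Web server reads the folder
#    through NTFS, so it never needs the share.
net share "docs=$folder" "/grant:${authors},CHANGE"

# 5. Verify the result.
& $appcmd list vdir "$site$vpath"
& $appcmd list config "$site$vpath" /section:handlers /text:accessPolicy
& $appcmd list config "$site$vpath" /section:directoryBrowse /text:enabled
```

The two layers do different jobs: the handler access policy and directory-browsing setting control what the Web server will do for anonymous HTTP clients, while the NTFS ACL and the share control who can change the files underneath.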

Managing and Configuring an IIS Web Server
   Manage IIS components including:
     Application pools
       Group similar Web applications for management; each pool runs in its own worker process, so pools are also the isolation boundary between applications
     Sites
       Manage multiple Web sites from one administrative Web server
     SMTP E-mail
       Manage Internet e-mail
     Certificates
       Configure and monitor certificate security used with Web sites
Managing and Configuring an IIS Web Server (cont’d.)

        Figure 9-5 Application Pools in IIS Manager
Managing and Configuring an IIS Web Server (cont’d.)

       Table 9-4 Web site features to configure
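Application pools are worth a closer look because they are the isolation boundary: every application in a pool shares one worker process and its identity. The following PowerShell is an added example, not from the slides; it assumes an application folder C:\inetpub\portal (hypothetical) on an IIS 7.0 host running Windows Server 2008.

```powershell
# Give an application its own application pool so a compromise of one
# application cannot reach the memory, identity or connection strings of
# another. Added example, not part of the slides; C:\inetpub\portal is an
# assumption. Run in an elevated PowerShell on the IIS 7.0 host.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'
$pool   = 'PortalPool'
$apath  = '/portal'
$folder = 'C:\inetpub\portal'

# 1. A dedicated pool: .NET 2.0 runtime, integrated pipeline (IIS 7.0 options).
& $appcmd add apppool "/name:$pool" /managedRuntimeVersion:v2.0 /managedPipelineMode:Integrated

# 2. Least-privilege worker identity and a daily recycle (d.hh:mm:ss).
#    NetworkService is the lowest-privilege built-in choice on IIS 7.0.
& $appcmd set apppool $pool /processModel.identityType:NetworkService
& $appcmd set apppool $pool /recycling.periodicRestart.time:1.00:00:00

# 3. Turn the folder into an application and bind it to the pool. Unlike a
#    virtual directory, an application gets its own worker-process boundary.
& $appcmd add app "/site.name:$site" "/path:$apath" "/physicalPath:$folder"
& $appcmd set app "$site$apath" "/applicationPool:$pool"

# 4. Verify: which pool each application runs in, and the live worker processes.
& $appcmd list app
& $appcmd list wp
```

If two applications must never see each other's data, they belong in different pools; putting them in the same pool to "group similar applications" undoes that separation.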
Troubleshooting a Web Server

          Table 9-5 Troubleshooting IIS
Using Active Directory Certificate Services
   Public key infrastructure (PKI)
     Linking a public key or a combination of public and private keys to a user or network entity
     Uses a certificate authority to issue public key-based digital certificates to trustworthy network entities
   Certificate authority (CA)
     Network entity or host that issues digital certificates of trust verifying certificate holders’ legitimacy
Using Active Directory Certificate Services (cont’d.)
   Public key encryption
     Encryption method that uses a public key and private key combination
   Asymmetric encryption
     One key used to encrypt the data, and the other key used to decrypt it
   Public key/private key method
     Concept introduced by Whitfield Diffie and Martin Hellman in 1976; the algorithm most certificates use today, including those issued by the default AD CS templates, is RSA
Using Active Directory Certificate Services (cont’d.)
   X.509 standard for digital certificates
     Defined by the ITU-T as part of the X.500 directory recommendations and also published as ISO/IEC 9594-8; the Internet profile is RFC 5280
     Functions as proof of identity for a specific network entity

Using Active Directory Certificate Services (cont’d.)
   X.509 certificate contains:
     Certificate format version
     Certificate serial number
     Signature algorithm identifier
     Certificate authority (certificate issuer)
     Length of time the certificate is valid (not-before and not-after dates)
     ID of the certificate holder (subject)
     Public key data
     The CA’s signature over all of the above, which is what makes the certificate proof of identity
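The fields in that list can be read directly from any certificate with the .NET X509Certificate2 class. The following PowerShell is an added example, not from the slides; by default it inspects the first certificate in the machine's Trusted Root store so that it runs on any Windows host, and it adds the checks a relying party makes before accepting the certificate as proof of identity.

```powershell
# Read the X.509 fields listed above from a certificate with the .NET
# X509Certificate2 class. Added example, not part of the slides. By default it
# inspects the first certificate in the machine's Trusted Root store so it runs
# on any Windows host; pass your own certificate object to look at another.
function Show-CertificateFields {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Each slide item paired with the property that carries it.
    $rows = @(
        @('Format version',      "v$($Cert.Version)"),          # 3 = X.509 v3 (supports extensions)
        @('Serial number',       $Cert.SerialNumber),
        @('Signature algorithm', $Cert.SignatureAlgorithm.FriendlyName),
        @('Issuer (CA)',         $Cert.Issuer),
        @('Valid from',          $Cert.NotBefore),
        @('Valid until',         $Cert.NotAfter),
        @('Holder (subject)',    $Cert.Subject),
        @('Public key',          ("{0}, {1} bytes" -f $Cert.PublicKey.Oid.FriendlyName,
                                                      $Cert.PublicKey.EncodedKeyValue.RawData.Length))
    )
    foreach ($r in $rows) { "{0,-20} {1}" -f $r[0], $r[1] }

    # Checks a relying party performs before trusting the 'proof of identity'.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        "WARNING: outside its validity period"
    }
    if ($Cert.Subject -eq $Cert.Issuer) {
        "Note: self-signed (issuer equals subject); trust comes only from store membership"
    }
    # Version 3 extensions constrain what the key may be used for.
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '2.5.29.15' { "Key usage: " + $ext.Format($false) }          # keyUsage
            '2.5.29.17' { "Subject alt names: " + $ext.Format($false) }  # subjectAltName
            '2.5.29.19' { "Basic constraints: " + $ext.Format($false) }  # basicConstraints (is it a CA?)
        }
    }
    # A weak signature algorithm undermines the CA's signature no matter how
    # strong the key is.
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
        "WARNING: signed with $($Cert.SignatureAlgorithm.FriendlyName); prefer SHA-256 or better"
    }
}

$cert = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1
Show-CertificateFields $cert
```

To inspect a certificate file instead, construct the object with New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList <path> and pass it to the function.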

Using Active Directory Certificate Services (cont’d.)
   Active Directory Certificate Services role
     Available in Windows Server 2008 Standard, Enterprise, and Datacenter Editions
   Online Responder Service
     Determines the status of digital certificates
     Answers clients’ status queries using the Online Certificate Status Protocol (OCSP), so a client can check one certificate without downloading the whole revocation list

Planning Active Directory Certificate Services
   Understand the four kinds of CAs that can be set up in a Microsoft server
     Enterprise root CA
     Enterprise subordinate CA
     Standalone root CA
     Standalone subordinate CA

   Root CA is always configured before any other CAs
Planning Active Directory Certificate Services (cont’d.)

            Figure 9-7 CA hierarchy

Planning Active Directory Certificate Services (cont’d.)
   Implement an enterprise root CA and enterprise subordinates
     Not the standalone model
     Common variation in larger deployments: a standalone root CA kept offline, with enterprise subordinate CAs doing the issuing, so a compromise of an issuing CA does not cost the root
   Take into account the ways in which an organization can make most use of AD CS
   PKI with multiple subordinate CAs has built-in redundancy

Planning Active Directory Certificate Services (cont’d.)
   Role services for Active Directory Certificate Services:
     Certification Authority
     Certification Authority Web Enrollment
     Online Responder
     Network Device Enrollment Service

Certificate Services Roles
   Separation of duties: just as organizations divide responsibility for handling money, they should divide important security tasks so that no single person controls the whole process
   AD CS enables dividing CA responsibilities into two roles:
     CA administrator
       Person or persons who manage the CA server (its configuration and security settings)
     Certificate manager
       Given to those who determine which users to enroll for certificates and when to revoke certificates
   Role separation can be enforced on the CA with certutil -setreg CA\RoleSeparationEnabled 1 (restart the CA service afterward); an account that holds more than one role is then blocked from CA management tasks until the extra role is removed
Installing Active Directory Certificate Services (cont’d.)

   Figure 9-8 Configuring an enterprise CA
Managing Active Directory Certificate Services
   Certification Authority tool tasks
     Set up CA security
     Assign certificate managers
     Start or stop the CA
     Back up the CA
     Restore the CA
     Renew a CA certificate
     View revoked, issued, failed, and pending certificates
Figure 9-11 Security tab
Using Autoenrollment
   Clients are automatically enrolled for the appropriate certificates as specified by a certificate template
   Set up in a two-step process
     Configure autoenrollment in a certificate template (version 2 or later) and grant the intended group Read, Enroll, and Autoenroll permissions on it
     Configure a group policy (Certificate Services Client - Auto-Enrollment) to enable autoenrollment on the clients
   Three levels (versions) of certificate templates
     Version 1 templates do not support autoenrollment
Using Autoenrollment (cont’d.)

        Figure 9-15 Configuring the autoenrollment policy
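Both halves of that setup can be verified from a domain-joined machine. The following PowerShell is an added example, not from the slides: it reads the certificate templates out of the Configuration partition of Active Directory to show which ones can actually be autoenrolled and by whom, then checks whether the client-side policy has arrived. It is read-only and needs a connection to a domain controller; the flag bit, the extended-right GUID and the registry location are the documented AD CS values.

```powershell
# Check both halves of autoenrollment from a domain-joined machine: which
# templates can be autoenrolled at all, and whether the client-side policy has
# arrived. Added example, not part of the slides; read-only, needs a domain
# connection. The bit and GUID values are the documented AD CS constants.

# Part 1: templates live in the Configuration partition of Active Directory.
$rootDse   = [ADSI]'LDAP://RootDSE'
$cfgNc     = $rootDse.configurationNamingContext
$templates = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"

$CT_FLAG_AUTO_ENROLLMENT = 0x20                                    # bit in msPKI-Enrollment-Flag
$AUTOENROLL_RIGHT = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment extended right
$ntAccount = [System.Security.Principal.NTAccount]

"{0,-28} {1,7}  {2,-10} {3}" -f 'Template', 'Version', 'Autoenroll', 'Autoenroll granted to'
foreach ($t in $templates.Children) {
    $name    = $t.Properties['cn'].Value
    $version = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
    $flags   = [int]$t.Properties['msPKI-Enrollment-Flag'].Value

    # Version 1 templates cannot carry the flag; version 2+ must have it set.
    $auto = ($version -ge 2) -and (($flags -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0)

    # Who holds the Autoenroll right on the template (step one of the setup).
    $grantees = $t.ObjectSecurity.GetAccessRules($true, $true, $ntAccount) |
        Where-Object { $_.ObjectType -eq $AUTOENROLL_RIGHT -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value }

    "{0,-28} {1,7}  {2,-10} {3}" -f $name, $version, $(if ($auto) { 'yes' } else { 'no' }), ($grantees -join ', ')
}

# Part 2: the group policy that switches autoenrollment on is delivered as a
# registry value; without it the client never evaluates the templates above.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AEPolicy
    $state = if ($val -eq $null) { 'not configured' }
             elseif ($val -band 0x8000) { 'disabled' }
             else { 'enabled (AEPolicy=0x{0:X})' -f $val }
    "$hive autoenrollment policy: $state"
}
# To trigger an autoenrollment pass without waiting for the timer: certutil -pulse
```

A template that shows "yes" but has no Autoenroll grantee, or a grantee list that includes a broad group such as Domain Users on a template that issues logon or code-signing certificates, is the kind of finding this check is meant to surface.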

Using Credential Roaming

   When a user logs into the network
     Digital certificate information stored on the user’s computer is automatically synchronized with the digital certificate information for that user stored in Active Directory
   Configured as a group policy
   Because the user’s certificates and (DPAPI-protected) private keys are then stored in the user object in Active Directory, read access to those attributes must stay restricted

Using Credential Roaming (cont’d.)

   Circumstances that launch synchronization through credential roaming
     When the client or Active Directory synchronize group policy settings
     When digital certificate information is updated
     When a user unlocks a locked workstation

Network Device Enrollment Service

 Enables routers, switches, and other
  network devices to be enrolled for digital
  certificates through a CA
 Uses the Simple Certificate Enrollment
  Protocol (SCEP) and standardized X.509
  digital certificates

Web Enrollment Service
   For organizations that enable users to access network resources through the Web rather than through user accounts
   Requires IIS be installed before installing Web Enrollment
   Clients must use Internet Explorer version 6 or higher
   Can be used only with version 1 or 2 certificate templates
   Publish the enrollment pages over SSL so that the Windows logon used to request a certificate is not sent in clear text
Online Responder Service

   Service relies on OCSP (Online Certificate Status Protocol)
     Determine if a certificate is revoked
   One of two ways network applications determine which network entities have revoked certificates
     Other way is to use certificate revocation lists (CRLs)
Online Responder Service (cont’d.)

   Benefits
     Faster determination and better security
     Can be used in conjunction with CRLs; Windows clients query OCSP first and fall back to the CRL if the responder cannot be reached
     Can be used with Kerberos password security
     Compatible with Web enrollment
     Built on the CryptoAPI 2.0 (CAPI2) infrastructure

Certificate Revocation Lists

   List of certificates that have been revoked, signed by the CA
   CRL issuer is a CA
     CRL issued to client applications and devices which cache the CRL for future reference until the next CRL is issued
     Consequence: a certificate revoked today is still accepted by a client holding a cached CRL until that CRL’s next-update time passes; shorten the publication interval, publish delta CRLs, or use OCSP where that window matters
   Default method for determining certificates that have been revoked

Figure 9-17 Extensions tab
Figure 9-18 Configuring the CRL publication interval and delta CRLs
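The two mechanisms above meet in the client's chain validation, and the CA-side schedule in Figure 9-18 decides how stale a cached answer can be. The following PowerShell is an added example, not from the slides: it lists where a certificate tells clients to look for revocation data, asks CryptoAPI to build the chain with online revocation checking and reports the result in fail-closed terms, then shows the read-only certutil queries for the CRL schedule on the CA. It assumes a certificate file C:\temp\webserver.cer (hypothetical) and network access to the CA's publication URLs.

```powershell
# Check revocation the way a Windows client does: let CryptoAPI build the chain
# while fetching the CRL and OCSP information referenced in the certificate.
# Added example, not part of the slides. Assumes a certificate file
# C:\temp\webserver.cer (hypothetical) and network access to the CA's
# publication URLs. The certutil lines at the end are read-only and run on the CA.

function Get-RevocationSources {
    # Where the client will look: CRL distribution points and OCSP (AIA) URLs.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        $label = switch ($ext.Oid.Value) {
            '2.5.29.31'         { 'CRL distribution point' }
            '1.3.6.1.5.5.7.1.1' { 'Authority information access (OCSP / issuer cert)' }
            default             { $null }
        }
        if ($label) {
            [regex]::Matches($ext.Format($true), 'https?://\S+') |
                ForEach-Object { "$label : $($_.Value)" }
        }
    }
}

function Test-Revocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built  = $chain.Build($Cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # Fail closed: "could not determine" is not "good".
    if ($status -contains 'Revoked') { return 'REVOKED' }
    if ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') {
        return 'UNKNOWN: CRL/OCSP not reachable; treat as a failure'
    }
    if ($built) { return 'GOOD' }
    return "FAILED: $($status -join ', ')"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\temp\webserver.cer'
Get-RevocationSources $cert
"Revocation check: " + (Test-Revocation $cert)

# On the CA: the base and delta CRL schedule (what Figure 9-18 configures) and
# where the CRLs are published. CRL-only clients reject a revoked certificate
# only once a CRL issued after the revocation replaces their cached copy.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod
certutil -getreg CA\CRLPublicationURLs
# certutil -crl    # publish a fresh CRL immediately, for example right after a revocation
```

The point of the three-way result is the middle case: an application that treats "status unknown" as "not revoked" can be made to accept a revoked certificate simply by blocking its path to the CRL or the responder.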
Summary
   Implement Internet Information Services
     Create a Windows Server 2008 Web server
     After installing a Web server, configure it to customize features
   Public key infrastructure (PKI)
     Use public and private keys through digital certificates
     Ensure users can be trusted
   Active Directory Certificate Services (AD CS)
     Implements a PKI using enterprise root and enterprise subordinate certificate authorities
   Certification Authority tool
     Manage a CA
Summary (cont’d.)

   Configure Network Device Enrollment Service for added security
   Credential roaming
     Enables a user to log on from any computer and still operate with the same digital certificates
   Online Responder Service and CRLs
     Provide information about revoked digital certificates
