Archive for the ‘Windows 2008’ Category

Hardening guide for Hyper-V on Windows 2008 R2 server core platform

OS installation phase

  1. Boot the server using Windows 2008 R2 bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To log in to the server for the first time, press CTRL+ALT+DELETE.
  8. Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  9. From the command prompt window, run the command below:
    sconfig.cmd
  10. Press “2” to replace the computer name -> specify the new computer name -> click “Yes” to restart the server.
  11. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  12. From the command prompt window, run the command below:
    sconfig.cmd
  13. Press “1” to join the server to the domain -> press “D” to join a domain -> specify the domain name -> click “Yes” to restart the server.
  14. To log in to the server, press CTRL+ALT+DELETE -> supply the credentials of a Domain Admin account.
  15. From the command prompt window, run the command below:
    sconfig.cmd
  16. Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
  17. Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
  18. To log in to the server, press CTRL+ALT+DELETE -> supply the credentials of a Domain Admin account.
  19. From the command prompt window, run the command below:
    sconfig.cmd
  20. In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
  21. Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
  22. Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK.
  23. Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.
  24. To log in to the server, press CTRL+ALT+DELETE -> supply the credentials of a Domain Admin account.
  25. To install the Hyper-V role, run the command below:
    start /w ocsetup Microsoft-Hyper-V
  26. Click “Yes” to allow the server to restart.
  27. To log in to the server, press CTRL+ALT+DELETE -> supply the credentials of a Domain Admin account.
  28. To check that the installation completed, run the command:
    oclist | find /i "Microsoft-Hyper-V"
  29. Run the commands below to enable remote management of Hyper-V:
    netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes

    netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

  30. In case you install antivirus for Server Core, add the following to the antivirus exclusions:
    • Virtual machine configuration files directory. By default, it is C:\ProgramData\Microsoft\Windows\Hyper-V.
    • Virtual machine virtual hard disk files directory. By default, it is C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks.
    • Snapshot files directory. By default, it is %systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots.
    • Vmms.exe
    • Vmwp.exe

Manage Hyper-V VMs from Windows 7

  1. Log in to a Windows 7 client using an administrative account.
  2. Download and install the Remote Server Administration Tools (RSAT) for Windows 7 from:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D&displaylang=en
  3. Open Control Panel and click Programs.
  4. Click “Turn Windows features on or off”.
  5. Under Remote Server Administration Tools -> Role Administration Tools, check “Hyper-V Tools”.
  6. Launch the tools by either typing Hyper-V Manager at the Start menu or going to Start -> Administrative Tools -> Hyper-V Manager.

Virtual Machine Servicing Tool 3.0

    Virtual Machine Servicing Tool 3.0 helps to update offline virtual machines, templates, and virtual hard disks with the latest operating system and application patches.
    Download link:
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=23300

Using Authorization Manager for Hyper-V Security

    Authorization Manager provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions.
    Link for more information:
    http://technet.microsoft.com/en-us/library/cc726036.aspx

Hardening guide for Windows 2008 R2 Domain Controller and DNS Server

This guide explains how to install and configure a Domain Controller and DNS server based on the Windows 2008 R2 platform, for a new domain in a new forest.

Installation phase

  1. Install Windows 2008 R2 server (either Standard or Enterprise edition).
  2. Important note: The first domain controller in the forest root domain must be installed on physical hardware and not as a virtual server.
  3. Log in for the first time to the new server, using the administrator account.
  4. Start -> Run -> dcpromo.exe
  5. Click Next twice -> select “Create a new domain in a new forest” -> click Next -> specify the FQDN of the new forest root domain -> click Next -> on the forest functional level, choose “Windows Server 2008 R2” -> click Next -> leave “DNS server” selected and click Next -> click “Yes” on the warning message -> choose a location for the database, logs and sysvol folders -> click Next -> specify a complex password for the Directory Services Restore Mode administrator (and document the password) -> click Next twice -> select “Reboot on completion”.
  6. Allow the server to restart when the installation process completes.
  7. Log in to the new domain controller for the first time using the domain administrator account.
  8. Start -> Run -> cmd.exe
  9. Write the commands below to synchronize the PDC emulator with an external reliable time source:
    w32tm /config /computer:<> /manualpeerlist:time.windows.com /syncfromflags:manual /update

    exit

  10. Start -> Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  11. Write the commands below to protect all OUs in the domain from accidental deletion:
    import-module activedirectory

    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

    exit

  12. Server Manager -> right click on Features -> Add Features -> select “Windows Server Backup Features” -> click Next -> click Install -> click Close.
  13. Start -> Administrative Tools -> Windows Server Backup -> from the Actions pane, click on “Backup Schedule” -> click Next -> choose “Full server” -> Specify a backup time -> click Next -> click the check box for your destination disk -> click Next -> click Yes to confirm that the destination disk will be reformatted -> verify the label for the destination disk -> click Next -> verify the information on the Summary page -> click Finish -> On the Confirmation page -> click Close.
  14. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary zone” -> leave “Store the zone in Active Directory” checked -> click Next -> select “To all DNS Servers running on domain controllers in this forest” -> click Next -> choose “IPv4 Reverse Lookup Zone” -> click Next -> in the “Network ID” field, put the first 3 octets of the network segment the domain controller resides in -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
  15. Perform the above step for all other network segments residing in your organization.
  16. From the left pane, expand the server name -> expand “Forward Lookup Zones” -> right click on each zone name -> Properties -> Name Servers tab -> make sure all Windows 2008 R2 DNS servers appear on this list (assuming you have installed more Windows 2008 R2 domain controllers with DNS service) -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
  17. Perform the above step for all other “Forward Lookup zones” and “Reverse Lookup zones” in your forest.

IPv6 DNS settings

  1. In order to configure an IPv6 address for the DNS server, Start -> Control Panel -> under “Network and Internet”, click on “View network status and tasks” -> click “Change adapter settings” -> right click on the relevant “Local Area Connection” icon -> Properties -> click on “Internet Protocol Version 6 (TCP/IPv6)” -> Properties -> select “Use the following IPv6 address” -> if you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403 -> enter a Subnet prefix length of 64 -> click OK -> click Close.
  2. Server Manager -> expand Roles -> expand DNS Server -> expand DNS -> expand the server name -> expand “Reverse Lookup Zones” -> right click on “Reverse Lookup Zones” -> New Zone -> click Next -> choose “Primary Zone” -> click Next -> choose “To all DNS servers running on domain controllers in this forest” -> click Next -> choose “IPv6 Reverse Lookup Zone” -> click Next -> on the “IPv6 Address Prefix” field type the IPv6 subnet prefix (in this example: 2001:0db8:29cd:1a0f::/64) -> click Next -> select “Allow only secure dynamic updates” -> click Next -> click Finish.
  3. Right click on the new “Reverse Lookup Zone” -> properties -> Zone Transfers tab -> select “Allow zone transfers” -> select “Only to servers listed on the Name Servers tab” -> click OK.
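The zone settings configured by hand in steps 14-17 above and for the IPv6 reverse zone (secure dynamic updates only, zone transfers only to the servers on the Name Servers tab) can be verified afterwards against every zone on the server. The following PowerShell script is an added example, not part of the original guide; it reads each zone through the root\MicrosoftDNS WMI provider that ships with the Windows Server 2008 R2 DNS role and reports zones that still accept nonsecure updates or transfer to any server. It assumes it is run as a domain admin and that $DnsServer names the DNS server to check (default: the local computer).

```powershell
# Added example, not part of the original guide: audit DNS zone update and transfer policy.
# Assumptions: run as a domain admin; $DnsServer is the DNS server to query (default: this host).
param(
    [string]$DnsServer = $env:COMPUTERNAME
)

# MicrosoftDNS_Zone.AllowUpdate values, as documented for the WMI provider.
$allowUpdateText = @{
    0 = 'no dynamic updates'
    1 = 'nonsecure and secure dynamic updates'
    2 = 'secure dynamic updates only'
}
# MicrosoftDNS_Zone.SecureSecondaries values.
$secureSecondariesText = @{
    0 = 'zone transfers to any server'
    1 = 'zone transfers only to servers listed on the Name Servers tab'
    2 = 'zone transfers only to the servers listed in SecondaryServers'
    3 = 'zone transfers disabled'
}

function Get-ZoneFindings {
    # Returns the deviations from the guide for one zone (nothing returned = compliant).
    param([System.Management.ManagementObject]$Zone)
    $findings = @()
    # ZoneType 1 = primary. The guide only creates AD-integrated primary zones.
    if ($Zone.ZoneType -eq 1) {
        # Secure-only updates are possible only for AD-integrated zones.
        if ($Zone.DsIntegrated -and $Zone.AllowUpdate -ne 2) {
            $findings += ('dynamic updates: {0} (guide: secure only)' -f $allowUpdateText[[int]$Zone.AllowUpdate])
        }
        if ($Zone.SecureSecondaries -eq 0) {
            $findings += 'zone transfers allowed to any server (guide: Name Servers tab only)'
        }
    }
    return $findings
}

# ZoneType 0 is the cache pseudo-zone; it carries no update or transfer policy.
$zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -ComputerName $DnsServer |
         Where-Object { $_.ZoneType -ne 0 }

$nonCompliant = 0
foreach ($zone in $zones) {
    $kind = if ($zone.Reverse) { 'reverse' } else { 'forward' }
    $findings = @(Get-ZoneFindings -Zone $zone)
    if ($findings.Count -eq 0) {
        Write-Host ('OK    {0} ({1}): {2}; {3}' -f $zone.Name, $kind,
            $allowUpdateText[[int]$zone.AllowUpdate], $secureSecondariesText[[int]$zone.SecureSecondaries])
    } else {
        $nonCompliant++
        Write-Host ('CHECK {0} ({1}):' -f $zone.Name, $kind)
        foreach ($f in $findings) { Write-Host ('      - {0}' -f $f) }
    }
}
Write-Host ('{0} zone(s) deviate from the guide.' -f $nonCompliant)
```

Run it again after step 17 on every DNS server that hosts the zones, since the transfer setting is per zone and the audit only sees the zones of the server it queries.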

IPv6 – Problem and some solutions

The Internet is about to face one of the most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. Further complicating matters is the slow adoption of a new system intended to vastly increase the available pool.
Currently, the web uses IPv4 (Internet Protocol version 4), which uses 32-bit addresses, meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is, however, a new system called IPv6. It uses 128-bit addresses, and the number of available addresses skyrockets.
It is time to start the migration from IPv4 to IPv6.

Here are a couple of articles about the problem:
http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984

http://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year

I have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications:

Microsoft Announces IPv6 Technical Preview for Windows 2000:
http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx

Installing IPv6 on Windows XP
http://forums.techarena.in/networking-security/1098260.htm

How IIS 6.0 Supports IPv6 (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true

Changes to IPv6 in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878121.aspx

Next Generation TCP/IP Stack in Windows Vista and Windows Server 2008
http://technet.microsoft.com/en-us/library/bb878108.aspx

DNS Enhancements in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx

Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Using IPv6 with IIS7
http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx

IPv6 Support in Exchange 2007 SP1 and SP2
http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx

Red Hat / CentOS IPv6 Network Configuration
http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/

IPv6 on Fedora Core mini-HOWTO
http://linux.yyz.us/ipv6-fc2-howto.html

Adding IPv6 to Ubuntu systems
http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems

Enabling IPv6 on a Network (Solaris 10)
http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view

Building a Linux IPv6 DNS Server
http://www.linuxjournal.com/article/6541

Networking IPv6 User Guide for J2SDK/JRE 1.4
http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html

Networking IPv6 User Guide for JDK/JRE 5.0
http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html

Apache Talking IPv6
http://www.linuxjournal.com/article/5451

How-to IPv6 in Globus Toolkit 3
http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm

Enabling IPv6 Support in Nginx
http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/

IPv6 Support in iOS 4
http://isc.sans.edu/diary.html?storyid=9058

IPv6 – Cisco Systems
http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html

Cisco – IP version 6 Introduction
http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html

Hewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites
http://h10026.www1.hp.com/netipv6/Ipv6.htm

EMC Product Support for IPv6
http://india.emc.com/products/interoperability/ipv6.htm

Nokia IPv6 How To
http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf

Windows 2008 R2 Certification Authority installation guide

This step-by-step guide explains how to install and configure public key infrastructure, based on:

  • Windows 2008 R2 Server core – offline Root CA
  • Windows 2008 R2 domain controller
  • Windows 2008 R2 enterprise edition – Subordinate Enterprise CA server

Offline Root CA – OS installation phase

  1. Boot the server using Windows 2008 R2 bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To log in to the server for the first time, press CTRL+ALT+DELETE.
  8. Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  9. From the command prompt window, run the command below:
    sconfig.cmd
  10. Press “2” to replace the computer name -> specify the new computer name -> click “Yes” to restart the server.
  11. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  12. From the command prompt window, run the command below:
    sconfig.cmd
  13. Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
  14. Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
  15. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  16. From the command prompt window, run the command below:
    sconfig.cmd
  17. In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
  18. Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
  19. Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK.
  20. Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.

Offline Root CA – Certificate Authority server installation phase

  1. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  2. Install Certificate Services:
    start /w ocsetup.exe CertificateServices /norestart /quiet
  3. To check that the installation completed, run the command:
    oclist | find /i "CertificateServices"
  4. Download the file “setupca.vbs” from:
    http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx
    to:
    C:\Windows\system32
  5. Run the command below to configure the Root CA:
    Cscript /nologo C:\Windows\System32\setupca.vbs /is /sn <ca_server_name> /sk 4096 /sp "RSA#Microsoft Software Key Storage Provider" /sa SHA256
  6. In order to verify that the installation completed successfully, open the file “_SetupCA.log” (located in the current working directory) with Notepad, and make sure the last line is:
    Install complete! Passed
  7. Run the command below to enable remote management of the Root CA:
    netsh advfirewall firewall set rule group="Remote Service Management" new enable=yes
  8. Run the command below to stop the CertSvc service:
    Net stop CertSvc
  9. Run the command below to change the validity period of newly issued certificates:
    reg add HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<rootca_netbios_name> /v ValidityPeriodUnits /t REG_DWORD /d 5 /f
    Note: The command above should be written in one line.
  10. Run the command below to start the CertSvc service:
    Net start CertSvc

Enterprise Subordinate CA – OS installation phase
Prerequisites:

  • Active Directory (Forest functional level – Windows 2008 R2)
  • Add “A” record for the Root CA to the Active Directory DNS.
  1. Boot the server using Windows 2008 R2 Enterprise Edition bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 Enterprise Edition Full installation” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To log in to the server for the first time, press CTRL+ALT+DELETE.
  8. Choose “Administrator” account -> click OK to replace the account password -> specify complex password and confirm it -> press Enter -> Press OK.
  9. From the “Initial Configuration Tasks” window, configure the following settings:
    • Set time zone
    • Configure networking – specify static IP address, netmask, gateway, DNS
    • Provide computer name and domain – add the server to the domain
    • Enable Remote Desktop
  10. In order to be able to remotely manage the Root CA, run the command below:
    cmdkey /add:<RootCA_Hostname> /user:Administrator /pass:<RootCA_Admin_Password>

Enterprise Subordinate CA – Certificate Authority server installation phase
Prerequisites:

  • DNS CNAME record named “wwwca” for the Enterprise Subordinate CA.
  1. To log in to the server, press CTRL+ALT+DELETE -> specify the credentials of an account that is a member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”.
  2. Start -> Administrative Tools -> Server Manager.
  3. From the left pane, right click on Roles -> Add Roles -> Next -> select “Web Server (IIS)” -> click Next twice -> select the following role services:
    • Web Server
    • Common HTTP Features
    • Static Content
    • Default Document
    • Directory Browsing
    • HTTP Errors
    • HTTP Redirection
    • Application Development
    • .NET Extensibility
    • ASP
    • ISAPI Extensions
    • Health and Diagnostics
    • HTTP Logging
    • Logging Tools
    • Tracing
    • Request Monitor
    • Security
    • Windows Authentication
    • Client Certificate Mapping Authentication
    • IIS Client Certificate Mapping Authentication
    • Request Filtering
    • Performance
    • Static Content Compression
    • Management Tools
    • IIS Management Console
    • IIS Management Scripts and Tools
    • IIS 6 Management Compatibility
    • IIS 6 Metabase Compatibility
  4. Click Next -> click Install -> click Close.
  5. From the left pane, right click on Features -> Add Features -> Next -> expand “Windows Process Activation Service” -> select “.NET Environment” and “Configuration APIs” -> select the feature “.NET Framework 3.5.1 Features” -> click Next -> click Install -> click Close.
  6. From the left pane, right click on Roles -> Add Roles -> Next -> select “Active Directory Certificate Services” -> click Next twice -> select the following role services:
    • Certification Authority
    • Certification Authority Web Enrollment
    • Certificate Enrollment Policy Web Service
  7. Click Next.
  8. Configure the following settings:
    • Specify Setup Type: Enterprise
    • CA Type: Subordinate CA
    • Private Key: Create a new private key
    • Cryptography:
      Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider
      Key length: 2048
      Hash algorithm SHA256
    • CA Name:
      Common name: specify here the subordinate server NetBIOS name
      Distinguished name suffix: leave the default domain settings
    • Certificate Request: Save a certificate to file and manually send it later
    • Certificate Database: leave the default settings
    • Authentication Type: Windows Integrated Authentication
    • Server Authentication Certificate: Choose and assign a certificate for SSL later
  9. Click Next twice -> click Install -> click Close.
  10. Close the Server Manager.
  11. Start -> Administrative Tools -> Certification Authority
  12. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
  13. Right click on the RootCA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):
    • Uncheck “Publish Delta CRLs to this location”.
    • Mark the line beginning with “LDAP”, and click Remove.
    • Mark the line beginning with “HTTP”, and click Remove.
    • Mark the line beginning with “file”, and click Remove.
    • Click on Add -> in the location field, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crl
    • Click on the line beginning with “HTTP”, and make sure the only option checked is: “Include in CDP extension of issued certificates”.
    • Click on the line beginning with “C:\Windows”, and make sure the only option checked is: “Publish CRLs to this location”.
  14. Extensions tab -> extension type: Authority Information Access (AIA):
    • Mark the line beginning with “LDAP”, and click Remove.
    • Mark the line beginning with “HTTP”, and click Remove.
    • Mark the line beginning with “file”, and click Remove.
    • Click on Add -> in the location field, put:
      http://wwwca/CertEnroll/<RootCA_Server_Name>.crt
  15. Click OK and allow the CA server to restart its services.
  16. From the “Certification Authority” left pane, right click on “Revoked certificates”-> Properties:
    • CRL publication interval: 180 days
    • Make sure “Publish Delta CRLs” is not checked
    • Click OK
  17. Right click on the CA name -> All tasks -> Stop service
  18. Right click on the CA name -> All tasks -> Start service
  19. Run the commands below from the command line, to configure the Offline Root CA to publish in Active Directory:
    certutil.exe -setreg ca\DSConfigDN "CN=Configuration,DC=mycompany,DC=com"
    certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
    Note: Replace “DC=mycompany,DC=com” according to your domain name.
  20. From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK.
  21. Close the “Certification Authority” snap-in and logoff the subordinate CA server.
  22. Log in to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins.
  23. Copy the file below from the Offline Root CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  24. Start -> Administrative Tools -> Group Policy Management.
  25. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
  26. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Trusted Root Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the Root CA -> click Open -> click Next twice -> click Finish -> click OK.
  27. Logoff the domain controller.
  28. Return to the subordinate enterprise CA server.
  29. Start -> Administrative Tools -> Certification Authority.
  30. From the left pane, right click on “Certification Authority (Local)” -> “Retarget Certification Authority” -> choose “Another computer” -> specify the RootCA hostname -> click Finish.
  31. Right click on the RootCA server name -> All Tasks -> Submit new request -> locate the subordinate CA request file (.req) -> Open.
  32. Expand the RootCA server name -> right click on “Pending Requests” -> locate the subordinate CA request ID according to the date -> right click on the request -> All Tasks -> Issue.
  33. From the left pane, click on “Issued Certificates” -> locate the subordinate CA request ID -> right click on the request -> All Tasks -> “Export Binary Data” -> choose “Binary Certificate” -> click “Save binary data to a file” -> click OK -> specify location and the file name – <subordinate_ca_server_name_signed_certificate>.p7b -> click Save.
  34. Run the command below from the command line to avoid offline CRL errors:
    Certutil.exe -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  35. From the left pane, right click on “Certificate Authority” -> “Retarget Certification Authority” -> choose “Local computer” -> click Finish.
  36. Right click on the subordinate CA server name -> All Tasks -> “Install CA Certificate” -> locate the file <Subordinate_CA_Server_Name_Signed_Certificate>.p7b -> click Open.
  37. Right click on the subordinate CA server name -> All Tasks -> Start Service.
  38. Right click on the subordinate CA server name -> Properties -> Extensions tab -> extension type: CRL Distribution Point (CDP):
    • Mark the line beginning with “HTTP” -> click Remove -> click Yes.
    • Mark the line beginning with “file” -> click Remove -> click Yes.
    • Click on Add -> in the location field, put:
      http://wwwca/CertEnroll/<subordinate_CA_Server_Name>.crl
    • Click on the line beginning with “HTTP”, and make sure the following options are checked: “Include in CRLs” and “Include in the CDP”.
  39. Extensions tab -> extension type: Authority Information Access (AIA):
    • Mark the line beginning with “HTTP” -> click Remove -> click Yes.
    • Mark the line beginning with “file” -> click Remove -> click Yes.
    • Click on Add -> in the location field, put:
      http://wwwca/CertEnroll/<SubordinateCA-FQDN_Subordinate_NetBIOS_Name>.crt
      Example: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt
    • Click on the line beginning with “HTTP”, and make sure the following option is checked: “Include in the AIA”.
  40. Click OK and allow the CA server to restart its services.
  41. From the “Certification Authority” left pane, right click on “Revoked certificates”-> All tasks -> Publish -> click OK.
  42. Close the “Certification Authority” snap-in
  43. Copy the files below from the Root CA to the subordinate CA (same location):
    C:\Windows\System32\CertSrv\CertEnroll\*.crl
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  44. Logoff the subordinate CA server.
  45. Log in to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins.
  46. Copy the newest file matching the pattern below from the subordinate CA server to a temporary folder on the domain controller:
    C:\Windows\System32\CertSrv\CertEnroll\*.crt
  47. Start -> Administrative Tools -> Group Policy Management.
  48. From the left pane, expand the forest name -> expand Domains -> expand the relevant domain name -> right click on “Default domain policy” -> Edit.
  49. From the left pane, under “Computer Configuration” -> expand Policies -> expand “Windows Settings” -> expand “Security Settings” -> expand “Public Key Policies” -> right click on “Intermediate Certification Authorities” -> Import -> click Next -> click Browse to locate the CRT file from the subordinate CA server -> click Open -> click Next twice -> click Finish -> click OK.
  50. Logoff the domain controller.
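The CDP and AIA settings that steps 13-14 (Root CA) and 38-39 (Subordinate CA) set through the Certification Authority snap-in are stored as flag-prefixed location lists under the same CertSvc registry key the Root CA phase edits with reg add. The following PowerShell script is an added example, not part of the original guide; it decodes those lists on the local CA and reports anything that deviates from the guide (remaining LDAP or file:// locations, Delta CRL publishing, HTTP locations outside http://wwwca/CertEnroll/). It assumes it runs on the CA itself with administrative rights, and that the wwwca alias is the one the guide uses.

```powershell
# Added example, not part of the original guide: decode and check the CA's CDP and AIA lists.
# Assumptions: runs locally on the CA (Root or Subordinate) with administrative rights;
# the guide's HTTP locations all live under http://wwwca/CertEnroll/.
$caRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
# The 'Active' value names the CA hosted on this computer; its own subkey holds the settings.
$caName = (Get-ItemProperty -Path $caRoot).Active
$cfg    = Get-ItemProperty -Path (Join-Path $caRoot $caName)

# Every list entry is "<flags>:<location>". The flag bits are the CSURL_* values that certutil
# documents; the text is the matching checkbox label in the Extensions tab.
$cdpFlags = @{
    1   = 'Publish CRLs to this location'                           # CSURL_SERVERPUBLISH
    2   = 'Include in CDP extension of issued certificates'         # CSURL_ADDTOCERTCDP
    4   = 'Include in CRLs (clients use this to find Delta CRLs)'   # CSURL_ADDTOFRESHESTCRL
    8   = 'Include in the CDP extension of CRLs'                    # CSURL_ADDTOCRLCDP
    64  = 'Publish Delta CRLs to this location'                     # CSURL_SERVERPUBLISHDELTA
    128 = 'Include in the IDP extension of issued CRLs'             # CSURL_ADDTOIDP
}
$aiaFlags = @{
    1   = 'Publish CA certificate to this location'                 # CSURL_SERVERPUBLISH
    2   = 'Include in the AIA extension of issued certificates'     # CSURL_ADDTOCERTCDP
    32  = 'Include in the OCSP extension'                           # CSURL_ADDTOCERTOCSP
}

function ConvertFrom-PublicationEntry {
    # Splits "<flags>:<location>" and names the option bits that are set.
    param([string]$Entry, [hashtable]$FlagNames)
    $flagText, $location = $Entry -split ':', 2
    $flags = [int]$flagText
    $options = @()
    foreach ($bit in ($FlagNames.Keys | Sort-Object)) {
        if ($flags -band $bit) { $options += $FlagNames[$bit] }
    }
    New-Object PSObject -Property @{ Location = $location; Flags = $flags; Options = $options }
}

function Test-PublicationList {
    # Prints each location with its options and returns the deviations from the guide.
    param([string[]]$Entries, [hashtable]$FlagNames, [string]$Label)
    $problems = @()
    foreach ($entry in $Entries) {
        $e = ConvertFrom-PublicationEntry -Entry $entry -FlagNames $FlagNames
        Write-Host ('{0} [{1,3}] {2}' -f $Label, $e.Flags, $e.Location)
        foreach ($o in $e.Options) { Write-Host ('          - {0}' -f $o) }
        # The guide removes every LDAP and file:// location, keeps the local path for publishing
        # and adds exactly one HTTP location under wwwca.
        if ($e.Location -match '^(ldap|file):') {
            $problems += ('{0}: {1} location still present: {2}' -f $Label, $matches[1].ToUpper(), $e.Location)
        }
        if ($e.Flags -band 64) {
            $problems += ('{0}: Delta CRLs are published to {1}' -f $Label, $e.Location)
        }
        if ($e.Location -match '^http://' -and $e.Location -notmatch '^http://wwwca/CertEnroll/') {
            $problems += ('{0}: HTTP location is not under http://wwwca/CertEnroll/: {1}' -f $Label, $e.Location)
        }
    }
    return $problems
}

Write-Host ('CA: {0}' -f $caName)
Write-Host ('Issued certificate validity: {0} {1}' -f $cfg.ValidityPeriodUnits, $cfg.ValidityPeriod)
Write-Host ('Base CRL period: {0} {1}; Delta CRL period: {2} {3}' -f `
    $cfg.CRLPeriodUnits, $cfg.CRLPeriod, $cfg.CRLDeltaPeriodUnits, $cfg.CRLDeltaPeriod)

$issues  = @()
$issues += @(Test-PublicationList -Entries $cfg.CRLPublicationURLs    -FlagNames $cdpFlags -Label 'CDP')
$issues += @(Test-PublicationList -Entries $cfg.CACertPublicationURLs -FlagNames $aiaFlags -Label 'AIA')
# "Publish Delta CRLs" unchecked in the Revoked Certificates properties means a zero delta period.
if ($cfg.CRLDeltaPeriodUnits -ne 0) { $issues += 'Delta CRL publishing is enabled (guide: unchecked)' }

if ($issues.Count -eq 0) { Write-Host 'CDP/AIA configuration matches the guide.' }
else { $issues | ForEach-Object { Write-Host ('DEVIATION: {0}' -f $_) } }
```

On the Offline Root CA (Server Core) this needs the MicrosoftWindowsPowerShell package enabled first; on the Subordinate CA it runs from any elevated PowerShell prompt.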

Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform

OS installation phase

  1. Boot the server using Windows 2008 R2 bootable DVD.
  2. Specify the product ID -> click Next.
  3. From the installation option, choose “Windows Server 2008 R2 (Server Core Installation)” -> click Next.
  4. Accept the license agreement -> click Next.
  5. Choose “Custom (Advanced)” installation type -> specify the hard drive to install the operating system -> click Next.
  6. Allow the installation phase to continue and restart the server automatically.
  7. To log in to the server for the first time, press CTRL+ALT+DELETE.
  8. Choose the “Administrator” account -> click OK to replace the account password -> specify a complex password and confirm it -> press Enter -> press OK.
  9. From the command prompt window, run the command below:
    sconfig.cmd
  10. Press “2” to replace the computer name -> specify the new computer name -> click “Yes” to restart the server.
  11. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  12. From the command prompt window, run the command below:
    sconfig.cmd
  13. Press “5” to configure “Windows Update Settings” -> select “A” for automatic -> click OK.
  14. Press “6” to download and install Windows Updates -> choose “A” to search for all updates -> choose “A” to download and install all updates -> click “Yes” to restart the server.
  15. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  16. From the command prompt window, run the command below:
    sconfig.cmd
  17. In case you need to use RDP to access and manage the server, press “7” to enable “Remote Desktop” -> choose “E” to enable -> choose either “1” or “2” according to your client settings -> press OK.
  18. Press “8” to configure “Network settings” -> select the network adapter by its Index number -> press “1” to configure the IP settings -> choose “S” for static IP address -> specify the IP address, subnet mask and default gateway -> press “2” to configure the DNS servers -> click OK -> press “4” to return to the main menu.
  19. Press “9” to configure “Date and Time” -> choose the correct “date/time” and “time zone” -> click OK.
  20. Press “11” to restart the server to make sure all settings take effect -> click “Yes” to restart the server.

Web server installation phase

  1. To log in to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.
  2. For a minimal installation of IIS 7.5 features, run the command below from the command prompt:
    start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
  3. For a full installation of IIS 7.5 (not recommended on production environments), run the command below from the command prompt:
    start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell
  4. For a full installation of IIS 7.5, including the .NET Framework (not recommended on production environments), run the command below from the command prompt:
    start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64
  5. Create a new folder for the WWW content on a different partition than the operating system, for example:
    md D:\WWW
  6. Copy the content of the web site to the newly created folder.
  7. Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege).
  8. Run the command below to configure the IIS metadata to use the new folder:
    %windir%\system32\inetsrv\appcmd set vdir "Default Web Site/" -physicalPath:D:\WWW
  9. Create a new folder for the LogFiles content on a different partition than the operating system, for example:
    md D:\LogFiles
  10. Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege).
  11. Run the commands below to configure the IIS metadata to use the new folder:
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:"D:\LogFiles"
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:"D:\LogFiles"
    %windir%\system32\inetsrv\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:"D:\LogFiles"
  12. Run the command below to configure the newly created WWW folder as the root for service packs and other installers:
    reg add HKLM\Software\Microsoft\inetstp /v PathWWWRoot /t REG_SZ /d D:\WWW
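Steps 7 and 10 leave the exact NTFS permissions to the reader. The batch script below is an added example, not part of the original guide, that applies least-privilege ACLs to the D:\WWW and D:\LogFiles folders from steps 5 and 9 and then verifies the result. It uses icacls.exe (shipped with Windows 2008 R2 Server Core alongside the Cacls.exe the guide names); the paths are the guide's examples and the account names are the standard IIS 7.5 principals.

```batch
@echo off
setlocal
rem Added example, not part of the original guide: least-privilege NTFS ACLs
rem for the relocated IIS content and log folders, applied with icacls.exe.
set WWW=D:\WWW
set LOGS=D:\LogFiles

rem 1. Content folder: remove every inherited ACE (/inheritance:r), then grant
rem    only what is needed. Administrators and SYSTEM get full control; the
rem    worker-process group (IIS_IUSRS) and the anonymous account (IUSR) get
rem    read/execute only, so a compromised site cannot alter its own content.
icacls "%WWW%" /inheritance:r ^
  /grant:r "BUILTIN\Administrators":(OI)(CI)F ^
           "NT AUTHORITY\SYSTEM":(OI)(CI)F ^
           "BUILTIN\IIS_IUSRS":(OI)(CI)RX ^
           "NT AUTHORITY\IUSR":(OI)(CI)RX
if errorlevel 1 goto :fail
rem    Content copied in before this step keeps its own explicit ACEs; reset
rem    everything below the folder so it inherits the folder ACL only.
if exist "%WWW%\*" icacls "%WWW%\*" /reset /T /Q

rem 2. Log folder: in the default configuration IIS writes its logs as SYSTEM,
rem    so Administrators and SYSTEM are sufficient and no web identity gets
rem    any access (log files should not be readable from the site itself).
icacls "%LOGS%" /inheritance:r ^
  /grant:r "BUILTIN\Administrators":(OI)(CI)F ^
           "NT AUTHORITY\SYSTEM":(OI)(CI)F
if errorlevel 1 goto :fail

rem 3. Verification: print the resulting ACLs and confirm that the Default
rem    Web Site really points at the relocated content folder (step 8).
icacls "%WWW%"
icacls "%LOGS%"
%windir%\system32\inetsrv\appcmd list vdir "Default Web Site/" /text:physicalPath
endlocal
exit /b 0

:fail
echo ACL change failed, review the icacls output above.
endlocal
exit /b 1
```

Run it from an elevated command prompt after step 12; if a site uses a custom application pool identity instead of ApplicationPoolIdentity, add that account with the same read/execute grant.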