Thursday, April 10, 2008

Step-by-Step Guide to Digitally Signed and Encrypted E-Mail


Published: September 17, 2004

This document provides sample procedures for deploying and configuring the E-Mail Services included with the Microsoft Windows Server 2003 operating system. In conjunction with Microsoft Certificate Services, E-Mail Services build a foundation of support for digitally signing and encrypting e-mail traffic within, or external to, an organization.

On This Page
Introduction
Overview
Configuring E-Mail Services
Getting Digital IDs
Digitally Signing and Encrypting E-Mail
Additional Resources

Introduction

Step-by-Step Guides

The Windows Server 2003 Deployment step-by-step guides provide hands-on experience for many common operating system configurations. The guides begin by establishing a common network infrastructure through the installation of Windows Server 2003, the configuration of Active Directory®, the installation of a Windows XP Professional workstation, and finally the addition of this workstation to a domain. Subsequent step-by-step guides assume that you have this common network infrastructure in place. If you do not want to follow this common network infrastructure, you will need to make appropriate modifications while using these guides.

The common network infrastructure requires the completion of the following guides.

Part I: Installing Windows Server 2003 as a Domain Controller

Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain

Once the common network infrastructure is configured, any of the additional step-by-step guides may be employed. Note that some step-by-step guides may have additional prerequisites above and beyond the common network infrastructure requirements. Any additional requirements will be noted in the specific step-by-step guide.

Microsoft Virtual PC

The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005. Virtual machine technology enables customers to run multiple operating systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are designed to increase operational efficiency in software testing and development, legacy application migration, and server consolidation scenarios.

The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur within a physical lab environment, although most configurations can be applied to a virtual environment without modification.

Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the scope of this document.

Important Notes

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

This common infrastructure is designed for use on a private network. The fictitious company name and Domain Name System (DNS) name used in the common infrastructure are not registered for use on the Internet. You should not use this name on a public network or Internet.

The Active Directory service structure for this common infrastructure is designed to show how Windows Server 2003 Change and Configuration Management works and functions with Active Directory. It was not designed as a model for configuring Active Directory for any organization.

Overview

Increasingly, individuals and organizations are using e-mail as a tool for sending confidential information. Given the sensitive nature of the data, e-mail systems must provide mechanisms to safeguard the data from alteration while providing the confidence that messages are not intercepted and read by anyone other than the intended recipient.

By using digital IDs with Microsoft Outlook or Outlook Express, you can prove your identity in electronic transactions in a way that is similar to showing your driver's license when you cash a check. You can also use a digital ID to encrypt messages, keeping them private. Digital IDs incorporate the Secure/Multipurpose Internet Mail Extensions (S/MIME) specification for secure electronic e-mail.

How Digital IDs Work

A digital ID is composed of a public key, a private key, and a digital signature. When messages are digitally signed, a digital signature and a public key are added to the message. The combination of a digital signature and public key is called a certificate. With Outlook or Outlook Express, a certificate may be specified for use by others attempting to send encrypted messages to you. This certificate can be different from your signing certificate.

E-mail recipients use a digital signature to verify a sender’s identity. E-mail originators use a public key to encrypt e-mail, which only the intended recipient can read with the corresponding private key. To send encrypted messages, the Address Book must contain digital IDs for the recipients. That way, e-mail senders can use the recipient’s public key to encrypt a message. When recipients receive an encrypted message, their private key is used to decrypt the message for reading.

Before sending digitally signed messages, you must obtain a digital ID. If you are sending encrypted messages, your Address Book must contain a digital ID for each recipient.

How To Obtain Digital IDs

Digital IDs are issued by independent certification authorities (CAs) and may be obtained for business or personal use. When applying for a digital ID at a CA's Web site, the applicant’s identity is verified before an ID is issued. There are different classes of digital IDs, each certifying to a different level of trustworthiness. For more information, see the Where to Get Your Digital ID Web site.

How To Verify a Digital Signature

With revocation checking, e-mail recipients can verify the validity of a digitally signed message. When verifying a digital signature’s validity, the Outlook client requests information about the digital ID from the appropriate CA. The CA sends back information on the status of the digital ID, including whether the ID has been revoked. CAs keep track of certificates that have been revoked due to loss or termination.

Prerequisites

Part I: Installing Windows Server 2003 as a Domain Controller

Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain

Step-by-Step Guide to Using the Encrypting File System

Step-by-Step Guide to Enforcing Strong Password Policies

Step-by-Step Guide to Managing Active Directory (GPO)

Step-by-Step Guide to Understanding the Group Policy Feature Set (GPO)

Step-by-Step Guide to Using the Group Policy Management Console

Configuring E-Mail Services

With E-Mail Services, you can install components on your computer to configure it as a mail server. E-Mail Services include the Post Office Protocol 3 (POP3) service and the Simple Mail Transfer Protocol (SMTP) service, which retrieve and transfer e-mail, respectively. To provide e-mail services to users, such as sending and receiving e-mail, administrators can create mailboxes on the server.

POP3

The POP3 service is an e-mail service that retrieves e-mail. Administrators can use the POP3 service to store and manage e-mail accounts on the mail server. When the POP3 service is installed on the mail server, users can connect to the mail server and retrieve e-mail to their local computer using an e-mail client that supports the POP3 protocol (such as Outlook or Outlook Express). The POP3 service is used with the SMTP service, which sends outgoing e-mail.

SMTP

SMTP controls the way e-mail is transported and delivered across an organization or the Internet to a destination server. SMTP receives and sends e-mail between servers. The SMTP service is automatically installed on the computer where the POP3 service is installed to allow users to send outgoing e-mail. When you create a domain using the POP3 service, the domain is also added to the SMTP service to allow mailboxes in that domain to send outgoing e-mail. The SMTP service on the mail server receives incoming mail and transfers the e-mail to the mail store.

Setting up E-Mail Services

To install E-Mail Services

1. Log on to HQ-CON-DC-01 as Administrator@contoso.com.

2. Click the Start button, click Control Panel, and then click Add or Remove Programs.

3. Click Add/Remove Windows Components, select the E-mail Services check box, and then click Next. (Note that you may need to provide your installation CD to continue.)

4. After the Windows Components Wizard completes, click Finish, and then close the Add or Remove Programs screen.

To configure E-Mail Services

1. Click the Start button, point to All Programs, point to Administrative Tools, and then click POP3 Service.

2. In the left tree under POP3 Service, click HQ-CON-DC-01.

3. Click the New Domain link, type contoso.com for the Domain Name, and then click OK.

4. In the right pane, double-click contoso.com. The tree in the left pane will expand under HQ-CON-DC-01 showing the contoso.com domain. Click the Add Mailbox link.

5. On the Add Mailbox screen, type mike for the Mailbox Name, clear the Create associated user for this mailbox check box, click OK, and then click OK again once the POP3 Service confirmation screen displays.

6. Click the Add Mailbox link again and repeat step 5 to create a mailbox for the Administrator.

Note: Since Active Directory accounts were established prior to the installation of E-Mail Services, the manual configuration of mailboxes is required. The POP3 service configuration will update the Active Directory user information with an associated e-mail address provided the logon and mailbox names are identical. The POP3 service does provide for the automatic creation of a user account when defining a new mailbox.

7. Minimize the POP3 Service MMC.

To test basic e-mail functionality

1. Click the Start button, point to All Programs, and then click Outlook Express.

2. On the Internet Connection Wizard screen, type Contoso Administrator for Display name, and then click Next.

3. Type administrator@contoso.com for E-mail address, and then click Next.

4. For both the Incoming mail and Outgoing mail server, type HQ-CON-DC-01, and then click Next.

5. On the Internet Mail Logon screen, change the logon name to administrator@contoso.com, provide the password for the Administrator account, and then click Next.

6. Click Finish.

7. Click the Send/Receive button to ensure successful interaction with the e-mail server.

8. Click Create Mail, address the mail to mike@contoso.com, type Test Mail for the Subject, and then click Send.

9. Maximize the POP3 Service MMC.

10. In the right-side results pane, under the HQ-CON-DC-01 tree, verify that the Mailbox for mike has one message, and then close the POP3 Service MMC.

Getting Digital IDs

Many organizations install their own CAs and issue certificates to internal devices, services, and employees to create a more secure computing environment. Large organizations may have multiple CAs set up in a hierarchy that leads to a trusted root CA. Thus, employees of an organization may have a multitude of certificates in their certificate store that have been issued by a variety of internal CAs, all sharing a trust connection via the certification path to the root CA.

In the sections that follow, e-mail signing certificates are issued to domain members from the Contoso CA which, in the examples provided, does not have a trust connection to a commercial root CA. In other words, within the Contoso environment, secure e-mail will be based on certificates issued by the Contoso CA and will be verifiable if used within the Contoso network. However, any secure e-mail sent outside of the Contoso organization will not be verifiable until a trust is established from the Contoso CA to a commercial root CA.

You may purchase a certificate from a commercial CA, such as Verisign, for individual or organizational use. Once you have purchased a certificate and you use it to digitally sign an e-mail message, any message recipient can verify that a message has not been altered during transit and that the message came from you—assuming, of course, that the message recipient trusts the CA that issued your certificate.

Note: Personal certificates procured from a commercial root CA may be used in the following sections as an alternative to certificates issued by the Contoso CA to extend this example beyond the Contoso namespace.

Obtaining a Digital ID from the Contoso CA

Certificate requests must be made by the user, computer, or service that has access to the private key associated with the public key that will be part of the certificate. There are two primary ways to explicitly request certificates in a Windows Server 2003 operating system.

Request certificates using the Certificate Request Wizard: When you request certificates from a Windows Server 2003 enterprise CA, you can use the Certificate Request Wizard located in the Certificates snap-in.

Request certificates using the Windows Server 2003 Certificate Services Web pages: Each CA that is installed on a computer running Windows Server 2003 has Web pages that users can access to submit basic and advanced certificate requests. By default, these pages are located at http://servername/certsrv, where servername is the name of the computer running Windows Server 2003.

To request a certificate using the Certificate Request Wizard

1. On HQ-CON-DC-01, click the Start button, click Run, type certmgr.msc, and then click OK.

2. Under Certificates – Current User, click the plus sign (+) next to Personal to expand the folder.

3. Right-click Certificates, point to All Tasks, and then click Request New Certificate. On the Certificate Request Wizard welcome screen, click Next.

4. Click User under Certificate types, and then click Next.

5. Type Digital ID for the Friendly name, and then click Next.

6. Verify that the settings for the certificate request are the same as shown in Figure 1, and then click Finish.

Figure 1. A Certificate Request

7. Click OK to confirm the successful certificate request.

8. Close the Certificate Manager MMC.

Configuring Certificate Services for Autoenrollment

Autoenrollment is a useful feature of certification services in Windows XP and Windows Server 2003, Standard Edition. Autoenrollment allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject.

To configure certificate auto-enrollment

1. Click the Start button, point to All Programs, point to Administrative Tools, and then click Group Policy Management.

2. Click the plus sign (+) next to Forest:contoso.com, click the plus sign (+) next to Domains, right-click the Domain Password Policy under the contoso tree, and then click Rename.

Note: Verify that you are working under the contoso.com root domain.

3. Change the Domain Password Policy to Domain Password and Certificate Policy, and then press Enter.

4. Right-click Domain Password and Certificate Policy, and then click Edit.

5. Under Computer Configuration, expand the Windows Settings tree, expand the Security Settings tree, and then click Public Key Policies.

6. In the right-side results pane, double-click Autoenrollment Settings.

7. Under Enroll certificates automatically, select both check boxes as shown in Figure 2, and then click OK.

Figure 2. Certificate Autoenrollment

8. Repeat steps 5 through 7 to configure certificate autoenrollment for the User Configuration section of the Domain Password and Certificate Policy.

9. Close the Group Policy Object Editor, and then close the Group Policy Management window.

10. Click the Start button, click Run, type certsrv.msc, and then click OK.

11. Under the Certification Authority tree, click the plus sign (+) next to ContosoCA, right-click Certificate Templates, and then click Manage.

12. Right-click the User template, and then click Duplicate Template.

13. For Template display name, type Autoenrolled User, and then click the Security tab.

14. Under Group or user names, click to highlight Domain Users.

15. Under Permissions for Domain Users, select the check box for Allow next to Autoenroll as shown in Figure 3, and then click OK.

Figure 3. Certificate Template Security

16. Close the Certificate Template Manager, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.

17. Double-click Autoenrolled User, and then click to highlight Issued Certificates. In the next section, autoenrolled certificates will be verified.

To obtain an autoenrolled certificate

1. Log on to HQ-CON-WRK-01 as mike@contoso.com.

Note: Mike will receive an autoenrolled user certificate in approximately 90 seconds. This can be verified on the Issued Certificates screen in the Certificate Manager console on HQ-CON-DC-01. If Mike does not receive an autoenrolled certificate within a few minutes, you can run gpupdate /force from the command prompt to accelerate a Group Policy refresh.

Digitally Signing and Encrypting E-Mail

To configure Outlook Express on HQ-CON-WRK-01

1. On HQ-CON-WRK-01, click the Start button, point to All Programs, and then click Outlook Express.

2. On the Internet Connection Wizard screen, type Mike for Display name, and then click Next.

3. Type mike@contoso.com for E-mail address, and then click Next.

4. For both the Incoming mail and Outgoing mail server, type HQ-CON-DC-01, and then click Next.

5. On the Internet Mail Logon screen, change the logon name to mike@contoso.com, provide the password for Mike, and then click Next.

6. Click Finish.

7. Click the Send/Receive button to ensure successful interaction with the e-mail server, and then click the Inbox. There should be an e-mail from the Contoso Administrator.

To configure Outlook Express for Digital IDs

1. On HQ-CON-WRK-01 within Outlook Express, click Tools, and then click Options.

2. Click the Security tab, and then click the Advanced tab.

3. At the bottom of the Advanced Security Settings screen, under Revocation Checking, select Only when online for Check for revoked Digital IDs as shown in Figure 4.

Figure 4. Outlook Express Advanced Security Settings

4. Click OK twice.

Sending Digitally Signed E-Mail

Digitally signed e-mail allows an e-mail recipient to verify your identity. Encrypting an e-mail message prevents other people from reading it when it is in transit.

To send a Digitally Signed e-mail

1. Click Create Mail.

2. In the To: address line, type administrator@contoso.com, and then type Test Signed Email for the Subject.

3. Click the Tools menu, click Digitally Sign, and then click Send.

Reading and Verifying Digitally Signed E-Mail

You can read digitally signed or encrypted messages like any other message. Outlook and Outlook Express display a Help screen the first time you open or preview a digitally signed message or an encrypted message.

If you receive a secure message that has a problem (for example, the message was tampered with or the digital ID of the sender has expired), you will see a security warning that details the problem before you are allowed to view the contents of the message. Based on the information in the warning, you can decide whether to view the message.

After you send a digitally signed message to a contact, you can read an encrypted message from that person the same way you read a regular message.

To read and verify a Digitally Signed e-mail

1. Switch to HQ-CON-DC-01, access Outlook Express, and then click the Send/Receive button.

2. Double-click the Test Signed Email from Mike.

3. In the upper-right corner of the e-mail, click the Red Certificate icon. Verify that the contents have not been altered and that the signature is trusted as shown in Figure 5, and then click OK. At the bottom of the open e-mail message from Mike, click Continue, and then close the e-mail message from Mike.

Figure 5. Verifying a Digital ID

Note: Revocation checking is not enforced for the Administrator’s Digital ID security settings.

4. Click Tools, and then click Options.

5. Click the Security tab, and then click the Advanced tab.

6. At the bottom of the Advanced Security Settings screen, under Revocation Checking, select Only when online for Check for revoked Digital IDs as shown in Figure 4.

7. Click OK twice.

To send a Digitally Signed and encrypted e-mail

1. On HQ-CON-DC-01, right-click the e-mail message from Mike, and then click Reply to Sender.

2. Click the Tools menu, and then click Encrypt.

3. Click Send.

4. Switch to HQ-CON-WRK-01, open the e-mail reply from the Contoso Administrator, and confirm the e-mail properties. They should be similar to those shown in Figure 6.

Figure 6. Verifying a Digitally Signed and Encrypted E-Mail

Additional Resources

For more information, see the following resources.

Obtaining Digital IDs at http://office.microsoft.com/assistance/preview.aspx?AssetID=HA010547821033&CTT=6&Origin=EC010963431033

Microsoft Certificate Services (Public Key Infrastructure) at http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003

Blogged with the Flock Browser

Wednesday, April 9, 2008

How to Create a MOSS 2007 VPC Image: Part 1


I have finally been able to create a fully-functional MOSS 2007 Virtual PC image, including POP3 email service for testing MOSS email functions! To celebrate this accomplishment, I've decided to share my process, step-by-step, screenshots included. Because documenting this process with screenshots is so lengthy, it will be broken into a series of posts on this blog.

Although I ask that you don't consider this to be the ultimate authority on how to create a MOSS 2007 VPC image, you should still be able to use this procedure to build a fully-functional image for MOSS 2007 demos and development work.

Before proceeding, here are a couple of assumptions:

1. You have access to all of the required software:

  • Microsoft Virtual PC with SP1
  • Windows Server 2003
  • SQL Server 2005 with SP1
  • MOSS 2007 Enterprise
  • SharePoint Designer 2007
  • Microsoft Office 2007
  • Internet access

2. This will not be a lesson on how to use Virtual PC; I'll assume that you are already familiar with the tool and are capable of building a basic virtual machine using Windows Server 2003.

That being said... let's dive in!

Part 1: Getting Started, Installing IIS, and Installing .NET Framework 2.0

Start by building a VPC “base image” with a clean installation of Windows Server 2003

VPC settings:

Memory: set a value which is at least half of the physical memory on your host machine

Networking: 1 adapter, mapped to a network adapter on your local machine

Install Virtual Machine Additions:

VPC Actions menu > Install or Update Virtual Machine Additions

Perform Windows Update inside the virtual machine

Select Start > All Programs > Windows Update

Follow the instructions and install all available updates, including Internet Explorer 7

Install IIS with .NET Framework 2.0

Select Start > Control Panel > Add or Remove Programs:

In the Add or Remove Programs dialog box, click the Add / Remove Windows Components button on the left side:

In the Windows Components Wizard dialog box, highlight the Application Server option, then click the Details button:

In the Application Server dialog box, highlight the Internet Information Services (IIS) option, then click the Details button:

In the Internet Information Services (IIS) dialog box, highlight the World Wide Web Service option, then click the Details button:

In the World Wide Web Service dialog box, select the Active Server Pages option, the Server Side Includes option, and the World Wide Web Service option, then click the OK button:

Click OK twice more to close the dialog boxes and return to the Windows Components Wizard dialog box:

Scrolling down the list of options, locate and deselect the Internet Explorer Enhanced Security Configuration option:

Scrolling a bit further down the list of options, locate and select the Microsoft .NET Framework 2.0 option:

Click the Next button to begin the IIS installation; you may be asked to insert the Windows Server installation media.

When the installation is complete, click the Finish button:

You should now have a fully-functional IIS web server installed inside your VPC image.

In Part 2, we'll look at how to install and configure POP3 email service inside the VPC image.

Comments

Thank you - Great

hi, thank you very much for bringing light into this. Please make rest available - the seasons day are passing very fast.
Thank you - Donald
at 12/21/2006 1:27 AM

Thanks.. ^^;

.
at 2/11/2007 9:23 PM

Thx

Thanks for writing it out.
I'll give this a try.

Ad Weterings - The Netherlands
http://microsoftwatcher.spaces.live.com/
at 2/23/2007 4:15 AM

Thanks

This has been very useful. Great step-by-step directions.
at 3/20/2007 10:29 AM

.NET Framework Version

What version of W2K3 server should I be using?  Just curious because when I attempted to use Add/Remove programs to select .NET Framework 2.0, it wasn't listed among the possibilities.

Awesome effort here, by the way.
at 3/29/2007 2:20 PM

Disk Setup

Great set of articles. Thank you for posting.  What size/number of disks are recommended for this virtual environment?
at 5/17/2007 10:07 AM

Could not install SP2

I keep getting "Access is denied" when i try and install SP2 from Windows Update.
I am running on Vista, but VPC 2007 is supposed to support it.

Any ideas?
at 6/7/2007 6:32 PM

Domain Controller needed?

Great series.
Does the windows server need to be a domain controller?  Are all local accounts ok.
at 6/8/2007 12:25 PM

thanks for posting this!

great help :)

-gezelle
at 6/12/2007 11:44 PM

RE:.NET Framework 2.0, it wasn't listed among the possibilities

You have to install the 2.0 framework
download it from msft
at 6/13/2007 5:53 PM

Domain Controller

I've heard that it is important to have another server acting as domain controller. Is this true?

\anders
at 8/20/2007 8:21 AM

Which version of VPC?

Should one use VPC 2004 or 2007?
at 9/11/2007 8:40 PM

How big should my virtual disk be when making this VPC image?

What's a good size for a small to medium-sized site?
at 10/8/2007 2:26 AM

Answers to .NET Framework. VPC Version, W2K3 Version


Download .NET Framework 2.0 from http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&DisplayLang=en

I have used both. Been using VPC 2007 with WSS 3/MOSS 2007 images for the last 10 months.

W2K3. Minimum on a VPC is Standard. In production you could use Web Edition in the WFE.

Dave B
at 11/20/2007 4:51 PM

How big a VPC drive.


I have found a 25 gig split in two 15 and 10. I keep VHD's dynamic.

With 15 gig you have enough room for all of the updates. You can install MOSS on Drive D which is a best practice in production.

If you get the size wrong on the second partition you can use VhdResizer to resize. Can't resize the boot partition. Oh yes VhdResizer is freeware. AND it works.

Dave
at 11/20/2007 5:17 PM

Worker Process Isolation Mode (IIS 6.0)


IIS 6.0 worker process isolation mode takes the concept of application isolation, which was introduced in IIS 4.0, one step further. In IIS 6.0, you can isolate one application from another so that an error in one application does not affect another application running in a different process. This application isolation mode provides better isolation while not incurring a performance penalty for isolation.

Worker process isolation mode loads application code — for example, ASP and ASP.NET applications — into the worker process only. By isolating application code in the worker process, this application isolation mode ensures a reliable environment for an application server: the WWW service, IIS Admin service, and HTTP.sys can run continuously despite any service interruptions that occur in a worker process. Also, Web sites running in the worker processes are not affected by failures in other worker processes because they are isolated from each other through operating system process boundaries.

Worker process isolation mode uses all of the new IIS 6.0 core components and supports application pooling, recycling, and health monitoring features.


Troubleshooting in IIS 6.0 (IIS 6.0)

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5e1b7119-3d78-4f8c-9c5b-de3d325860c4.mspx?mfr=true

Many of the design changes in Internet Information Services (IIS) 6.0 directly address the need to secure the World Wide Web Publishing Service (WWW service) as a whole, and Web and FTP sites in particular. You might experience errors if you have not enabled certain features or services that are locked, or disabled, by default. This topic describes some of the symptoms of these errors and the processes to remedy them (or a link to a topic that describes how to remedy the error). For a comprehensive list of changes in IIS 6.0, including a list of security changes and a brief explanation of the new process model, see What's Changed in IIS 6.0.

Dynamic or Static Content Errors

Connection Errors

Miscellaneous Errors



Installing IIS (IIS 6.0)


This topic describes 3 methods for installing IIS:

Using the Configure Your Server Wizard.

Using Add or Remove Programs from Control Panel.

Using unattended setup.

This topic also lists the directories created on install, describes the IIS initial configuration backup, and briefly describes IIS optional components.

Important

To help minimize the attack surface of the server, IIS 6.0 is not installed on Windows Server 2003 by default. When you first install IIS 6.0, it is locked down — which means that only request handling for static Web pages is enabled, and only the World Wide Web Publishing Service (WWW service) is installed. None of the features that sit on top of IIS are turned on, including ASP, ASP.NET, CGI scripting, FrontPage® 2002 Server Extensions from Microsoft, and WebDAV publishing. If you do not enable these features, IIS returns a 404 error. You can enable these features through the Web Services Extensions node in IIS Manager. For more information about how to troubleshoot 404 errors and other issues, see Troubleshooting in IIS 6.0.

Microsoft strongly recommends installing IIS on an NTFS-formatted drive. NTFS is a more powerful and secure file system than FAT and FAT32. For more information, see Securing Files with NTFS Permissions.

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc systemroot\system32\inetsrv\iis.msc".

Procedures

To install IIS using the Configure Your Server Wizard

1. From the Start menu, click Manage Your Server.

2. Under Managing Your Server Roles, click Add or remove a role.

3. Read the preliminary steps in the Configure Your Server Wizard and click Next.

4. Under Server Role, click Application server (IIS, ASP.NET) and then click Next.

   By default, the wizard installs and enables IIS, COM+, and DTC.

5. If you want to serve either of the optional technologies (FrontPage Server Extensions or ASP.NET), on the Application Server Options page, select the appropriate check boxes, and then click Next.

6. Read the summary and click Next.

7. Complete the wizard, and then click Finish.

  Note

The Configure Your Server Wizard enables ASP.NET by default, unlike the Add/Remove Windows components install method below.

For more information on the Configure Your Server Wizard, see "Configuring Your Server Wizard" in Windows Help.

To install IIS, add components, or remove components using Control Panel

1. From the Start menu, click Control Panel.

2. Double-click Add or Remove Programs.

3. Click Add/Remove Windows Components.

4. In the Components list box, click Application Server.

5. Click Details.

6. Click Internet Information Services Manager.

7. Click Details to view the list of IIS optional components. For a detailed description of IIS optional components, see "Optional Components" in this topic.

8. Select all optional components you wish to install.

  Note

The World Wide Web Publishing Service optional component includes important subcomponents such as the Active Server Pages component and Remote Administration (HTML). To view and select these subcomponents, click World Wide Web Publishing Service and then click Details.

9. Click OK until you are returned to the Windows Component Wizard.

10. Click Next and complete the Windows Component Wizard.

Unattended Setup

To simplify the process of setting up IIS on multiple computers running a member of the Windows Server 2003 family, you can run setup unattended. To do this, create and use an answer file, which is a customized script that automatically answers the setup questions.

For information on how to create an answer file and to view a table of all IIS unattended setup parameters, see Appendix E: Unattended Setup.

IIS Directories

IIS installs the following directories:

\InetPub

systemroot\Help\IISHelp

systemroot\System32\InetSrv

systemroot\System32\InetSrv\MetaBack

These directories contain user content and cannot be moved. You can, however, select the location of your Wwwroot and Ftproot directories at installation by using a script during unattended setup. If you uninstall IIS, the IISHelp directory is removed. The InetPub and InetSrv directories remain on your computer.

IIS Initial Configuration Backup

When you first install IIS, a backup of the initial metabase configuration is automatically created in the systemroot\System32\InetSrv\MetaBack directory. This backup can be used to restore the IIS configuration to its state immediately following IIS installation. This is a useful tool for solving metabase corruption or configuration problems, and can help you recover a known good configuration without needing to reinstall IIS. This backup is not password protected, and can only be used to restore settings on the system on which it was created. See Backing Up and Restoring the Metabase in IIS 6.0 for information about restoring the initial IIS configuration backup.

It is strongly recommended that following IIS installation, and before any configuration changes are made, you create a password-protected backup of the IIS configuration. Unlike the automatic initial configuration backup, a password-protected backup is system independent, and can be used to restore settings on other systems running IIS 6.0. See Backing Up and Restoring the Metabase in IIS 6.0 for information about creating a password-protected backup of the IIS configuration.
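The following VBScript, added here as an example and not part of this topic, creates the recommended password-protected backup through the IIsComputer.BackupWithPassword method and then checks that the backup file was written to the MetaBack directory. The script name, the backup name and the password are whatever you supply on the command line.

```vbscript
' Added example (not from the original topic): create a password-protected,
' system-independent backup of the IIS 6.0 metabase and confirm that it was
' written to the MetaBack directory next to the automatic initial backup.
' Run as an administrator:
'   cscript //nologo mdbackup.vbs "<backup name>" "<password>"
' Assumes the IIsComputer.BackupWithPassword method and the MetaBack
' file naming scheme <name>.MD<version>.
Option Explicit

' Metabase backup flag values (documented constants, written as literals)
Const MD_BACKUP_NEXT_VERSION = &HFFFFFFFF   ' use the next free version number
Const MD_BACKUP_SAVE_FIRST   = &H2          ' flush pending changes first
Const MD_BACKUP_FORCE_BACKUP = &H4          ' back up even if the flush fails

Dim comp, fso, shell, backName, password, metaBack, f, found

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript mdbackup.vbs ""<backup name>"" ""<password>"""
    WScript.Quit 1
End If
backName = WScript.Arguments(0)
password = WScript.Arguments(1)

Set comp = GetObject("IIS://localhost")
On Error Resume Next
comp.BackupWithPassword backName, MD_BACKUP_NEXT_VERSION, _
    MD_BACKUP_SAVE_FIRST Or MD_BACKUP_FORCE_BACKUP, password
If Err.Number <> 0 Then
    WScript.Echo "Backup failed: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Verify: backups land in %SystemRoot%\System32\InetSrv\MetaBack as <name>.MD<version>
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
metaBack = shell.ExpandEnvironmentStrings("%SystemRoot%") & "\System32\InetSrv\MetaBack"
found = False
For Each f In fso.GetFolder(metaBack).Files
    If LCase(Left(f.Name, Len(backName) + 3)) = LCase(backName & ".MD") Then
        WScript.Echo "Backup written: " & f.Path & " (" & f.Size & " bytes)"
        found = True
    End If
Next
If Not found Then WScript.Echo "Warning: no '" & backName & ".MD*' file found in " & metaBack
```

Keep the password outside the script and out of any logon script; the same password is required to restore the backup on another IIS 6.0 system.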

Optional Components

IIS includes optional components that you can enable or disable at any time through the Add or Remove Programs item in Control Panel, or by using unattended setup. These components, and the impact they have on your current IIS settings, are described below.

Files for Active Server Pages (ASP), Internet Data Connector, server-side includes, and WebDAV are installed, but disabled by default on a clean installation. All IIS functionality is enabled by default on an upgrade. When one of these components is selected or cleared in the Windows Components Wizard or by using an unattended file, the component is enabled or disabled in the WebSvcExtRestrictionList metabase property.
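The following VBScript, added here as an example and not part of this topic, reads the WebSvcExtRestrictionList property through ADSI to show which extensions are still prohibited (the locked-down state that produces the 404 errors described earlier in this topic) and, when a group ID such as ASP is passed on the command line, allows it with the EnableWebServiceExtension method. The entry layout is the documented one; the script name is an assumption.

```vbscript
' Added example (not from the original topic): report the lock-down state of
' every Web service extension on the local IIS 6.0 server and, optionally,
' allow one extension group, which is what the Web Service Extensions node
' in IIS Manager does when you click Allow.
' Run as an administrator:  cscript //nologo wsext.vbs [GroupID]
' e.g.  cscript //nologo wsext.vbs ASP
' Assumed (documented) entry layout of WebSvcExtRestrictionList:
'   Allowed,Path,Deletable,GroupID,Description   (Allowed: 1 = yes, 0 = no)
' The two built-in wildcard entries ("0,*.dll" and "0,*.exe") have two fields.
Option Explicit

Dim svc, entry, fields, groupId, label, detail

Set svc = GetObject("IIS://localhost/W3SVC")

WScript.Echo Left("State" & Space(12), 12) & Left("GroupID" & Space(26), 26) & "Path (Description)"

For Each entry In svc.WebSvcExtRestrictionList
    fields = Split(entry, ",")
    If fields(0) = "1" Then label = "Allowed" Else label = "Prohibited"
    If UBound(fields) >= 4 Then
        ' Full record: a registered ISAPI extension or CGI program.
        detail = fields(1) & " (" & fields(4) & ")"
        WScript.Echo Left(label & Space(12), 12) & Left(fields(3) & Space(26), 26) & detail
    Else
        ' Wildcard record covering all unknown ISAPI (*.dll) or CGI (*.exe) files.
        WScript.Echo Left(label & Space(12), 12) & Left("(all unknown)" & Space(26), 26) & fields(1)
    End If
Next

' Optional second step: allow one extension group by its GroupID.
If WScript.Arguments.Count = 1 Then
    groupId = WScript.Arguments(0)
    On Error Resume Next
    svc.EnableWebServiceExtension groupId
    If Err.Number <> 0 Then
        WScript.Echo "Could not enable '" & groupId & "': " & Err.Description
        WScript.Quit 1
    End If
    On Error GoTo 0
    WScript.Echo "Enabled Web service extension '" & groupId & "'."
End If
```

Run it without arguments first; every extension that the server does not need should stay Prohibited, since each allowed handler widens the attack surface the lock-down was designed to reduce.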

BITS Server Extensions

The Background Intelligent Transfer Service (BITS) is a background file transfer mechanism and queue manager, also known as a drizzle service. BITS throttles file requests to minimize bandwidth consumption and enhance the end-user experience. Enable BITS with IIS to maintain Web server quality of service. From the Windows Components Wizard, click Details to enable the following BITS Server components:

BITS Server Extensions ISAPI: Enable this option to drizzle (throttle) IIS requests with the help of the BITS server.

BITS Server Extensions Snap-in: Enable this option to access and view the BITS graphical user interface (GUI).

Common Files

For the sake of added security in your server environment, you may choose to deselect some of the common files. However, if you deselect the Common Files option, all of the common files are subsequently deselected and IIS will not be installed on your machine. Therefore, if you want to install IIS on your computer, leave this option selected. If you want to limit the services and components installed with IIS, deselect the individual components that are listed below the Common Files component.

File Transfer Protocol (FTP) Server

The File Transfer Protocol (FTP) is used to copy files to and from remote computer systems on a network that uses Transmission Control Protocol/Internet Protocol (TCP/IP).

FrontPage 2002 Server Extensions

FrontPage 2002 Server Extensions allow you to view and manage a Web site in a graphical user interface using FrontPage as the authoring environment. FrontPage allows you to quickly create Web sites on your server, as well as create, edit, and post Web pages to IIS remotely. While you are creating your site, FrontPage keeps a connection open to IIS, saving and changing the Web files so you can view your site. If you choose not to install the FrontPage Server Extensions, you will have to manually copy all of your Web content, configure your settings, and in some cases, manually register applications already registered in FrontPage. Microsoft FrontPage Server Extensions are not supported for resources in Microsoft Clustering.

Internet Information Services Manager

IIS Manager is a graphical user interface to administer your Web site. In previous releases of IIS, this tool was called the Internet Service Manager. Without IIS Manager, you can still manage your server, but you must use coded scripts that call on the IIS APIs to create sites, applications, virtual directories, and security settings.

NNTP Service

Use Network News Transfer Protocol (NNTP) to distribute network news messages to NNTP servers and to NNTP clients (news readers) on the Internet. NNTP provides for the distribution, inquiry, retrieval, and posting of news articles by using a reliable stream-based transmission of news on the Internet. NNTP is designed so that news articles are stored on a server in a central database, thus users can select specific items to read. Indexing, cross-referencing, and expiration of aged messages are also provided.

If you have NNTP installed, you can view Microsoft News (NNTP) Service Help by typing file:\\%systemroot%\help\news.chm in your browser address bar and pressing ENTER.

SMTP Service

Use Simple Mail Transfer Protocol (SMTP) to set up intranet mail services that work in conjunction with IIS. SMTP is a TCP/IP protocol for sending messages from one computer to another on a network. This protocol is used on the Internet to route e-mail.

If you have SMTP installed, you can view Microsoft Mail (SMTP) Service Help by typing file:\\%systemroot%\help\mail.chm in your browser address bar and pressing ENTER.

World Wide Web Publishing Service

IIS serves pages to the Internet and the World Wide Web. This component must be installed for IIS to perform its primary service. If you do not select this option, you disable IIS.

The World Wide Web Publishing Service (WWW service) includes the following subcomponents:

About ASP: Select to enable ASP on your server. If this option is not selected, all .asp requests return a 404 error.

Internet Data Connector: Select to enable Internet Data Connector on your server. If this option is not selected, all .idc requests return a 404 error.

Administering Servers Remotely in IIS 6.0: Select to enable remote Web administration of your IIS Web server from any Web browser on your intranet. Once you install IIS and view your Web sites through IIS Manager, IIS creates a site called Administration.

Remote Desktop Web Connection: Select to enable connectivity to a computer's desktop from a remote location and run applications as if you were sitting at the console.

Using Server-Side Include Directives: Select to enable server-side include files on your server. If this option is not selected, all .shtm, .shtml, and .stm requests return a 404 error.

Web Authoring with WebDAV: Select to allow Web Distributed Authoring and Versioning (WebDAV) on your server. WebDAV is similar to File Transfer Protocol, with the exception being that WebDAV allows any WebDAV client to publish and change content in a WebDAV directory using HTTP.

Web Site Administration: Select to install the World Wide Web Publishing Service. If this option is not selected, IIS does not run on your server.

Related Information

For information about unattended setup, see "Planning for Unattended Setup" in Windows Help.


SMTP Server Setup (IIS 6.0)

The Simple Mail Transfer Protocol (SMTP) service provided by IIS is a simple component for delivering outgoing e-mail messages. Delivery of a message is initiated by transferring the message to a designated SMTP server. Based on the domain name of the recipient e-mail address, the SMTP server initiates communications with a Domain Name System (DNS) server, which looks up and then returns the host name of the destination SMTP server for that domain.

Next, the originating SMTP server communicates with the destination SMTP server directly through Transmission Control Protocol/Internet Protocol (TCP/IP) on port 25. If the user name of the recipient e-mail address matches one of the authorized user accounts on the destination server, the original e-mail message is transferred to that server, waiting for the recipient to pick up the message through a client program.

In the case where the originating SMTP server cannot communicate directly with the destination server, the SMTP service can transfer messages through one or more intermediate relay SMTP servers. A relay server receives the original message and then delivers it to the destination server, or redirects it to another relay server. This process is repeated until the message is delivered or a designated timeout period passes.

The SMTP service is not installed by default. You must install the SMTP service using the Control Panel. Installing the SMTP service creates a default SMTP configuration which you can then customize to your needs using IIS Manager.

Many articles about deploying and configuring the SMTP service are available by searching for "smtp" on the Microsoft Developer Network (MSDN) Web site.

Procedures

To install the SMTP service

1. From the Start menu, click Control Panel.

2. Double-click Add or Remove Programs.

3. From the left pane, click Add/Remove Windows Components.

4. From the Components list, click Application Server, and then click Details.

5. From the Subcomponents of Application Server list, click Internet Information Services (IIS), and then click Details.

6. From the Subcomponents of Internet Information Services (IIS) list, select the SMTP Service check box.

7. Click OK.

8. Click Next. You might be prompted for the Windows Server 2003 family CD or the network install path.

9. Click Finish.

When you install the SMTP service, a default SMTP server configuration is created with a message store in LocalDrive:\Inetpub\Mailroot.

When setting up the SMTP service for the first time, you can configure global settings for an SMTP virtual server, as well as settings for individual components of the virtual server.

  Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To configure global SMTP settings

1. In IIS Manager, expand the local computer, right-click Default SMTP Virtual Server, and click Properties.

2. Change the default settings on the property pages as needed. For information about individual settings, click Help.

To configure SMTP virtual server components settings

1. In IIS Manager, expand the local computer, expand Default SMTP Virtual Server, right-click the component you want to configure, and click Properties.

2. Change the default settings on the property pages as needed. For information about individual settings, click Help.


MOSS 2007 Evaluation VPC

Announcing the availability of a MOSS VPC (Inc 2007 client) in the VHD Program run by the Server Virtualization team and available for download on Microsoft.com.

The VPC includes the MOSS Product Evaluation Guide (on the desktop) and is configured so the walk through at the end of the guide works with the image.

Direct Download Link.

http://www.microsoft.com/downloads/details.aspx?FamilyID=67f93dcb-ada8-4db5-a47b-df17e14b2c74&DisplayLang=en
