Whether they’re used to host internal websites, app websites, or your organization’s public website, web servers allow for information exchange. Misconfiguration, therefore, poses a security risk.
When I think of misconfiguration, I always get the feeling that people clicked somewhere they didn’t need to click, or they thought they clicked an option but didn’t. These two types of misconfiguration can be easily eliminated when you deploy web servers on Server Core installations of Windows Server 2012.
You can use any Server Core installation as a web server. Windows Server 2008, Windows Web Server 2008, Windows Server 2008 R2, and Windows Server 2012 all came with Internet Information Services (IIS), which is the main Server Role to turn Windows Server into a web server.
With that being said, you might not want to use Server Core installations of Windows Server 2008 or Windows Web Server 2008 as a web server, since these two Windows Server editions do not offer the ability to run ASP or ASP.NET within Internet Information Services. Thus, you cannot host dynamic .NET websites on these platforms. However, you can run dynamic websites based on PHP on Server Core installations of Windows Server 2008 or Windows Web Server 2008.
The ability to run dynamic .NET websites was first introduced in Windows Server 2008 R2, along with PowerShell support for IIS. The latter functionality allows you to configure websites through clear PowerShell cmdlets instead of appcmd.exe and the many IIS VBS scripts.
Overview of Internet Information Services (IIS) on Server Core
The IIS Server Role on Server Core is the most elaborate and modular Server Role you will find on this platform. It consists of four categories of Role Services, spanning a grand total of 44 independent Role Services:
| Server Role and Role Services Display Name | Role Name (to install) |
|---|---|
| Web Server (IIS) | Web-Server * |
| - Web Server | Web-WebServer * |
| -- Common HTTP Features | Web-Common-Http * |
| --- Default Document | Web-Default-Doc * |
| --- Directory Browsing | Web-Dir-Browsing * |
| --- HTTP Errors | Web-Http-Errors * |
| --- Static Content | Web-Static-Content * |
| --- HTTP Redirection | Web-Http-Redirect |
| --- WebDAV Publishing | Web-DAV-Publishing |
| -- Health and Diagnostics | Web-Health * |
| --- HTTP Logging | Web-Http-Logging * |
| --- Custom Logging | Web-Custom-Logging |
| --- Logging Tools | Web-Log-Libraries |
| --- ODBC Logging | Web-ODBC-Logging |
| --- Request Monitor | Web-Request-Monitor |
| -- Performance | Web-Performance * |
| --- Static Content Compression | Web-Stat-Compression * |
| --- Dynamic Content Compression | Web-Dyn-Compression |
| -- Security | Web-Security * |
| --- Request Filtering | Web-Filtering * |
| --- Basic Authentication | Web-Basic-Auth |
| --- Centralized SSL Certificate Support | Web-CertProvider |
| --- Client Certificate Mapping Authentic… | Web-Client-Auth |
| --- Digest Authentication | Web-Digest-Auth |
| --- IIS Client Certificate Mapping Auth | Web-Cert-Auth |
| --- IP and Domain Restriction | Web-IP-Security |
| --- URL Authorization | Web-Url-Auth |
| --- Windows Authentication | Web-Windows-Auth |
| -- Application Development | Web-App-Dev |
| --- .NET Extensibility 3.5 | Web-Net-Ext |
| --- .NET Extensibility 4.5 | Web-Net-Ext45 |
| --- Application Initialization | Web-AppInit |
| --- ASP.NET 3.5 | Web-ASP-Net |
| --- ASP.NET 4.5 | Web-ASP-Net45 |
| --- ISAPI Extensions | Web-ISAPI-Ext |
| --- ISAPI Filters | Web-ISAPI-Filter |
| --- Server Side Includes | Web-Includes |
| --- WebSocket Protocol | Web-WebSockets |
| - FTP Server | Web-FTP-Server |
| -- FTP Service | Web-FTP-Service |
| -- FTP Extensibility | Web-FTP-Ext |
| - IIS Hostable Web Core | Web-WHC |
| - Management Tools | Web-Mgmt-Tools |
| -- IIS Management Console | Web-Mgmt-Console |
| -- IIS 6 Management Compatibility | Web-Mgmt-Compat |
| --- IIS 6 Metabase Compatibility | Web-Mgmt-Metabase |
| --- IIS 6 Management Console | Web-Mgmt-Lgcy-Console |
| --- IIS 6 Scripting Tools | Web-Mgmt-Lgcy-Scripting |
| --- IIS 6 WMI Compatibility | Web-WMI |
| -- IIS Management Scripts and Tools | Web-Scripting-Tools |
| -- Management Service | Web-Mgmt-Service |
Although the FTP Server Role Service is listed above, this article does not cover installing and configuring an FTP Server on Server Core. That is the topic of the next article in this series.
Installing Internet Information Services (IIS) on Server Core
Now, installing the right Role Services for the job at this moment might look like a daunting job, but the team behind the installation of the Internet Information Services (IIS) Server Role has been kind enough to install the most commonly used Role Services when you install its main Server Role. The Role Services installed by default are denoted with asterisks in the lists above.
To install the Internet Information Services (IIS) Server Role with default options, run the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):
Install-WindowsFeature Web-Server -IncludeManagementTools
[Screenshot: Install IIS with PowerShell]
If you want a web server that is perfectly suited for hosting mere static content (like .htm and .html files and .jpg, .png, and .gif pictures), you’d be done.
IIS has been installed and you can access your Server Core Web Server from your favorite browser:
[Screenshot: Default IIS page]
Now, most web server applications and content management solutions are based on ASP and ASP.NET. To this purpose, you can install the ASP (Web-ASP), ASP.NET 3.5 (Web-ASP-Net), and/or ASP.NET 4.5 (Web-ASP-Net45) Role Services. When you install the latter, some of the .NET Framework 4.5 Features (NET-Framework-45-Features), ISAPI Extensions (Web-ISAPI-Ext), and ISAPI Filters (Web-ISAPI-Filter) will automatically be installed too.
If you want to use the web server to host PHP-based applications, you would need to install PHP. WordPress is a prime example, and your Server Core installation would be happy to host it for you.
For best security practices, you might want to disable the Directory Browsing Role Service to avoid visitors having access to directories on your web server(s) when they don’t have any of the default documents in them. To perform this action, type the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):
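The command itself is missing from this copy of the article. As an added example (not the author's original command), the following removes the Directory Browsing role service by its Role Name from the table above and then lists any other installed Web-* role services that fall outside a baseline. The `$Baseline` list and the `Get-UnexpectedWebFeature` helper are assumptions made for illustration; adjust the baseline to what your sites need.

```powershell
# Added example, not from the original article.
# Assumed baseline for a static-content server; names come from the
# "Role Name (to install)" column of the table above.
$Baseline = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc',
    'Web-Http-Errors', 'Web-Static-Content', 'Web-Health', 'Web-Http-Logging',
    'Web-Performance', 'Web-Stat-Compression', 'Web-Security', 'Web-Filtering',
    'Web-Mgmt-Tools', 'Web-Scripting-Tools'
)

# Hypothetical helper: installed Web-* role services that are not in the baseline.
function Get-UnexpectedWebFeature {
    param([string[]]$Allowed)
    Get-WindowsFeature -Name 'Web-*' |
        Where-Object { $_.Installed -and $_.Name -notin $Allowed }
}

# 1. Remove Directory Browsing, the role service this paragraph singles out.
Uninstall-WindowsFeature -Name Web-Dir-Browsing

# 2. Report anything else that is installed but not part of the baseline.
$extra = Get-UnexpectedWebFeature -Allowed $Baseline
$extra | Format-Table Name, DisplayName -AutoSize

# 3. Preview the removal of the remaining extras; drop -WhatIf to apply it.
if ($extra) {
    Uninstall-WindowsFeature -Name $extra.Name -WhatIf
}
```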
An easy way out of the madness of Internet Information Services (IIS) Role Services and extensions is a program that Microsoft offers called WebMatrix. This free program can be run on both Server with a GUI and Server Core installations and installs the Web Platform Installer (WebPI). Through this program (which starts automatically after installing), you can simply add the most popular web applications with default settings for the virtual directories, application pools, and databases and database connections.
Managing Internet Information Services (IIS)
Internet Information Services (IIS) and its associated features can be managed both from the console of your Server Core installation and remotely.
From the console
On the console of your Server Core installation, you’d have four resources to manage your web server:
- The many IIS-related PowerShell cmdlets
- appcmd.exe
- The many IIS VBS scripts
- The manual editing of web.config files with notepad.exe
While I won’t bore you with the typical thick-finger problems when working with notepad.exe, the antiquated interfaces of appcmd.exe, and the likes of iisvdir.vbs, iisweb.vbs, and iisext.vbs, I will dive into the wonderful world of IIS PowerShell management.
In Windows Server 2012, a total of 77 IIS-related PowerShell cmdlets are available to manage most of the Web Server Role Service.
For instance, the following line of PowerShell code will create a new website named ServerCore that is connected to TCP Port 80, only listens to the www.servercore.net host header, and stores its files in a folder named wwwroot in the typical folder structure for a WordPress installation through the Web Platform Installer (type PowerShell at the command prompt if you haven’t done so):
New-WebSite -Name ServerCore -Port 80 -HostHeader www.servercore.net -PhysicalPath "C:\Inetpub\wwwroot\wordpress"
And since we’d also want to allow visitors to www.servercore.net to only type servercore.net into their address bar, we would also bind the servercore.net host header:
New-WebBinding -Name "ServerCore" -IPAddress "*" -Port 80 -HostHeader servercore.net
Figuring out how to configure IIS on the console of your Server Core installation might become tedious at points. Luckily, you can also manage IIS remotely from a Graphical User Interface (GUI).
To this purpose, you will need to meet the following two requirements:
- Install the IIS Management Console on the management server.
- Install the IIS Management Service on your Server Core web server.
To install the IIS Management Service on your Server Core web server(s), type the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):
By default, the Web Management Service will not accept remote connections. To allow this, we’ll have to resort to using Regedit. Open the registry by typing regedit.exe at the command prompt. Then, in the left pane, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server. Here, change the value for EnableRemoteManagement from 0x00000000 to 0x00000001. Close Regedit with Alt+F4 or by clicking the X symbol in the top right of the program.
You can control the entire Web Management Service in this part of the Registry, including the port it listens on and the IP address(es) the service responds to.
When you think you’re done, you’re mistaken. The service is not started automatically, nor is it scheduled to start automatically, so you’ll need to issue the following two commands to make that happen:
sc.exe config WMSVC start= auto
net start WMSVC
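The whole remote-management procedure above (install the Management Service, enable remote connections in the registry, set the service to start automatically and start it) can also be scripted from one PowerShell session. This is an added example, not the author's original commands; it uses only the role name, registry key, value name and service name given on this page.

```powershell
# Added example, not from the original article.
# Run in an elevated PowerShell session on the Server Core web server.

# Install the Management Service role service (Role Name from the table above).
Install-WindowsFeature -Name Web-Mgmt-Service

# Same change as the Regedit step: EnableRemoteManagement 0x00000000 -> 0x00000001.
# Done before the first start so the service reads the new value.
$key = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $key -Name EnableRemoteManagement -Value 1 -Type DWord

# Cmdlet equivalents of "sc config WMSVC start= auto" and "net start WMSVC".
# In PowerShell a bare "sc" is an alias for Set-Content, so use these cmdlets
# (or sc.exe) rather than typing "sc".
Set-Service -Name WMSVC -StartupType Automatic
Start-Service -Name WMSVC

# Verify the result: the registry value, the service state and its start mode.
Get-ItemProperty -Path $key | Select-Object EnableRemoteManagement
Get-CimInstance -ClassName Win32_Service -Filter "Name='WMSVC'" |
    Select-Object Name, State, StartMode

# Review every setting the service reads from this key before exposing it
# to the network; the key also holds the listening port and IP address(es).
Get-ItemProperty -Path $key
```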
The IIS Manager is part of the IIS Server Role on Server with a GUI installations of Windows Server 2012. You can install the IIS Management Console through Server Manager. To install the IIS Manager, click Manage in the top right corner of Server Manager. From the context menu, select Add Roles and Features. Click Next > in the Before you begin, Select installation type and Select destination server screens. In the Select server roles screen, select Web Server (IIS) from the list.
In the pop-up, click Add features, since these are exactly the features we’re looking for. Now click Next > three times to skip through to the Internet Information Services Role Services selection. In this screen, deselect the top Web Server in the list. This will result in the IIS Management Console as the only desired Role Service. Click Next > and then Install.
Unfortunately, the IIS Manager in Windows 8 is unable to connect to web servers remotely, so it can’t be used to manage your Server Core web server(s).
Now, after you’ve got the IIS Management Console installed, click Close and start the Internet Information Services (IIS) Manager from the Start Screen.
In the Internet Information Services (IIS) Manager, right-click Start Page in the Connections pane on the left. Choose Connect to a Server…. Run through the Connect to Server wizard by supplying the name or IP address of your Server Core web server and appropriate credentials. When the IIS Manager can connect successfully, you can also name the connection.
You can then manage your Server Core web server remotely, as you would with any other Windows Server 2012–based web server:
[Screenshot: Manage IIS remotely]
Windows Server 2012–based Server Core web servers can be used to host highly available, highly secure web servers. You don’t have to perform all the configuration and management tasks on the console to make the web server secure, but you might want to.