Running Internet Information Services (IIS) on Server Core instead of the regular Windows Server 2012 has some advantages. In today’s part of my Server Core series, I will show you how to install a web server on Server Core.

Whether they’re used to host internal websites, app websites, or your organization’s public website, web servers allow for information exchange. Misconfiguration, therefore, poses a security risk.

When I think of misconfiguration, I always get the feeling that people clicked somewhere they didn’t need to click, or they thought they clicked an option but didn’t. These two types of misconfiguration can be easily eliminated when you deploy web servers on Server Core installations of Windows Server 2012.

You can use any Server Core installation as a web server. Windows Server 2008, Windows Web Server 2008, Windows Server 2008 R2, and Windows Server 2012 all came with Internet Information Services (IIS), which is the main Server Role to turn Windows Server into a web server.

With that being said, you might not want to use Server Core installations of Windows Server 2008 or Windows Web Server 2008 as a web server, since these two Windows Server editions do not offer the ability to run ASP or ASP.NET within Internet Information Services. Thus, you cannot host dynamic .NET websites on these platforms. However, you can run dynamic websites based on PHP on Server Core installations of Windows Server 2008 or Windows Web Server 2008.

The ability to run dynamic .NET websites was first introduced in Windows Server 2008 R2, along with PowerShell support for IIS. The latter functionality allows you to configure websites through clear PowerShell cmdlets instead of appcmd.exe and the many IIS VBS scripts.

Overview of Internet Information Services (IIS) on Server Core

The IIS Server Role on Server Core is the most elaborate and modular Server Role you will find on this platform. It consists of four categories of Role Services, spanning a grand total of 44 independent Role Services:

Server Role and Role Services Display Name | Role Name (to install)
Web Server (IIS) | Web-Server *
- Web Server | Web-WebServer *
  - Common HTTP Features | Web-Common-Http *
    - Default Document | Web-Default-Doc *
    - Directory Browsing | Web-Dir-Browsing *
    - HTTP Errors | Web-Http-Errors *
    - Static Content | Web-Static-Content *
    - HTTP Redirection | Web-Http-Redirect
    - WebDAV Publishing | Web-DAV-Publishing
  - Health and Diagnostics | Web-Health *
    - HTTP Logging | Web-Http-Logging *
    - Custom Logging | Web-Custom-Logging
    - Logging Tools | Web-Log-Libraries
    - ODBC Logging | Web-ODBC-Logging
    - Request Monitor | Web-Request-Monitor
    - Tracing | Web-Http-Tracing
  - Performance | Web-Performance *
    - Static Content Compression | Web-Stat-Compression *
    - Dynamic Content Compression | Web-Dyn-Compression
  - Security | Web-Security *
    - Request Filtering | Web-Filtering *
    - Basic Authentication | Web-Basic-Auth
    - Centralized SSL Certificate Support | Web-CertProvider
    - Client Certificate Mapping Authentic… | Web-Client-Auth
    - Digest Authentication | Web-Digest-Auth
    - IIS Client Certificate Mapping Auth | Web-Cert-Auth
    - IP and Domain Restriction | Web-IP-Security
    - URL Authorization | Web-Url-Auth
    - Windows Authentication | Web-Windows-Auth
  - Application Development | Web-App-Dev
    - .NET Extensibility 3.5 | Web-Net-Ext
    - .NET Extensibility 4.5 | Web-Net-Ext45
    - Application Initialization | Web-AppInit
    - ASP | Web-ASP
    - ASP.NET 3.5 | Web-ASP-Net
    - ASP.NET 4.5 | Web-ASP-Net45
    - CGI | Web-CGI
    - ISAPI Extensions | Web-ISAPI-Ext
    - ISAPI Filters | Web-ISAPI-Filter
    - Server Side Includes | Web-Includes
    - WebSocket Protocol | Web-WebSockets
- FTP Server | Web-FTP-Server
  - FTP Service | Web-FTP-Service
  - FTP Extensibility | Web-FTP-Ext
- IIS Hostable Web Core | Web-WHC
- Management Tools | Web-Mgmt-Tools
  - IIS Management Console | Web-Mgmt-Console
  - IIS 6 Management Compatibility | Web-Mgmt-Compat
    - IIS 6 Metabase Compatibility | Web-Mgmt-Metabase
    - IIS 6 Management Console | Web-Mgmt-Lgcy-Console
    - IIS 6 Scripting Tools | Web-Mgmt-Lgcy-Scripting
    - IIS 6 WMI Compatibility | Web-WMI
  - IIS Management Scripts and Tools | Web-Scripting-Tools
  - Management Service | Web-Mgmt-Service

Note:
Although the FTP Server Role Service is listed above, this article does not cover installing and configuring an FTP Server on Server Core. That is the topic of the next article in this series.

Installing Internet Information Services (IIS) on Server Core

Picking the right Role Services might look daunting at this point, but the team behind the installation of the Internet Information Services (IIS) Server Role has been kind enough to install the most commonly used Role Services when you install its main Server Role. The Role Services installed by default are denoted with asterisks in the list above.

To install the Internet Information Services (IIS) Server Role with default options, run the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):

Install IIS with PowerShell


If you want a web server that is perfectly suited for hosting mere static content (like .htm and .html files and .jpg, .png, and .gif pictures), you’d be done.

IIS has been installed and you can access your Server Core Web Server from your favorite browser:

Default IIS page


Now, most web server applications and content management solutions are based on ASP and ASP.NET. For this purpose, you can install the ASP (Web-ASP), ASP.NET 3.5 (Web-ASP-Net), and/or ASP.NET 4.5 (Web-ASP-Net45) Role Services. When you install the latter, some of the .NET Framework 4.5 Features (NET-Framework-45-Features), ISAPI Extensions (Web-ISAPI-Ext), and ISAPI Filters (Web-ISAPI-Filter) will automatically be installed too.

If you want to use the web server to host PHP-based applications, you would need to install PHP. WordPress is a prime example, and your Server Core installation would be happy to host it for you.

As a security best practice, you might want to remove the Directory Browsing Role Service so that visitors can’t list the contents of directories on your web server(s) that don’t have any of the default documents in them. To perform this action, type the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):
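The install and removal commands are not reproduced on this page. As an added example (not the author's original commands), the following installs the role with its defaults, removes Directory Browsing, and reports any drift from a baseline of Role Services. The baseline list and the function name Compare-IisBaseline are assumptions, built from the role names marked with asterisks in the table above.

```powershell
# Added example, not the article's original commands.
# Run in an elevated PowerShell session on Windows Server 2012.
Import-Module ServerManager

# Assumed baseline for a static-content web server: the default Role Services
# (marked * in the table) minus Directory Browsing.
$Baseline = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http', 'Web-Default-Doc',
    'Web-Http-Errors', 'Web-Static-Content', 'Web-Health', 'Web-Http-Logging',
    'Web-Performance', 'Web-Stat-Compression', 'Web-Security', 'Web-Filtering'
)

function Compare-IisBaseline {
    param([string[]]$Allowed)
    # Every feature whose name starts with Web- belongs to the IIS Server Role.
    $installed = Get-WindowsFeature -Name 'Web-*' |
        Where-Object { $_.Installed } |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Unexpected = @($installed | Where-Object { $Allowed -notcontains $_ })
        Missing    = @($Allowed   | Where-Object { $installed -notcontains $_ })
    }
}

# 1. Install the role with its default Role Services.
Install-WindowsFeature -Name Web-Server | Out-Null

# 2. Remove Directory Browsing so folders without a default document are not listed.
Uninstall-WindowsFeature -Name Web-Dir-Browsing | Out-Null

# 3. Report anything installed beyond the baseline, or missing from it.
$drift = Compare-IisBaseline -Allowed $Baseline
if ($drift.Unexpected) { Write-Warning "Not in baseline: $($drift.Unexpected -join ', ')" }
if ($drift.Missing)    { Write-Warning "Missing from baseline: $($drift.Missing -join ', ')" }
if (-not $drift.Unexpected -and -not $drift.Missing) { 'IIS Role Services match the baseline.' }
```

Extend the baseline deliberately when you add Role Services later (for example ASP.NET 4.5 or the Management Service), so the report keeps flagging only what was not intended.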

An easy way out of the madness of Internet Information Services (IIS) Role Services and extensions is a program that Microsoft offers called WebMatrix. This free program can be run on both Server with a GUI and Server Core installations and installs the Web Platform Installer (WebPI). Through this program (which starts automatically after installing), you can simply Add the most popular web applications with default settings for the virtual directories, application pools, and database connections:

WebMatrix


Managing Internet Information Services (IIS)

Internet Information Services (IIS) and its associated features can be managed both from the console of your Server Core installation and remotely.

From the console

On the console of your Server Core installation, you’d have four resources to manage your web server:

  1. The many IIS-related PowerShell cmdlets
  2. Appcmd.exe
  3. The many IIS VBS scripts
  4. The manual editing of web.config files with notepad.exe

While I won’t bore you with the typical thick-finger problems when working with notepad.exe, the antiquated interfaces of appcmd.exe, and the likes of iisvdir.vbs, iisweb.vbs, and iisext.vbs, I will dive into the wonderful world of IIS PowerShell management.

In Windows Server 2012, a total of 77 IIS-related PowerShell cmdlets are available to manage most of the Web Server Role Service.

For instance, the following line of PowerShell code will create a new website named ServerCore that is connected to TCP Port 80, only listens to the www.servercore.net host header, and stores its files in a folder named wwwroot in the typical folder structure for a WordPress installation through the Web Platform Installer (type PowerShell at the command prompt if you haven’t done so):

And since we’d also want to allow visitors to www.servercore.net to only type servercore.net into their address bar, we would also bind the servercore.net host header:
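The two commands referred to above are not reproduced on this page. As an added example (not the author's original code), the site and both host header bindings can be created with the WebAdministration cmdlets. The physical path is a placeholder because the article does not give the full folder, and the dedicated application pool is an assumption added for isolation.

```powershell
# Added example, not the article's original commands.
Import-Module WebAdministration

$SiteName = 'ServerCore'
$Path     = 'C:\path\to\wwwroot'   # placeholder: must exist; the article does not give the full path
$Hosts    = 'www.servercore.net', 'servercore.net'

# Assumption: a dedicated application pool, so the site does not share a
# worker process with other sites on the server.
if (-not (Test-Path "IIS:\AppPools\$SiteName")) {
    New-WebAppPool -Name $SiteName | Out-Null
}

# Create the site on TCP port 80, answering only to the first host header.
if (-not (Get-Website | Where-Object { $_.Name -eq $SiteName })) {
    New-Website -Name $SiteName -Port 80 -HostHeader $Hosts[0] `
        -PhysicalPath $Path -ApplicationPool $SiteName | Out-Null
}

# Add a binding for each remaining host header unless it already exists.
foreach ($h in ($Hosts | Select-Object -Skip 1)) {
    $exists = Get-WebBinding -Name $SiteName -Protocol http -HostHeader $h
    if (-not $exists) {
        New-WebBinding -Name $SiteName -Protocol http -Port 80 -IPAddress '*' -HostHeader $h
    }
}

# Show the resulting bindings; each should read *:80:<host header>.
Get-WebBinding -Name $SiteName | Select-Object protocol, bindingInformation
```

Because every binding carries a host header, requests for any other name on port 80 are not served by this site.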

Remotely

Figuring out how to configure IIS on the console of your Server Core installation might become tedious at points. Luckily, you can also manage IIS remotely from a Graphical User Interface (GUI).

To do this, you will need to meet the following two requirements:

  1. Install the IIS Management Console on the management server.
  2. Install the IIS Management Service on your Server Core web server.

To install the IIS Management Service on your Server Core web server(s), type the following PowerShell command (type PowerShell at the command prompt if you haven’t done so):

By default, the Web Management Service will not accept remote connections. To allow this, we’ll have to resort to using Regedit. Open the Registry Editor by typing regedit.exe at the command prompt. Then, in the left pane, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\WebManagement\Server. Here, change the value for EnableRemoteManagement from 0x00000000 to 0x00000001. Close Regedit with Alt+F4 or by clicking the X symbol in the top right of the program.

Tip!
You can control the entire Web Management Service in this part of the Registry, including the port it listens on and the IP address(es) the service responds to.

When you think you’re done, you’re mistaken. The service is not started automatically, nor is it scheduled to start automatically, so you’ll need to issue the following two commands to make that happen:
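The commands for these steps are not reproduced on this page. As an added example (not the author's original commands), the whole procedure can be scripted, with the registry change made from PowerShell instead of Regedit and a verification step at the end. WMSVC is the service name of the Web Management Service; the registry path and value name are the ones given above.

```powershell
# Added example, not the article's original commands.
# Run in an elevated PowerShell session on the Server Core web server.
Import-Module ServerManager

# 1. Install the Management Service Role Service (role name from the table above).
Install-WindowsFeature -Name Web-Mgmt-Service | Out-Null

# 2. Allow remote connections: the same registry change the article makes in Regedit.
$key = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
Set-ItemProperty -Path $key -Name EnableRemoteManagement -Value 1

# 3. Start the service at boot, and (re)start it now so it picks up the change.
Set-Service -Name WMSVC -StartupType Automatic
if ((Get-Service -Name WMSVC).Status -eq 'Running') {
    Restart-Service -Name WMSVC
} else {
    Start-Service -Name WMSVC
}

# 4. Verify the result instead of assuming it.
$cfg = Get-ItemProperty -Path $key
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WMSVC'"
if ($cfg.EnableRemoteManagement -ne 1) { Write-Warning 'Remote management is still disabled.' }
if ($svc.State -ne 'Running')          { Write-Warning 'WMSVC is not running.' }
if ($svc.StartMode -ne 'Auto')         { Write-Warning 'WMSVC will not start at boot.' }

# 5. List the other values under the key (the Tip mentions the port and the
#    IP addresses) so the listening settings can be reviewed.
$cfg | Select-Object -Property * -ExcludeProperty PS*
```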

The IIS Manager is part of the IIS Server Role on Server with a GUI installations of Windows Server 2012. You can install the IIS Management Console through Server Manager. To install the IIS Manager, click Manage in the top right corner of Server Manager. From the context menu, select Add Roles and Features. Click Next > in the Before you begin, Select installation type and Select destination server screens. In the Select server roles screen, select Web Server (IIS) from the list.

Install IIS


In the pop-up, click Add features, since these are exactly the features we’re looking for. Now click Next > three times to skip through to the Internet Information Services Role Services selection. In this screen, deselect the top Web Server in the list. This will result in the IIS Management Console as the only desired Role Service. Click Next > and then Install.

Note:
Unfortunately, the IIS Manager in Windows 8 is unable to connect to web servers remotely, so it can’t be used to manage your Server Core web server(s).

Now, after you’ve got the IIS Management Console installed, click Close and start the Internet Information Services (IIS) Manager from the Start Screen.

In the Internet Information Services (IIS) Manager, right-click Start Page in the Connections pane on the left. Choose Connect to a Server…. Run through the Connect to Server wizard by supplying the name or IP address of your Server Core web server and appropriate credentials. When the IIS Manager can connect successfully, you can also name the connection.

You can then manage your Server Core web server remotely, as you would with any other Windows Server 2012–based web server:

Manage IIS remotely


Concluding

Windows Server 2012–based Server Core web servers can be used to host highly available, highly secure web servers. You don’t have to perform all the configuration and management tasks on the console to make the web server secure, but you might want to.

4 Comments
  1. Stevan Allen 5 years ago

    Hi,

    Server certificates do not appear in the IIS section of the server when you connect remotely using the IIS GUI.

    How do I manage certificates please?


  2. Edwi 5 years ago

    On Server Core you create a request.inf file and use the certreq -new request.inf request.txt command to create the CSR.


  3. Edwin Bakkes 5 years ago

    Create a CSR Configuration File

    The Microsoft certreq utility uses a configuration file to generate a CSR. You must create a configuration file before you can generate the request.
    Create the file and generate the CSR on the Windows 2012 Server Core that will use the certificate.

    Open a text editor and paste the following text, including the beginning and ending tags, into the file.

    ;----------------- request.inf -----------------

    [Version]

    Signature="$Windows NT$"

    [NewRequest]

    Subject = "CN=View_Server_FQDN, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
    ; Replace View_Server_FQDN with the FQDN of the View server.
    ; Replace the remaining Subject attributes.
    KeySpec = 1
    KeyLength = 2048
    ; KeyLength is usually chosen from 2048, 3072, or 4096. A KeyLength
    ; of 1024 is also supported, but it is not recommended.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

    ; SANs can be included in the Extensions section by using the following text format. Note 2.5.29.17 is the OID for a SAN extension.
    [Extensions]

    2.5.29.17="{text}"
    _continue_="dns=ROOT-SRV01.ROOT.LOCAL&"
    _continue_="dns=CORE.ROOT.LOCAL&"
    _continue_="dns=ROOT-SRV01&"
    _continue_="dns=CORE&"

    ;-----------------------------------------------

    Save the file as request.inf in the C:\Temp folder on the Windows 2012 Server Core.

    Generate a CSR and Request a Signed Certificate from a CA

    Navigate to the directory where you saved the request.inf file.

    Generate the CSR file.

    For example: certreq -new request.inf certreq.txt

    In a text editor, open the CSR file (such as certreq.txt) and copy the contents of the file, including the beginning and ending tags.


    Use the contents of the CSR file to submit a certificate request to the CA in accordance with the CA's enrollment process.

    After conducting some checks on your company, the CA signs your request, encrypts it with a private key, and sends you a validated certificate.

    The CA also sends you a root CA certificate and, if applicable, an intermediate CA certificate.

    Save the certificate as cert.cer in the C:\Temp folder on the Windows 2012 Server Core.

    Import a Signed Certificate by Using Certreq

    Navigate to the directory where you saved the signed certificate file such as cert.cer.

    For example: cd C:\Temp

    Import the signed certificate by running the certreq -accept command.

    For example: certreq -accept cert.cer

    The certificate is imported into the Windows local computer certificate store.


  4. Eva Janakieff 1 year ago

    The Shared Configuration does not appear in the IIS Management Console either ...

    So, how can I configure Shared Configuration on Server Core web servers?

    Thanks,

    Eva Janakieff


© 4sysops 2006 - 2020
