Apply Your Knowledge


Exercises

4.1. Securing a local folder

Because all users accessing a Windows Server 2003 member server at the console will have been granted the Log On Locally right, you will need to use local security to prevent them from accessing certain folders. In this exercise, you will secure a local folder so that only selected users can access its contents.

Estimated Time: 40 minutes

1. Verify that the volume the desired folder is on is an NTFS volume. If it is not, use the CONVERT command to change it to NTFS.

2. Open either My Computer or Windows Explorer. Navigate to the folder on which you want to configure security.

3. Right-click the object and select Properties from the pop-up menu. Click the Security tab on the resulting dialog box.

4. From the Security tab, click the Add button.

5. The Select Users or Groups dialog box appears. This dialog box allows you to select either a local or domain user or group to assign permissions to. Enter the user or group and then click OK.

6. This returns you to the Folder Properties dialog box. Note that by default, the user or group just added has been granted Read and Execute, List Folder Contents, and Read permissions for the folder.

7. In the Permissions section of the Folder Properties dialog box, select the desired permissions and then click the OK button to save.
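
The steps above, scripted in PowerShell as an added example that is not part of the book. It assumes PowerShell is installed (a separate download on Windows Server 2003); the folder `D:\Payroll` and the group `SERVER01\PayrollUsers` are placeholders. The final check goes one step past the exercise and lists any broad grants that remain on the folder.

```powershell
# Added example, not from the book. Folder and group names are placeholders.
param(
    [string]$Folder   = 'D:\Payroll',             # hypothetical folder
    [string]$Identity = 'SERVER01\PayrollUsers'   # hypothetical local group
)
$ErrorActionPreference = 'Stop'

# Step 1: file and folder permissions need NTFS; stop if the volume is FAT/FAT32.
$root  = [System.IO.Path]::GetPathRoot((Resolve-Path $Folder).Path)
$drive = New-Object System.IO.DriveInfo $root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$root is $($drive.DriveFormat). Convert it first: CONVERT $($root.TrimEnd('\')) /FS:NTFS"
}

# Steps 4-6: add an Allow entry matching the GUI default
# (Read & Execute, List Folder Contents, Read), inherited by subfolders and files.
$ruleArgs = $Identity, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 7 review: show every entry now on the folder, inherited ones included.
$aces = (Get-Acl -Path $Folder).Access
$aces | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Adding one entry does not remove anyone else. Flag broad groups that still
# hold Allow entries, since the goal is access for selected users only.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$aces |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning "$($_.IdentityReference) still has $($_.FileSystemRights) (inherited: $($_.IsInherited))"
    }
```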

4.2. Creating a website

In this exercise, you use the Web Site Creation Wizard to create a website to serve some Active Server Pages. Because only static content is allowed with the default installation of IIS 6.0, you must configure IIS to use Active Server Pages manually.

Estimated Time: 20 minutes

Additional Requirements: A folder containing a sample website.

1. Click Start, Administrative Tools, Internet Information Services Manager.

2. From the IIS Manager MMC, right-click the Web Sites entry and then select New, Web Site from the pop-up menu.

3. On the Welcome to the Web Site Creation Wizard screen, click the Next button to continue.

4. On the Web Site Description screen, type in a descriptive name for the website. Click the Next button to continue.

5. The IP Address and Port Settings screen appears. From this screen, you can select the IP address, TCP port, or host header to which this website will respond. Make the appropriate choices and then click the Next button to continue.

6. The Web Site Home Directory screen appears. From this screen, you can select the folder that contains the files for your website. You can also specify that you want to allow anonymous access to your site. Make the appropriate choices and then click the Next button to continue.

7. The Web Site Access Permissions screen appears. From this screen, you can specify the permissions you are granting visitors to your website. You should always specify the minimum permissions needed. Make the appropriate choices and then click the Next button to continue.

8. When the Finishing the Web Site Creation Wizard screen appears, click the Finish button to save.

9. The new website appears in the IIS Manager console, listed under the Default Web Site entry.

10. In the left pane of the IIS Manager, click the Web Service Extensions folder.

11. Highlight the Active Server Pages entry in the right pane of the MMC and then click the Allow button. The status of the extension is changed to Allowed.

12. Close IIS Manager.

Exam Questions

1. You are the administrator for a small sporting goods company. The Human Resources manager of your company creates several files in a shared folder called HR-Data on a Windows Server 2003 server. The share and the files have the permissions shown.

HR-Data Share Permissions:

Users: Read

Administrators: Read

HR Managers: Full Control

HR-Data NTFS Permissions:

Users: Read

Administrators: Read

HR Managers: Full Control

While the HR manager is on vacation, you receive a call from one of your users. It seems that one of the files in the HR-Data folder contains some very sensitive information, and it should be removed. How can you accomplish this without disrupting normal operations, using the minimum amount of authority necessary to delete the file?

A. Grant yourself Full Control permission for the HR-Data folder. Delete the file. Remove Full Control permission for the HR-Data folder.

B. Take ownership of the HR-Data folder. When prompted, take ownership of existing files. Grant yourself Full Control permission for the file. Delete the file.

C. Take ownership of the file. Delete the file.

D. Grant yourself Modify permission for the HR-Data folder and its contents. Delete the file. Remove Modify permission for the HR-Data folder.


2. As part of a server consolidation, you are moving a group of shared folders to a new Windows Server 2003 server. After moving the folders and their contents using XCOPY, you turn the server back over to the users. Soon, your telephone rings with users complaining that they can't see the file shares. What steps will you need to perform to fix the problem?

A. You need to reconfigure the NTFS permissions.

B. You need to reconfigure the share permissions.

C. You need to restart the Server service on the new server.

D. You need to reshare the shares.

E. You need to give the shares unique names.


3. The administrative assistant for the CIO of your company resigns without warning. The assistant's personal folders contain several files that the CIO needs access to. The folders have the following permission:

Admin Assistant: Full Control

All the user folders are located on a server formatted with NTFS. What's the quickest way to give the CIO access to these files?

A. Reset the password on the administrative assistant's account and give the CIO the user ID and the new password.

B. Assign ownership of the files to the CIO.

C. Take ownership of the files and give the CIO Full Control permission.

D. Move the files to the CIO's folders.


4. The Contracts folder is configured with the following permissions:

Share Permissions:

Managers: Full Control

Legal department: Change

HR: Read

NTFS Permissions:

Managers: Full Control

Legal department: Modify

HR: Read

If Bill is a member of the legal department and the HR group, what is his effective permission over the network?

A. Change

B. Modify

C. Read

D. Full Control


5. As part of a server consolidation, you are moving several websites on your intranet from Windows 2000 Servers to a new Windows Server 2003 server. After moving the websites, you turn the server back over to the users. Soon, your telephone rings with users complaining that they are receiving 404 errors when they try to access any of the websites. What steps will you need to perform to fix the problem?

A. You need to reconfigure the NTFS permissions.

B. You need to reconfigure the share permissions.

C. You need to restart the Server service on the new server.

D. You need to enable the Web Service Extensions.


6. After reading about how much improved IIS 6.0 is over IIS 5.0, you decide to perform an in-place upgrade of one of the Windows 2000 servers for your intranet. After the upgrade has completed, you check all the install logs and the Event Viewer and don't see any problems. After you turn the web server back over to the users, your telephone rings with users complaining that they cannot access the website. What step must you perform to fix the problem?

A. Replace the network interface card.

B. Start the web service.

C. Rewrite the web apps to be compatible with IIS 6.0.

D. Reconfigure the web service in IIS 5.0 Isolation mode.

E. Reconfigure the web service in Worker Process Isolation mode.


7. You are the administrator for a Windows Server 2003 server running IIS 6.0. The CIO is extremely security conscious. She wants you to set up an intranet site in such a way that only authorized users can access it. All users on your network are running Windows XP. What is the easiest way to accomplish this?

A. Turn off anonymous access for the site and configure it for Digest Authentication.

B. Turn off anonymous access for the site and configure it for Basic Authentication in combination with SSL.

C. Turn off anonymous access for the site and configure it for Integrated Authentication.

D. Turn off anonymous access for the site and configure it for Basic Authentication.


8. You are the administrator for a Windows Server 2003 server running IIS 6.0. The CIO is extremely security conscious. She wants you to set up a site on the Internet in such a way that only authorized users can access it. The website should support all types of browsers. What is the easiest way to accomplish this?

A. Turn off anonymous access for the site and configure it for Digest Authentication.

B. Turn off anonymous access for the site and configure it for Basic Authentication in combination with SSL.

C. Turn off anonymous access for the site and configure it for Integrated Authentication.

D. Turn off anonymous access for the site and configure it for Basic Authentication.


Answers to Exam Questions

1. C. You must take ownership of the file and then you can delete the file. See "Configuring and Managing NTFS File and Folder Permissions."

2. A, B, D. When a shared folder is moved, it is no longer shared. When it is moved to a different server, it will assume the NTFS permissions of the target folder, which probably won't be the same as the original folder. See "Copying and Moving Files and Folders."

3. B. Unlike in previous versions of Windows, in Windows Server 2003, the administrator can assign the ownership of files and folders. Moving the files would not work because files moved to a different folder on an NTFS partition will retain their existing permissions. The other options would work, but they involve more steps. See "Changing Ownership of Files and Folders."

4. A. Because Bill is accessing the folder through a share, his permissions will be the more restrictive of the combined share and NTFS permissions. See "Combining Share and NTFS Permissions."

5. D. In Windows Server 2003, the default for IIS 6.0 is to install in "locked down" mode. In locked down mode, only pages containing static content are displayed. All other pages return a 404 error when they are accessed. Enabling the Web Service Extensions allows you to use pages containing dynamic content. See "Installing Internet Information Services (IIS)."

6. B. During an upgrade from a previous version of Windows, IIS is installed; however, the service is disabled, and you must start it manually. This prevents administrators from carrying over vulnerabilities from previous versions of Windows. A web server that is upgraded from a previous version of IIS is enabled in IIS 5.0 Isolation mode, by default, to ensure that the application installed continues to run. See "Installing Internet Information Services (IIS)."

7. C. Integrated Authentication is the best answer. Although the other options would work, they all have limitations. Basic Authentication would work, but it transmits the password in clear text. Anyone with a Sniffer utility could discover the passwords. Adding SSL would be fine, but you would either have to purchase a certificate or set up your own CA. Digest Authentication requires the passwords to be stored unencrypted in the Active Directory. See "Managing Security for IIS."

8. B. The only correct answer for this situation is Basic Authentication in combination with SSL. Basic Authentication is the only option that supports all browsers, and SSL is required to encrypt the traffic between the browser and the website. See "Managing Security for IIS."

Suggested Readings and Resources

1. Boswell, William. Inside Windows Server 2003. New Riders, 2003. ISBN 0735711585.

2. Hassell, Jonathan. Learning Windows Server 2003. O'Reilly, 2006. ISBN 0596101236.

3. Jones, Don. Windows Server 2003 Crash Course. Wiley, 2003. ISBN 0764549251.

4. Matthews, Marty. Windows Server 2003: A Beginners Guide. McGraw-Hill, 2003. ISBN 0072193093.

5. Microsoft Windows 2003 File Server Best Practices: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/file_srv_bestpractice.asp?frame=true.

6. Minasi, Mark, et al. Mark Minasi's Windows XP and Server 2003 Resource Kit. Sybex, 2003. ISBN 0782140807.

7. Minasi, Mark, et al. Mastering Windows Server 2003 Server. Sybex, 2003. ISBN 0782141307.

8. Shapiro, Jeffrey, et al. Windows Server 2003 Bible 2nd edition. John Wiley & Sons, 2006. ISBN 0764549375.

9. Windows Server 2003 Deployment Guide. Microsoft Corporation. http://www.microsoft.com/windowsserver2003/techinfo/reskit/deploykit.mspx.

10. Windows Server 2003 Resource Kit. Microsoft Corporation. Look for a link to it on the Technical Resources for Windows Server 2003 page. http://www.microsoft.com/windowsserver2003/techinfo/default.mspx.




MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
EAN: 2147483647
Year: 2006
Pages: 219
Authors: Lee Scales
