Archive for April, 2007

04.26.07

Alternate WSSv3 Deployment with SBS Part 4 - Configure SSL

Posted in Sharepoint at 11:16 pm by webmaster

A Sharepoint deployment is more valuable if you can access the site externally.  In order to do this you need to install a certificate in IIS and configure IIS to use SSL. 

If you intend to use this site in a production environment I strongly recommend a certificate from a reputable third party to ensure the best “user experience”; however, I am going to show you how you can obtain a free “third party” certificate to get you used to the process and get your site up and running with encryption.

Assumptions

  1. We have DNS records on the internet that will get us to our third party router.  The name we will use in our certificate will be the FQDN of this DNS record.
  2. The router is programmed to pass the SSL request through to our website (the IIS website; I chose port 446)

Generate A Certificate Request

You can use Startcom’s documentation for further information or simply follow these steps:

  • Start –>  Administrative Tools –> IIS Manager
  • Double Click, Server Name –> Web Sites
  • Right Mouse Click (RMC)  Sharepoint - 80 –> Properties
  • Select  –> Directory Security –> Secure Communications
  • click Server Certificate and select Create a new certificate then click Next
  • Select Prepare the request now, but send it later, then click Next
  • Type a descriptive name for the Certificate (such as OWA SSL Certificate) then click Next
  • It’s time to enter our Organization name as well as the Organizational unit, do so then click Next
  • Now specify the common name, which should be the external FQDN (Fully Qualified Domain Name)
  • Enter the Region/Country, State/Province and the City/Locality then click Next
  • Specify the location and the file to which you want to save the specified information, then click Next (For example C:\)
  • Click Next then Finish

Request a certificate

Our next step is to request our certificate from our third party vendor from the “information file” we just created. 

  • Navigate to Startcom’s SSL certificate request website
  • Select the “Class 1 Certificate” and select Continue
  • select the second option –> Server Certificate (Without CSR generation), then click Continue
  • Login or create an account if you don’t have one. 
  • Process request (get ssl.crt file)
  • Navigate to the IIS Manager
  • Double Click, Server Name –> Web Sites
  • Right Mouse Click (RMC)  Sharepoint - 80 –> Properties
  • Select  –> Directory Security –> Server Certificate > Next
  • Process the pending request and install the certificate then click Next

Install the Certification Authority and Intermediate Authority certificates into the Trusted Root Certification Authorities store.

  • Start > Run and type MMC then click Enter.
  • Then click File > Add/Remove Snap-in in the menu, now click Add and select Certificates
  • Computer Account then Local Computer then click Next > Close and Ok
  • drill down to Trusted Root Certification Authorities > Certificates and left-click the Certificates container
  • choose All tasks > Import
  • Click Next and specify the path to the CA.DER file
  • Accept to place the Certificate in the Trusted Root Certification Authorities
  • click Next and Finish > OK
  • Now follow the exact same procedures for the sub.class1.server.ca.cer certificate

Enable SSL and configure port on the Sharepoint Website

  • Start –>  Administrative Tools –> IIS Manager
  • Double Click, Server Name –> Web Sites
  • Right Mouse Click (RMC)  Sharepoint - 80 –> Properties
  • Insert 446 (or whatever port number you have selected) in the SSL Port field and click OK
  • Select  –> Directory Security –> Secure Communications  –> Edit
  • Select Require Secure Channel (SSL), click OK
  • Also check Require 128-bit encryption

Client Side Certificate Installation

In order to get rid of the annoying certificate errors on the client that indicate the certificate is not from a trusted authority, you can install the authority’s certificates on any client you will access this site from.  An ActiveX component is available to do this work for you:

Install Client Side Certificates  

Quick Test

You should now be able to use https://FQDN:446/default.aspx to access your sharepoint site.
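Added example (PowerShell; my own addition, not part of the original post): a quick check of what the site actually presents on the SSL port once the steps above are done, so you can see the same chain verdict a client browser will get, how long the certificate has left, and whether the negotiated cipher really meets the “Require 128 bit encryption” setting. It assumes the external FQDN and port 446 from the assumptions section (the FQDN in the script is a placeholder) and a machine that can reach the router.

```powershell
param(
    [string]$Fqdn = 'wss.example.com',   # placeholder: your external FQDN (the certificate CN)
    [int]$Port    = 446                  # the SSL port chosen earlier in the series
)

# Let the handshake finish even if the chain is untrusted, but keep Windows'
# verdict on it: that is the same verdict a client browser will give.
$script:chainStatus = [System.Net.Security.SslPolicyErrors]::None
$validator = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:chainStatus = $sslPolicyErrors
    return $true
}

function Test-WssSslEndpoint {
    param([string]$HostName, [int]$PortNumber)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $PortNumber)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    try {
        # The name passed here is what Windows checks the certificate against.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        New-Object PSObject -Property @{
            Endpoint       = ('{0}:{1}' -f $HostName, $PortNumber)
            CommonName     = $cn
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            DaysRemaining  = [int]($cert.NotAfter - (Get-Date)).TotalDays
            ChainStatus    = $script:chainStatus            # None = trusted and name matches
            Protocol       = $ssl.SslProtocol
            CipherStrength = $ssl.CipherStrength
            Meets128Bit    = ($ssl.CipherStrength -ge 128)  # the "Require 128 bit encryption" box
            NameMatches    = ($cn -eq $HostName)
        }
    }
    finally {
        $ssl.Close()
        $tcp.Close()
    }
}

Test-WssSslEndpoint -HostName $Fqdn -PortNumber $Port | Format-List
```

If ChainStatus reports RemoteCertificateChainErrors, the CA.DER or sub.class1.server.ca.cer import above did not take on the machine you are testing from; if it reports RemoteCertificateNameMismatch, the common name in the request did not match the FQDN you are browsing to.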

04.24.07

Security Event Log Analysis Resources

Posted in OS at 9:49 pm by webmaster

To monitor any system effectively you should be checking for unauthorized logon attempts and other potentially malicious behaviour on your server.

To help with the process I have put together a list of resources below that will aid in understanding these logs.  To get you started, read this article on tsgrinder.

Other Resources

Windows Security Logging and Other Esoterica (Microsoft Auditing Team)

Securing Windows 2000 Server (Microsoft - Chapter 9)

Audit Policies and Event Viewer (Randy Franklin Smith)

Security Log Quick Reference (Randy Franklin Smith - Download)

Windows Security EventID (Randy Franklin Smith)

Windows Security Logon Types (Randy Franklin Smith)

Kerberos Failure Codes (Randy Franklin Smith)

Tracking an intruder with netlogon (Microsoft)

Enable Optional Auditing (How to enable and apply security auditing in Windows 2000)

kb174074 (Microsoft - Security Event Descriptions)

Small Business Server Access Types

To really understand this process, practice recognizing valid and invalid attempts of the following accesses:

Workstation or Server
IN = Interactive
TS = Terminal Services (remote desktop protocol)
RW = Remote Web Workplace (IIS)
OW = Outlook Web Access (IIS)

Examples

All events are Success Events in the Security log on Small Business Server 2003 SP1 unless otherwise noted.

Default Audit Policy.

  1. Idle System (Note these items appear all the time so they are not included in the items below to keep it cleaner)
    1. 538
    2. 540
    3. 576
    4. 515 (infrequent)
  2. Remote Desktop to server
    1. Administrator, Valid Logon
      1. 672
      2. 673 - login GUID
      3. 552 - lots of information
      4. 528
    2. Administrator, Logon Failure, Invalid password
      1. Failure Audit, Event 529
    3. Unknown User
      1. Failure Audit, Event 529
    4. Administrator, Valid Logoff
      1. Event 551
        1. User Name - Administrator
        2. Domain - NETBIOS Domain Name
        3. Login ID - ?
  3. RWW to server
    1. Administrator, Valid Logon
      1. 680
      2. 552 - lots of information
      3. 673
    2. Administrator, Invalid Logon
      1. 672
      2. 673 - login GUID
      3. 552 - lots of information
      4. 529
  4. OWA to server
    1. Administrator, Valid login
      1. Initial URL access to server
        1. 672
        2. 673
        3. 552
        4. 540  IUSR_*
      2. Initial URL access to server
        1. 672
        2. 673
        3. 552  Payload of event contains - Username, Remote IP
        4. 540  (Authenticated Username)
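Added example (PowerShell; mine, not from the post or the linked resources): the check I would run against the Security log to put the 529 failures listed above to work. It groups failed logons by account, source address and logon type so repeated guesses from one place stand out, which is exactly what a tool like the tsgrinder article describes would leave behind. It assumes the Windows Server 2003 SP1 event text layout (“User Name:”, “Logon Type:”, “Workstation Name:” and “Source Network Address:” fields, one per line) and an account that can read the Security log.

```powershell
param(
    [int]$Hours     = 24,   # how far back to look
    [int]$Threshold = 5     # failures per account + source worth flagging
)

# Logon types you will see on an SBS box, tied to the access types in the post.
$logonTypeNames = @{
    '2'  = 'Interactive (console)'
    '3'  = 'Network (IIS: RWW / OWA, file shares)'
    '10' = 'RemoteInteractive (Terminal Services / RDP)'
}

function Get-FieldFromMessage {
    param([string]$Message, [string]$Label)
    # Event text lays fields out as "Label:<tabs/spaces>value", one per line;
    # the first "User Name:" line comes before SP1's "Caller User Name:" line.
    if ($Message -match "$Label\s*:\s*([^\r\n]+)") { return $Matches[1].Trim() }
    return '-'
}

function Get-FailedLogonSummary {
    param([int]$LookbackHours, [int]$FlagAt)

    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-EventLog -LogName Security -EntryType FailureAudit -After $since |
              Where-Object { $_.EventID -eq 529 }

    $events |
        ForEach-Object {
            $msg = $_.Message
            New-Object PSObject -Property @{
                Time        = $_.TimeGenerated
                User        = Get-FieldFromMessage $msg 'User Name'
                LogonType   = Get-FieldFromMessage $msg 'Logon Type'
                Workstation = Get-FieldFromMessage $msg 'Workstation Name'
                SourceIP    = Get-FieldFromMessage $msg 'Source Network Address'
            }
        } |
        Group-Object User, SourceIP, LogonType |
        ForEach-Object {
            $first = $_.Group[0]
            $type  = $first.LogonType
            $typeLabel = $type
            if ($logonTypeNames.ContainsKey($type)) { $typeLabel = "$type - $($logonTypeNames[$type])" }
            $ordered = $_.Group | Sort-Object Time
            New-Object PSObject -Property @{
                User       = $first.User
                SourceIP   = $first.SourceIP
                LogonType  = $typeLabel
                Failures   = $_.Count
                FirstSeen  = $ordered[0].Time
                LastSeen   = $ordered[-1].Time
                Suspicious = ($_.Count -ge $FlagAt)
            }
        } |
        Sort-Object Failures -Descending
}

Get-FailedLogonSummary -LookbackHours $Hours -FlagAt $Threshold |
    Format-Table User, SourceIP, LogonType, Failures, FirstSeen, LastSeen, Suspicious -AutoSize
```

A burst of 529s for one account from one Source Network Address with logon type 10 is the Remote Desktop pattern from section 2 above; the same burst with logon type 3 arrived through IIS (RWW or OWA), which is why the logon type is kept in the grouping.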

04.22.07

Alternate WSSv3 Deployment with SBS Part 3 - Install WSS

Posted in Sharepoint at 2:40 am by webmaster

With all the preparation we can finally get down to business of installing WSSv3.

Preparation

  1. Preparation
    1. Obtain Windows Server CD you installed win2003 with (required for IIS 6 install)
    2. Download .net framework version 2
    3. Download .net framework version 3 
    4. Download Microsoft WSS version 3 Administrator’s Guide
    5. Stop your VM and perform a full backup of your VM. Now if you mess up you have something you can easily go back to
    6. Decide on the SSL setup:
      1. choose SSL port 446
      2. choose external name
      3. configure router (port forward 446 to internal IP of win2003)
  2. Add IIS 6
    1. Start –> Control Panel –> Add/Remove Programs
      1. Add/Remove Windows Components
      2. Application Server
      3. Check Internet Information Server
    2. Turn on ASP.net 2.x if required
      1. Start –> Administrative Tools –>  IIS Manager
      2. SERVERNAME –> Web Server Extensions
      3. Verify ASP.net 2 is enabled
  3. Run Microsoft updates (I installed SP2 on both servers but not IE7)
  4. Install Windows Sharepoint Services 3
    1. Sharepoint_setup.exe
    2. accept, continue
    3. advanced
    4. server type: standalone
    5. data location
    6. close
  5. Run Configuration Wizard
    1. restart services yes
    2. wait
    3. finish
  6. login with the domain administrator account
  7. Run Microsoft update (should be a wss update)
  8. http://HOSTNAME/default.aspx  should now work (TEAM Site)
  9. Also have a look in Start –> Administrative Tools for:
    1. “SharePoint Products and Technologies Configuration Wizard”
  10. In the next article we will explore the use of SSL so we can use our WSSv3 site from the internet in a secure fashion.

Other Resources

Technet Windows Sharepoint Services Version 3 Technical Reference

WSSv3/WSSv2 Comparison

WSS SDK

Blog Sites

Microsoft Sharepoint Products and Technologies Team Blog

Chad Gross’s Blog

04.21.07

Alternate WSSv3 Deployment with SBS Part 2 - Install & Configure VM

Posted in Sharepoint at 4:18 pm by webmaster

Installing WSSv3 in a virtual environment requires working with many different technologies.  This installment is meant more as an overview to get you started.  For an in-depth look at installing Virtual Server 2005 R2 please see this installation guide.

In this installment we will:

  • Setup a VM
  • Install Windows 2003
  • virtual machine extensions
  • configure networking in VM and Win2003
  • configure router

Setup VM

The first thing you need to do is setup the VM. 

  • Download Virtual Server 2005 R2
  • run the installer
  • create a virtual machine for win2003
  • Attach the virtual network of this VM to the physical NIC of your SBS server
  • ensure the dhcp server is turned off on the virtual machine/network

Windows 2003

The next step is to simply install Windows 2003.

  • Install windows 2003 SP1 in the VM

Virtual Machine Extensions

To improve the performance of your VM, ensure you install the virtual machine extensions.

  • Log in to win2003 and use the web admin tool for Virtual Server to install the virtual machine extensions

Configure Networking

  • configure the virtual network parameters in Control Panel
    • a static IP address in your reserved IP range.  We will call this win2003LANIP
    • use your standard subnet mask and gateway
    • set the primary DNS server to be the IP of your SBS server
  • Join the server to the domain (I used My Computer –> Properties, Computer Name –> Change)
  • Reboot

Apply Updates

Apply all service packs and hotfixes.

Configure Router

One simple port forward of port 446 inbound to port 446 outbound to win2003LANIP is all the router programming that is required.

Alternate WSSv3 Deployment with SBS Part 1 - Introduction

Posted in Sharepoint at 4:04 pm by webmaster

I was very excited to hear that WSSv3 was going to work with Small Business Server until I found out that one of the most important features for me (email integration) did not work.  Sure I tried it, but one of the things I want to try to do is automate.  One of my principal communication methods is email.

So I set out to see how I could come up with a way to install WSSv3 on SBS.  The result?  You guessed it - run SBS 2003 SP1 as normal, install a Virtual Server 2005 R2 virtual machine which will host Windows 2003 SP1 configured as a member server to SBS.  We can then load WSSv3 on the win2003 and hopefully get all of our functionality.

I must say that two people who have inspired me to document this process are Susan Bradley and Chad Gross.  These two people have provided me much insight and guidance in what I have done here - so thanks!

I hope to do two installments:

  1. WSSv3 Install - focus on getting all the pieces installed so we have a functioning wssv3 install
  2. WSSv3 configure - configure it so it will be useful for the IT professional

My Goal

In the end I want to be able to access the wssv3 site from the internet and the local SBS lan.  For ease of implementation I have chosen to implement the wssv3 site on a non-standard SSL port so that we don’t conflict with other SBS SSL traffic that is going to the SBS server.

This is what we will eventually use to access our WSSv3 site from the internet: https://YourCurrentFQDN:446/Default.aspx

This means that you don’t need to make any external DNS changes.  It does mean that the URL is a little funky.  But I am willing to live with that.  I didn’t try it, but you may also be able to use your current SSL certificate from your SBS server.  I have you go and get a free public one instead.

Terminology

I am not the best writer or communicator.  Nor am I artistic (Can’t ya tell?)  It is much easier for me just to create some definitions:

  • SBS - The original Small Business Server.  I assume it is set up and configured
  • VM - The freely downloaded virtual machine from Microsoft
  • Win2003 - A legitimate copy of Windows Server 2003 will be required to run in the VM
  • WSS - Windows Sharepoint Services Version 3

WSSv3 Install

I will break the install process down into smaller pieces as defined below. 

  1. Setup VM, Windows 2003, virtual machine extensions, configure networking in VM and Win2003, configure router
  2. Install WSS and Configure WSS
  3. Configure WSS for SSL

Disclaimer

As with any install you do or any information you obtain and implement from this site: you do so at your own risk.  I also do not recommend using this in a production environment.  Implement on a test server first to see if it meets your expectations.


04.17.07

Change domain administrator account on SBS

Posted in OS, win2003, SBS2003 at 10:42 am by webmaster

A question that often gets asked is how to change the domain administrator password on Small Business Server.  I will take this opportunity to plug the wealth of information available on the sbs2k3 Yahoo group.  The guys (and gals) over there have come up with this:


  1. CTRL-ALT-DEL and change the password
  2. Open services and check for any services running under this account, and reset the password.
  3. Open Scheduled Tasks and check for any tasks running under this account, and reset the password.
  4. Open a command prompt and enter the following to reset the Directory Services Restore password.
  5. Open Command Prompt.
    1. Type the following:
      1. ntdsutil
      2. set DSRM password
      3. reset password on server NULL
    2. Enter the new password.
    3. Type the following:
      1. Quit
      2. Quit
    4. Close Command Prompt.
  6. One final thing you may want to consider doing is to reset any cached passwords for the administrator account on any machines that may have these passwords cached otherwise you may be constantly prompted to enter a password.  Credit and background information here.
    1. Follow these steps to “forget” these passwords
      1. Start –> Settings –> Control Panel
      2. Double click “User Accounts”
      3. Select the “Advanced” tab
      4. In the “Passwords and .NET Passports” area click “Manage Passwords”
      5. Remove everything there.
    2. Delete everything in the following two folders:

      C:\Documents and Settings\YOURUSERNAME\Application Data\Microsoft\Credentials
      C:\Documents and Settings\YOURUSERNAME\Local Settings\Application Data\Microsoft\Credential
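Added example (PowerShell; my own, not from the post or the sbs2k3 group): an inventory of the services and scheduled tasks on the server that log on as the administrator account, which is what steps 2 and 3 above have you hunt for by hand. Run it before the password change so nothing is missed, and again afterwards to confirm everything was reset. It assumes the account matches the $AccountPattern placeholder and that schtasks /query /v /fo csv on Windows Server 2003 includes “Run As User” and “Status” columns.

```powershell
param(
    [string]$AccountPattern = '*\Administrator'   # placeholder; e.g. DOMAIN\Administrator
)

function Get-ServicesRunningAs {
    param([string]$Pattern)
    # Win32_Service.StartName is the logon account ("DOMAIN\user", ".\user"
    # or LocalSystem); match it against the account whose password will change.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -like $Pattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind = 'Service'; Name = $_.Name; Account = $_.StartName; State = $_.State
            }
        }
}

function Get-TasksRunningAs {
    param([string]$Pattern)
    # The verbose CSV starts with a header row, so ConvertFrom-Csv yields one
    # object per task (one per trigger for multi-trigger tasks, hence -Unique).
    schtasks /query /v /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -like $Pattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Kind = 'ScheduledTask'; Name = $_.TaskName; Account = $_.'Run As User'; State = $_.Status
            }
        } |
        Sort-Object Name -Unique
}

$findings = @(Get-ServicesRunningAs $AccountPattern) + @(Get-TasksRunningAs $AccountPattern)
if ($findings.Count -eq 0) {
    "Nothing on this server logs on as $AccountPattern."
} else {
    $findings | Format-Table Kind, Name, Account, State -AutoSize
}
```

Anything that shows up here will start failing (and, with account lockout enabled, can lock the administrator account) the moment the old password stops working, which is the reason the group puts these two steps before the DSRM reset.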


04.14.07

Managing IE7 with group policy

Posted in win2003, SBS2003, IE7, Group Policy at 2:41 pm by webmaster

Want to make IE7 a better user experience for your users?  A simple group policy addition makes it much easier for your users to digest IE7.

The changes I make are:

  1. Display the menu bar
  2. Select some default options for users so they (you) don’t have to select them every time a new profile is created for a user.

You can make other changes if you want to but since IE7 is here to stay and it is not going away we might as well make this change easier for our users.

The steps are very straightforward:

  1. Download the new IE7 group policy settings, which Microsoft deploys through a .msi file that simply contains an adm file.
  2. Tweak the settings, here is what I have used (YMMV)
    1. Turn Off Managed Phishing Filter     Enabled (Automatic)
    2. Prevent participation in the Customer Experience Improvement Program Enabled
    3. Prevent Performance of first run customization settings   Enabled (Go directly to home page)
    4. Turn on Menu Bar by Default      Enabled

As I stated above, the whole point of this exercise is to provide a “similar” experience to our users for IE7.  This essentially should provide the menu bar for our users and prevent the users from having to answer questions about things they know nothing about anyway.

Want more details on how to do this?  Here is an attempt at a step by step procedure.  Please contact me if there are any errors or omissions.

  1. Create a new Group Policy Object (GPO).  Let’s call it Custom-IE7
    1. Start –> Administrative Tools –> Group Policy Management
    2. Navigate to Forest –> Domains –> Domain Name –> Group Policy Objects
    3. Right Mouse Click in the right window pane and select “New”
    4. Type the name of your new GPO - “Custom - IE7”
  2. Link the Custom-IE7 GPO to an existing OU.  This OU should contain the computers that you want to “tune” IE7 for.
    1. Find the Organizational Unit (OU) which contains the group of  computers you want to apply these settings to (Use Active Directory Users and Computers)
      1. For example when using SBS 2k3 SP1 or higher I would use Domain –> My Business –> Computers –> SBSComputers
    2. Using the “Group Policy Management” GPM snapin, navigate to the OU selected in the above step, Right Mouse Click in the left window, and select “Link an existing GPO” and then select the “Custom-IE7” GPO you created previously
  3. Ensure IE7 adm files are loaded into your domain
    1. New Group Policy’s Administrative Templates (.adm files) for IE7 are loaded automatically onto the Domain Controller when a Group Policy is opened from a workstation where IE7 has been installed (I have never used this method)
    2. Download and install “Administrative Templates for Internet Explorer 7 for Windows” manually
      1. Download the templates
      2. Install them
        1. Use the msi installer you just downloaded to install the templates to your server
        2. Using the GPM snapin navigate to the “Custom - IE7” GPO
        3. Select Edit
        4. Click Computer Configuration  –> Administrative Templates
        5. Right-click Administrative Templates, click Add/Remove Templates, and then click Add
        6. navigate to wherever the templates were stored (C:\Program Files\Microsoft Group Policy)
        7. Select “inetres.adm”
        8. Click Yes
        9. Click Close
        10. Now the new IE7 Group Policy settings should be viewable in the GPO
  4. Configure the Custom-IE7 GPO to contain the special IE7 settings we want
    1. Using the GPM snapin navigate to the “Custom - IE7” GPO and Right Mouse Click and select Edit
    2. Navigate to: Computer Configuration –> Administrative Templates –> Windows Components –> Internet Explorer
    3. Modify the following settings
      1. Turn Off Managed Phishing Filter     Enabled (Automatic)
      2. Prevent participation in the Customer Experience Improvement Program Enabled
      3. Prevent Performance of first run customization settings   Enabled (Go directly to home page)
      4. Turn on Menu Bar by Default      Enabled
  5. Use “gpupdate /force” on a workstation to ensure  that your settings get incorporated right away
  6. Use “gpresult > gp.txt && notepad.exe gp.txt” to verify you see your group policy settings on your workstation.
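Added example (PowerShell; my own, not from the post or the Microsoft guides it references): after gpupdate, confirm on a workstation that the policy values actually landed in the machine policy hive, which is more direct than reading through gpresult output. The registry paths and value names are taken from the inetres.adm template the steps have you import; treat them as an assumption and check them against the template on your own server. The phishing filter setting is left out here: add it once you have looked up its value name in the template.

```powershell
$policyRoot = 'HKLM:\Software\Policies\Microsoft\Internet Explorer'

# Policy display name (as it appears in the GPO) and where inetres.adm writes it.
$expected = @(
    @{ Setting = 'Prevent participation in the Customer Experience Improvement Program'
       Key = "$policyRoot\SQM";  Name = 'DisableCustomerImprovementProgram'; Value = 1 },
    @{ Setting = 'Prevent performance of First Run Customize settings (go directly to home page)'
       Key = "$policyRoot\Main"; Name = 'DisableFirstRunCustomize'; Value = 1 },
    @{ Setting = 'Turn on menu bar by default'
       Key = "$policyRoot\Main"; Name = 'AlwaysShowMenus'; Value = 1 }
)

function Test-Ie7PolicyApplied {
    param([object[]]$Expectations)
    foreach ($e in $Expectations) {
        $actual = $null
        if (Test-Path $e.Key) {
            # -ErrorAction keeps a missing value from stopping the loop; it just reports as not applied.
            $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($e.Name) }
        }
        New-Object PSObject -Property @{
            Setting  = $e.Setting
            Location = "$($e.Key)\$($e.Name)"
            Expected = $e.Value
            Actual   = $actual
            Applied  = ($actual -eq $e.Value)
        }
    }
}

Test-Ie7PolicyApplied $expected | Format-Table Setting, Expected, Actual, Applied -AutoSize
```

A row with Applied = False after “gpupdate /force” usually means the workstation is not in the OU you linked the GPO to, or the inetres.adm import did not take, so the setting was never written to the GPO.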

References:

  1. Internet Explorer Deployment Guide (March 2007)
  2. Exploring New Functionality in Internet Explorer (Virtual Lab Doc)


04.12.07

W32 time errors on default install of Small Business Server

Posted in OS, SBS2003 at 12:05 pm by webmaster

If you are seeing event IDs 47, 29 and sometimes 36 in the event logs of a default Small Business Server, follow these steps as outlined by Susan Bradley:

Just want the steps:

w32tm /config /manualpeerlist:pool.ntp.org,0x8 /syncfromflags:MANUAL
net stop w32time  
net start w32time  
w32tm /resync

The above command modifies the following registry values:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Parameters\NtpServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
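Added example (PowerShell; my own, not from the post or Susan Bradley’s steps): after running the commands above, confirm that the registry now reflects a manual peer and check whether W32Time is still logging the 29, 36 and 47 events. It assumes Windows Server 2003, where the time source settings live under the W32Time\Parameters key listed above, and the System log as the place W32Time writes its events.

```powershell
param([int]$Hours = 24)   # how far back to look for W32Time events

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeConfig {
    $p = Get-ItemProperty -Path $params
    New-Object PSObject -Property @{
        Type      = $p.Type        # expect NTP after /syncfromflags:MANUAL
        NtpServer = $p.NtpServer   # expect pool.ntp.org,0x8
        ManualPeerConfigured = ($p.Type -eq 'NTP' -and $p.NtpServer -match '\S')
    }
}

function Get-W32TimeErrors {
    param([int]$LookbackHours)
    # 29 = no valid time source, 36 = not synchronized for too long,
    # 47 = peer unreachable: the three the post is about.
    Get-EventLog -LogName System -Source W32Time -After (Get-Date).AddHours(-$LookbackHours) |
        Where-Object { 29, 36, 47 -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, EntryType, Message
}

Get-W32TimeConfig | Format-List

$timeEvents = @(Get-W32TimeErrors -LookbackHours $Hours)
if ($timeEvents.Count -eq 0) {
    "No W32Time 29/36/47 events in the last $Hours hours."
} else {
    $timeEvents | Format-Table TimeGenerated, EventID, EntryType -AutoSize
}
```

If ManualPeerConfigured is False after the commands ran, the /config line did not apply (a typo in the flag, such as the multiplication sign some pages show in place of 0x8, is the usual cause); if it is True but 47s keep appearing, outbound NTP (UDP 123) is likely blocked at the router.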

For further information check these out:


W32 time sync issues kb article

Eventid.net (Eventid 29)

Microsoft Ntp Time Server list   

Windows Server 2003 Time Synchronization kb

Great w32time article