FTPS and Filezilla with IIS 7.5 and Windows Web Server

Overview

In a previous article, I configured Windows Server 2008 R2 to be used as an FTP server, but since plain FTP sends both control information and data without encryption, a more secure way to transfer files is FTPS, which wraps FTP in transport layer security (SSL/TLS). You will also need to configure an FTP client like Filezilla correctly to connect securely using FTPS.

Video Tutorials

Host FTP services with IIS 7.5 and Windows Web Server

Overview

In a previous article, I covered installing and configuring IIS to host multiple websites. Once you have your Windows server hosting websites through IIS, how will your users get their web pages and web files to their respective web folders on the server? In this scenario, Windows Server 2008 R2 can also be used as an FTP server. When you installed Windows IIS 7.5, you specified key features to install including:

– Web server service (HTTP),
– File transfer protocol (FTP),
– Certificate security services (CA, SSL, TLS, RSA),
– and related security services (HTTPS, FTPS),
– Email services (SMTP),
– Dynamic web development with ASP.NET,
– Database administration tools,
– WebDAV for secure file hosting and transfers,
– Migration and support tools for IIS 6.0

Even if you didn’t install FTP services when you installed IIS, you can always add it afterwards.

Installation

In order to install IIS 7.5 and FTP services in Windows Server 2008 R2, open the server manager, and click Add Role. If you have not installed IIS 7.5 yet, I recommend looking at my previous article and video tutorials on installing IIS 7.5 and creating multiple hosted websites.

Video Tutorials

In the following video tutorials (parts 3, 4, and 5), I configure FTP on Windows Server 2008 R2 so that files can be transferred to the hosted websites (the default website and an additional website). To transfer files using FTP, I configure site users and passwords, and I troubleshoot connecting and transferring files to the FTP sites with the created users.

Host Websites with IIS 7.5 and Windows Web Server

Overview

Windows Server 2008 R2 can be used as a web server by adding the Microsoft Internet Information Services (IIS v7.5) server role to the server. IIS is not activated by default. When installing Windows IIS 7.5 you can specify key features to install including:

•  Web server service (HTTP),
•  File transfer protocol (FTP),
•  Certificate security services (CA, SSL, TLS, RSA),
•  and related security services (HTTPS, FTPS),
•  Email services (SMTP),
•  Dynamic web development with ASP.NET,
•  Database administration tools,
•  WebDAV for secure file hosting and transfers,
•  Migration and support tools for IIS 6.0

Installation

In order to install IIS 7.5 and web services in Windows Server 2008 R2:

  1. Open the server manager, and click Add Role.

Video Tutorials

In the following video tutorials (parts 1 and 2), after reviewing the installation of IIS 7.5, I create two separate websites, the default website and an additional website. I then configure and create default webpages for the two websites, add a DNS record for the additional website, and test whether both websites are reachable.

Map a Network Drive in Server 2008

Overview

If you create a shared folder for users on your network to access, you may want to ensure that it is visible to them when they log in. One way to do that is to map a network drive and configure it to reconnect automatically when users log in.

Video Tutorial

In this video I map a network drive to a shared folder.

Install File Services in Server 2008

Overview

Using Windows Server 2008 under the File Services role, you can install:

File Server – Allows you to share files and folders using the Share and Storage management Console
Distributed File System (DFS) – Allows you to replicate copies of the shared folders on multiple servers under one namespace
File Services Resource Manager (FSRM) – Allows you to monitor the files and set quotas
Network File System (NFS) – Allows you to set up Samba shares to share files with Linux and Unix systems
Server 2003 File Services – Allows backwards compatibility

Installing File Services

  1. Go to the Server Manager > On the left column select Roles and in the main window area click on Add Roles
  2. In the Add Roles Wizard under Server Roles put a check in the checkbox under File Services
  3. Now under File Services > Role Services select the services that you want to install under File Services. Select the following and click next:
    – File Server
    – Distributed File System, DFS Namespaces and DFS Replication
    – File Server Resource Manager
    – Services for Network File System (This is useful if you will have linux users on the network)
    – File Replication Service (if it is available)
  4. Under DFS Namespaces select “Create a namespace later using the DFS Management snap-in…” and click next
  5. Click next under Storage Monitoring
  6. In the Confirmation window click Install and Close

Video Tutorial

In this video I install File Services and set up a shared folder.

Create a Group Policy

Overview

Group Policy is an extremely useful administrative tool. You can use group policies to restrict which resources users on your network can access. If you want to restrict a user’s ability to make configuration changes to a system, you can do it by creating a group policy that applies to his/her user account or computer. The ability to create and apply group policies on your domain is indispensable for an administrator. Windows Server 2008 makes working with group policies much more efficient and easy.

Video Tutorial

In this tutorial I create a group policy to restrict access to all removable media devices.

Create a Primary Zone using DNS Manager

Overview

  • When you create a Primary Zone using DNS Manager in Windows Server 2008 you establish your DNS Server as an Authority over a particular domain name.
  • The Zone you create can be restricted to work on the private network, by creating it to be a simple local authority operating only on your local area network. To do this, you make the zone linked to a non-publicly registered domain name like danslab.local or danslaptop.local
  • Alternatively, the Zone you create can be linked to a publicly registered domain name like danscourses.com or dansgames.com.
  • When you create a Primary Zone, it will be linked to a publicly registered or private domain name and the server will become the Authoritative DNS Server for that domain name (either publicly or privately).

Video Tutorials

In the example below, I create a Primary Zone for resolving a non-public domain name to a host on the local network that is running a web server.

In this tutorial, I discuss running an Apache web server using WampServer:

In this tutorial, I discuss registering a domain name and pointing it to your company’s or home IP address so that your DNS server can function as the Authoritative DNS server for that domain name.

Configuring and Connecting to a Remote Access Server in Server 2008

Windows Remote Access Server Overview

Installing a RAS (remote access server) and configuring it to accept VPN connections from outside the network, whether over LANs or over the WAN, involves three areas of configuration on the server: 1) Connection, 2) Authentication, and 3) Authorization. Below is a summary of some of the key points in that process, as well as some video tutorials demonstrating the details of setting up a RAS server for VPN connections.

Remote Access Server Connection

Three types of connections:

1. Dialup – Telephone connections use SLIP or PPP protocols

2. VPN (Virtual Private Network) – A virtual private network is a private encrypted tunnel or channel through a public or open network like the internet. To connect via VPN you need a VPN client software program to connect to a VPN server. The server needs a public IP address if you are connecting from the internet. You could also connect to a VPN server with a private IP address if you are on the same private local area network. VPN Protocols:

PPTP – Microsoft proprietary, built in encryption, TCP port 1723
L2TP – Open standard, IPSec, TCP port 1701, and UDP port 500

3. SSTP (Secure Socket Tunneling Protocol) – Uses SSL on TCP port 443

Remote Access Server Authentication

  1. PAP (Password Authentication Protocol) – username and password are sent in cleartext; this is not secure
  2. SPAP (Shiva Password Authentication Protocol) – Used with Shiva devices, deprecated.
  3. CHAP (Challenge Handshake Authentication Protocol) – Three way handshake using MD5 hashing of the shared secret. Does not protect against impersonation
  4. MS-CHAPv1 – Microsoft version of CHAP, deprecated
  5. MS-CHAPv2 – Encrypts the shared secret, mutual authentication
  6. EAP (Extensible Authentication Protocol) – flexible authentication method based on PPP, smart cards, certificates, biometrics, custom add-on authentication methods are supported as well as MD5 challenge and TLS.
    PEAP (Protected EAP) – Used with wireless clients to provide a secure channel for EAP; supports fast reconnect for wireless clients and quarantine checks (NAP)

    • 802.1x – port-based authentication with a RADIUS client to a RADIUS server. Used in wireless implementations.
    • EAP-TLS (transport layer security) – next generation of SSL (smart cards, certificates)
    • PEAP-EAP-TLS
    • PEAP-EAP-MS-CHAPv2 – password based
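The PAP and CHAP items above, modelled as an added Python example (not code from the tutorial): it builds a PAP request and runs one CHAP challenge/response round with a constructed shared secret, so you can compare what each puts on the wire and see why CHAP authenticates only the client.

```python
import hashlib
import hmac
import os

# Constructed sample secret for the demonstration; not from any real deployment.
SHARED_SECRET = b"constructed-demo-secret"


def pap_authenticate_request(username: str, password: str) -> bytes:
    """PAP (RFC 1334): the Authenticate-Request carries the password itself,
    so anyone who can observe the link sees the credential."""
    return username.encode() + b":" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response Value = MD5(Identifier || secret || Challenge).
    Only this 16-byte digest crosses the link, never the secret."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest from its own copy of the secret and compare
    in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(client_secret: bytes, server_secret: bytes, identifier: int = 1) -> bool:
    """One three-way CHAP round: server Challenge -> client Response -> server Success/Failure.
    Returns the server's decision. Note the asymmetry: the server never proves knowledge
    of the secret to the client, which is the impersonation weakness the overview mentions;
    MS-CHAPv2 adds a server response (mutual authentication) to close it."""
    challenge = os.urandom(16)  # fresh, unpredictable challenge per round
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(identifier, server_secret, challenge, response)


def secret_visible_on_wire(packet: bytes, secret: bytes) -> bool:
    """Comparison helper: does the captured packet contain the secret verbatim?"""
    return secret in packet
```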

Remote Access Server Authorization

Once you have authenticated you need to pass through three stages. In the 1st stage you need to meet the conditions of the network policies. Once you have met at least one condition of a network policy you go on to the two other authorization stages. The 2nd stage is the dial-in access stage; the Active Directory dial-in tab under user properties is a powerful way to control dial-in access. The 3rd stage is the constraints and settings stage. You can be granted or denied access through policy constraints and settings on the server.

Step by Step Tutorial Demonstration