0672326094_chapter_8

Upload: srinivasknaidu

Post on 06-Apr-2018


  • 8/3/2019 0672326094_chapter_8

    1/21

Rand H. Morimoto, MC
Andrew Abbate, MC
Eric Kovach, MC
Ed Roberts, MVP (Windows Serv

800 East 96th Street, Indianapolis, Indiana 46240

Microsoft Windows Server 2003

http://www.samspublishing.com/bookstore/product.asp?isbn=0672326094

8 Administering Windows Server 2003 Remotely

There are several methods by which system administrators can manage the IT environment's server resources. Though it is possible to manage each server locally, managing these resources remotely can greatly improve productivity. Remote administration reduces the administrative overhead required to manage servers in any size IT organization because it provides the flexibility for administrators to be centrally located while managing distributed server resources.

Windows Server 2003 provides the tools necessary for administrators to perform a vast array of management functions on remotely located servers. Server application and operating system upgrades can be performed remotely, as well as domain controller promotion/demotion and disk defragmentation.

This chapter describes the tools available for administrators to manage Windows Server 2003 servers remotely and provides best practices for leveraging remote administration features.

IN THIS CHAPTER

Using Remote Desktop for Administration
Taking Advantage of Windows Server 2003 Administration Tools
Using Out-Of-Band Remote Administration Tools for Emergency Administration
Using and Configuring Remote Assistance
Securing and Monitoring Remote Administration
Delegating Remote Administration
Administering IIS in Windows Server 2003 Remotely

BEST PRACTICE

bootcfg.exe Syntax

Presented by: http://techrepublic.com.com/

Reproduced from the book Microsoft Windows Server 2003 Insider Solutions. Copyright 2004, Sams Publishing. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN. Written permission from Pearson Education, Inc. is required for all other uses.

http://www.samspublishing.com/bookstore/product.asp?isbn=0672326094

Using Remote Desktop for Administration

Remote Desktop for Administration is one mode of the Terminal Services built into Windows Server 2003. Terminal Services can be enabled in one of two ways:

• Terminal Server mode. This is the Application Server mode that was available in Windows 2000 Server.
• Remote Desktop for Administration. This is an enhancement of the Remote Administration mode of Windows 2000 Server.

This second Terminal Services mode is used to administer Windows Server 2003 servers remotely. Remote Desktop for Administration provides remote access to the graphical interface-based tools available in the Windows environment. Remotely managing servers with Remote Desktop for Administration does not affect server performance or application compatibility.

Unlike the other Terminal Services mode, no Terminal Server Client Access Licenses (CALs) are required to use Remote Desktop for Administration. Windows Server 2003 provides two remote administrative sessions, for collaborative purposes, and a console session.

Enhancements to Remote Administration with Remote Desktop Connection

By taking advantage of the new Terminal Services client, known as the Remote Desktop Connection (RDC), remote administration is enhanced in Windows Server 2003 in several ways.

The RDC supports a wide selection of hardware devices, so servers can be managed remotely from several different types of client hardware. The RDC is supported on the following hardware types:

• 16-bit Windows-based computers running Windows for Workgroups with TCP/IP.
• 32-bit Windows-based computers running every Windows OS from Windows 95 to Windows Server 2003.
• Windows CE-based handheld devices.
• Windows CE-based terminals, or thin clients.

The RDC allows for automatic restoration of interrupted network connections. This is key for remote administration. In the event that an administrator is disconnected in the middle of a mission-critical operation, the RDC will reconnect the session without losing the administrator's place in the operation.

The RDC supports a great deal of customization for the look and feel of a remote session. Providing high color, audio, and full-screen sessions, the RDC allows you to control the graphic options and connection speed. This is an important feature because as you connect remotely to servers over a slow WAN link you will want to throttle the bandwidth usage for those particular sessions.

One of the biggest improvements to the RDC involves client resource redirection, which is available to Windows Server 2003 and Windows XP. You now have the capability to access local drives, network drives, and printers through the remote connection. Cut and paste, as well as large file transfers, can be accomplished between the client and server in a remote administration session. Keep in mind that redirection works in both directions: a redirected drive is reachable from the server side of the session, so a compromised server can read and write the administrator's workstation drives for as long as the session lasts. Redirect only what the task at hand needs.


Finally, in addition to the two remote sessions available for remote administration, Windows Server 2003 allows a console mode that enables you to connect to the real console of the server (with the RDC, start the client as mstsc /console). Now administrative functions, such as some software installations that previously required local interaction, can be performed remotely.

Enabling Remote Desktop for Administration

Enabling Remote Desktop for Administration is a simple procedure. Unlike Windows 2000, the Remote Desktop for Administration feature is now a separately configurable component from Terminal Services and has some new flexibility options previously unavailable.

The Remote Desktop for Administration feature is actually installed by default in Windows Server 2003, but it is installed in a disabled state for security reasons. To enable the feature with a default Start menu configuration, perform the following steps:

1. From the Control Panel, double-click the System icon.
2. Choose the Remote tab.
3. At the bottom of the screen, select the Allow Users to Connect Remotely to Your Computer check box, as shown in Figure 8.1.
4. Click OK to complete the configuration.

The Default Level of Encryption for Remote Sessions

The default level of encryption for remote sessions is bidirectional 128-bit. Some older Terminal Services clients might not support 128-bit encryption.

FIGURE 8.1 Enabling Remote Desktop for Administration.


If the Windows Server 2003 server will be accessed remotely from a Terminal Services client that does not support high encryption, the encryption level of the remote session can be set to Client Compatible. This encryption level will provide the highest level of encryption to the remote session that the client supports, which also means an old client negotiates the weakest level the server will accept for the whole session. Treat this as a compatibility setting for a specific legacy client, and prefer upgrading the client to the current Remote Desktop Connection so that the server can stay at the high level. To change the default encryption level on the server to Client Compatible, follow these steps:

1. Open Terminal Services Configuration from All Programs\Administrative Tools.
2. In the right pane, under the Connection column, right-click RDP-Tcp, and choose Properties.
3. Set the encryption level to Client Compatible, as shown in Figure 8.2, and click OK to complete the configuration.

FIGURE 8.2 Setting the encryption level for Remote Administration.

Best Practices for Remote Desktop for Administration

Understanding the following aspects of remote administration will enable system administrators to make the best use of the new Remote Desktop for Administration features in Windows Server 2003:

Use the Console Mode

With the new console mode of connection available in Windows Server 2003, you can interact with the remote server as if you were directly at the physical server. This enables you to see pop-ups and messages that might only appear at the console.

Configure Disconnect and Reset Timeouts

By default, disconnect and reset timeouts are not set. This has the potential to lock you out of remote sessions if the two remote sessions are both active but in a disconnected state. On the flip side, when configuring the timeouts, allow enough time so that accidental disconnections can be resumed without resetting the session. By default, when a connection is broken, the session goes into a disconnected state and continues to execute whatever process it is running at that time. If the session is configured to reset when the connection breaks, all processes running in that session will be abruptly stopped. Disconnect and reset timeouts can be configured using the Terminal Services Configuration administrative tool.
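The encryption-level and timeout settings above are stored as registry values under the RDP-Tcp listener key that Terminal Services Configuration writes to. As an added example (not code from the book), the following PowerShell reads those values, flags the conditions this section warns about, and applies the book's timeout advice. It assumes the documented value names (fDenyTSConnections, MinEncryptionLevel, fResetBroken, MaxDisconnectionTime, MaxIdleTime); the 120-minute disconnect and 30-minute idle thresholds and the function names are this example's own choices. PowerShell is not part of Windows Server 2003 but installs on it as an add-on; run this elevated on the server.

```powershell
# Added example, not from the book. Audits the Remote Desktop for Administration
# listener (RDP-Tcp) settings this section discusses by reading the registry values
# that Terminal Services Configuration writes. Run in an elevated PowerShell 2.0
# session on the server. The 120-minute disconnect and 30-minute idle thresholds
# are this example's assumptions, not the book's.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

# MinEncryptionLevel as stored by Terminal Services Configuration
$EncryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RegValue {
    # Returns the value, or $Default when the value (or key) has never been written
    param([string]$Path, [string]$Name, $Default = 0)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-RdpAdminConfig {
    $level = [int](Get-RegValue -Path $RdpKey -Name 'MinEncryptionLevel' -Default -1)
    $levelName = "Unknown ($level)"
    if ($EncryptionNames.ContainsKey($level)) { $levelName = $EncryptionNames[$level] }
    New-Object PSObject -Property @{
        # fDenyTSConnections = 1 is the installed default: feature present but disabled
        RemoteDesktopEnabled = ((Get-RegValue $TsKey 'fDenyTSConnections' 1) -eq 0)
        EncryptionLevel      = $levelName
        # fResetBroken = 1 resets (kills) a session on a broken link instead of disconnecting it
        ResetOnBrokenLink    = ((Get-RegValue $RdpKey 'fResetBroken') -eq 1)
        # Timeouts are stored in milliseconds; 0 means never, the default the book warns about
        DisconnectTimeoutMin = [int]((Get-RegValue $RdpKey 'MaxDisconnectionTime') / 60000)
        IdleTimeoutMin       = [int]((Get-RegValue $RdpKey 'MaxIdleTime') / 60000)
    }
}

function Test-RdpAdminConfig {
    # Returns one finding string per condition this section warns about (empty array = clean)
    param($Config = (Get-RdpAdminConfig))
    $findings = @()
    if (-not $Config.RemoteDesktopEnabled) { return ,$findings }   # nothing listening, nothing to flag
    if (@('High', 'FIPS Compliant') -notcontains $Config.EncryptionLevel) {
        $findings += "Encryption level '$($Config.EncryptionLevel)': an old client can negotiate a weaker cipher for the whole session. Set High and upgrade the client instead."
    }
    if ($Config.ResetOnBrokenLink) {
        $findings += 'fResetBroken=1: a dropped WAN link terminates whatever the session was running.'
    }
    if ($Config.DisconnectTimeoutMin -eq 0) {
        $findings += 'No disconnect timeout: two abandoned sessions exhaust both administrative sessions; only mstsc /console still gets in.'
    }
    return ,$findings
}

function Set-RdpAdminTimeouts {
    # Applies the book's advice: disconnect rather than reset, but reap abandoned sessions.
    # Takes effect for sessions created after the change.
    param([int]$DisconnectMinutes = 120, [int]$IdleMinutes = 30)
    Set-ItemProperty -Path $RdpKey -Name fResetBroken         -Value 0 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name MaxDisconnectionTime -Value ($DisconnectMinutes * 60000) -Type DWord
    Set-ItemProperty -Path $RdpKey -Name MaxIdleTime          -Value ($IdleMinutes * 60000) -Type DWord
}

# Usage: report the current state, warn on each finding, then harden the timeouts
$config = Get-RdpAdminConfig
$config | Format-List
Test-RdpAdminConfig -Config $config | ForEach-Object { Write-Warning $_ }
Set-RdpAdminTimeouts -DisconnectMinutes 120 -IdleMinutes 30
```

Only the registry is touched, so the result is identical to setting the same options in Terminal Services Configuration; existing sessions keep the timeouts they were created with. The policy equivalents under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services override these values when Group Policy manages the server, which is the right place for them once more than a handful of servers are involved.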

Coordinate Remote Administration

With Windows Server 2003, administrators are able to collaborate through multiple remote sessions. This feature has potential problems, though, if two administrators are unknowingly connected remotely to the same server. For instance, server data might be lost if two administrators attempt to perform disk defragmentation from two remote sessions at the same time.

Distinguish Terminal Services from Remote Administration

Although administrators have the capability to install software through a Remote Desktop for Administration session, Terminal Services running in Terminal Server mode provides better installation and environment settings for office applications. For general desktop and remote application access functionality, use a dedicated Terminal Server solution.

Taking Advantage of Windows Server 2003 Administration Tools

Another method for remote administration of servers from a client desktop computer is available by installing the Windows Server 2003 Administration Tools Pack on a workstation running Windows XP Professional. The primary target of administration for the Administration Tools Pack is the remote management of Active Directory. The Windows Server 2003 Administration Tools Pack includes Microsoft Management Console (MMC) snap-ins, Active Directory administrative tools, and other tools that are used to manage computers running Windows Server 2003.

Installing the Admin Pack

The Windows Server 2003 Administration Tools Pack is included in the i386 folder on the Windows Server 2003 installation media. Once it is installed, you can run administrative tasks remotely on Active Directory using the same Active Directory tools that are automatically installed on domain controllers. The tools only install on a computer running Windows XP Professional with Service Pack 1 applied to the operating system.

Preventing Eavesdropping

For security purposes, when you are using the console mode of remote administration, the physical console of the server is automatically locked to prevent eavesdropping.


Installing the administrative tools requires local administrative access on the workstation. Running the tools requires the following:

• Administrative privileges in Active Directory.
• Network access to a domain controller in a Windows Server 2003 domain.
• Domain membership of the Windows XP Professional workstation in the Windows Server 2003 domain.

Because the workstation then hosts interactive sessions that carry domain administrative credentials, keep it as tightly patched and restricted as the domain controllers it is used to manage.

To install the Windows Server 2003 Administrative Tools on a local Windows XP workstation, follow these steps:

1. Insert the Windows Server 2003 CD-ROM and browse to the i386 folder.
2. Double-click Adminpak.msi.
3. Click Next, and then click Finish.

When installing the Windows Server 2003 Administration Tools on a Windows XP workstation, it is a best practice to also install the Windows Server 2003 help files. On a Windows XP workstation, by default, there is only the Windows XP help. If the workstation is intended to be an administrator's remote console, the Windows Server 2003 help files should be locally available.

Again, the Windows Server 2003 help files can only be installed on Windows Server 2003 servers and Windows XP Professional SP1 workstations.

The Windows Server 2003 help files can be installed on an XP workstation from either the installation media or over the wire from a Windows Server 2003 server. To install the help files from the install media, perform the following steps on the workstation:

1. Click Start, and then click Help and Support.
2. In Help and Support Center, click the Options button.
3. Under Options, click Install and Share Windows Help.
4. Choose Install Help Content from a CD or Disk Image.
5. Browse to the CD, and click the Find button.
6. Click the Install button.

Not Mutually Compatible

The Administration Tools Packs for Windows Server 2003 and Windows 2000 are not mutually compatible. To administer Windows 2000 domains, use the Windows 2000 tools. To administer Windows Server 2003 domains, use the Windows Server 2003 tools.

Although the Windows Server 2003 Administration Tools Pack can be used to manage 64-bit Windows Server 2003 servers, it cannot be installed on a computer running a 64-bit version of the operating system.


Using Convenience Consoles

To ease delegation of administrative functions, the Windows Server 2003 Administration Tools Pack includes Convenience Consoles that group specific tools into functional groups. The administrative tools in the Tools Pack can be roughly classified into four categories:

• System Administration
• Network Administration
• Storage Management
• Directory Services Administration

Basically, the Convenience Consoles are customized MMCs that contain tools and MMC snap-ins that fall into related groups. The MMCs are included in the installation and appear in the Administrative Tools program group of the XP workstation. The consoles can be published to administrative workstations for administrators who have been delegated permissions in the given category. There are three Convenience Consoles included in the Tools Pack:

• Active Directory Management. This console includes Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and DNS. The file associated with this console is ADMgmt.msc.
• Public Key Management. This console includes Certification Authorities, Certificate Templates, Certificates for Current User, and Certificates for Local Computer. The file associated with this console is PKMgmt.msc.
• IP Address Management. This console contains the DHCP, DNS, and WINS management tools. The file associated with this console is IPAddrMgmt.msc.

Customizing Administration Consoles

The convenience provided in the administration consoles might be a good start for some IT organizations wanting to delegate administrative tasks. Most companies, though, will want further customization of the consoles, or will want to create completely new consoles to meet the delegation needs of the organization.

For example, the Active Directory Management Convenience Console can be customized to include the Group Policy Management Console (GPMC) and remove the DNS snap-in. Organizations might create a Storage Management console that includes the Windows Clustering, Network Load Balancing Clusters, and Remote Storage snap-ins.

If a custom console is created in an effort to delegate administration, the console should be configured so that it cannot be modified once it has been deployed to delegated administrators. To lock down the properties of a custom console, perform the following steps:

1. Click Start, click Run, type mmc path\filename.msc /a, and then click OK.
2. On the File menu, click Options.


3. In Console Mode, choose User Mode - Limited Access, Single Window.
4. Select the Do Not Save Changes to This Console check box, as shown in Figure 8.3, and click OK.
5. When the custom console is closed, choose Yes to save the changes.

Note that this locks the console file's presentation, not the delegate's rights: anyone who can run mmc.exe with the /a switch can reopen the console in author mode and add snap-ins. The effective restriction comes from the permissions delegated in Active Directory, and author mode itself can be blocked with the Group Policy setting Restrict the User from Entering Author Mode under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console.

FIGURE 8.3 Locking down a custom console.

Using Out-Of-Band Remote Administration Tools for Emergency Administration

All the methods for remote access to Windows Server 2003 servers discussed so far in this chapter rely on what are considered in-band connections. In-band connections typically involve connecting to the server directly through a network connection, and then using Terminal Services or Remote Desktop to manage the server with tools provided by Windows Server 2003. In-band connections are used with servers that are functioning normally. Out-of-band connections, on the other hand, refer to connections to a server that do not rely on a network connection, or on a fully functioning server. Out-of-band remote administration is made available in Windows Server 2003 Emergency Management Services (EMS) to enable you to connect to and repair servers that are unavailable by in-band methods of connection.

Emergency Management Services (EMS)

Emergency Management Services (EMS) is a new feature available in Windows Server 2003 that enables you to manage servers remotely that are not available through the normal (network) connections. With EMS and appropriate server hardware equipped with supporting firmware, you can manage a server without the need for a keyboard, mouse, local monitor, or video adapter. EMS uses text-mode communication only, which provides flexibility as to the means by which servers are remotely accessed. These methods include serial connections, terminal concentrators, and terminal emulators.

With the proper hardware and EMS configuration, out-of-band support is provided to the server's kernel components, the loader, Setup, the Recovery Console, and Stop errors. When the server is up and running, EMS provides a text-mode management console called the Special Administration Console (SAC), which is discussed later in this section.

If the server hardware supports it, EMS can be installed with the Windows Server 2003 operating system. By enabling firmware console redirection in the system's BIOS before installing the OS, EMS is configured automatically during installation. To enable EMS after the operating system is installed, use the bootcfg.exe command with the /EMS switch from a command prompt. For example, the following command enables EMS on COM1 at 19200 baud for boot entry ID 1:

bootcfg.exe /EMS ON /PORT COM1 /BAUD 19200 /ID 1

BEST PRACTICE

bootcfg.exe Syntax

The syntax for the bootcfg.exe /EMS command is as follows:

BOOTCFG /EMS value [/S system [/U user [/P [password]]]] [/PORT port] [/BAUD baudrate] [/ID bootid]

Parameter List:

/EMS value        ON, OFF, or EDIT
/S computer       Specifies a remote computer
/U Domain\user    Specifies the user context under which the command executes
/P password       Password for the user account
/PORT port        Specifies the COM port to be used for redirection. Valid ports are COM1, COM2, COM3, COM4, and BIOSSET (EMS uses the BIOS settings).
/BAUD baudrate    Valid baud rates are 9600, 19200, 57600, and 115200.
/ID bootid        Specifies the boot entry ID to which the EMS option is added. This is required when the EMS value is set to ON or OFF.
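What bootcfg /EMS ON actually does is edit boot.ini: it writes redirect= (the port, or UseBiosSettings for BIOSSET) and redirectbaudrate= under [boot loader] and appends the /redirect switch to the chosen boot entry. As an added example that is not part of the book, the following PowerShell parses a boot.ini, reports whether that redirection is present, and prints the bootcfg command needed for any entry that still lacks it, which is a quick way to audit EMS across a fleet before an outage rather than during one. The boot.ini text is a constructed sample; the function names are this example's own. Boot entry IDs are assigned the way bootcfg /query numbers them, in file order starting at 1.

```powershell
# Added example, not from the book. Inspects boot.ini for the Emergency Management
# Services redirection that "bootcfg /EMS ON" writes and builds the command to
# enable it on any boot entry that does not carry it. The boot.ini text below is
# constructed sample input; on a real server read the hidden, read-only C:\boot.ini.

$SampleBootIni = @'
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
redirect=COM1
redirectbaudrate=19200
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /redirect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Enterprise (test)" /fastdetect
'@

function Get-EmsConfig {
    # Returns the [boot loader] redirection settings and, per entry, whether /redirect is set.
    # Boot entry IDs are assigned the way bootcfg /query numbers them: file order, from 1.
    # PowerShell's -match is case-insensitive, which matches how boot.ini is read.
    param([string]$BootIniText)
    $port = $null; $baud = $null; $entries = @(); $section = ''; $id = 0
    foreach ($raw in ($BootIniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; continue }
        switch ($section) {
            'boot loader' {
                if ($line -match '^redirect=(\S+)$')          { $port = $matches[1] }
                if ($line -match '^redirectbaudrate=(\d+)$') { $baud = [int]$matches[1] }
            }
            'operating systems' {
                $id++
                $entries += New-Object PSObject -Property @{
                    Id        = $id
                    Entry     = $line
                    Redirects = ($line -match '\s/redirect(\s|$)')
                }
            }
        }
    }
    New-Object PSObject -Property @{ Port = $port; Baud = $baud; Entries = $entries }
}

function Get-EmsEnableCommands {
    # One bootcfg command per entry that still lacks /redirect. /PORT BIOSSET would be
    # written to boot.ini as redirect=UseBiosSettings.
    param($Config, [string]$Port = 'COM1', [int]$Baud = 19200)
    $cmds = @()
    foreach ($e in $Config.Entries) {
        if (-not $e.Redirects) {
            $cmds += "bootcfg /EMS ON /PORT $Port /BAUD $Baud /ID $($e.Id)"
        }
    }
    return ,$cmds
}

# Usage with the constructed sample. On a server substitute:
#   $text = (Get-Content C:\boot.ini -Force) -join "`n"
$cfg = Get-EmsConfig -BootIniText $SampleBootIni
"EMS port: $($cfg.Port)  baud: $($cfg.Baud)"     # COM1 / 19200 for the sample
Get-EmsEnableCommands -Config $cfg               # sample yields the command for /ID 2 only
```

If neither redirect= nor any /redirect switch is present, EMS is off regardless of what the firmware does, which is the state to catch during provisioning; the /ID value must be checked against the entry you actually boot, since the sample's second entry is the one left unredirected.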

Configuring the Serial Connection for EMS

As indicated in the previous section, for EMS to manage Windows Server 2003, properly designed hardware must be integrated and configured on the server. The server motherboard should support the Serial Port Console Redirection (SPCR) table. If it does not, the SPCR table will have to be configured manually. The server firmware should also be able to release control of the serial port to Windows Server 2003 once the operating system is started in order to take advantage of most EMS functionality. Additional hardware, such as a service processor that is independent of the main server processor, will enhance EMS functionality. If the server hardware includes a service processor, console redirection should be available. The firmware must also use the same terminal conventions as EMS.

The serial port is the most common out-of-band hardware interface because it provides multiple methods of remote access, such as terminal concentrators and modems. By default, EMS uses the first serial port (COM1 at 3F8). It is important to verify that the motherboard serial ports are enabled, and that no other device is using that resource. EMS and the Windows debugger cannot share the same COM port.

The actual configuration of the serial port will depend on the firmware settings available for a server. Some computers will enable user configuration, whereas others might simply have an Enabled/Disabled setting. Best practices for hardware configuration with EMS are as follows:

• Enable the appropriate port and maintain the default setting. Because EMS works with COM1 at 3F8 automatically in most cases, this should be the target configuration.
• Configure the port to use the highest baud rate available to the hardware. This will provide the best performance and reduce slow text-mode processes.
• Use a null modem cable with the serial port connection.
• Select hardware and firmware that support VT-UTF8. This terminal environment provides the best compatibility with EMS. Sending the proper command escape sequences is more difficult in a telnet session using VT100 and VT100+.
• Protect whatever terminates the serial cable (terminal concentrator, modem, or service processor) as you would the physical console. The serial link carries no encryption or authentication of its own, and the SAC commands that restart, shut down, or crash the server are available to anyone holding the line before any logon takes place; only the command prompt channel asks for credentials.

Special Administration Console (SAC)

The Special Administration Console (SAC) is the primary EMS command-line environment available to Windows Server 2003. The SAC is different from the typical command-line environment, and provides functionality intended for out-of-band management scenarios.

When EMS is enabled, SAC is available as long as the Windows Server 2003 kernel is running. SAC provides commands to perform the following management tasks:

• Restart or shut down the server (restart, shutdown).
• View and end active processes (t, k).
• View and set the server IP address (i).
• Generate a Stop error to create a memory dump (crashdump).
• Start and access command prompts (cmd, ch).

Terminal Conventions Supported by EMS

The terminal conventions supported by EMS in Windows Server 2003 are VT100, VT100+, and VT-UTF8. Using the same terminal conventions in the server firmware, service processor, and client terminal ensures a consistent environment for managing servers in all states of operation (or failure).

Because SAC enables you to access the command prompt, any text-based utilities usable in a Telnet session are available (provided there are system resources to run them). For example, the common communications accessory, HyperTerminal, can be used to access SAC on an EMS-enabled server, as shown in Figure 8.4.

FIGURE 8.4 Using HyperTerminal to access the SAC command line.

SAC includes command shell utilities, such as dir, and text-based console programs, such as bootcfg.exe. Access to the command prompt requires a user logon with a local or domain account.

If SAC fails or becomes unavailable, the !Special Administration Console (!SAC) is enabled. !SAC is an auxiliary console environment hosted by Windows Server 2003 that has a subset of the features available with SAC. With !SAC, you can redirect Stop error message text and restart the server.

Using and Configuring Remote Assistance

Remote Assistance is a feature that was introduced in Windows XP that enables a user on one computer to remotely view and even take control of the desktop environment of another user's computer. The interaction between the two computers is initiated either through an invitation or through an offer of assistance from one user to the other. For organizations that have deployed Windows XP in their desktop environment, Remote Assistance is a valuable tool for help desk departments. Many service calls that once required a visit to the end user to resolve a problem can now be resolved interactively through a Remote Assistance session.

Carrying the functionality forward, the Remote Assistance tool is also available in Windows Server 2003. Whereas Remote Assistance is a valuable tool for the help desk in a desktop environment, it becomes a valuable collaborative tool for system administrators in the server environment. Using Remote Assistance, an administrator of one server can request or offer remote assistance to an administrator of another server. The two administrators can then collaboratively resolve server configuration issues in real time through the same GUI on the server in question without having to be physically at the server.

This section describes how to configure and use the Remote Assistance tool to carry out collaborative remote administrative sessions on Windows Server 2003 servers.


Requirements for Remote Assistance

To take advantage of Remote Assistance, both machines engaging in a collaborative session must be running either the Windows XP or the Windows Server 2003 operating system. Additionally, both machines must be connected via a common network. What makes Remote Assistance so flexible is that the common network can be the Internet.

If the collaborative session is initiated by one administrator sending an invitation to the other administrator, the computer sending the invitation must be able to transfer a file. The file can be transferred through e-mail, or automatically through the Help and Support Center, which uses Outlook Express or Windows Messenger. The file can also be saved and transferred by any other means of transferring a file. Treat the invitation file as a credential: together with its password it is all that is needed to connect to the inviting server until the invitation expires, so send it over a channel you trust, set a short expiration, and communicate the password separately.

If the collaborative session is initiated by an offer to assist, thus bypassing the invitation, then both computers must be in the same domain or be members of two trusting domains. Additional configuration is necessary for a machine to accept Remote Assistance offers, which is discussed later in the section. Because an offer needs no invitation, the accounts allowed to offer assistance effectively hold interactive access to every server that accepts offers, and that list deserves the same scrutiny as a local administrators group.

To use Remote Assistance in Windows Server 2003, it must be enabled. For security purposes, it is disabled by default. To enable Remote Assistance, perform the following steps:

1. Open the System applet in the Control Panel.
2. Go to the Remote tab, and select the Turn On Remote Assistance and Allow Invitations to Be Sent from This Computer check box.
3. Click the Advanced button, enable the Remote Control feature, and set the invitation expiration, as shown in Figure 8.5.

FIGURE 8.5 Configuring Remote Assistance.
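The Remote tab check box above sets a single registry value, and Group Policy can override it together with the remote control and expiration options and the list of accounts allowed to offer help. As an added example that is not from the book, the following PowerShell reports those settings so the state of a server can be checked without clicking through the System applet. It assumes the documented value names: fAllowToGetHelp under the Terminal Server key for the local switch, and fAllowToGetHelp, fAllowFullControl, MaxTicketExpiry, MaxTicketExpiryUnits, fAllowUnsolicited and fAllowUnsolicitedFullControl under the Terminal Services policy key for the Solicited and Offer Remote Assistance policies. The Offer Remote Assistance Helpers local group name and the parsing of net localgroup output are this example's assumptions, as are the function names.

```powershell
# Added example, not from the book. Reports the Remote Assistance settings that
# matter on a server: the local switch written by the Remote tab, the Group Policy
# values that override it, and the accounts allowed to offer help without an
# invitation. MaxTicketExpiryUnits: 0 = minutes, 1 = hours, 2 = days.

$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Units     = @{ 0 = 'minutes'; 1 = 'hours'; 2 = 'days' }

function Get-RegValue {
    # $null means the value (or the whole key) is absent, i.e. the policy is not configured
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RemoteAssistanceConfig {
    $expiry = Get-RegValue $PolicyKey 'MaxTicketExpiry'
    $unit   = Get-RegValue $PolicyKey 'MaxTicketExpiryUnits'
    $maxAge = $null
    if ($null -ne $expiry) { $maxAge = "$expiry $($Units[[int]$unit])" }
    New-Object PSObject -Property @{
        # The Remote tab check box writes this; a policy value, when present, takes precedence
        LocalEnabled           = ((Get-RegValue $LocalKey 'fAllowToGetHelp') -eq 1)
        PolicySolicited        = (Get-RegValue $PolicyKey 'fAllowToGetHelp')
        PolicyFullControl      = (Get-RegValue $PolicyKey 'fAllowFullControl')
        PolicyMaxInvitationAge = $maxAge
        PolicyOfferAllowed     = (Get-RegValue $PolicyKey 'fAllowUnsolicited')
        PolicyOfferFullControl = (Get-RegValue $PolicyKey 'fAllowUnsolicitedFullControl')
    }
}

function Get-OfferHelpers {
    # Members of the local group that the Offer Remote Assistance policy populates
    # (assumed name: "Offer Remote Assistance Helpers"; absent until the policy has applied).
    # net.exe lists members between the dashed separator and the "The command completed" line.
    $out = & net localgroup 'Offer Remote Assistance Helpers' 2>$null
    if (-not $out) { return @() }
    $members = @(); $inList = $false
    foreach ($line in $out) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }
    return ,$members
}

# Usage: print the effective configuration, then the accounts that can connect uninvited
$cfg = Get-RemoteAssistanceConfig
$cfg | Format-List
if ($cfg.PolicyOfferAllowed -eq 1) {
    'Accounts that can offer assistance without an invitation:'
    Get-OfferHelpers
}
```

A PolicySolicited of 0 means Group Policy has switched Remote Assistance off regardless of the Remote tab, and a $null in any policy field means the local setting is what counts. The two findings worth acting on are a long PolicyMaxInvitationAge (an invitation file that stays valid for days) and a helpers list containing groups broader than the administrators who are meant to offer help.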

Sending a Remote Assistance Invitation

This section steps through the process by which a collaborative session is initiated through an invitation for Remote Assistance. The invitation can be sent in one of three ways:

• Using Windows Messenger. Windows Messenger is the preferred method for sending the invitation for assistance because it provides additional ways for the two machines to find each other over the Internet. If the two computers are on separate networks, separated by firewalls, and/or use Network Address Translation (NAT), this is the method to use.
• Sending an e-mail. Remote Assistance uses Simple MAPI (Messaging Application Programming Interface) to help compose the invitation. The inviter, or Novice, sends an e-mail to the invitee, or Expert, with an attachment. When the Expert opens the attachment, he is prompted for a password, provided that the Novice specified one, and the process continues.
• Saving and transferring a file. This method is used if there is no compatible MAPI client installed, or if other prerequisites are not available. This option enables the Novice to save the same file that would otherwise be created and attached to an e-mail to her local drive or to a network share. The file can be transferred on a network share, a floppy disk, or by other means. When the Expert receives the file, he can double-click it to open the invitation and start the Remote Assistance session.

To invite another administrator for Remote Assistance by sending a file, perform the following steps:

1. Open Help and Support Center by clicking Start and then clicking Help and Support.
2. Under Ask for Assistance, click Invite a Friend to Connect to Your Computer with Remote Assistance.
3. Click Invite Someone to Help You.
4. Click Save Invitation as a File.
5. Specify the inviter's name and an expiration time for the invitation, then click Continue.
6. Type in a password that will unlock the invitation, retype the password for confirmation, and click Save Invitation.
7. Select a location accessible to the Expert to save the file.
8. When the Expert receives the invitation, the Expert is prompted for the password. After supplying this password, the Expert can initiate the Remote Assistance session.
9. After the Expert initiates the session, the Novice's computer verifies the password that the Expert entered.
10. The Novice's computer also checks to make sure that the invitation that the Expert used is a valid invitation and that the invitation is still open.
11. If the invitation is open and the password is correct, the Novice receives a notification stating that the Expert wants to start the session now, and the Novice is prompted to start the Remote Assistance session.
12. If the Novice chooses to start the session, the Remote Assistance Novice chat dialog box opens on the Novice's computer, as shown in Figure 8.6, and the Remote Assistance Expert console opens on the Expert's computer. At this point, the Expert can see everything on the Novice's computer, in real time.
13. The Expert can request to take control of the Novice's computer at this point by clicking the Take Control button on the Expert console. This sends a message to the Novice's computer notifying the Novice that the Expert is requesting to take control of the computer.
14. When the collaborative session is complete, the session can be ended by the Novice or the Expert by clicking the Disconnect button.

Remote Assistance

If an e-mail client has not yet been configured, Remote Assistance attempts to help the Novice configure it. To change the e-mail client that Remote Assistance uses, in Control Panel, double-click Internet Options, and on the Programs tab, change the e-mail setting to the appropriate e-mail client. Some e-mail clients that do not support Simple MAPI will not appear as an option in the Internet Options Control Panel program.

    Securing and Monitoring Remote Administration

    Remote administration of servers is a valuable tool for distributed IT organizations. It is impor-

    tant, though, when enabling remote administration features in Windows Server 2003, to main-

    tain a high level of security for the server resources. Windows Server 2003 installs but disables

    remote access features by default for security purposes. When enabling these features, ensure

    that only administrators with the proper credentials will be able to remotely gain access to the

    server. This section provides tips on securing and monitoring remote administration.

    FIGURE 8.6 Establishing a RemoteAssistance session.

    After the Expert Takes Control

    After the Expert takes control, the Remote

    Assistance session responds to both users

    inputs. As a result, the mouse might behave

    erratically if both the Expert and Novice are

    attempting to control the session. If the Novice

    stops control, the Remote Assistance session

    continues and the Expert can still see the

    Novices desktop.


Securing Remote Administration

The security implications of enabling remote administration are fairly obvious. With remote administration features enabled, users who log on remotely can perform tasks as if they were sitting right in front of the server. Depending on the role the server plays in the organization, unauthorized access to a server can jeopardize a company's entire business. For this reason, it is important to protect the server from unauthorized access. Part I of this book, "Security Solutions," provides detailed approaches to securing Windows Server 2003. The following checklist points out key items to keep in mind for servers with remote administration features enabled:

• Depending on the topological location of the server, firewall technologies can be used to protect the server. Some servers, such as VPN and Web servers, are more prone to attack due to their topological proximity to the Internet. As such, firewalls should be deployed and properly configured to filter network traffic to and from such servers.
• Enable IPSec. IPSec policies provide both the strength and flexibility to protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. IPSec can even be used to block receipt or transmission of specific traffic types. With an Active Directory domain, IPSec policies can be enforced using Group Policy.
• Require all users who make remote connections to use strong passwords. The role that passwords play in securing an organization's network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to the server. Password-cracking tools continue to improve, and the computers that are used to crack passwords are more powerful than ever.
• Limit the users who can log on to the server remotely. You can leverage security templates or group policies to limit who can connect to a server through Terminal Services. The setting Allow Logon through Terminal Services can be found in the Group Policy Editor by navigating to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
• Always password-protect Remote Assistance. A Remote Assistance invitation that has no password associated with it might be intercepted by an attacker, giving him the capability to remotely interact with a server. For this reason, it is also important to set an expiration time on the invitation.

Monitoring Remote Administration

Proper auditing practices go hand-in-hand with any good security policy. The Terminal Services Manager tool can be used to view and interact with remote connections in real time, but this is only helpful to view a server's current status. It is important to maintain and review the security logs of servers, as well as set up the proper items to monitor for events that occur when you are not actively watching for remote connections.

Auditing policies can be enforced on a server-by-server basis by applying security templates through the Security Configuration and Analysis MMC snap-in. In an Active Directory environment, auditing policies can be applied by group policy, as shown in Figure 8.7.


For servers enabled for remote administration, it is important to audit the success and failure of logon events, account management, policy changes, and system events. Also, failure of privileged use events should be logged.
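As an added example that is not part of the book, the following Python script applies the auditing advice above to a constructed, flattened export of a Windows Server 2003 Security log. It relies on the pre-Vista event IDs 528 (successful logon) and 529 (failed logon) together with logon type 10, which Terminal Services, Remote Desktop and Remote Assistance sessions use, to flag repeated failed remote logons from one address and successful remote logons by accounts outside an approved list; the export layout, account names and addresses are assumptions.

```python
"""Scan a Windows Server 2003 Security log export for risky Terminal Services logons."""
import re
from collections import Counter

# Pre-Vista Security log event IDs and the logon type Terminal Services sessions use.
LOGON_SUCCESS, LOGON_FAILURE, REMOTE_INTERACTIVE = 528, 529, 10
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
USER_RE = re.compile(r"User Name:\s*(\S+)")
SOURCE_RE = re.compile(r"Source Network Address:\s*([\d.]+)")

# Constructed sample: "Event ID,Date,Time,Description" with each multi-line event
# description flattened onto one line. Names, domain and addresses are made up.
SAMPLE_EXPORT = """\
529,4/10/2004,02:11:03,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: COMPANYABC Logon Type: 10 Workstation Name: WS01 Source Network Address: 10.1.1.55
529,4/10/2004,02:11:09,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: COMPANYABC Logon Type: 10 Workstation Name: WS01 Source Network Address: 10.1.1.55
529,4/10/2004,02:11:14,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: COMPANYABC Logon Type: 10 Workstation Name: WS01 Source Network Address: 10.1.1.55
540,4/10/2004,02:12:00,Successful Network Logon: User Name: svc_backup Domain: COMPANYABC Logon Type: 3 Source Network Address: 10.1.1.9
528,4/10/2004,02:12:31,Successful Logon: User Name: jdoe Domain: COMPANYABC Logon Type: 10 Workstation Name: WS07 Source Network Address: 10.1.1.70
528,4/10/2004,02:13:02,Successful Logon: User Name: adminops Domain: COMPANYABC Logon Type: 10 Workstation Name: ADMINWS Source Network Address: 10.1.1.10
529,4/10/2004,02:13:40,Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: COMPANYABC Logon Type: 2 Workstation Name: SERVER1
"""

def parse_export(text):
    """Turn the flattened export into event dicts; fields absent from an event become None."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        event_id, _date, _time, description = line.split(",", 3)
        fields = [rx.search(description) for rx in (LOGON_TYPE_RE, USER_RE, SOURCE_RE)]
        logon_type, user, source = [m.group(1) if m else None for m in fields]
        events.append({
            "id": int(event_id),
            "logon_type": int(logon_type) if logon_type else None,
            "user": user.lower() if user else None,   # account names are case-insensitive
            "source": source,
        })
    return events

def analyze(events, approved_remote_admins, failure_threshold=3):
    """Report sources with repeated failed Terminal Services logons and successful
    Terminal Services logons by accounts that are not on the approved list."""
    approved = {name.lower() for name in approved_remote_admins}
    failures, unexpected = Counter(), []
    for ev in events:
        if ev["logon_type"] != REMOTE_INTERACTIVE:
            continue  # console, network and service logons are out of scope here
        if ev["id"] == LOGON_FAILURE:
            failures[ev["source"] or "unknown"] += 1
        elif ev["id"] == LOGON_SUCCESS and ev["user"] not in approved:
            unexpected.append((ev["user"], ev["source"]))
    return {
        "failed_remote_logons": dict(failures),
        "brute_force_sources": sorted(s for s, n in failures.items() if n >= failure_threshold),
        "unexpected_remote_admins": sorted(unexpected),
    }
```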

Delegating Remote Administration

Perhaps the easiest way to control who has access to log on remotely to a server is to modify the built-in Remote Desktop Users group. By default, the security settings on Windows Server 2003 servers limit remote access to administrators and the Remote Desktop Users group.

To extend this security by limiting what a user can do after a remote session has been established to a server, you can delegate administration in Windows Server 2003. By delegating administration, a wide range of administrative tasks can be assigned to the appropriate users and groups. You can assign basic administrative tasks to regular server admin groups, and leave domainwide and forestwide administration to members of the Domain Admins and Enterprise Admins groups.

You can delegate administration by using either the Delegation of Control Wizard or the Authorization Manager MMC snap-in. The Delegation of Control Wizard walks you through a series of steps to execute the process. The Authorization Manager provides a bit more flexibility, but with a lot more complexity. The Delegation of Control Wizard is detailed in Chapter 4, "Distributing Administration."


FIGURE 8.7 Setting up an audit policy in group policy.


    Administering IIS in Windows Server 2003 Remotely

There are three different options available in Windows Server 2003 to manage Web services provided by Internet Information Services remotely: using the Internet Information Services (IIS) Manager, using Terminal Services, and using the Remote Administration (HTML) tool. Choosing the correct option depends on the type of administration necessary, the network connection, and the type of client machine from which the administrator is working. This section describes the different remote administration options for Web server administrators and defines the scenarios in which each method is appropriate.

Using Internet Information Services Manager (IIS)

Internet Information Services Manager is the default tool by which Web services are administered on a Web server. In addition to managing the Web services on a local server, this administrative tool can be configured to connect to other servers running IIS. It is important to keep in mind that the IIS Manager should be used to remotely connect to Web servers available on the intranet, not on the Internet.

Windows Server 2003 provides a completely reworked version of IIS: version 6. Although there are many new features available in IIS 6.0, the manager tool installed with the Web service supports the management of down-level versions of IIS. So, in addition to providing remote administrative functionality to servers running IIS 6.0, the IIS Manager also can remotely connect to and manage Web servers running IIS 5.1 and 5.0.

To use the Internet Information Services Manager to manage a Web server remotely, follow these steps:

1. On the IIS 6.0-based server, click Start, point to Administrative Tools, and then click Internet Information Services Manager.
2. Click on the Action menu, and choose Connect.
3. In the Computer Name box, type the computer name of the remote Web server, and then click OK. It is also possible to enter the IP address of the Web server, as shown in Figure 8.8.
4. The remote computer is displayed under Internet Information Services (IIS) in the tree pane.

It Might Not Be Possible to Connect to an IIS Computer
If TCP/IP and a name resolution server such as Windows Internet Naming Service (WINS) are not available, it might not be possible to connect to an IIS computer by using the computer name.


Using Terminal Services

If Remote Desktop for Administration is enabled on the Web server, you can connect to and administer IIS using the RDP client. Just as the previous method of connecting to a Web server with IIS Manager provided down-level support to Web servers that are not running IIS 6.0, the terminal service method of remote administration provides an up-level mode of administration. So, the client workstation from which the remote connection is made can administer IIS 6.0 from any operating system that supports the terminal service client. In addition to using Windows Server 2003, the client machine can be Windows 98, NT 4.0, XP, or 2000.

To remotely administer an IIS server with terminal services, simply follow these steps:

1. On a computer on which the Terminal Services client is installed, start the Terminal Services client.
2. Connect to the remote IIS-based computer.
3. From the Terminal Services Client window, administer IIS as if logged on to the computer locally. For example, click Start, point to Administrative Tools, and then click Internet Information Services Manager to start the Internet Information Services Manager.

Using the Remote Administration (HTML) Tool

To manage Web servers through a Web browser, you can configure and use the Remote Administration (HTML) tool. Though this tool does not offer the full feature set of the Internet Information Services Manager, you can perform most Web and FTP site management tasks with the added flexibility of accessing your servers from the Web.

The Remote Administration (HTML) Tool provided with Windows Server 2003 IIS is not backwards compatible. In other words, it cannot be used to manage IIS 5.0 or 5.1; it will only work with IIS 6.0.

The HTML tool is not enabled by default when IIS 6.0 is installed. Also, depending on how IIS was installed on the server, the HTML tool might need to be added before it can be used. To add the HTML tool to an existing IIS server, perform the following steps:

1. From the Control Panel, run Add or Remove Programs.
2. Choose Add/Remove Windows Components.
3. Navigate to Application Server\Internet Information Services\World Wide Web Services and then choose Remote HTML Administration. Click the OK button three times for dialog prompts and then click Next.
4. Insert the Windows Server 2003 installation media when prompted.
5. When the installation completes, click Finish.

FIGURE 8.8 Remotely managing an IIS server.

After the HTML tool is installed, the remote administration functionality must be enabled in Internet Information Services Manager. To maintain a high level of security for the Web server, it is important to restrict remote access to the server to a select IP address or group of IP addresses from which the server can be remotely administered. In the following example, a Web server will be enabled for remote administration, but will be configured so that only a computer with an IP address of 192.168.20.20 will be able to remotely administer IIS for that server. To enable the HTML remote administration tool, perform the following steps:

1. Click Start, point to Administrative Tools, and then click Internet Information Services Manager.
2. Expand ServerName, where ServerName is the name of the Web server, and then expand Web Sites.
3. Right-click Administration and then click Properties.
4. Under Web Site Identification, record the numbers that are displayed in the TCP Port and SSL Port boxes. The defaults are 8099 and 8098.
5. Click the Directory Security tab, and then click the Edit button under IP address and domain name restrictions.
6. In the IP Address and Domain Name Restriction dialog box that appears, click Denied Access, and then click Add.
7. The Grant Access On dialog box appears. Under Type, click Single computer.
8. Type the IP address, in this example 192.168.20.20, as shown in Figure 8.9, and then click OK.
9. Click OK again to complete the configuration, and close Internet Information Services Manager.

Opening Remote Administration
Although it is possible to open remote administration of Web servers and Web sites to all computers, it is advisable for security purposes to grant access to only a select group of computers.
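The restriction configured in the steps above is only as good as its default action. As an added illustration that is not part of the book, the following Python model reproduces how the Directory Security "IP address and domain name restrictions" decision works (Denied Access with a list of granted computers versus Granted Access by default) and reports which probe addresses could reach the Administration site; the class and function names and the probe addresses are assumptions, and the book's own 192.168.20.20 is used as the single granted computer.

```python
"""Model the IIS 6.0 'IP address and domain name restrictions' decision so a
restriction list for the Administration Web site can be checked before it is trusted."""
import ipaddress


class IpRestrictions:
    """Default action plus an exception list, as the Directory Security tab expresses it:
    'Denied Access' (only listed computers may connect) or 'Granted Access' (all but listed)."""

    def __init__(self, denied_by_default):
        self.denied_by_default = denied_by_default
        self.exceptions = []   # single computers (/32) or groups (network ID + subnet mask)

    def add_single_computer(self, ip):
        self.exceptions.append(ipaddress.ip_network(ip))

    def add_group(self, network_id, subnet_mask):
        self.exceptions.append(ipaddress.ip_network(f"{network_id}/{subnet_mask}"))

    def allows(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        listed = any(addr in net for net in self.exceptions)
        # Under Denied Access the list grants; under Granted Access the list denies.
        return listed if self.denied_by_default else not listed


def reachable_from(policy, probe_ips):
    """Return the probe addresses the policy would let reach the HTML administration site."""
    return [ip for ip in probe_ips if policy.allows(ip)]


def weaknesses(policy, max_group_size=256):
    """Flag a policy that leaves the site open by default or grants a very large group."""
    issues = []
    if not policy.denied_by_default:
        issues.append("Granted Access by default: any computer not on the list may connect")
    else:
        for net in policy.exceptions:
            if net.num_addresses > max_group_size:
                issues.append(f"grant entry {net} covers {net.num_addresses} addresses")
    return issues


# Constructed policies. The chapter's example: Denied Access, single computer 192.168.20.20.
RESTRICTED = IpRestrictions(denied_by_default=True)
RESTRICTED.add_single_computer("192.168.20.20")

# Weak setting: Granted Access by default with nothing listed, i.e. open to every computer.
OPEN_TO_ALL = IpRestrictions(denied_by_default=False)

# Variation: a group of administrative workstations instead of one computer (assumed subnet).
ADMIN_SUBNET = IpRestrictions(denied_by_default=True)
ADMIN_SUBNET.add_group("192.168.20.0", "255.255.255.0")

PROBES = ["192.168.20.20", "192.168.20.21", "10.0.0.5", "203.0.113.9"]  # constructed
```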


After the Remote Tool is installed, and the Web server is enabled for remote administration, perform the following steps to remotely administer the Web server:

1. Start Microsoft Internet Explorer, and then type the host name of the Web server, followed by the port number that was recorded earlier in the SSL Port box, and then click Go. For example, if the Web server is on an intranet, and the SSL port number is 8098, type the following URL: https://ServerName:8098 (where ServerName is the name of the Web server).
2. At the prompt, enter a username and password for the Web server. The Remote Administration Tool is then displayed in the browser window.
3. From this point, there are several links and options to choose from in administering the Web server. Choose one that is appropriate for the task at hand and continue to remotely manage the server.

Summary

Windows Server 2003 provides a wealth of options that enable administrators the flexibility necessary to manage servers in a distributed IT environment through remote administration tools and techniques. Although some tools are really just enhancements of technologies introduced in earlier operating systems, there are many new features that make Windows Server 2003 a compelling alternative and worthwhile investment in terms of both manageability and security. Administrators can now remotely attach to servers without a network connection, keyboard, mouse, or video adapter to troubleshoot and bring the server back online without


FIGURE 8.9 Securing Remote Administration of IIS.