When Windows Server 2008 is adopted by more people I will combine Admin Reports Forum into the new forum to make a one stop shop for all your Windows Server needs.

Be one of the first to register at the new Windows Server 2008 Forum.

Also coming soon will be a Windows Server 2008 forum

In the upcoming days I will be adding articles about my experience setting up and configuring Windows Server 2008. Many tasks that I used to make my life easier are already included and only have to be installed and turned on. For one backing up the servers will be much easier.

For now I’ll post a screenshot of Windows Server 2008. This was taken after the initial install. This is a large screenshot, 1920×1200, so be aware of that before you open it.

Look for more articles, tutorials, screenshots, tips and tricks in the near future. I will document each step of the way as I upgrade all my servers to Windows Server 2008.

Read on to determine if RPC over HTTP is installed and if it is how to secure your server against any attack that exploits this vulnerability.

The DCOM exploits present in Windows Server 2003, referenced in Microsoft Security Bulletin MS03-039 and CERT Advisory CA-2003-19, are also present in the RPC over HTTP interface.

This interface is not installed by default, but can be added using the Add / Remove Programs control panel applet.

To determine if RPC over HTTP is installed:

1. In Control Panel, click Add / Remove Programs.
2. Click Add / Remove Windows Components.
3. Click Networking Services, then click Details.
4. If the RPC over HTTP Proxy box is checked, then RPC over HTTP is installed on the server.

DCOM is a protocol than can be used oon top of RPC over HTTP. By default, any server with RPC over HTTP installed will accept DCOM requests using this protocol. Accepted DCOM requests are then sent to TCP port 593.

Security best practices demand the disabling or removal of all non-essential components and services. DCOM support within RPC over HTTP can be removed by modifying the registry.

To remove DCOM support within RPC over HTTP:

1. Use a registry editing tool to navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
2. Locate the ValidPorts value.
3. By default, the value will contain the following entry: :100-5000This allows RPC over HTTP to use TCP ports 100 through 5000. As DCOM uses TCP port 593, we can disable it as follows:
4. Edit the ValidPorts value to contain the following: :100-592;:594-5000
5. Remove or amend any other entries that contain reference to TCP port 593 or port ranges spanning TCP port 593 in the manner demonstrated above.

When you remove entries for port 593, you prevent DCOM from being used through the RPC over HTTP protocol, but RPC programs (like the Outlook 2003 client) are permitted to connect to the RPC server (Exchange 2003 Server) through RPC over HTTP. More information on RPC over HTTP can be found on the Microsoft website.

Use it when you move to another Windows server. You can even use it to load a new website so you don’t have to configure PHP or any other extensions or loadable modules. Keep in mind if you do want to load a new website to duplicate the configuration you’ll have to change the host headers and IP address assigned to the new site in Windows Server IIS manager.

Let’s get started.

First thing to do is start IIS manager. Start > Administrative Tools > Internet Information Services(IIS) Manager.

Once you have it open right click Websites and select New > New website from file. A browse to box will popup and you can browse to the location you saved the site configuration to.

Once you browse to the file click Read. In the bottom box some text will scroll and it will say successful if it imported correctly. If it didn’t it will tell you the errors. You can manually edit the xml file to correct the errors if you wish.

If you used this to create a new website with the same configuration as an existing site then right click the new website and change host headers and IP address.

Thats’ it. If you have any questions post a comment to this article. If you need one on one help visit Admin Reports Forum.

I’ll attach the batch files at the end of the post for those that don’t want to copy and paste the code. Now lets get started.

For the first method you’ll need the batch file and a text file with you FTP login information and you’ll need a command line zip program. You can use Winzip Command Line Tools if you have Winzip installed on the sever or7zip if you have it installed. I use GNU Gzip, you download it at the projects Sourceforge page, so this tutorial will be specific to it.

First the batch file to create the backup.

Copy and paste this into your text editor and save as mysql-ftp.bat:

@ECHO OFF

@REM Set directory variables.
SET basedir=C:\Backup
SET workdir=C:\Temp
SET mysqldir=C:\path\to\mysql\bin
SET gzipdir=C:\PROGRA~1\GnuWin32\bin
SET mysqlpassword=mysqlpassword
SET mysqluser=mysqluser

@REM Change to mySQL directory
CD %mysqldir%

@REM dump all databases.
mysqldump -u %mysqluser% -p%mysqlpassword% –all-databases >%workdir%\backup.sql

@REM Change to working directory
CD %workdir%

@REM Zip up databases
%gzipdir%\gzip.exe backup.sql

@REM Chage the file name to a random name
MOVE backup.sql.gz backup.%random%.gz

@REM FTP file offsite
FTP -n -s:%basedir%\ftp.txt

@REM Remove old backup files
del backup.sql
del backup.*.gz

@REM Change back to base dir
CD %basedir%

Some notes on the above.

• basedir is the directory you are launching the batch file from.
• workdir is the temp directory where the files are stored until the job is done.
• mysqldir is where your mysql binaries are.
• gzipdir is where you installed GNU gzip and this is default for the installer so no need to change it.
• mysqlpassword is the password to connect to mysql.
• mysqluser is mysql usr tht can connect to mysql.

Once the backup is made and FTP was sent the script will delete the backup file. If you want to keep the backups it created remove these lines.

@REM Remove old backup files
del backup.sql
del backup.*.gz


If you want to backup only one database instead of all of them change this line:

mysqldump -u %mysqluser% -p%mysqlpassword% --all-databases >%workdir%\backup.sql

To This:

mysqldump -u %mysqluser% -p%mysqlpassword% databasename >%workdir%\backup.sql

If you noticed this line,

FTP -n -s:%basedir%\ftp-commands.txt

You’ll now need the contents of the FTP script which you will place in the basedir where the batch file is. Here it is.

open
ftp.yourftpserver.com
user
username
password
bin
put backup.*.gz
quit


That’s it. Copy the batch file code, make any of the changes outlined above and call it backuptoftp.bat and copy the FTP script and name it ftp.txt.

Read on and I’ll give you another example that will make a date based backup and store it on your server for later transfer.

I am sure most of you by now know there is a LKM (Loadable Kernel Module) exploit that is nasty and hard as heck to clean.

Read this thread at Webhosting Talk. Make sure you read it through as there is a users there that has investigated several boxes.

The original story first broke a week or so ago at TheRegister and then again a couple days ago at TheChannelRegister.

Now it seems this problem is not easily fixable yet it is very easy for your server to be infected if you are targeted.

Here is where Windows comes into this. The injected javascript looks for exploit, some already patched and one that is new. If you run any of the vulnerable software on your home computer you could be exploited and not even know it.
The vulnerable lie in these components and software

MSIE ADODB

VML

MSIE WebViewFolderIcon

MSIE RealPlayer

QuickTime

AOL Superbuddy

The first 4 are directly related to IE and were patched a while ago. Although patched some people don’t keep up so they’ll get infected.
I’m not familiar with AOL SuperBuddy so I don’t know if it is patched.

The QuickTime exploit is new as of Jan. 10TH and the alert was revised today, Jan 18TH. and affects the QuickTime Updater as well as Qucktime.

In conclusion if you have a server check the sites on it for inclusion of random javascript. Read the article or thread at WHT so you’ll know what to look for. If you’re on a shared host make sure your site isn’t serving the js.

For people using IE, I’m not sure if Firefox will make you vulnerable and from what I’ve read no one knows, make sure you either shutoff javascript or make sure all exploits are fixed. Uninstall Quicktime and QuickTime Updater. If you have it installed and make sure QuickTime is patched with the patched with the newest versions.

I hope no one that reads this is exploited.

You can find the forum at Windows Server Forums

Password protecting websites, directories and files on Windows 2003 Servers is very easy. It only takes a couple clicks and it’s done. For users to access the protected areas they’ll need to have an account on the server. There are ways to avoid this by using Passport authorization, but for this article we’ll use Integrated Windows authentication.

First thing to do is open IIS Manager. Once you have it open select the website that has the directory or file you want to protect. Click on the + next to the website to expand the directory and file list.
Right click the directory or file and select properties. A property box will popup. Now select the Directory Security tab at the top of the properties dialogue.
Select Authentication and access control by clicking the button that says edit.
Uncheck the box that says enable anonymous access. Check the box below that says Intergrated Windows Authentication.
Close the box and select apply in the properties box. The directory is now protected and can only be accessed by users that have a valid user account on your server. Test it out by going to yoursite.tld/protected_directory.

If you want to password protect a directory or file in the website click the website in the left window and when the files expand in the right window right click the directory or file and follow the procedure above to password protect it.
If you have any questions post a comment to this article ask in Windows/IIS Forum.

Right click YouServerName in the left pane of the manager and select Configure a DNS server. The wizard will open. There will be a DNS checklist that you can click to make sure you have all the information you need to set up DNS for your domain.
Once you are sure you have all the information needed click next.
The first option, create a forward lookup zone, will be checked bydefault. Leave like that and click next.
This step is to set your server as the maintainer of the zone. The correct option that you want is checked by default so go ahead and click next.
The next step is to give this server a name. The name should be your domain. If you’re domain is mydomain.com then enter mydomain.com as the name. Once you enter the name click next.
Next thing is the creation of the zone file. The zone file holds all the data for this domain. It is similar to the zone files on Linux servers. No need to change this. Leave it as default. The default will be mydomain.dns. Click next to go to the next step.
In this step you’ll choose if you want to allow dynamic updates for this zone. It is not a good idea to enable this unless you plan on running a dynamic DNS server. One that can be updated by a script if the IP to your site changes. Leave this at default which is Do not allow dynamic updates. Click next to go to the next step.
This step is for forwarders. This should be set to yes, the first option and defaut option, if you have a master DNS server and what to forward lookup request to that server. I wll assume this will be your default DNS server for your domain so uncheck the first option and check the option to not forward queries.
That’s it. A DNS server for your domain is now set up.
In DNS manager in the left window expand forward zones and you’ll see a new folder called mydomain.com. Now you can set up your host (IP) records, mx records and nameservers so that your domain resolves to your server. In the next article I write about how to set up the domains.