Networking

Import SSL, Auto redirect http to https, Custom Error Page lock violation

Import SSL in IIS 7

To import an SSL certificate, it must be in PKCS #12 format (.pfx). If your SSL certificate is not in PKCS #12 format but you have the certificate and its private key, you can generate the .pfx file with the OpenSSL tool or with an online converter.

Once the .pfx file is generated, open IIS Manager by typing inetmgr in the Windows Run dialog. Select the server node in the left pane and double-click "Server Certificates" in the middle pane, then click "Import..." in the right pane. In the dialog that opens, select the .pfx file you generated and enter the password you gave when creating it, then click OK. Now you can assign the certificate to your domain using Bindings.
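As an added example (not part of the original page), the same two steps from a PowerShell prompt: packaging a PEM certificate, its private key and the intermediate chain into a PKCS #12 file with OpenSSL, then importing it into the LocalMachine Personal store that IIS reads from. Doing this locally rather than with an online converter keeps the private key on the box. The file paths, the password and the presence of openssl.exe on PATH are assumptions; the function names are defined here and are not built-in cmdlets. Binding the certificate to the site is still done in IIS Manager as described above.

```powershell
# Added example, not from the original page. Assumes openssl.exe is on PATH and
# that the PEM files below exist; paths and password are placeholders.
function New-PfxFromPem {
    param(
        [Parameter(Mandatory=$true)][string]$CertPem,   # server certificate (PEM)
        [Parameter(Mandatory=$true)][string]$KeyPem,    # matching private key (PEM)
        [string]$ChainPem,                              # intermediate CA certificate(s), optional
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$Password
    )
    # Note: -passout pass: puts the password on the command line, visible in the
    # process list while openssl runs; use -passout stdin when that matters.
    $opensslArgs = @('pkcs12', '-export', '-in', $CertPem, '-inkey', $KeyPem,
                     '-out', $PfxPath, '-passout', "pass:$Password")
    # Bundling the chain matters: without it IIS serves only the leaf certificate,
    # and clients that do not fetch intermediates themselves fail validation.
    if ($ChainPem) { $opensslArgs += @('-certfile', $ChainPem) }
    & openssl @opensslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
    return $PfxPath
}

function Import-PfxToMachineStore {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$Password
    )
    # MachineKeySet + PersistKeySet: the private key goes into the machine key
    # store (what IIS needs) and survives this script ending. Exportable is
    # deliberately NOT set, so the key cannot be pulled back out of the store later.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($PfxPath, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store ('My', 'LocalMachine')  # "Personal" in the MMC
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }
    finally { $store.Close() }
    # Confirm it landed; this thumbprint is the certificate you pick in the site's Bindings
    if (-not (Test-Path "Cert:\LocalMachine\My\$($cert.Thumbprint)")) {
        throw "certificate $($cert.Thumbprint) not found in LocalMachine\My after import"
    }
    return $cert.Thumbprint
}

# Usage (placeholder paths and password):
$pfx = New-PfxFromPem -CertPem 'C:\certs\www.example.com.crt' -KeyPem 'C:\certs\www.example.com.key' `
                      -ChainPem 'C:\certs\intermediate.crt' -PfxPath 'C:\certs\www.example.com.pfx' `
                      -Password 'ChangeMe-PfxPassword'
Import-PfxToMachineStore -PfxPath $pfx -Password 'ChangeMe-PfxPassword'
```

Run it from an elevated prompt; writing to the LocalMachine store and the machine key store requires administrator rights.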

Auto redirect http to https in IIS 7
Method 1 – Using Microsoft URL Rewrite Module

For this method of redirecting from HTTP to HTTPS, you will need to do the following:

1. Install the Microsoft URL Rewrite Module
2. Install your SSL certificate in IIS 7 and bind it to your website
3. Make sure Require SSL is NOT checked under SSL Settings for your website
4. Copy and paste the following rule into the web.config file in your website root directory, inside the <rules> element of the <rewrite> section.

<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>

5. Test the site by going to http://www.yoursite.com and making sure it redirects
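Added example, not part of the original instructions: the rule above only takes effect when it sits under configuration/system.webServer/rewrite/rules in the site's web.config, so this PowerShell inserts it into an existing web.config (creating the skeleton if the file is missing) instead of overwriting the file, then performs step 5 from the outside by checking that a plain HTTP request comes back as a redirect to an https URL. $SiteRoot and the test URL are placeholders, and both function names are defined here rather than being built-in cmdlets. The rule as written on the page uses redirectType="Found" (HTTP 302); once you have verified it works, Permanent (301) is the usual production choice so clients cache the redirect.

```powershell
# Added example, not from the original page. Inserts the page's rewrite rule into
# web.config under configuration/system.webServer/rewrite/rules and verifies the
# live redirect. $SiteRoot and the URL given to Test-HttpsRedirect are placeholders.
function Add-HttpsRedirectRule {
    param([Parameter(Mandatory=$true)][string]$SiteRoot)
    $path = Join-Path $SiteRoot 'web.config'
    $xml  = New-Object System.Xml.XmlDocument
    if (Test-Path $path) {
        Copy-Item $path "$path.bak" -Force         # keep a copy to diff against or roll back
        $xml.Load($path)
    } else {
        $xml.LoadXml('<?xml version="1.0" encoding="UTF-8"?><configuration />')
    }
    # Walk (creating as needed) configuration/system.webServer/rewrite/rules
    $node = $xml.DocumentElement
    foreach ($name in 'system.webServer', 'rewrite', 'rules') {
        $child = $node.SelectSingleNode($name)
        if ($child -eq $null) { $child = $node.AppendChild($xml.CreateElement($name)) }
        $node = $child
    }
    if ($node.SelectSingleNode("rule[@name='HTTP to HTTPS redirect']") -ne $null) {
        return $path                                # already present; nothing to do
    }
    $fragment = $xml.CreateDocumentFragment()
    $fragment.InnerXml = @'
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url="(.*)" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
'@
    [void]$node.AppendChild($fragment)
    $xml.Save($path)
    return $path
}

function Test-HttpsRedirect {
    param([Parameter(Mandatory=$true)][string]$HttpUrl)
    $req = [System.Net.HttpWebRequest]::Create($HttpUrl)
    $req.AllowAutoRedirect = $false    # inspect the 3xx itself instead of following it
    $req.Method = 'HEAD'
    $resp = $req.GetResponse()         # with auto-redirect off, a 3xx is returned, not thrown
    try {
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
    } finally { $resp.Close() }
    $ok = (@(301, 302, 307, 308) -contains $status) -and ($location -like 'https://*')
    New-Object PSObject -Property @{
        Url = $HttpUrl; Status = $status; Location = $location; RedirectsToHttps = $ok
    }
}

# Usage (placeholder path and host):
Add-HttpsRedirectRule -SiteRoot 'C:\inetpub\wwwroot'
Test-HttpsRedirect -HttpUrl 'http://www.yoursite.com/'
```

Test-HttpsRedirect reports RedirectsToHttps = True only when the status is a redirect and the Location header starts with https://; a 200 means the rule is not being hit (module not installed or the rule is outside the <rules> element), and a 403 means Require SSL is still ticked, which is the Method 2 setup rather than this one.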

Method 2 – Setting up a Custom Error Page
The second method of setting up an IIS 7 redirect from HTTP to HTTPS is to Require SSL on the site (or part of the site) and set up a custom 403.4 error page. To do this, follow these steps:

1. Install your SSL certificate in IIS 7 and bind it to your website
2. In IIS, click on the site name, and go to the SSL Settings section
3. Check the Require SSL box under the SSL Settings of your website
4. After doing this, users who come in over plain HTTP receive a 403.4 (SSL required) error.
5. Create a new text file and paste the following into it:

<html>
<head>
<title>Redirecting...</title>
<script type="text/javascript">
// Rebuild the requested URL with the https scheme and send the browser there.
// window.location.hostname deliberately omits the port, so a request that came
// in on port 80 ends up on the default HTTPS port 443.
function redirectHttpToHttps()
{
    var httpURL = window.location.hostname + window.location.pathname + window.location.search;
    var httpsURL = "https://" + httpURL;
    window.location = httpsURL;
}
redirectHttpToHttps();
</script>
</head>
<body>
</body>
</html>

6. Save the file as redirectToHttps.htm in your C:\Inetpub directory
7. Back in IIS, click on the site name and double-click the Error Pages option
8. Click Add… and enter 403.4 as the Status code. Browse for the redirectToHttps.htm file you just created and click OK
9. Select the error code and press Edit Feature Settings…
10. Click the Custom error pages option and again browse for the redirectToHttps.htm file
11. Test the site by going to http://www.yoursite.com and making sure it redirects

Custom Error Page lock violation

If your IIS 7 web server doesn’t already have it, install the IIS 7.0 Administration Pack from Microsoft.

Navigate to the root web server name in IIS, and open the Configuration Editor (part of the Administration Pack). Change the dropdown to system.webServer/httpErrors, right-click on defaultPath, and choose ‘defaultPath’ Attribute -> Unlock Attribute.

Then try to change the custom error handler page again. Navigate to your site, open Error Pages under the IIS group, click Edit Feature Settings on the right, select Custom error pages and finally, put in your path for the default page.

The Manual Way

I know you can accomplish all this by directly editing the appropriate config file in Notepad on the web server, and that may be required by your particular web hosting environment or your company's production change protocols. But why make it complicated if it doesn't need to be? Plus, this way you can do it in the GUI and compare the before and after to see what changes you truly have to make. But if you MUST do it manually, then:

Open the file %windir%\System32\inetsrv\config\applicationHost.config in Notepad. Run Notepad as administrator if you’re having problems.

You’ll see something like this:

<httpErrors lockAttributes="allowAbsolutePathsWhenDelegated,defaultPath">

Remove the ,defaultPath section and save.

You will be able to make the changes you need.

The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020) – IIS 7 – Internet Information Service

In IIS7 I was trying to start my Default Web Site and was getting the following error screen.


A quick Google search turned up the following Microsoft Support topic. OK, let's take a look at netstat and see what might be causing the problem. Open a command prompt ([Windows Key + R] and enter cmd) and run netstat -ano. In the output I noticed that there was indeed another process (with a process ID of 796) using port 80. (You can enter netstat /? to see what the -ano flags do.)


The offending process that is using port 80 has a process ID of 796. Now, how to find out what process 796 is?
The tasklist command shows a list of all processes running in Windows. You can use the /fi flag to filter the results; in this case I'm using a filter that only shows processes whose PID equals 796:
tasklist /fi "PID eq 796"


The process with process ID 796 is Skype. Makes sense that it would be using port 80. I promptly closed Skype and was then able to start my Default Web Site in IIS Manager. Hope this helps someone.
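Added example, not from the original post: the netstat -ano plus tasklist /fi lookup above, folded into one PowerShell function so it can be reused the next time a site refuses to start with this error. Get-NetTCPConnection only exists on Windows 8 / Server 2012 and later, so this parses the netstat output itself, which also works on the IIS 7 era systems the post is about. The function name is defined here, and the netstat lines at the bottom are constructed for illustration; PID 796 in them will resolve to whatever happens to be running on your machine, not to Skype.

```powershell
# Added example, not from the original post. Parses netstat -ano to find which
# process owns a local port; pass -NetstatLines to run it over captured output.
function Get-PortOwner {
    param(
        [Parameter(Mandatory=$true)][int]$Port,
        [string[]]$NetstatLines = (& netstat -ano)   # live output unless sample lines are supplied
    )
    # netstat columns: Proto  Local Address  Foreign Address  [State]  PID
    # UDP rows have no State column, hence the optional group.
    $pattern = '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$'
    foreach ($line in $NetstatLines) {
        if ($line -notmatch $pattern) { continue }
        $proto = $Matches[1]; $local = $Matches[2]; $localPort = [int]$Matches[3]
        $state = $Matches[4]; $owner = [int]$Matches[5]
        if ($localPort -ne $Port) { continue }
        # Only listeners matter here; established client sockets on the port are noise
        if ($proto -eq 'TCP' -and $state -ne 'LISTENING') { continue }
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $name = 'unknown (process exited or access denied)'
        $exe  = $null
        if ($proc -ne $null) {
            $name = $proc.ProcessName
            $exe  = $proc.Path      # null unless elevated, for processes owned by other users
        }
        New-Object PSObject -Property @{
            Proto = $proto; LocalAddress = $local; Port = $localPort
            PID = $owner; ProcessName = $name; Path = $exe
        }
    }
}

# Constructed sample lines (not real output from the post's machine) to show the parsing:
$sample = @(
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       796',
    '  TCP    [::]:135               [::]:0                 LISTENING       700',
    '  TCP    10.0.0.5:49152         10.0.0.9:80            ESTABLISHED     2044',
    '  UDP    0.0.0.0:500            *:*                                    1100'
)
Get-PortOwner -Port 80 -NetstatLines $sample | Format-Table Proto, LocalAddress, Port, PID, ProcessName -AutoSize

# Against the live machine (what the post did with netstat -ano and tasklist /fi):
Get-PortOwner -Port 80 | Format-Table Proto, LocalAddress, Port, PID, ProcessName, Path -AutoSize
```

Only the 0.0.0.0:80 listener from the sample is reported: the ESTABLISHED row is a client connection whose local port is 49152, not something that would stop IIS from binding port 80.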

How to unblock port from Windows Server 2008

Many developers have complained that a port could not be unblocked even though they added INBOUND/OUTBOUND rules in "Windows Firewall with Advanced Security" for the "Apple Push Notification Service", "Remotely Access SQL Server" and so on.

The port will not be unblocked until it is also unblocked in the "Local Security Policy".

So, please check your Local Security Policy. To open it, click Start -> Run and enter secpol.msc.

Software Firewalls with Windows Server 2008

Two of the methods available for configuring IP Security (IPsec) are a packet filter policy and the Security Configuration Wizard.

If you do not plan on using the software firewall, we recommend that you set up your own rule set in the hardware firewall as described in these

The article explaining how to log into remote desktop can be found.

For the packet filter:

1.Step:

Click on 'IP Filter' on the desktop and then click on 'IP Security Policies on Local Computer'.

2.Step:

If you are not planning on using the Packet Filter policy right click on it and click ‘Unassign’.

3.Step:

If you are going to use the packet filter policy then right click on ‘Packet Filter’ and click on ‘Properties’.

Check whether the "Block All" option is ticked. If it is, untick it and press "Apply" or "OK"; all ports are then open. You can verify this with the telnet client, for example:

  • Open a command prompt.
  • If the telnet client is not installed, install it using
    pkgmgr /iu:"TelnetClient"
  • After installation, type the following command (the general form is telnet {host} {portnumber}):
    telnet gateway.sandbox.push.apple.com 2195
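Added example, not from the original page: the telnet check above needs the Telnet Client feature installed and only tells you "connected" or hangs. This PowerShell function (a name defined here, not a built-in cmdlet) uses a plain TCP connect with a timeout and reports three distinguishable outcomes, which is what you need when deciding whether a Windows Firewall rule, the IPsec packet filter policy or the remote service itself is the problem: Open (handshake completed), Closed (the host answered with a reset, so traffic reaches it but nothing listens there) and Filtered (no answer at all, which is what a firewall or the "Block All" filter looks like from the outside).

```powershell
# Added example, not from the original page. TCP connect test with a timeout;
# Test-TcpPort is defined here and is not a built-in cmdlet.
function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = 'Unknown'
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($async)   # throws SocketException on an active refusal (RST)
            $result = 'Open'
        } else {
            # No SYN-ACK and no RST within the timeout: something in the path drops the packets
            $result = 'Filtered (timed out; check Windows Firewall and the IPsec packet filter policy)'
        }
    } catch {
        # .NET exceptions reach PowerShell wrapped; look at the inner one when present
        $ex = $_.Exception
        if ($ex.InnerException -is [System.Net.Sockets.SocketException]) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # Host answered but refused: the port is reachable, nothing is listening on it
            $result = 'Closed (connection refused: reachable, but no listener)'
        } else {
            $result = "Error ($($ex.Message))"   # e.g. name resolution failure
        }
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ ComputerName = $ComputerName; Port = $Port; Result = $result }
}

# The same check the page does with telnet, plus a local port you may have opened:
Test-TcpPort -ComputerName gateway.sandbox.push.apple.com -Port 2195
Test-TcpPort -ComputerName localhost -Port 1433      # SQL Server, if you opened it
```

The Filtered result is the one that matches the symptom described in the section above: the firewall rule exists, yet connections time out because the IPsec policy is still dropping the traffic.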


4.Step:

On this screen you can check the boxes next to the rules you want active, or clear the checkboxes of the rules you do not want active.

So for example, if you want to allow incoming FTP, check the box next to Open FTP Incoming. Please be aware that the packet filter policy is only compatible with active FTP, not passive FTP.

Note: There are explicit denies at the bottom of the list for ports such as MS SQL, labelled Close MSDE (TCP/IP), because of the security risks associated with allowing direct access to MS SQL from anywhere on the internet. You will want to take other precautions to mitigate the risk to your data before opening these ports.

From here you can also add, edit, or remove rules.

For the Security Configuration Wizard

1.Step:

Go to 'Start' --> 'Administrative Tools' --> 'Security Configuration Wizard'

2.Step:

You will want to create a new security policy. This is not a matter of opening ports closed by other software such as the packet filter policy or the hardware firewall. This is the new security policy and you are dictating what the configuration file you will create with this wizard will allow.

3.Step:

Unless you have joined this server to a domain controller leave the server name as the default U number. If you do not know what a domain controller is then you have not joined the server to a domain controller and you should leave the name as the default.

4.Step:

The first three pages of roles list the different installed roles, features, and options. Go through the lists and check the boxes next to the items you want to allow and clear the checkboxes of the items you do not want allowed. Below is a screenshot of the Installed roles page.


5.Step:

Continue through the wizard picking the options you want. We recommend that you name the file where the configuration settings will be saved with the date and time. Then when you edit the policy later, instead of saving over the existing file, you once again name the file by date and time, so you can distinguish between policies by date. So for example, if you wanted to go back to the policy that was in place last May, you can easily do so.

Windows 7 couldn't connect to workgroup server

Browse to “Local Policies” -> “Security Options”. Now look for the entry “Network Security: LAN Manager authentication level” and open it. Click on the dropdown menu and select “Send LM & NTLM – use NTLMv2 session security if negotiated”. Apply the settings.

In the Advanced sharing settings page of the Network and Sharing Center, you need to have the Work/Home profile set. Try:

-Enable network discovery
-Turn on file and print sharing
-Turn off password protected sharing
-Use user accounts and passwords to connect to other computers

The other settings, such as encryption, I have set to use 128-bit encryption.

Please check the related policies.

1. Enter “gpedit.msc” in the Start Search box.
2. Open Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Settings.
3. In the right pane, enable the following policies:

Network access: Allow anonymous SID/name translation
Network access: Let Everyone permissions apply to anonymous users

Also please disable the following policies.

Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
————————————————————————————————————–
For my PC I set the following:

I fixed this problem (Windows 7 cannot connect to a share on Server 2003) with this single step:

Browse to “Local Policies” -> “Security Options”. Now look for the entry “Network Security: LAN Manager authentication level” and open it. Click on the dropdown menu and select “Send LM & NTLM – use NTLMv2 session security if negotiated”. Apply the settings.

Reference link: http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/68ffbe2a-09a7-4e29-859c-ca1aaf75dcd1/
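Added example, not from the original thread: before flipping these options one at a time in secpol.msc, it helps to read back what the machine currently has and to be able to set the LAN Manager level from a script. The function names below are defined here for this page, not built-in cmdlets. They read the registry values behind the policies named above (LmCompatibilityLevel, EveryoneIncludesAnonymous, RestrictAnonymous, RestrictAnonymousSAM and RestrictNullSessAccess); the option "Send LM & NTLM - use NTLMv2 session security if negotiated" corresponds to LmCompatibilityLevel 1. "Allow anonymous SID/name translation" is not a plain registry value, so it is not in the list (secedit /export /cfg shows it). The trade-off the thread does not spell out: level 1 makes the client send LM and NTLM responses, the weakest of the set, and each "Network access" policy the thread disables widens what anonymous (null-session) clients can enumerate. If you control the Server 2003 side, raising its level to accept NTLMv2 is the narrower fix.

```powershell
# Added example, not from the original thread. Reads (and optionally sets) the
# registry values behind the Security Options discussed above.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

function Get-RegistryDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null   # value absent: the OS default for that policy applies
}

function Get-LanManAuthSettings {
    $level   = Get-RegistryDword $LsaKey 'LmCompatibilityLevel'
    $meaning = 'not set (OS default)'
    if ($level -ne $null) { $meaning = $LmLevelNames[[int]$level] }
    New-Object PSObject -Property @{
        LmCompatibilityLevel      = $level
        LmCompatibilityMeaning    = $meaning
        # 1 = "Let Everyone permissions apply to anonymous users" enabled
        EveryoneIncludesAnonymous = Get-RegistryDword $LsaKey 'EveryoneIncludesAnonymous'
        # 1 = "Do not allow anonymous enumeration of SAM accounts and shares" enabled
        RestrictAnonymous         = Get-RegistryDword $LsaKey 'RestrictAnonymous'
        # 1 = "Do not allow anonymous enumeration of SAM accounts" enabled
        RestrictAnonymousSAM      = Get-RegistryDword $LsaKey 'RestrictAnonymousSAM'
        # 1 = "Restrict anonymous access to Named Pipes and Shares" enabled
        RestrictNullSessAccess    = Get-RegistryDword $LanmanKey 'RestrictNullSessAccess'
    }
}

function Set-LmCompatibilityLevel {
    param([Parameter(Mandatory=$true)][ValidateRange(0,5)][int]$Level)
    # Group Policy re-applies its own value at the next refresh, so a domain-managed
    # machine has to be changed in the GPO instead; this is the local (workgroup) case.
    Set-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -Value $Level -Type DWord
    Write-Host "LmCompatibilityLevel set to $Level ($($LmLevelNames[$Level]))"
}

# Audit first (works without elevation):
Get-LanManAuthSettings | Format-List
# The thread's fix on the Windows 7 side, shown for completeness (needs elevation):
# Set-LmCompatibilityLevel -Level 1
```

Running the audit on both machines shows directly whether the two ends overlap: a Windows 7 client left at the default (NTLMv2 only) cannot talk to a Server 2003 box that is configured to expect LM or NTLM, and lowering either side or raising the other closes that gap.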