User Accounts
Creating a New User
IIS 6.0 (Internet Information Services version 6.0)
Web Server
FTP Server
SMTP Server
DNS
TCP Filtering (Simple Firewall)
TIPS:
Set "Non-active" Sessions to Terminate
Fool DNS!
Don't Firewall Yourself Out!
User Accounts
By default, Windows 2003 Server creates some user accounts that are used for its services. The user you will be using is Administrator. The user “adminsp” is ServePath’s administrative account. This will be used by ServePath, if the Administrator user password is lost and needs to be reset, for example. In order to change the Administrator password, access your “Start Menu”, right click “My Computer”, click “Manage” to open the “Computer Management” window, expand the “Local Users and Groups” icon, select the “Users” folder, right click the “Administrator” name, click “Set Password,” enter the new password, and click OK.
Creating a New User
In order to create a new user, follow the steps above to access “Local Users and Groups,” select the “Users” folder, right click the right pane, click “New User,” fill out the necessary information, and click “Create.” In order to assign this user to be a member of a particular group, for example the “Administrators” group (full access to the server), right click the username, click “Properties,” select the “Member Of” tab, click “Add,” select the “Administrators” group in the upper pane, click “Add,” and click “OK.” You will notice that the group to which you have added your user appears in the “Member of:” list.
IIS 6.0 (Internet Information Services version 6.0)
IIS is an integrated web server, FTP (File Transfer Protocol) server, SMTP (Simple Mail Transfer Protocol) server, and NNTP (Network News Transport Protocol) Server. NNTP will not be covered because it is beyond the scope of this tutorial. These services are installed in Windows 2003 Server by default. The following contains instructions on configuring a simple web site, FTP server, and modifying the SMTP server to not allow relaying.
Web Server
In order to access IIS, click Start -> Administrative Programs -> Internet Services Manager.
Click on the computer symbol to view the services that are available. To create a new web site, perform the following:
- Right click on “Websites” and click on “New” and “New Website…”. This will launch the “Web Site Creation Wizard.”
This opens a wizard that will assist in the creation of a web site. Click “Next.”
- Provide a description of your web site. For example, www.yourowndomainname.com. Click “Next.”
- In the “IP Address and Port Settings” section, click the drop-down menu under “Enter the IP address to use for this Web site” and select the IP address you want to use for your web site. (Note: Do not use the VLAN IP address for your web site). You do not have to modify the port number. The default TCP port for HTTP is 80. In this example, “Host Header for this site: (Default: None)” will be left blank. Host Headers are used to allow multiple web sites to be used on one IP address. Click “Next.”
- Now you must choose the hard drive location of your web site files. Click “Browse” to select the location. Then click “Next.”
- The next step in the wizard is to define the access permissions of your web site. The permissions that you choose here are for the root directory and are applied to any subdirectories. However, the permissions for the subdirectories can be changed. The following contains a brief description of each permission:
Read: Allows users to view web pages on the web server.
Run Scripts (such as ASP): This option should be enabled if you need to execute Active Server Pages (ASP) scripts.
Execute (such as ISAPI applications or CGI): Select this option if you are going to execute CGI scripts.
Write: This option should be enabled if a user needs to write information to a web page. An example of this would be completing an online form from their web browser. This should remain unchecked for the root directory for security purposes.
Browse: Displays the files and subdirectories in the root directory in html format if the user does not specify a file on the web server, or the default document is not defined on the system. This feature should be left unchecked for security.
After choosing the permissions for the default site, click “Next.”
- Click “Finish” to complete the Web Site Creation Wizard.
- In the Internet Information Services window your web site will appear. Right click your web site’s icon and click “Properties” in order to configure the properties of your web site. For a simple test web site, you will not need to modify these properties.
- Now open up a web browser and type http://YOUR_IP_ADDRESS in order to view your web site.
FTP Server
In order to create an FTP site, perform the following steps:
- Right click on “FTP Sites” and go to “New” and then ”New FTP Site…”
This will open a wizard. Click “Next.”
- Provide a description of your ftp site. For example, ftp.yourowndomainname.com. Click “Next.”
- In the “IP Address and Port Settings” section, click the drop-down menu under “Enter the IP address to use for this FTP site” and select the IP address you want to use for your ftp site. (Note: Do not use the VLAN IP address for your ftp site). You do not have to modify the port number. The default TCP port for FTP is 21. Click “Next.”
- In the “FTP User Isolation” section, click the mode of isolation you desire for your FTP server. The following contains a brief description of each of the options.
Do not isolate users: This means that there is no isolation for your FTP users. If the file system permissions allow it, users will be able to, at the very minimum, look at the contents of other users’ home directories.
Isolate users: This means that each user on your FTP site will have to have their own home directories configured, and the users will not be able to traverse outside of the directories you specified.
Isolate users using Active Directory: This means that the home directories for each user will be provided as part of the account’s Active Directory information. This option is only applicable if your server is on an Active Directory domain.
- Now you must choose the hard drive location of the files you want to publish on your FTP server. Click “Browse” to select the location. After, click “Next.”
- The next window that appears is “File Site Access Permissions.” The two choices are Read and Write. Select “Read” only, if you want to allow users to only view and download files on your FTP server. Select “Write” if you want to allow users to upload files to your server. If required, both can be selected. After selecting the permissions, click “Next.”
- Click “Finish” to complete the wizard.
- For security purposes, it is safest to disable anonymous ftp. In order to disable this feature, right click your ftp site and click “Properties.” Under the “Security Accounts” tab, uncheck “Allow Anonymous Connections.” This will force all users who want to access your ftp site to enter a valid username and password.
SMTP Server
If you decide to use the SMTP service in Windows 2003, it is important that you disable relaying. Spammers use relaying to send tens of thousands of email messages through your server, hiding the true source of the unsolicited emails. In order to disable relaying, in Internet Information Services, right click “Default SMTP Virtual Server” and click “Properties.” Select the “Access” tab, click the “Relay” button, and select the “Only the list below” radio button. You do not need to add any domains to the “Computers:” list. Click “OK” to close that window. Click OK again to close the “Properties” window. However, if you are not going to use the SMTP Server that is installed with Windows 2003, disable this service. In order to stop the service, right click the SMTP Virtual Server, and click “Stop.”
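Added example (not part of the original tutorial): one way to confirm from an outside machine that the relay restriction above took effect, by asking your own server to accept a recipient in a domain it does not host and stopping before any message is sent. The function names, the FakeSession class, the addresses and the reply texts are assumptions made for illustration.

```python
import smtplib

def relay_refused(session, sender, outside_rcpt, helo_name="relay-check.example"):
    """True if the server rejects a recipient in a domain it does not host.

    Stops after RCPT TO and resets; DATA is never sent, so nothing is queued.
    """
    session.helo(helo_name)
    code, _ = session.mail(sender)
    if not 200 <= code < 300:
        return True                      # sender rejected outright
    code, _ = session.rcpt(outside_rcpt)
    session.rset()
    return not 200 <= code < 300         # a 2xx reply here means it would relay


def check_server(host, sender, outside_rcpt, port=25, timeout=10):
    """Run the check against your own server from a machine outside it."""
    with smtplib.SMTP(host, port, timeout=timeout) as session:
        return relay_refused(session, sender, outside_rcpt)


class FakeSession:
    """Constructed stand-in for smtplib.SMTP so the logic can run offline."""
    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.commands = []
    def helo(self, name):
        self.commands.append("HELO"); return (250, b"hello")
    def mail(self, sender):
        self.commands.append("MAIL"); return (250, b"sender ok")
    def rcpt(self, recipient):
        self.commands.append("RCPT"); return self.rcpt_reply
    def rset(self):
        self.commands.append("RSET"); return (250, b"reset")


if __name__ == "__main__":
    # Constructed replies: one server that refuses to relay, one that accepts.
    locked = FakeSession((550, b"5.7.1 Unable to relay"))
    opened = FakeSession((250, b"recipient ok"))
    for name, s in (("locked", locked), ("opened", opened)):
        print(name, "relay refused:",
              relay_refused(s, "tester@test.example", "someone@other.example"))
```

Against a live server, call check_server() with your server's IP address from a machine that is not on the “Computers:” list; a result of False means the server still accepts mail for outside domains.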
DNS
The following are steps to create a primary DNS server. Since DNS is installed on your server by default, you can just begin configuring your server. Click Start -> Programs -> Administrative Tools -> DNS. You will notice that your server is in the left pane.
- Right click your server name and click “New Zone.” This opens up a “New Zone Wizard.” Click “Next.”
- Select the “Standard primary” radio button. Click “Next.”
- Select the “Forward lookup zone” radio button. Click “Next.”
- Provide a zone name such as yourowndomainname.com. Click “Next.”
- In the “Zone File” section of the wizard, you have to provide a name for the zone file. The wizard provides a default name. You can leave it at the default name. Click “Next.”
- Click “Finish” to complete the wizard.
- To view your zone, select your DNS window, click on the “+” in front of your server name, expand the “Forward Lookup Zones” folder, and your zone will appear.
- In order to create a record, for example an “A” record, right click the right pane of the DNS window, click “New Host,” type in the name of the host and the IP address of the server, and click “Add Host.” A message confirming that the host was added will appear. Click “OK.” Click “Done” to close the “Add Host” window.
Remember to notify your registrar that you are hosting your own DNS. For more information on DNS in Windows 2003 Server, please see DNS Basics for IIS Administrators.
TCP Filtering (Simple Firewall)
You can set up port filtering with Windows 2003 Server if you want to block unused ports to make your server more secure. Right click “My Network Places” (located on your desktop), click “Properties,” right click your network connection, click “Properties,” under “Components checked are used by this connection:” select “Internet Protocol (TCP/IP),” click “Properties,” click “Advanced…,” select the “Options” tab, select “TCP/IP filtering,” and click “Properties.” In this dialog, you can choose the ports you want filtered. (Note: Keep TCP Port 3389 open for Terminal Services. If this port is disabled, you will no longer be able to access your server through Terminal Services).
TIPS
Set "Non-active" Sessions to Terminate
If you've ever reached the maximum number of remote sessions due to dropped connections or other issues in Windows 2003 Server and had to reboot your server, you know how frustrating this can be. Here is a quick tip to prevent this from happening:
- Left click “Start Menu”
- Right click "My Computer"
- Left click "Manage"
- Expand "Local Users and Groups"
- Select "Users"
- Right click "User"
- Left click "Properties"
- Click the "Sessions" tab
- Change the "Idle session limit:" to Never
- Change the "End a disconnected session:" to 30 minutes
- Select "End Session" from "When a session limit is reached or a connection is broken"
- Click "Apply"
- Click "OK" and close the "Computer Management" window.
Also make sure to click "Start -> Shutdown -> Logoff" instead of just closing the window by clicking "X".
Fool DNS!
If you are testing the setup on a server that is not yet live, and you haven't pointed your DNS to your new server yet, here is a trick. You can fool your client machine into resolving the new IP by editing your local hosts file.
Here's how it works:
Your operating system will attempt to resolve domain names to IP addresses by first accessing a local file called the "hosts" file, which is simply a database of IP-to-hostname mappings. DNS is queried only if the domain name that you are looking for is not listed in this file. So, to trick your OS into resolving a "fake" IP address for your domain (pointing to your new server), just add one line to your local hosts file!
For Example:
12.13.14.15 hostname.YOUR-DOMAIN-HERE.com
Host File Locations:
C:\winnt\system32\drivers\etc\hosts
* Note that the filename has no extension, it is simply ‘hosts.’
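Added example (not part of the original tutorial): a small hosts-file parser that mimics the lookup order described above and lists every name pinned to a non-loopback address, so test entries can be found and removed once real DNS points at the server. The sample file contents, function names and the 203.0.113.9 DNS answer are constructed; keeping the first address listed for a name is an assumption about resolver behaviour.

```python
import ipaddress

# Constructed sample hosts file (not taken from a real machine).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
12.13.14.15     hostname.YOUR-DOMAIN-HERE.com   # staging test
12.13.14.15 www.YOUR-DOMAIN-HERE.com mail.YOUR-DOMAIN-HERE.com
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Return {lower-cased hostname: ip}, skipping comments and malformed lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an IP
        for name in fields[1:]:                  # one line may carry aliases
            mapping.setdefault(name.lower(), str(ip))
    return mapping

def overrides(text):
    """Names pinned to a non-loopback address, i.e. names that bypass DNS."""
    return {name: ip for name, ip in parse_hosts(text).items()
            if not ipaddress.ip_address(ip).is_loopback}

def resolve(name, text, dns_lookup):
    """Hosts file first; DNS is consulted only when the name is not listed."""
    hit = parse_hosts(text).get(name.lower())
    return (hit, "hosts") if hit else (dns_lookup(name), "dns")

if __name__ == "__main__":
    fake_dns = lambda name: "203.0.113.9"        # constructed DNS answer
    print(resolve("www.YOUR-DOMAIN-HERE.com", SAMPLE_HOSTS, fake_dns))
    print(resolve("elsewhere.example", SAMPLE_HOSTS, fake_dns))
    for name, ip in sorted(overrides(SAMPLE_HOSTS).items()):
        print("override:", name, "->", ip)
```

To audit a real client, pass the contents of the hosts file at the location listed above in place of SAMPLE_HOSTS.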
Wildcard DNS
Get the most out of DNS with Wildcard DNS!
Do you want your users to get to your web site even if they mistype the URL? Use wildcard DNS to allow Internet users to resolve your IP address no matter what hostname they type.
How to do it:
Just use a "*" in the place of the host name in your DNS configuration (works for BIND or Windows DNS)
*.YOUR-DOMAIN-HERE.com IN A 123.123.123.123
Don't Firewall Yourself Out!
ServePath deploys your server with a software firewall to prevent unauthorized access to your server. But when making changes to your host-based software firewall, make sure that you do not block the remote administration ports and lock yourself out of your own server! Be sure to keep AT LEAST the following port open:
Port 3389/TCP for Terminal Services

