htsource 0 Posted December 22, 2001 Hi, I'm trying to host my personal web site on my Windows 2000 Server, but I'm not sure where to start, can you guys shed some lights? Here's some background information: I have a Linksys router (4-port) and the 2K Server is behind the router with port 80 forward enabled. The 2K Server is a Domain Controller with a name mydomainname.com. Right now, I have bought a few domain names and I'm using URL forward to point to: http://209.xx.xx.xx/personalweb Is there any way I can point it right to my 2K Server instead of using URL forwarding? I'm sorry if this is confusing because I'm not sure how to explain it Also, is it possible to add a 2nd web site? My main one I enable Terminal Server web and my personal web is part of it. Now, what I want is to move my personal web to a separate spot so I can restrict IP incoming for the Terminal Web connection. But so far I have no luck getting it to work properly. Thanks for your help. Share this post Link to post
clutch 1 Posted December 22, 2001 All of that can be done, but I have several questions for you first: 1. IS THE SERVER COMPLETELY PATCHED? If not, kill port forwarding IMMEDIATELY, reboot the server, and then patch it. Then, you might have to reboot it. There have been several exploits found for IIS and 2K server in general, and it sounds like you haven't been an admin of any NT boxes for long. 2. Have you locked the server down against potential threats in the future (IISLockdown tool, HiSec template)? 3. Are you familiar with host header names? It sounds like you have some idea of how to use IIS, but I don't know if it's been through PWS or IIS. 4. Is your internet IP dynamic? If it is, do you have any type of dynamic service that you are working through (TZO, Dyndns, Everydns, etc)? If you are using a dynamic service, will they point all of your domian names to your IP? There's a bit of planning that goes into something like this, but overall it's quite simple. Share this post Link to post
htsource 0 Posted December 23, 2001 Hi clutch, Thanks for your reply. I've downloaded all patches from Windows Updates, is that good enough? I haven't downloaded any tools to secure the server at this point as I'm just starting. I'll check out the tools you mentioned. I used to have a web from @Home but I didn't get a chance to copy it back, I've lost my web site Now, I'm just thinking of hosting my own since I need a lot of space for storage. I'm putting up a personal web with family pictures and things like that. I'm not familar with host header name at all. However, I've read a bit in the Help about I can use the same IP address for different domain names. Yes, my IP is dynamic through cable connection. I don't have any dynamic service though. Are they free? However, from where I bought my domain names (www.buydomains.com), I can URL forward to my IP. There's also NameServer I can enter from buydomains.com but not sure what it is. Normally the IP I get will stay at least for 3 months. I should tell you my background in computer. I'm a Senior PC Technican and I'm familar with most hardware/software, Windows 2000/XP/98 registery and network settings (i.e. changing IP and DNS settings). However, I have no live experience setting up a DNS server, mail server, or similar. What exactly is reverse/forward lookup? When I set up Active Directory, it asked me to set up DNS Server and I did. When I go into DNS, I get 2 major headings - Reverse and Forward lookup. In forward lookup, I have all internal IP addresses for different computers. For Reverse lookup, there's nothing there. For each PC connected to the Linksys router, I've added the AD's IP address as DNS search list. On top of it, I also have 3 other entries from my Linksys router for my cable company. They all start with 24.xx.xx.xx Thanks again for your help. Share this post Link to post
htsource 0 Posted December 23, 2001 Would it be a good idea to put ZoneAlarm on Windows 2000 Server? Would it work on Server? Thanks Share this post Link to post
clutch 1 Posted December 23, 2001 OK bud, you are getting a *little* bit over your head here, so let's focus on simple things. First, you should read up on some of the functionality of IIS so we can be on the same page. Go here for a response I gave another user on this board who asked about IIS. It has several links on it, and gives a good overview of the system. For a "simple" overview, basically host header names are assigned to each site (like a port or IP) and when a name like www.yourdomain.com comes in, the site with that domain listed as its host header will be forwarded to the requesting client. This allows a server to host many sites on the same IP and port. The DNS part that I am mentioning has more to do with the outside world knowing what your domain name is than your internal name resolution ability on your network. If you aren't sure about what I am talking about, then check out www.tzo.com and www.everydns.net to see what they offer. That should give you a good idea of what they do and you can see if you need their services. Since you are using a dynamic IP with a fairly slow refresh period, I would suggest www.everydns.net since they are free. If you are using AD and not sure what is going on, we'll save that for later, ok? Ideally, you are going to want your internal clients to ONLY go to your internal DNS server so you have and retain proper name resolution throughout your network. I let my servers do the work via DNS and DHCP, but that's another story best left for later. As for the firewall software, I wouldn't worry about that right now as you are using a simple NAT system that "kinda sorta" acts like a firewall (it's security-through-obscurity", but it will do). So I would not install that software as it just adds another possible problem if you have configuration issues. Let's get the basics down first. As a matter of fact, I would kill all port forwarding for the time being anyway just so you can get used to setting up IIS, then open it up later. Let me know when you are ready to proceed. Share this post Link to post
htsource 0 Posted January 4, 2002 Okay clutch, I'm ready I got IIS Lockdown and URL Scan installed and configured. Right now, URL Scan will filter out everything else but HTML and ASP extensions. I checked the log files every once in a while and I do get quite a lot rejects from URLScan about CMD.EXE and others. I also checked out www.everydns.net and it looks easy to set up, but I'll wait until I have everything done. I also got another PC - P3-800 for running IIS so I can separate from the AD machine. For the IIS Lockdown, do I need to run it everytime I add a new web site to my server or after update pages? Thank you for all your help. Share this post Link to post
clutch 1 Posted January 4, 2002 Well, the current version of IISLockdown combines lockdown (which is ok) with URLScan (which is awesome). URLScan *used* to be loaded for each site independently, but now seems to load for all the sites at once (which is a drag if you want to tune each site's security). So in this respect, yes it will apply to all current and future sites. However, the lockdown portion is different in that it will not only alter the NTFS permissions of the system directories (good thing for all sites), it also *appears* (according to the setup log) to modify the permissions of the existing sites themselves. So, in this case, you wouldn't get the "full" lockdown on new sites since they haven't be modified through the installer. For your case though, since you did secure the system directories, you aren't hosting Outlook Web Access, and you have URLScan working for all your sites (be sure to check on your URLScan log occasionally for activity), you should be ok. HTH Share this post Link to post
htsource 0 Posted January 5, 2002 Thanks for the information. Now I have another question, I was checking all the settings and found out I'm running Server Extension 4.0? Am I suppose to have 5.0 with Windows 2000 Server? How did I get 4.0? Was it because of IIS Lockdown program? I also accidentally deleted a subweb and now when I right click on the default web and check for extension, it always tells me the directory doesn't exist. Is there a way to delete the reference? Thanks again for your help. Share this post Link to post
clutch 1 Posted January 5, 2002 Where are you seeing this version indication at, and, was that web a Front Page (ick) web or just a simple virtual directory? If it's a Front Page web you should be able to right click on it and use "check extensions" or "recalculate webs" (it's been a while since I have used those, gimme a break ). Share this post Link to post
htsource 0 Posted January 5, 2002 Hi Clutch, Here's where I found the version: Administrative Tools, Internet Services Manager, right-click on Default Web Site and under Server Extensions, it says 4.0.2.4426. I was getting errors this morning about my FTP couldn't be started and the error said something about IIS 4.0. Thanks again. Share this post Link to post
Lactic.Acid 0 Posted January 7, 2002 The extensions version appears to be FrontPage extensions, to me at least. The ftp error is hard to tell without details, but you can check www.eventid.net and that site will give you any reported errors and resolutions found for the specific event id that you receive. Bookmark that site as it can be a GREAT quick tool to if not solve an issue, at least show you where to start looking with your troubleshooting. /L.A Share this post Link to post
Simon Ngan 0 Posted January 10, 2002 Now I have my web site configured on port 81, but I can't access it from outside the Linksys router. I have already set up forwarding in Linksys router for port 81 to the web server. If I use 80, everything works, but not on 81. The same applies to FTP if I use ports other than default 21. Is there something to do with the IIS Lockdown or URLScan tools? Thanks for your help. Share this post Link to post
htsource 0 Posted January 11, 2002 Never mind, I solved the port forwarding problem by changing the default MTU size to 1492. Share this post Link to post
clutch 1 Posted January 11, 2002 That's weird, as I haven't had any issues with changing ports and using a Linksys router. I have another site on port 90, and it worked fine with my Linksys unit and works fine now using ISA server. In the past I was also able to host FTP sites on alternate ports, so I don't know why that would be an issue for anybody (however Atreyu has, but he has all kinds of problems anyway...). Share this post Link to post
htsource 0 Posted January 11, 2002 Hi clutch, That's weird, isn't it? I had the MTU setting like that for a long time. Our company has CheckPoint SecuRemote and I've trying to get it through Linksys with no luck. I was suggested to change the MTU setting and that's why I left it on. Few days ago, after I got the IIS server running, I went back to Linksys and thought it was time to do some clean up. I disabled the MTU and that was the time I started seeing things went wild on me. Changed the MTU setting as it was, everything was back to normal. Share this post Link to post
htsource 0 Posted January 16, 2002 Okay, the problem is happening again even with the MTU enabled. If I reset the router, it will work again but not for long. It's strange though, only IIS WEB/FTP sites are working. Everything else is fine such as pcAnywhere ports. If I change the port number to something else on both IIS and router, it will work but then it will eventually die after a while. I'm now using ports like 1600, 1700. Should I be changing to something else? If I leave the HTTP port 80, it always work so now I'm thinking the problem is IIS. Thanks, Share this post Link to post