Keeping your software and applications up to date is a crucial part of maintaining security and stability in your web hosting systems. Unfortunately, updating system components and back-end software can sometimes be a frustrating and a difficult process. However, thanks to Microsoft’s Web Platform Installer, upgrading PHP on a Windows server with IIS is as simple as a few clicks.
Standing behind our Liquid Web Cloud Sites product, are server racks full of both powerful and stable Linux and Windows servers which power well over 100,000 sites and applications. Every Windows-based package is served from these clusters that are built and optimized especially for Windows. All Linux-based packages are also served from these same brawny server clusters created and specifically optimized for Linux. We use advanced load balancing technologies to automatically detect the type of technology you are running and route each request to the proper pool of servers.
When reviewing your servers security, it is critical for businesses to ensure that while building new sections of your website, that we do not leave it unsecured or visible to users while it is being built. With this in mind, there are several ways for you to “lock” a folder or domain while it is being developed. This will safeguard a folder or an entire site using the security feature built into IIS and Plesk called password protection. In today’s article we will see how easy it is to restrict access to a site or a folder.
Reading Time: 4minutesWhen looking to host websites or services from a Windows server, there are several options to consider. It is worth reviewing the strengths and weaknesses of each server type to determine which one is most likely to meet your particular needs before you spend the time installing and configuring a web service.
Some of the most common web servers available for Windows services are Tomcat, Microsoft IIS (Internet Information Services), and of course the Apache server. Many server owners will choose to use a control panel which manages most of the common tasks usually needed to administer a web server such as e-mail and firewall configuration.
(This is the 64-bit version with OpenSSL version 1.1.1a included). If you would like to utilize an alternate version they are listed here: Available Versions Page
Install Apache on Windows
We will assume that you have installed all the latest available updates for your version of Windows. If not, it is critical to do so now to avoid unexpected issues. These instructions are specifically adapted from the directions provided by ApacheHaus where we obtained the binary package. You may find the entire document in the extracted Apache folder under the file “readme_first.html”.
Visual C++ Installation
Before installing Apache, we first need to install the below package. Once it has been installed, it is often a good idea to restart the system to ensure any remaining changes requiring a restart are completed.
Extract the compressed Apache download. While you can extract it to any directory it is the best practice to extract it to the root directory of the drive it is located on (our example folder is located in C:\Apache24). This is the location we will be using for these instructions. Please note that once installed you can see Apache’s base path by opening the configuration file and checking the “ServerRoot” directive).
Open an “Administrator” command prompt. (Click the Windows “Start” icon, then type “cmd”. Right-click the “Command Prompt” item which appears, and select “Run As Administrator.”)
Change to the installation directory (For our purposes C:\Apache24\bin).
Run the program httpd.exe.
You will likely notice a dialogue box from the Windows Firewall noting that some features are being blocked. If this appears, place a checkmark in “PrivateNetworks…” as well as “PublicNetworks…”, and then click “Allowaccess.”
As noted in the ApacheHaus instructions:
“You can now test your installation by opening up your Web Browser and typing in the address: http://localhost
If everything is working properly, you should see the ApacheHaus’ test page.“
To shut down the new Apache server instance, you can go back to the Command Prompt and press “Control-C”.
Now that you have confirmed the Apache server is working and shut it down, you are ready to install Apache as a system service.
In your Command Prompt window, enter (or paste) the following command:
httpd.exe -k install -n "Apache HTTP Server"
Installing the 'Apache HTTP Server' service
The 'Apache HTTP Server' service is successfully installed.
Errors reported here must be corrected before the service can be started. (this line should be blank)
From your Command Prompt window enter the following command and press ‘Enter.’services.msc
Look for the service “Apache HTTP Server.” Looking towards the left of that line you should see “Automatic.” If you do not, double-click the line and change the Startup Type to “Automatic.”
Restart your server and open a web browser once you are logged back in. Go to this page in the browser’s URL bar: http://localhost/
Configure Windows’ Firewall
To allow connections from the Internet to your new web server, you will need to configure a Windows Firewall rule to do so. Follow these steps:
Click the “WindowsStart” button, and enter “firewall.” Click the “Windows Firewall With Advanced Security” item.
Click “NewRule” on the right-hand sidebar.
Select “Port,” and click Next. Select the radio button next to “Specificremoteports:” Enter the following into the input box: 80, 443, 8080
Click Next, then select the radio button next to “Allowtheconnection.”
Click Next, ensure all the boxes on the next page are checked, then click Next again.
For the “name” section, enter a description that is familiar enough that you will be able to recognize the rule’s purpose later such as: “AllowIncomingApacheTraffic.”
Try connecting to your server’s IP address from a device other than the one you are using to connect to the server right now. Open a browser and enter the IP address of your server. For example, http://192.168.1.21/. You should see the test web page.
For now, go back to the Windows firewall and right-click the new rule you created under the “InboundRules” section. Click “Disable Rule.” This will block any incoming connections until you have removed or renamed the default test page as it exposes too much information about the server to the Internet. Once you are ready to start serving your new web pages, re-enable that firewall rules, and they should be reachable from the Internet again.
That’s it! You now have the Apache Web Server installed on your Windows server. From here you’ll likely want to install some Apache modules. Almost certainly you will need to install the PHP module for Apache, as well as MySQL. Doing so is beyond the scope of this tutorial; however, you should be able to find a variety of instructions by searching “How to Install PHP (or other) Apache module on Windows server,” or similar at your favorite search engine.
Reading Time: 3minutes￼As administrators for many of our VPS servers and Dedicated servers, we may find ourselves needing to do certain things while on the go. We may also not have a laptop or PC within reach. But one thing most of us have at all times is a cell phone. Whether we have an Android or an iPhone, most of us do possess a smartphone. One thing great about these smartphones is their constant connection to the Internet. Having that constant connection makes it simple to use various apps that assist with admin tasks through our smartphones. Here is a list of five applications available both on iPhone and Android. If you are interested in checking them out, click on your phone’s type next to the application name. You can also search for these applications by name in your smartphone’s app store. Continue reading “5 Android/iPhone Apps for IT Admins”→
Reading Time: 6minutesWhen investigating site infections or defacing on a Windows VPS Server, the most common root cause is poor file security or poor configuration choices when it comes to how IIS should access file content. The easiest way to prevent this is to start with a secure site.
Setting up a website in IIS is exceedingly easy, but several of the default settings are not optimum when it comes to security or ease of management. Further, some practices that used to be considered necessary or standards are no longer or were never necessary, to begin with. As such, we recommend that you follow these steps to set up a website to ensure that it is set up correctly and securely. And while some of these setting or permission changes may seem nitpicky, they go a long way on systems that host multiple domains or multiple tenants as they prevent any cross-site file access.
Add the Site to IIS
To add a website in IIS (Internet Information Services), open up the IIS manager, right-click on Sites, and select Add Website.When adding a site to IIS, we typically recommend using the domain name as the “Sitename” for easy identification. Next, under “Physicalpath”, you will need to supply the path to where your website content is located or use the “…” to navigate to and select the folder. Configuration options under “Connectas…” and “Test Settings…” do not need to be modified.
When it comes to configuring site bindings, popular belief suggests that you should select a specific IP from the “IP address” drop dropdown; however, that is based on out of date practices typically in relation to how SSLs used to require dedicated IPs. This is no longer necessary and can actually cause issues when getting into any eplicated or highly available configuration, so it is best to leave IP addresses set to All Unassigned and type the domain name you plan to host in the “Hostname” field. Do note that you can only supply one value here; additional host names can be added after creating the site by right-clicking on the site and going to Bindings. Further, depending on your needs, you may opt to select “https” instead of “http”. To host a site with an SSL, please visit our article on the subject after setting up the site to add an SSL and configure it.
Set the Anonymous User
Technically that is all you need to do to set up a site in IIS; however, the site may or may not work, and the security settings on the site are not optimum. The next step in securing your site is to configure the IIS user that will access your files. To do this, you will need to change the associated Anonymous user and make a few security changes on the website’s content folder.
In IIS, select your new site on the left, in the main window double click on Authentication, select AnonymousAuthentication, and then click “Edit…” on the right action bar.
What is IUSR in IIS?
By default, a new site in IIS utilizes the IUSR account for accessing files. This account is a built-in shared account typically used by IIS to access file content. This means that it will use the application pool’s identity (user) to access file content.
It may be okay to leave this configured if you only plan on hosting one domain; however, when it comes to hosting multiple domains, this is not secure as it would then be possible for any site using the same account to access files from another site. As such, and as a standard practice, we recommend switching away from using the IUSR account for sites, and instead selecting “Application pool identity” and clicking OK. Alternately, you could manually create a user on the system for each site; however, then you need to manage credentials for an additional user, need to configure permissions for two users (the anonymous user and the application pool user) and possible complications with password complexity and rotation requirements your server or organization may have.
There is nothing further you need to configure in IIS in terms of security; however, for reference, let’s take a look at the application pool settings really quick. To check the settings on the application pool, in IIS, select Application Pools on the left menu, select the application pool for the site you created (typically the same name as the name of the site), and then click “Advanced Settings…” on the right action bar.
In here, the related setting is the identity, which by default is “ApplicationPoolIdentity”. This means to access file content, IIS and the associated application pool will use a hidden, dynamic user based off the name of the application pool to access files. This user has no associated password, can only be used by IIS, and only has access to files specifically granted to it. As such, it removes the requirement of managing system users and credentials.
Set Folder Permissions in IIS
Now, as mentioned, the “ApplicationPoolIdentity” user has very few permissions, so the next and last step is to ensure that the website files have proper security settings set on them. Browse through your file system and find the folder where you plan on hosting your site’s files. Right-click on the folder and go to properties. In the properties interface, select the Security tab.
By default, there are a number of security permissions set up on the folder that are unnecessary and potentially insecure (there may be more than shown here). To best secure a site, we recommend removing all but the “SYSTEM” and “Administrators” groups and adding the “ApplicationPoolIdentity” user (and possibly any other user you may require, such as an FTP user); however, to do this, you will need to disable inheritance. To do this, click on “Advanced”, then click on “Disable inheritance”.
Here you will get a popup asking if you want to copy the current settings or start with no settings. Either option can work; however, it is easier to copy the current settings and then remove the unnecessary permissions. So select “ConvertConcert inherited permissions into explicit permission on this object” and then click OK.
At this point, to remove the unnecessary permissions, click Edit and remove everything other than the “SYSTEM” and “Administrators” groups. Next, you need to add the “ApplicationPoolIdentity” user to this folder. To do this, click “Add…”. Now, depending on your server configuration, you may get a pop-up asking for you to authenticate to an active directory domain. Simply click the cancel button a few times until you get the Select Users of Groups screen shown below.
On this screen, you will want to make sure that the “Location” selected is your computer. If it is not, click “Locations…” and select your computer (should be at the top; you may also need to click cancel on some authentication windows here as well).
The “ApplicationPoolIdentity” user is a hidden user, so it is not possible to search for this user. As such, you will have to type the username to add it. The username you will need to type is “IIS AppPool\<applicationpoolname>“. Please see the following example and fill yours out accordingly:
Once you type the user name, click OK. Now that you’ve added the user, which is by default only granted read permissions, you will want to verify your security settings look similar to the following image, and then click OK.
And with that, you’re done and have a secure site ready to be viewed by the masses without needing to fear that hackers will deface it.
Securing within Powershell
As a bonus, if you’re looking to get your fingers wet with some Powershell, the steps covered in this article can also be accomplished on a Windows Server 2012 or newer server through Powershell. Simply fill out the first two variables with your domain name and the path to your content, and then run the rest of the PowerShell commands to set up the site in IIS and configure folder permissions.
Additional Notes: In some cases, sites may need additional write or modify permissions on specific files or folders for file uploads, cache files, or other content. It is important that you do not apply modified permissions to the entire site. Instead, modify specific directories or files as needed. To apply these settings, go to the file or folder that needs modification, right-click on it, and select Properties. Switch to the Security tab and click Edit. In there, select the user that has the name of the website (liquidweb.com in my example above), select modify under the Allow column, and then click OK. This will give the ApplicationPoolIdentity and IIS the ability to write to or modify the file(s) or folder(s).
Still need additional protection for your Liquid Web server? Our Server Protection packages provides a suite of security tools especially for Windows servers. You’ll get routine vulnerability scans, hardened server configurations, anti-Virus and even malware cleanup, should your site get hacked. Don’t wait another vunerable minute, check out how we can protect you.
Checking a server’s load allows us to evaluate server resources and confirm they are sufficient for any running application. It enables us to troubleshoot slow performance and reliably pinpoint any server resource that may need attention.
While there are many tools and options available, today let’s focus on our Windows VPS Task Manager as a means to help us quickly see what is going on, and interact with applications, processes, and services to identify the load. This article will also include an introduction to Resource Monitor as it can be opened from Task Manager to provide more detail.
You may be working from a local machine that has an IP that is not scoped on that RDP port, making it impossible for you to gain remote access to add the IP address to the RDP rule’s scope. Do not fret; there is a simple and quick way to add your IP to the RDP scoping (or any other entities such as MySQL or MSSQL) right through your Plesk interface in your local browser. You can watch this video, or scroll down for step-by-step directions.
For security purposes, it is always recommended that you scope off your Remote Desktop Protocol (RDP) connection on your server. Putting a scope on the RDP rule in the Windows Firewall will allow only the indicated IP addresses to gain access to the server through Remote Desktop Protocol. The issue is that many of us do not have static IP addresses, but rather Dynamic IP addresses. This means that while once our IP address may be 120.32.111.01, it may change to something like 95.42.121.01 later. So if you were to add 120.32.111.01 to the RDP firewall for a customer or a system administrator, then you may need to add another rule for a different IP address.
Adding Your IP in Plesk
Step 1: Log in to Plesk
First, we need to make sure we know how to get to that Plesk login page. By default, the Plesk login page is https://<YourServerIP>:8443. For example, https://127.0.0.1:8443
We should arrive at a page with this in the center. Go ahead and type in Admin for the username and your password for Plesk. Usually, that password is set up by our team and is the default Server Administrator Password. Sometimes the username is Administrator, depending on a few variables. But one of the two user names should be fine.
Step 2: Tools & Settings
The first thing we need to do after we log into Plesk through the previous page is to navigate to the Firewall Rules. Go ahead and click on Tools & Settings. It will be located in the right sidebar near the bottom as shown below.
Step 3: Firewall
Once we pull up Tools & Settings go ahead and click on our destination, Firewall. You will find that option under the Security section. It will be the second option, just under Security Policy.
Step 4: Firewall Rules
After we are in the Firewall management, go ahead and click on Firewall Rules. This is where we will add the rule to allow a certain IP address to gain RDP access.
Step 5: Add a Firewall Rule
Under Tools, after going into the Firewall Rules, we will see the option labeled Add Firewall Rule. Go ahead and click on that, bringing us to our next step.
Step 6: Add Detail the New Rule
This is the page that we see after clicking on Add Firewall Rule. It can seem to be complicated and intimidating for some beginner level System Administrators, but it is simple.
If you or your client are not sure what that IP address that needs RDP access is, Liquid Web has a great site to visit that will display your IP address.
Here is an example of what you will find at https://ip.liquidweb.com.
While this particular example IP will not be the one that the customer or the System Administrator will see, (when visited on the local machine) the page will display the IP address that needs to be added to the rule for this RDP session to connect. That will be the only information that will be displayed on this page. Simply copy that IP address and use it in the instructions below.
Once you enter the IP address into the text box under Remote addresses, you do need to click the ADD button before clicking on OK.
As mentioned above, after clicking the ADD button while the IP address is entered into the Add an IP address or a network text box, it will be placed into the left text box. After that step, you will then be able to click OK to apply this rule to the firewall for the server.
Step 7: Connect to RDP
The individual at that IP address can now access the server via RDP. If you would like to review an article explaining how to use Remote Desktop Connection, or if you need further assistance, you can locate more info at our internal help center after logging into your Liquid Web account.
Congratulations! You now know how to add an IP address to an RDP rule that will allow a user to connect if the RDP is scoped off to the public. This can be done many times. Although Plesk does not allow you to edit the rule, you will have to create a new one each time. But this shouldn’t cause any issues. Also, keep in mind that this method can be used for any port, including MySQL and MSSQL.
This is handy when you need to run software that is only available on one Operating System, for example, if you wanted to run Windows software on your Ubuntu computer or vice versa. The only limitations are RAM and disk space for running each virtual machine. Continue reading “How to Install VirtualBox on Ubuntu 16.04”→