Basic installation
I'll start off with the basic installation. In the table below you'll find the complete list of commands you need. Of course you’ll have to customize some settings, like your network configuration, username and password. These settings are highlighted in the script.
I’m assuming you have a Windows Server Core R2 server installed and have the administrator account password set.
netsh interface ipv4 set address name=IFINDEX source=static address=IP mask=MASK gateway=GW
netsh interface ipv4 add dnsserver name=IFINDEX address=DNS
cscript C:\Windows\System32\Scregedit.wsf /ar 0
netdom renamecomputer %COMPUTERNAME% /Force /NewName:COMPUTERNAME
netsh firewall set icmpsetting 8
start /w pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel
DISM /Online /Enable-Feature /FeatureName:NetFx2-ServerCore
DISM /Online /Enable-Feature /FeatureName:NetFx3-ServerCore
DISM /Online /Enable-Feature /FeatureName:IIS-ISAPIFilter
DISM /Online /Enable-Feature /FeatureName:IIS-ISAPIExtensions
DISM /Online /Enable-Feature /FeatureName:IIS-NetFxExtensibility
DISM /Online /Enable-Feature /FeatureName:IIS-ASPNET
start /w pkgmgr /iu:IIS-FTPSvc;IIS-FTPServer
c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.ftpserver/security/authorization /+[accessType='Allow',permissions='Read,Write',roles='',users='administrator'] /commit:apphost
c:\windows\system32\inetsrv\appcmd.exe set site /site.name:"Default Web Site" /+bindings.[protocol='ftp',bindingInformation='*:21:']
c:\windows\system32\inetsrv\appcmd.exe set site /site.name:"Default Web Site" /ftpServer.security.ssl.controlChannelPolicy:SslAllow
c:\windows\system32\inetsrv\appcmd.exe set site /site.name:"Default Web Site" /ftpServer.security.ssl.dataChannelPolicy:SslAllow
c:\windows\system32\inetsrv\appcmd.exe set site /site.name:"Default Web Site" /ftpServer.security.authentication.basicAuthentication.enabled:true /commit:apphost
netsh advfirewall firewall add rule name="AllowFTP" protocol=TCP dir=in localport=21 action=allow
IFINDEX: The index of your network interface. You will find this by running netsh interface ipv4 show interfaces and reading the column named idx for the row of your network adapter. This is usually a number below 10.
IP: Your IP address, given that you want a static IP. For dynamic IP configuration see below.
MASK: The network mask, e.g. 255.255.255.0
GW: The IP of your gateway
DNS: IP of the DNS server
COMPUTERNAME: What you want to name your computer (Netbios name)
What it does, line by line
The script sets up the following:
- IIS7 web server on port 80 with ASP.NET support
- FTP server on port 21 with basic authentication
- The Administrator account is granted access to the FTP
- SSL is disabled on the FTP
Line 1 and 2: These two lines configure the network settings for a static IP address setup. If you want dynamic IP, switch line 1 with the following, and skip line 2: netsh interface ipv4 set address name=IFINDEX source=dhcp
Line 3: This opens the server for Remote Desktop Connections (RDP). From now on you are able to remotely administer this server from another machine by launching mstsc.exe and connecting to the IP specified for the server.
Line 4: This gives the server a name
Line 5: This tells the firewall to allow ICMP requests – Pings. Try pinging from a remote server and test. Of course, this setting is optional.
Line 6-12: These lines set up IIS7 with basic components and install .NET Framework 3.5 along with ASP.NET support in IIS7.
Line 13: This installs the FTP server for IIS7. It is configured to host c:\inetpub\wwwroot, but no users are granted access so far.
Line 14: The Administrator user is given access to log in to the FTP server
Line 15: The server is told to listen at port 21 for incoming FTP connections
Line 16-17: These two lines disable the SSL requirement for communication to the FTP: the SslAllow policy on the control and data channels accepts connections without SSL. I did this because I basically don’t know how to set up SSL and don’t need that level of security on my test project. If anyone knows how to make SSL work, I’d be glad to hear.
Line 18: This line tells the FTP service to use the Windows users as source for authentication. Now you’ll be able to log in with the Administrator account from a local shell.
Line 19: Finally, we open port 21 (FTP) in the firewall for incoming connections.
Setting up a dedicated FTP user
You might want to shut out the Administrator account from the FTP users and create a dedicated user for that purpose instead. These four lines should take care of that:
net user FTPUSER PASSWORD /add
icacls c:\inetpub\wwwroot /grant FTPUSER:(OI)(CI)F
c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.ftpserver/security/authorization /+[accessType='Allow',permissions='Read,Write',roles='',users='FTPUSER'] /commit:apphost
c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /section:system.ftpserver/security/authorization /-[users='administrator'] /commit:apphost
Line 1: This creates a local user with the specified username (FTPUSER) and password (PASSWORD).
Line 2: This grants full access (read+write) to FTPUSER to c:\inetpub\wwwroot. Without this command, you would not be able to upload anything to the server.
Line 3: User FTPUSER is added to the list of approved accounts for FTP login.
Line 4: User Administrator is removed from the same list.
Enabling passive mode
Finally you would probably want to enable passive mode for the FTP server making it less troublesome to connect from clients behind firewalls. This is done with the following commands:
c:\windows\system32\inetsrv\appcmd.exe set config /section:system.ftpServer/firewallSupport /lowDataChannelPort:LOWPORT /highDataChannelPort:HIGHPORT
c:\windows\system32\inetsrv\appcmd.exe set config /section:system.applicationHost/sites /siteDefaults.ftpServer.firewallSupport.externalIp4Address:IP
netsh advfirewall set global StatefulFtp enable
sc stop ftpsvc
sc start ftpsvc
LOWPORT is the lower bound of the port range, e.g. 50000
HIGHPORT is the upper bound of the port range, e.g. 50100
IP is the external IP for your server, e.g. 10.22.8.58
Line 1: This configures the lower and upper bounds of the port range for incoming data connections.
Line 2: Here you provide the external IP for your server.
Line 3: This tells the firewall to enable StatefulFtp. This is a mode where the firewall dynamically detects which ports the incoming FTP data connections come at.
Line 4-5: Restart the FTP service. You need to wait a couple of seconds for it to shut down before executing the start command.
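The passive-mode steps above as one batch file, added here as an example (not part of the original post): it checks the port range before applying it and polls sc query until ftpsvc reports STOPPED, instead of waiting by hand before the start command. The port and IP values are the sample values from the text; the 1025-65535 bounds check and the 30-try limit are assumptions of this example.

```bat
@echo off
rem Added example: passive-mode setup with input checks and a safe restart.
rem LOWPORT, HIGHPORT and EXTIP are sample values; replace with your own.
setlocal
set APPCMD=%windir%\system32\inetsrv\appcmd.exe
set LOWPORT=50000
set HIGHPORT=50100
set EXTIP=10.22.8.58

rem Evaluate as numbers so the comparisons below are numeric, not textual.
set /a LOW=%LOWPORT%, HIGH=%HIGHPORT%
if %LOW% LSS 1025 goto badrange
if %HIGH% GTR 65535 goto badrange
if %LOW% GTR %HIGH% goto badrange

rem Data channel port range and external address (lines 1-2 in the text).
"%APPCMD%" set config /section:system.ftpServer/firewallSupport /lowDataChannelPort:%LOW% /highDataChannelPort:%HIGH%
if errorlevel 1 exit /b 1
"%APPCMD%" set config /section:system.applicationHost/sites /siteDefaults.ftpServer.firewallSupport.externalIp4Address:%EXTIP%
if errorlevel 1 exit /b 1

rem Let the firewall track FTP data connections (line 3 in the text).
netsh advfirewall set global StatefulFtp enable

rem Restart the service, polling until it has really stopped.
sc stop ftpsvc >nul
set TRIES=0
:wait
sc query ftpsvc | find "STOPPED" >nul
if not errorlevel 1 goto stopped
set /a TRIES+=1
if %TRIES% GEQ 30 (
    echo ftpsvc did not stop after 30 tries, not starting it again.
    exit /b 1
)
rem Two pings to localhost take roughly one second.
ping -n 2 127.0.0.1 >nul
goto wait

:stopped
sc start ftpsvc
rem Show the stored firewallSupport section so the range can be confirmed.
"%APPCMD%" list config /section:system.ftpServer/firewallSupport
exit /b 0

:badrange
echo Invalid port range %LOW%-%HIGH% (expected 1025-65535, low first).
exit /b 1
```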
Sources/Further reading:
In closing I’d like to provide some links I found useful writing this post. You should look into these sites if you want to dive deeper into the realm of Windows Server Core.
Configuring FTP Firewall settings (Robert McMurray, learn.iis.net)
Administer Windows Server 2008 Server Core from the Command Prompt, Microsoft TechNet
Administering FTP 7, Microsoft TechNet
Installing FTP with IIS7 on 2008 Server Core, Blog: joreko
Understanding Windows Server 2008 Server Core - Daniel Petri
How to Setup User Authentication in FTP 7 on IIS 7.0 - Trainsignaltraining. If you're running standard Windows Server 2008.