WSUS on WINDOWS SERVER 2008

WSUS Pre requisites

Before you start, make sure the server you are going to use is fully updated, and has the Microsoft Report Viewer Redistributable 2008 installed on it. (Report Viewer 2010 is available, but WSUS 3 needs the 2008 version at time of writing.)

You will also need 6GB (Approx) to hold the updates.

Step 1 Add and Configure the Windows Server Update Services Role

1. On the WSUS Server run the ServerManager (CompMgmtLauncher.exe) > Roles > Add Role > If you see the “Before you begin page” click Next > Select “Windows Server update Services” > At this point if IIS is not installed it will ask to add the required role service > Let it do so > Next.

Add WSUS Role

2. Next > Next > Next > Install > During the install the WSUS Setup Wizard will start > Next > Accept the EULA > Next > Specify a location to store the updates > Next.

WSUS Install Directory

3. You can choose an existing Database or click next to install and use SQL Express > Choose your web site settings > Next.

WSUS Web Site Settings

Note: The default setting will install and configure web services on TCP Port 80 (http). If you have another service or program using that port you will have a problem (e.g. a program that uses Apache web server, or UPS software that has a management console on port 80, etc). If you choose the second option it will set the site up on TCP port 8530 for http and 8531 for https.

4. Next > Finish > Now the configuration wizard will open > Next > Next > If you are going to pull your updates from another WSUS server enter it here > If not click Next > If you need to enter proxy server details do so > Next > Click “Start Connecting” (this can take a while) > Next.

WSUS Connecting to Microsoft

5. Select the languages you want to download > Next > Select the products you would like to download updates for > Next.

WSUS Products to Update

6. Select the ‘Classifications’ (types of update) you want to serve > Next > Set your sync schedule (I usually do this once a day) > Next.

WSUS Synchronization Schedule

7. Next > Finish > Close.

Step 2 Group Policy Settings for WSUS Clients.

Remember these policies are Computer Policies NOT User Policies, so you need to link the GPO to your computers. If you link it to an OU containing users nothing will happen!

1. On a domain controller > Start > Administrative Tools > Group Policy Management > Locate the OU containing your computers > Right click and create a new GPO.

WSUS GPO Creation

2. Give the GPO a name > Then edit the new GPO > Navigate to:

WSUS GPO Settings

3. Edit the settings on the right to suit your requirements. > Close the group policy editor Window, (to see what settings I usually set see the video above).

WSUS Group Policy Settings

4. Your clients will get these settings next time they boot, after a maximum of two hours, or after you run “gpupdate /force” on them.

5. If you check your clients you will see their Windows Update settings are now “Grayed Out”

Windows Update Controlled by GPO
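
To confirm on a client that the GPO from Step 2 really applied and points at the intended server, you can read the policy values it writes to the registry. This is an added example, not part of the original article; the host name wsus01.domaina.com and the sample values are constructed, and port 443 (https on the default web site) is an assumption the article does not state.

```powershell
# Added example (not from the original article): audit the WSUS client policy
# that the GPO from Step 2 writes into the registry of each computer.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Read the live values; a missing key or value simply comes back as $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        AUOptions      = $au.AUOptions
    }
}

function Test-WsusClientPolicy {
    param(
        [hashtable]$Policy,
        [string]$ExpectedHost   # assumption: the FQDN of your own WSUS server
    )
    if (-not $Policy.WUServer) {
        return 'FAIL  WUServer is not set: the GPO has not reached this computer (is it linked to a computer OU?)'
    }
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'FAIL  UseWUServer is not 1: the client ignores WUServer and keeps using Microsoft Update'
    }
    if ($Policy.WUStatusServer -ne $Policy.WUServer) {
        $findings += "WARN  WUStatusServer ($($Policy.WUStatusServer)) differs from WUServer: status reports go elsewhere"
    }
    $uri = [uri]$Policy.WUServer
    if (-not $uri.IsAbsoluteUri) {
        $findings += "FAIL  WUServer '$($Policy.WUServer)' is not a full URL such as http://server:8530"
        return $findings
    }
    if ($uri.Host -ne $ExpectedHost) {
        $findings += "FAIL  client points at $($uri.Host), expected $ExpectedHost"
    }
    # Ports named in the article: 80 or 8530 for http, 8531 for https.
    # 443 is https on the default web site (assumption, not stated in the article).
    $known = @{ 'http' = @(80, 8530); 'https' = @(443, 8531) }
    if ($known[$uri.Scheme] -notcontains $uri.Port) {
        $findings += "WARN  $($uri.Scheme) on port $($uri.Port) is not a usual WSUS listener"
    }
    if ($uri.Scheme -eq 'http') {
        $findings += "INFO  client reaches WSUS over plain http on port $($uri.Port)"
    }
    # Meaning of the AUOptions values set by the 'Configure Automatic Updates' policy.
    $auText = @{ 2 = 'notify before download'; 3 = 'download, notify before install';
                 4 = 'download and install on schedule'; 5 = 'local admin chooses' }
    if ($Policy.AUOptions) {
        $findings += "INFO  AUOptions = $($Policy.AUOptions) ($($auText[[int]$Policy.AUOptions]))"
    }
    if (-not ($findings -match '^(FAIL|WARN)')) {
        $findings += 'OK    policy is consistent'
    }
    $findings
}

# Constructed sample values, so the check can be tried without a domain.
# UseWUServer = 0 simulates a GPO where the intranet server was set but not enabled.
$sample = @{
    WUServer       = 'http://wsus01.domaina.com:8530'
    WUStatusServer = 'http://wsus01.domaina.com:8530'
    UseWUServer    = 0
    AUOptions      = 4
}
Test-WsusClientPolicy -Policy $sample -ExpectedHost 'wsus01.domaina.com'

# On a real client (run elevated, after gpupdate /force):
# Test-WsusClientPolicy -Policy (Get-WsusClientPolicy) -ExpectedHost '<your WSUS FQDN>'
```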

Step 3 Configure Windows Server Update Services.

1. WAIT a while before returning to the WSUS server to configure it, (I typically wait a few days). Assuming your computers are now appearing in the “Computers Section” you need to either manually approve the updates or set them to automatically update.

WSUS Imported Computers

If your computers fail to ‘appear’ see Windows Client(s) not ‘appearing’ in WSUS

2. If you want to simply “Auto approve” all new updates then navigate to Options > Automatic approvals > And Select the “Default Automatic Update Rule” > Click the Hyperlinks in the rule to edit them > Apply > Run Rule > Select ‘Yes’ to save and run.

WSUS Auto Approval

3. If you want to create computer groups and roll out updates in a more staged manner, you can create different computer groups, and add your computers to those groups.

WSUS Computer Groups

4. If you want to manually approve updates navigate to Updates > All updates > Select the “Unapproved” updates > Right Click > Approve > Select your computer groups as appropriate.

Note: You can mass select the updates by holding down Shift, or select them individually while pressing Ctrl.

WSUS Update Approval

Related Articles, References, Credits, or External Links

Windows Client(s) not ‘appearing’ in WSUS

WSUS Install Error – ‘The update could not be found. There may be a network connection issue.’

Message ID 6600: sms wsus configuration manager failed to configure upstream server

WSUS Install Error on Windows Server 2008 R2

Microsoft Lync 2010 – Install and Configure

Pre-Requisites

1. Download and install, Microsoft Silverlight. (link)
2. IIS (Roles > Add Roles > Web Server IIS) > Next.

install iis

Also add:

i. ASP.NET
ii. Logging Tools
iii. Tracing
iv. Client Certificate Mapping Authentication.
v. Windows Authentication
vi. IIS Management Scripts and Tools

install role services

Next > Install > Finish.
3. RSAT Tools (Features > Add Features > Remote Server Administrative Tools > AD DS and LDS Tools) > Next > Install > Close > Select Yes to Reboot > Post Reboot Installation will continue > Close.

RSAT Tools

4. Have a Certification authority set up in your domain. OR a certificate ready for the Lync Server to import.

Install

1. Run Setup > It will ask to Install C++ let it do so.
2. Once it’s finished, It will ask for the install location > change if required > Install.
3. Accept the EULA > OK.
4. When the Deployment Wizard starts > Select “Prepare Active Directory”.

lync prepare ad

5. Prepare Schema > Run > Next > Finish.
6. Allow domain replication.
7. Prepare Current Forest > Run > Select Local Domain > Next > Finish.
8. Allow domain replication.
9. Prepare Domain > Run > Next > Finish.

lync prepare schema

10. When all are completed, add your administrators to the newly created AD group CSAdministrators > Then click “Back” to return to the main page of the Deployment Wizard.

csadministrator group

11. Prepare First Standard Edition Server > Next > SQL Express will install > Finish.

Lync prepare server

12. Install Topology Builder > It installs very quickly and gets a green tick when complete.

Lync Topology Builder

13. Start > All Programs > Microsoft Lync Server 2010 > Lync Server Topology builder > When prompted select > New Topology > OK.

Lync New Topology

14. Save the topology as requested.

Save Topology

15. Under “Primary SIP Domain” > enter your domain name > Next.

SIP Domain Name

16. Enter any additional domains if required > Next.

11. Give the site a name and description > Next.

12. Enter site details > Next > With the option to “Open the new front end wizard..” selected > Finish.

Lync Topology

13. At the “Define a new front end pool” wizard > Next > Enter the FQDN of the server and select Standard Edition > Next.

Lync Front End Pool

14. Select features (Everything except PSTN, because I don’t have a PSTN gateway) > Next.

Lync Features

15. Choose to Collocate Mediation Server > Next.
16. Don’t add any further server roles > Next > Next.
17. Let it create a new share > Next.
(Note manually create the share and make sure it has appropriate permissions).

Lync Share

Create share

18. Set external URL if required > Next > we are not adding PSTN > Finish.
19. On the Topology Builder Select > Edit Properties > Central Management Server.

Lync Edit Properties

20. Add in the admin URL (Note: Make sure this resolves in DNS), and FQDN of the server > OK.

Lync CMS URL

21. Select Publish Topology > Next > Next > Finish.

Lync Publish Topology

22. Re-launch or swap back to the Lync Server Deployment Wizard > Select Install or Update Lync Server System.

Install or update Lync

24. Run step one “Install Local Configuration Store” > Select “Retrieve directly…” > Next > Finish.

Lync Deployment

25. Run Step two “Setup or Remove Lync Server Components” > Next > (If you get a Prerequisite installation failed: Wmf2008R2 click the link) > Finish.
26. Run Step three “Request, Install, or Assign Certificates” > Request > Next > Send request immediately > Next.

Lync Local CA

27. Select your CA > Next > Next > Next.
28. Choose a friendly Name > Next.

Certificate Friendly Name

29. Fill in your Organisation information > Next > Enter country > State and City > Next > Next > Next > Next > Next > Next > Finish. > Close.
30. Run Step 4 “Start Services” > Next > Finish.

Lync Deploy

31. Check the service status if you wish.
32. Close the deployment wizard.

Launch “Lync Server control Panel” and Configure

1. Launch the “Lync Server Control Panel” > Log in with an admin account (created above at step 10).

Lync Server Control Panel

2. Navigate to Users > Add.

Lync Enable Users

3. Add in your users and assign them to your pool.

Lync Assign Users to Pool

Lync Pc-to-PC-only

Post Install Tasks

1. You need to create a DNS SRV (Service Location) so the client can locate the Lync server:

DNS Create SRV

i. Service: _sipinternaltls
ii. Protocol: _tcp
iii. Port Number: 5061
iv. Host offering service: the FQDN of the Lync Server.

Port 5061

Install the ‘Lync Client’ on the client machines.

Lync Client

KMS Server for Windows Server 2008 R2, Windows 7, and Office 2010

Problem

Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.

So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”

I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Server 2008 R2 and Windows 7. I will also add in the KMS licensing mechanism for Office 2010 as well.

Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

Locate 2008 KMS Key

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.

Install KMS Key

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.

KMS Key Warning

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the “Key Management Service” (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > “Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

KMS Firewall Exception

Note: Should you wish to change the port the service uses, you can do so with the following command, e.g. to change it to TCP Port 1024;

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

That’s It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).

1. Locate your “Windows Server 2008 Std/Ent KMS B” Key > From command line issue the following command;

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

Install KMS Key from Command Line

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

Change Server Product Key

3. Now we need to activate the Windows Server > Run the following command;

c:\Windows\System32\slui.exe

Select “Activate Windows online now” > Follow the on screen prompts.

Activate KMS Key

4. When complete, it should tell you that it was successfully activated.

KMS Activation Successful

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the “Key Management Service” (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > “Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

KMS Firewall Exception

Note: Should you wish to change the port the service uses, you can do so with the following command, e.g. to change it to TCP Port 1024;

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

That’s It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)

Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.

Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).

1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

KMS DNS Record

2. From your client machines you can test that they can see the SRV record, by running the following command;

nslookup -type=srv _vlmcs._tcp

Note: If this fails, can your client see the DNS server? And is it in the domain?

Query KMS DNS Record

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;

cscript c:\Windows\System32\slmgr.vbs /dli

Check KMS Server Status

4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;

Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

Activation Error 0xC004F038

5. For each of these failures, look on the KMS Server, and the “Current count” will increment by 1 (till it starts to work). In a live environment this won't be a problem (you probably won't be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.

KMS Current Count
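
Both the KMS service here and the Lync server earlier on this page are found by clients through a DNS SRV record (_vlmcs._tcp on port 1688, _sipinternaltls._tcp on port 5061). The script below is an added example, not part of the original article: it parses the output of the nslookup command shown above, compares the advertised port with the one the article gives, and can optionally probe that port. The nslookup output, host names and IP addresses in it are constructed.

```powershell
# Added example (not from the original article): parse `nslookup -type=srv`
# output and check each record against the port the article gives.
$DefaultPort = @{ '_vlmcs._tcp' = 1688; '_sipinternaltls._tcp' = 5061 }

function ConvertFrom-NslookupSrv {
    # Turn the text block printed by Windows nslookup into one object per SRV record.
    param([string[]]$Lines)
    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s+SRV service location:') {
            $current = New-Object PSObject -Property @{ Name = $Matches[1]; Port = $null; Target = $null }
            $records += $current
        }
        elseif ($current -and $line -match '^\s+port\s*=\s*(\d+)') { $current.Port = [int]$Matches[1] }
        elseif ($current -and $line -match '^\s+svr hostname\s*=\s*(\S+)') { $current.Target = $Matches[1] }
    }
    $records
}

function Test-TcpPort {
    # Plain TCP connect with a timeout; works on PowerShell 2.0 (Server 2008 R2 / Windows 7).
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-SrvRecord {
    param([string]$Service, [string[]]$Lines, [switch]$Probe)
    $expected = $DefaultPort[$Service]
    $records = @(ConvertFrom-NslookupSrv -Lines $Lines | Where-Object { $_.Name -like "$Service.*" })
    if ($records.Count -eq 0) {
        # Covers both "record never registered" and "client cannot see the DNS server".
        return "FAIL  no $Service SRV record returned: clients cannot locate the service through DNS"
    }
    foreach ($r in $records) {
        $note = if ($r.Port -eq $expected) { 'default port' }
                else { "non-default port (default is $expected): check firewalls allow it" }
        $reach = if ($Probe) { Test-TcpPort -ComputerName $r.Target -Port $r.Port } else { 'not probed' }
        New-Object PSObject -Property @{
            Service = $Service; Target = $r.Target; Port = $r.Port; Reachable = $reach; Note = $note
        } | Select-Object Service, Target, Port, Reachable, Note
    }
}

# Constructed sample of Windows nslookup output (not captured from a real network).
$sample = @'
Server:  dc01.domaina.com
Address:  192.168.1.10

_vlmcs._tcp.domaina.com SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms.domaina.com
kms.domaina.com internet address = 192.168.1.20
'@ -split "`r?`n"

Test-SrvRecord -Service '_vlmcs._tcp' -Lines $sample | Format-List
# The sample holds no Lync record, so this shows the failure path:
Test-SrvRecord -Service '_sipinternaltls._tcp' -Lines $sample

# On a real client, feed it live output and probe the port as well:
# Test-SrvRecord -Service '_vlmcs._tcp' -Lines (nslookup -type=srv _vlmcs._tcp 2>$null) -Probe
```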

Troubleshooting KMS Clients

To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.

cd c:\windows\system32
slmgr /dli

KMS Client Initial Grace Period

KMS Client Licenced

For further troubleshooting, see the following links.

How to troubleshoot the Key Management Service (KMS)

Managing License States

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.

If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.

1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”

Locate Office 2010 KMS Key

Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

2. Download and run the “Microsoft Office 2010 KMS Host License Pack“.

KMS Office 2010 License Pack

3. When prompted type/paste in your “Office 2010 Suites and Apps KMS” product key > OK.

Add Office 2010 KMS Key

4. It should accept the key.

Add Office Activation to KMS Host

5. Press {Enter} to close.

KMS Server Updated for Office 2010

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Office 2010 KMS Activation

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;

x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act

x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act

Install Exchange 2007 on Windows Server 2008

Problem

Assumptions

You have an x64 Bit server (x32 is not supported for production).
You have an x64 Bit copy of Server 2008 or Server 2008 R2 (Note: Exchange 2007 SP2 not supported on R2 YET).

Solution

Pre site visit

To save time onsite it may be worth (If remote connection is available) downloading the relevant install media and service packs beforehand.

Pre requisites
1. .net 2.0 – pre installed in Server 2008 and Server 2008 R2
2. MMC 3.0 – pre installed in Server 2008 and Server2008 R2
3. PowerShell needs to be installed. It's pre installed on Server 2008 R2; on Server 2008 do the following > Start > run > cmd {Enter} > enter the following command,

Note: It may look like it’s hung but after a while it will say “Success: Installation succeeded.”

4. You now need to add a server role > Start > Server Manager > Roles > Add Roles > IIS (Web Server) > Start > Server Manager > Roles > Add Roles > Next > Tick “Web Server IIS” > Next.

add iis role

5. Security Section > Add Basic Authentication, Digest Authentication, and Windows Authentication.

digest authentication

6. IIS 6 Management Compatibility Section > Add IIS 6 Metabase Compatibility and IIS 6 Management Console > Performance section > Tick Static and Dynamic Content compression.

iis management compatibility

7. Click Next > Install > Close.

8. Now Select Features > Add Features > Expand Remote server Administration Tools > Expand Role Administration Tools > tick AD DS and AD LDS Tools > Add Required Features > Next > Install > Close > Reboot when prompted.

ad ds and ad lds tools

9. Run Windows update.

Pre Install Tasks
Assuming you’re installing from CD/DVD (if not change E: to the correct path.)
If you are going to do this via RDP you MUST be on the console session.
1. From command line Execute the following command,

prepareschema

2. When it’s done Execute the following command,

preparead

3. When it’s done Execute the following command,

preparedomain

Install Exchange 2007

I have on one occasion needed to copy all the DVD/CD’s contents to the server for Installation to be successful.

1. Assuming the CD/DVD from which you are deploying Exchange 2007 is E: > Start > Run > CMD {enter}.
2. Execute the following command,

setup exchange

3. Click Step 4 > Introduction Screen > Next > Tick “I accept the terms….” > Next > Next > Select Typical > Next.

install exchange 2007

4. You will then be asked if you have any Outlook 2003 or earlier clients. Answer Yes or No > Next.

client settings

5. Exchange 2007 will now do some checks > Click Install > When done > Finish >Reboot the server.

exchange 2007 setup

6. Launch the Exchange Management Console > Ignore any Licence warnings.
7. Select Server configuration > Select the new Server > Action > Enter Product Key > Type in your Key > Read the Warning > Finish > either reboot or restart the “Microsoft Exchange Information Store” service.

enter exchange 2007 key

8. At time of writing SP2 is not supported on R2 (Note: This will change). But run Windows update to get any further updates/roll ups.

Error:
This compuer is running Windows Server R2 Enterprise. Exchange Server 2007 is not supported on this operating system.

install 2007 on 2008 r2

9. The new 2007 Organisation will have one mailbox database and one Public folder database (If you said “Yes” I have Outlook 2003 or earlier during install) > Expand Microsoft Exchange > Server configuration > Mailbox > Select the server > The Databases will be displayed in the center panel at the bottom.
10. You can select the databases > Right Click > “Move Database Path” to move them onto another partition.

move exchange database

11. Point SMTP Feed to the New Server, the MX Record should now be pointing to the public IP of the new server OR the Firewall SMTP Port re-directs needs changing to the new server.

12. Once the SMTP Feed has swapped across, inbound mail may fail and return the following error,

mail.domainc.com #530 5.7.1 Client was not authenticated ##

To fix that you will need to allow anonymous access on the servers default receive connector. > Launch Exchange Management Console > Server Configuration > Hub Transport > right click the “Default {server name}” connector > Permission groups > tick “Anonymous users” > Apply >OK.

receive connector permissions

5. You may also find outbound mail will fail, and sit on the outbound queue with the following error,

A matching connector cannot be found to route the external recipient

To fix that you will need to create a “Send Connector”. Launch the Exchange 2007 Management Console > Organization Configuration > Hub Transport > Send Connectors > New Send Connector > Give it a name and CHANGE the intended use from Custom to Internet > Next > Add > In the address box type a single asterisk * > tick Include all subfolders > OK > Next > Add a smart host IF you use one > Next > Next > New > Finish.

send connector

Install Antispam Agents
1. Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
2. Execute the following commands,

exchange install antispam agents

3. Stop and restart the Exchange Management Console (NOT the exchange Management Shell).
Note: If the antispam Agents are installed, remove the following folder from the backup (or it will error): C:\Program Files\Microsoft\Exchange Server\TransportRoles\

Post Install Tasks
1. You may need to exclude the following folder from the backup.
C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\CONFIG\
2. If OWA displays “Service Unavailable” See here and run through the ASP.NET 2.0, 64-bit version section.

LINUX HARDENING

Steps for Linux Hardening

  1. Always use a password-protected GRUB boot loader to protect the Linux system, so that unauthorised users cannot enter single user mode and access the root account on the system.

  2. Always ensure that only authorised services are running on the Linux system. This can be done by checking the boot-time scripts that are located under the /etc/rc.d directory.

  3. Never run a publicly accessible service with root privileges. Instead run the service under a normal user account. Also ensure that this user does not have shell access to the server.

  4. Always take a backup of critical data.

  5. Always use a secure session like ssh for remote administration of the Linux server.

  6. Install publicly accessible applications in a chroot environment, so that exploitation of such a service does not affect the remaining part of the system.

  7. Update the operating system and the applications installed on the system in time, so as to avoid vulnerabilities as far as possible.

  8. If the information provided by the publicly accessible web servers is critical, then provide the services using HTTPS connections.

  9. To avoid denial-of-service type attacks, define the number of requests accepted by the web server in a given time.

  10. Configure the DNS server not to receive dynamic updates from unauthorised DNS servers, as these may lead a user to a website that he did not intend to access.

  11. Implement access control lists to have better control over the file-level privileges given to users.

  12. Use TCP wrappers and xinetd services to filter, up to some extent, which users from the internet are authorised to access the services on the system. This also gives better control over the services that are provided to internet users.

  13. Always use a well defined firewall on the Linux server side, so as to provide only legitimate services to the outside world and block access to all the remaining ports/services that are not required by internet users.

  14. Use Network Information Service (NIS) only within a well protected network. This service is normally used to store a centralised user database, similar to an Active Directory server in Windows. Instead it is recommended to use LDAP (Lightweight Directory Access Protocol), which can serve the same purpose in a secured manner.

  15. Linux mail servers use the SMTP protocol for transferring emails and the POP or IMAP protocol for retrieving mails from a user's mailbox. In an organisation, an SMTP gateway is used to transfer mails from the internal network to the internet. If it is not well secured, it may result in two types of well known attacks.

  • One type of attack is called relaying. Once an unauthorised user is aware of the SMTP server details, he can transfer mails to other domains' mail servers without any authentication at the SMTP server. In this type of attack, the unauthorised user is interested in propagating malicious content to other mail server domains rather than in gaining access to the server.
  • The other type of attack involves the unauthorised user exploring the mail account information by using SMTP commands like PASV, VERB, VRFY, EXPN and then gaining further access to the internal network.

Disabling the SMTP verbose mode is recommended on an SMTP server which is connected directly to the internet.

SECURE WEB BROWSER

The Web browser is used to gain access to information and resources on the World Wide Web. It is a software application used to locate and display web pages. The main purpose of a web browser is to bring information resources to the user. The process begins with a uniform resource identifier (URI) or uniform resource locator.

Uniform Resource Locator (URL)

Consider an example of the URL: http://www.infosecawareness.in
Each URL is divided into different sections as shown below
http:// – Short for Hypertext Transfer Protocol; it indicates that the file is a web page. You don't need to type http:// every time, as it is automatically inserted by the browser.
www – World Wide Web
infosecawareness – site name
.in – One of the domain names; here it is basically a country name.
Other domain names are .com (commercial organization), .net (network domain) etc.
(The organization address and location of the organization address are known as the domain name).
co.in – suffix or global domain name; it shows the type of organization and the country of origin. For example, the suffix co.in indicates a company in India.
Generally a web browser connects to the web server and retrieves the information. Each web server has an IP address, and once you are connected to the web server using http, the browser reads the Hypertext Markup Language (HTML), the language used to create documents on the World Wide Web, and displays that document.
In short, a browser is an application that provides a way to look at and interact with all the information on the World Wide Web.

  1. Understanding the usage of the Web Browser
  2. How to secure your web browser
    1. Mozilla firefox
    2. Internet Explorer 8
    3. Safari v 4.0
    4. Google Chrome

Understanding usage of Web Browsers

A Web browser is a software application that runs on the internet and allows viewing the web pages, as well as content, technologies, videos, music, graphics, animations and many more. In other words, a browser is an application that offers a method to look at and interact with the entire information on the World Wide Web.

Types of Web Browser

There are different types of web browsers available with different features. A web browser is a tool used not only on personal computers, but also on mobile phones to access information. There are different technologies that web browsers support, like Java, frames, XHTML and many more. Web browsers are also available in different languages like English, German, Chinese, Arabic and many more. By knowing all the web browsers and their uses, it will become easier to improve internet usage.

Risks towards Web Browser

There are increased threats from software attacks taking advantage of vulnerable web browsers. The vulnerabilities are exploited with the help of compromised or malicious websites. Exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems, as many users do not know how to configure their web browser securely or are unwilling to enable or disable functionality as required to secure their web browsers.

Secure web browser

By default, a Web browser comes with an operating system, and it is set up with a default configuration, which doesn't have all security features enabled. There are many web browsers installed on computers, like Internet Explorer, Mozilla, Google Chrome, etc., that are used frequently. Not securing a web browser leads to problems caused by spyware, malware, viruses, worms, etc. being installed on the computer, and this may allow intruders to take control of your computer.
There is an increased threat from software attacks which may take advantage of vulnerable web browsers. Some software components of a web browser, like JavaScript, ActiveX, etc., may also cause vulnerabilities on the computer system. So it is important to enable the security features in the web browser you use, which will minimize the risk to the computer. Web browsers are frequently updated. Depending upon the software, features and options may change. It is therefore recommended to use an up-to-date web browser.

How to secure your web browser?

Features and Security Settings of Mozilla Firefox v3.6 Browser

It is a free, open source web browser developed by Mozilla Corporation. The browser can be used on different operating systems like Windows, Mac, Linux, etc.

Anti-Phishing
Shop and do business safely on the Internet. Firefox gets a fresh update of web forgery sites 48 times in a day, so if you try to visit a fraudulent site that’s pretending to be a site you trust (like your bank), a browser message—big as life—will stop you.
Anti-Malware
Firefox protects you from viruses, worms, trojan horses and spyware delivered over the Web. If you accidentally access an attack site, it will warn you away from the site and tell you why it isn’t safe to use.
Anti-Virus Software
Firefox integrates elegantly with your Windows antivirus software. When you download a file, your computer’s antivirus program automatically checks it to protect you against viruses and other malware, which could otherwise attack your computer.
Instant Web Site ID
Want to be extra sure about a site’s legitimacy before you make a purchase? Click on a site favicon for an instant identity overview. Another click digs deeper: how many times have you visited? Are your passwords saved? Check up on suspicious sites, avoid Web forgeries and make sure a site is what it claims to be.
Private Browsing
Sometimes it’s nice to go undercover, so turn this feature on and protect your browsing history. You can slip in and out of private browsing mode quickly, so it’s easy to go back to what you were doing before as if nothing ever happened. It’s great if you’re doing your online banking on a shared computer or checking email from an Internet café.
Customized Security Settings
Control the level of scrutiny you’d like Firefox to give a site and enter exceptions—sites that don’t need the third degree. Customize settings for passwords, cookies, loading images and installing add-ons for a fully empowered Web experience.

Enable security options
Firefox checks every part of a Web page before loading it to make sure nothing harmful is sneaking through the back door.
Security settings in Firefox control the level of examination you’d like Firefox to give a site and let you enter exceptions (sites that don’t need the third degree). Customize settings for passwords, cookies, loading images and installing add-ons for a fully empowered Web experience, as shown below.

From the Tools menu of the Firefox browser, select Options and then click the Security tab.

 

  • Under the Security tab, enable the option “Warn me when sites try to install add-ons”. To add or remove sites, click the Exceptions button and add or remove the sites you want.
  • Enable the option “Tell me if the site I’m visiting is a suspected attack site”.
  • Enable the option “Tell me if the site I’m visiting is a suspected forgery”. Firefox gets a fresh update of web forgery sites 48 times a day, so if you try to visit a fraudulent site that’s pretending to be a site you trust, the browser displays a message and stops you.
  • Disable the option “Remember passwords for sites”. Firefox has integrated this feature into your surfing experience, letting you choose to “remember” site passwords without intrusive pop-ups. The “remember password” notification appears at the top of the site page, and if you choose never to remember passwords for sites, no notification is shown.
  • Select the Advanced tab and open the Encryption tab in order to have secure data transfer, and enable “Use SSL 3.0”.

 

  • Another feature is automated updates. This lets you find security issues, install fixes and surf safely. You can receive automatic notification of updates or wait until you are ready.
  • Privacy settings in Firefox control the level of examination you’d like Firefox to give a site and let you enter exceptions (sites that don’t need the third degree). Customize settings for cookies, remembering passwords, downloads and history storage.
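
The Security-tab options above are stored in the profile's prefs.js file, which records only values changed from the defaults. The following is an added example, not part of the original article, that audits a prefs.js body against those options; the mapping to Firefox 3.x preference names and the sample profile are assumptions made for this illustration.

```python
import re

# Assumed mapping from the Security-tab options named above to Firefox 3.x
# preference names: (value the steps ask for, built-in default used when
# prefs.js has no entry for the preference).
BASELINE = {
    "xpinstall.whitelist.required": (True, True),          # warn on add-on installs
    "browser.safebrowsing.malware.enabled": (True, True),  # suspected attack sites
    "browser.safebrowsing.enabled": (True, True),          # suspected forgeries
    "signon.rememberSignons": (False, True),               # remember passwords
}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """List (pref, effective value, wanted value) for settings off the baseline."""
    prefs = parse_prefs(text)
    findings = []
    for name, (wanted, default) in BASELINE.items():
        effective = prefs.get(name, default)  # absent entry means default applies
        if effective != wanted:
            findings.append((name, effective, wanted))
    return findings

# Constructed sample profile: forgery check switched off, passwords untouched.
SAMPLE_PREFS = '''
# Mozilla User Preferences
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("xpinstall.whitelist.required", true);
'''

if __name__ == "__main__":
    for name, got, wanted in audit(SAMPLE_PREFS):
        print("%s is %s, baseline wants %s" % (name, got, wanted))
```

The password setting is reported even though the sample file never mentions it, because the default applies when the entry is missing.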

Features and Security Setting of Internet Explorer (IE Version 8)

It is known as Microsoft Internet Explorer, or IE for short. It is one of the most popular web browsers, and the latest edition of IE is available with some Windows operating systems like Windows XP, Windows 2003, Windows Vista and Windows 2007.

  • From the menu, select Tools, choose SmartScreen Filter and click “Turn On SmartScreen Filter” to enable the filter, which is recommended. This option is used to “Avoid phishing scams and malware”. It alerts you if a site you are trying to open has been reported as unsafe.
  • Internet Explorer has an option called “Identify fake Web addresses”, which helps you avoid false Web sites that are designed to trap you with misleading addresses. The domain name in the address bar is highlighted in black and the rest of the address is in grey to make it easy to identify a Web site’s true identity.
  • From the Tools menu, select InPrivate Filtering Settings; this option is used to “Browse privately”. If you want to protect yourself from fraud when you use a public computer, it’s a good idea to erase your tracks. InPrivate Browsing tells Internet Explorer not to record or save your browsing history, temporary Internet files, form data, cookies, and user names and passwords.
  • Another feature in Internet Explorer is “Detect malicious code”. The new Cross Site Scripting (XSS) Filter helps detect malicious code that’s running on compromised Web sites. This type of code is used in identity theft.
  • From the Tools menu of Internet Explorer, select Internet Options and then click the Security tab. Check the current security settings and change the settings of the security zone as necessary.
  • To change the security setting, move the slider under the security level up to increase the security level from medium to high.
  • Enable Protected Mode. With this option, all websites are opened in protected mode.
  • To add or remove trusted or restricted websites, click the Sites option, then click the Add or Remove button and enter your list of sites for the selected zone.
  • Select the Advanced tab and select the options you want, such as enabling “Use SSL 3.0” and “Use TLS 1.0”.
  • For more settings and controls, click Custom level and then select the options you want.
  • In the browser settings, from the menu bar click Tools > select Pop-up Blocker.
  • Turn on the pop-up blocker. Alternatively, in Internet Explorer click Internet Options > select Privacy.
  • Mark “Turn on Pop-up Blocker” as shown below.


 

Features and Security Settings of Safari v 4.0

It is a web browser developed by Apple Corporation. It is the default web browser of Mac OS X. This browser also works on Windows XP, Windows Vista and Windows 7.

The following are the features of the Safari secure web browser:
Phishing Protection
Safari protects you from fraudulent Internet sites. When you visit a suspicious site, Safari warns you about its suspect nature and prevents the page from loading.
Malware Protection
Safari recognizes websites that harbour malware before you visit them. If Safari identifies a dangerous page, it warns you about the suspect nature of the site.
Antivirus Integration
Thanks to support for Windows Attachment Monitor, Safari notifies your antivirus software whenever you download a file, image, application, or other item. This allows the antivirus software to scan each download for viruses and malware.
Secure Encryption
To prevent eavesdropping, forgery, and digital tampering, Safari uses encryption technology to secure your web communications. Safari supports the very latest security standards, including SSL versions 2 and 3, Transport Layer Security (TLS), 40- and 128-bit SSL encryption, and signed Java applications.
Automatic Updates
Get quick, easy access to the latest security updates. Safari takes advantage of Apple Software Update, which checks for the latest versions of Safari when you’re on the Internet.

Pop-Up Blocking
By default, Safari intelligently blocks all unprompted pop-up and pop-under windows, so you can avoid distracting advertisements while you browse.
Cookie Blocking
Some companies track the cookies generated by the website you visit, so they can gather and sell information about your web activity. Safari is the first browser that blocks these tracking cookies by default, better protecting your privacy. Safari accepts cookies only from your current domain.

Features and Security Settings of Google Chrome

It is a web browser designed for a Windows operating system. This browser works on Windows XP, Windows Vista, Mac OS and Linux.

The following are the features and security settings of the Google Chrome web browser:

  • From the settings menu, select the Incognito window option and a new window appears. Pages you view from this window won’t appear in your web browser history or search history. They won’t leave any traces like cookies after you close the incognito window, but any files you download or bookmarks you create will be preserved.
  • Chrome has a new feature, its own Task Manager, that shows you how much memory and CPU each tab and plug-in is using. You can open it by pressing Shift-Esc from within Chrome, or by placing the cursor on a window, right-clicking and selecting Task Manager. You can get more details by clicking the “Stats for nerds” link in the Task Manager, which opens a page with full details of memory and CPU usage for each process within the browser. It can be used to close a bad process in one tab without killing your whole browser session.
  • One of the features of Chrome is dynamic tabs. You can drag tabs out of the browser to create new windows, gather multiple tabs into one window or arrange your tabs however you wish, and it becomes quick and easy to get back to the desired sites, i.e. to reopen closed sites.
  • The safe browsing feature in Google Chrome displays a warning if the web address listed in the certificate doesn’t match the address of the website. The following are the steps for the safe browsing settings in Google Chrome.
  • From the settings tab, select Options and select Under the Hood; under Privacy, enable the option “Show suggestions for navigation errors”.

  • Enable the option “Use a suggestion service to help complete searches and URLs typed in the address bar”.
  • Enable DNS pre-fetching to improve page load performance.
  • Enable the phishing and malware protection.
  • Under Minor Tweaks, enable “Never save passwords”.
  • Under computer-wide SSL settings, enable the option “Use SSL 2.0”.
  • From the Page menu, select Create application shortcuts. This is used for websites you want to view regularly: you can create application shortcuts for the desired websites and place them on your desktop, Start menu or Quick Launch menu, choosing any one of these options. After creating a shortcut, if you double-click its icon on the desktop or Start menu, the website opens in a special window that doesn’t display tabs, buttons, address bar or menus.
  • Many of the browser functions are available instead in the drop-down menu that appears when you click the page logo in the upper-right corner of the window. If you click a link that takes you to a different website, the link opens in a standard Google Chrome window so you won’t lose track of your website.

OPENSTACK - WINDOWS IMAGE CREATION

Windows Image Creation

Requirements :

 

  • ISO image of the Windows OS.
  • VirtIO driver for Windows.
  • Cloud init drivers for Windows.

Procedure :

Download the VirtIO drivers from the link below:

https://launchpad.net/kvm-guest-drivers-windows/20120712/20120712/+download/virtio-win-drivers-20120712-1.iso

Create a target hard drive to install the Windows Server 2008 R2 Operating System.

$ cd ~ && mkdir KVM && cd KVM

$ qemu-img create -f qcow2 WIN2K8R2.qcow2 20G

Attach the Windows Server 2008 R2 ISO and boot from it.

$ qemu-system-x86_64 -enable-kvm -m 2048 -boot d -drive file=WIN2K8R2.qcow2,if=virtio -cdrom Win2K8X64R2Ent.iso -drive file=virtio-win-drivers-20120712-1.iso,media=cdrom -net nic,model=virtio

Once the installation has started, you need to connect to the VM using TightVNC Viewer.
Follow the steps below to install the drivers and the operating system.

  • Click Install
  • Select your Operating System type
  • Accept License Terms
  • Select Custom Installation
  • Click ‘Load Driver’
  • Click Browse
  • Navigate to the cdrom ‘Virtio Drivers’. You should see two cdroms attached: one is the install cdrom and the other is ‘Virtio Drivers’.
  • Select ‘Virtio Drivers’ => STORAGE => SERVER2008R2 => AMD64
  • Click OK
  • The ‘Red Hat VirtIO SCSI controller’ driver should be highlighted. If not then you have done something wrong.
  • Click Next. The driver should load without error and take you back to the screen to select the hard drive to install the Operating System on.
  • Click ‘Drive options’
  • Click ‘New’. Ensure the entire drive space is being used, in our case the entire 20G.
  • Click ‘Apply’
  • Click ‘OK’
  • Click ‘Next’. The Operating System will install. This process may take a while depending on the resources you gave initially.
  • Once completed, you should be prompted to change the Administrator password.

Set the Date and Time

  • From the ‘Initial Configuration Tasks’ screen
  • Click ‘Set time zone’
  • From the ‘Date and Time’ window Click ‘Change time zone…’
  • From the ‘Time zone:’ drop-down select your time zone.
  • Click ‘OK’
  • Click ‘OK’

Enable Remote Desktop

  • From the ‘Initial Configuration Tasks’ screen scroll down to the option ‘3. Customize This Server’
  • Click ‘Enable Remote Desktop’
  • In the ‘System Properties’ window, on the ‘Remote’ tab under ‘Remote Desktop’, select your preferred level.
  • Click ‘OK’

Once remote desktop is enabled for the VM, establish a remote desktop connection and install the cloud init driver in the VM.

You can download the cloud init package for Windows from the link below.
http://www.cloudbase.it/cloud-init-for-windows-instances/

Once cloud init has installed successfully, it will ask you to run sysprep at the end of the installation of the cloud init package.

After cloud init is installed, you need to check that the “Cloud Initialization Service” is running in Services.

Reboot the VM.

Now import the qcow2 image into glance.

# glance image-create --name window --is-public=true --disk-format=qcow2 --container-format=bare --file <location of the qcow2 image that you want to import into glance>
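
Before running the import, it is worth confirming that the file really is the 20G qcow2 disk created in the first step and that it references no backing file, so the upload is complete on its own. The following is an added example, not part of the original procedure, that reads the fixed qcow2 header fields; the function names and the constructed sample header are assumptions made for this illustration.

```python
import struct

QCOW_MAGIC = 0x514649FB            # the bytes "QFI\xfb" that open a qcow2 file
HEADER = struct.Struct(">IIQIIQ")  # magic, version, backing_file_offset,
                                   # backing_file_size, cluster_bits, size

def inspect_qcow2(blob):
    """Decode the fixed big-endian fields at the start of a qcow2 image."""
    if len(blob) < HEADER.size:
        raise ValueError("too short to be a qcow2 image")
    magic, version, b_off, b_len, cluster_bits, size = HEADER.unpack_from(blob)
    if magic != QCOW_MAGIC:
        raise ValueError("not qcow2: the --disk-format=qcow2 label would be wrong")
    backing = None
    if b_off and b_len:
        backing = blob[b_off:b_off + b_len].decode("utf-8", "replace")
    return {"version": version, "virtual_size": size,
            "cluster_bits": cluster_bits, "backing_file": backing}

def problems_before_upload(blob, expected_size):
    """Return reasons not to import this image; an empty list means none found."""
    try:
        info = inspect_qcow2(blob)
    except ValueError as exc:
        return [str(exc)]
    issues = []
    if info["version"] not in (2, 3):
        issues.append("unexpected qcow2 version %d" % info["version"])
    if info["backing_file"] is not None:
        issues.append("image depends on backing file %r" % info["backing_file"])
    if info["virtual_size"] != expected_size:
        issues.append("virtual size is %d bytes" % info["virtual_size"])
    return issues

def sample_header(size, backing=b""):
    """Constructed test input: a minimal header, not a bootable image."""
    offset = 64 if backing else 0
    head = HEADER.pack(QCOW_MAGIC, 3, offset, len(backing), 16, size)
    return head.ljust(64, b"\0") + backing

TWENTY_G = 20 * 1024 ** 3  # matches "qemu-img create -f qcow2 ... 20G" above

if __name__ == "__main__":
    with open("WIN2K8R2.qcow2", "rb") as fh:  # file name from the steps above
        print(problems_before_upload(fh.read(65536), TWENTY_G) or "header looks fine")
```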