Category: Security


I am going to gloss over the beginning steps, because I have already performed and documented them here.
This is a Lync Server 2010 install on a domain member server running Windows Server 2008 R2 Enterprise.

I will pick up: Prepare First Standard Edition Server.

This runs through the process and completes this time, installing SQL Server 2008 Express with an instance named RTC, which is started and running.

Next, select Install Topology Builder, and let the tool complete.

Topology Builder

Now let's do some prep. First, add the account you are using to the Domain Admins and RTCUniversalServerAdmins groups. You can do this via Active Directory Users and Computers (ADUC) by double-clicking the group, selecting the Members tab, and adding the name of your account. Domain Admins is more than day-to-day Lync administration needs; once the deployment is finished, leave the account in RTCUniversalServerAdmins and take it back out of Domain Admins.

RTCUniversalServerAdmin

Next, create the share you will be using during your topology setup. The default share name is "share", on the server you are installing Lync 2010 on. I will name it LyncShare, as this server has little else to do besides Lync, and no other shares. I create a new folder on any drive, right-click it and select Share with > Specific people. I then add Domain Users and Everyone with read/write permissions. We can change these to least access later on. Do not forget that clean-up: read/write for Everyone lets any account on the network modify the files Lync replicates through this share. After the topology is published, the share should only need the RTC* universal groups and the administrators, and the Everyone and Domain Users entries can go.
File Sharing

Make sure the account you are using is in there as well, and it should be a domain account.
DNS records for your server pool need to exist, as well as the simple URLs. We will add those after we build the topology, before we publish it.
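For readers who would rather skip the Everyone/Domain Users step entirely, here is an added example (my own, not from the original post) that creates the share with explicit NTFS and share permissions from PowerShell on Server 2008 R2. The folder path, share name and NetBIOS domain name are assumptions; the RTC* groups are the universal groups Lync's forest preparation creates. Re-check the ACL after Publish Topology, since Topology Builder adjusts share permissions for the groups it needs.

```powershell
# Added example, not from the original post: create the Lync file share with
# explicit NTFS and share permissions instead of Everyone / Domain Users
# read-write. Names below are assumptions: folder D:\LyncShare, share name
# LyncShare, NetBIOS domain COMPANY. The RTC* groups are the universal groups
# that Lync's forest preparation creates.
$Path      = 'D:\LyncShare'
$ShareName = 'LyncShare'
$Domain    = 'COMPANY'
$Groups    = @('RTCHSUniversalServices', 'RTCComponentUniversalServices',
               'RTCUniversalServerAdmins', 'RTCUniversalConfigReplicator')

if (-not (Test-Path -Path $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}

# NTFS layer: stop inheriting from the drive root and grant only SYSTEM,
# Administrators (Full Control) and the Lync groups (Modify). Everyone and
# Domain Users get no entry at all.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)      # protect, do not copy inherited ACEs
$flags = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$none  = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow

$grants = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }
)
foreach ($g in $Groups) { $grants += @{ Id = "$Domain\$g"; Rights = 'Modify' } }
foreach ($e in $grants) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $e.Id, $e.Rights, $flags, $none, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share layer: net share accepts /grant on Server 2008 and later. Each array
# element reaches net.exe as a separate argument.
$netArgs = @("$ShareName=$Path")
foreach ($g in $Groups) { $netArgs += "/grant:$Domain\$g,CHANGE" }
$netArgs += '/grant:BUILTIN\Administrators,FULL'
net share $netArgs

# Check both layers: neither listing should show Everyone or Domain Users.
(Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights
net share $ShareName
```

Run it in an elevated PowerShell on the Lync server with an account that is in RTCUniversalServerAdmins; the two checks at the end are what to compare against once the topology has been published.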

Now, go to Start>All Programs>Lync Server 2010, and select Topology Builder.

Click on New Topology.

The Primary SIP Domain can be any domain name that you use, I leave mine set to my internal domain name. For this example, I will use company.local.

Primary SIP Domain

Click Next. I am not adding any additional domains, so click Next again.

Under Site Name, name your site something nice, like CompanyLync.

First Site

Click Next. Enter your City, State, and Country.

Check the box: Open the New Front End Wizard… and click Finish.

New Front End Wizard

Click Next.

Select Standard Edition Server, and enter the domain member server’s FQDN.

Front End FQDN

Click Next. Check no boxes, click Next.

Select Features

Uncheck Mediation Server, and hit Next.

Collocated Server Roles

Enable anything you want; I leave all of them unchecked. Click Next.

Associated Server Roles

Click Next on the grayed-out options screen for SQL Store to leave them at the defaults for a new install.

Select the name of a file share. Leave File Server alone or set it to your company's file server; in this case it is all on one server, so enter that server's FQDN. Click Next.

File Share

Leave Web Services URL alone; remember this is going to be used for internal IM only. You can change this as you see fit if you will be hosting external access.

Web Services URL

I named my External URL ExternalPool.company.local. I will now create DNS records for both pools. Open up the DNS MMC, and add an Alias (CNAME) entry for both the internal and external base URLs, pointing to the correct FQDN of the server.

DNS Alias for Pool

You can now view the properties of everything you have configured.

Properties

Click Edit Properties from the menu on the right. Click Simple URLs on the left of the window that opens.

Add an Administrative access URL. I did mine to match the other two, changing the first word to admin.
Click Central Management Server and select the only option.
Simple URLs

Now let's add DNS entries for these three Simple URLs.
Back in the DNS MMC, add an Alias (CNAME) for dialin, meet, and admin.
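If you prefer to script the records instead of clicking through the DNS MMC, the following added example (mine, not from the original post) covers both the pool records mentioned earlier and the three simple URLs, and adds the _sipinternaltls._tcp SRV record that Lync clients use for automatic sign-in. The zone, DNS server and Lync server names are assumptions, as is the "internalpool" alias (in Standard Edition the pool FQDN is simply the server FQDN).

```powershell
# Added example, not from the original post: create the DNS records the pool
# and the simple URLs need, using dnscmd.exe on a Server 2008 R2 DNS server.
# Assumed names: zone company.local, DNS server dc01, Standard Edition server
# lync01 (in Standard Edition the pool FQDN is the server FQDN).
$Zone   = 'company.local'
$DnsSrv = 'dc01.company.local'
$Lync   = 'lync01.company.local'

# CNAMEs: the two web-services base URLs and the meet, dialin and admin
# simple URLs, all pointing at the Lync server.
$aliases = @('internalpool', 'externalpool', 'meet', 'dialin', 'admin')
foreach ($a in $aliases) {
    dnscmd $DnsSrv /RecordAdd $Zone $a CNAME "$Lync."
}

# SRV record for automatic client sign-in over TLS (port 5061) to the pool:
# priority 0, weight 0, port 5061, target = pool FQDN.
dnscmd $DnsSrv /RecordAdd $Zone '_sipinternaltls._tcp' SRV 0 0 5061 "$Lync."

# Check from this machine: every alias must resolve to the same address as
# the Lync server, otherwise the web-service checks in the wizard fail later.
$expected = [System.Net.Dns]::GetHostAddresses($Lync) | ForEach-Object { $_.IPAddressToString }
foreach ($a in $aliases) {
    $fqdn = "$a.$Zone"
    try {
        $got = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        $ok  = @(Compare-Object $expected $got).Count -eq 0
    } catch { $ok = $false }
    '{0,-32} {1}' -f $fqdn, $(if ($ok) { 'OK' } else { 'MISSING or wrong target' })
}
nslookup -type=SRV "_sipinternaltls._tcp.$Zone" $DnsSrv
```

dnscmd needs to run as an account with rights on the zone (a DNS Admin or Domain Admin); the resolution check at the end can be run from any domain member, and is worth repeating from a client before rolling the Lync client out.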

In the menu on the right, click Publish Topology.

Read the requirements, and when ready, click Next.

Leave this to default and click Next.

Central Management Server

Now I decided to change my pool name, and I got all sorts of problems. If you get warning messages about your pool not existing in AD, then you can use Lync Management Shell to remove the pool, and redo the set up. The post on how to do this is here.

Now when I hit Publish, it completed successfully.

Publish Progress

Publish Success

Nice, but we still have more to do. Microsoft says that this is the point at which you rerun the setup on all servers that will be handling Lync. Since I am only using one, we do not need to do this. Go back to the Lync Server Deployment Wizard. This time click on the link to the left: Install or Update Lync Server System.

Install or Update Lync Server System

Click Run next to Install Local Configuration Store. Leave the default options on both screens and click Next.
Let the wizard complete. Hopefully you will receive success on all the prerequisites.
NOTE: Always expand the prerequisites tab before each item and make sure you are in compliance.
Installing Local

Once complete, click Run next to the next item, Lync Server Components.

Click Next.

IIS Roles

I get an error about IIS features. I remember that when I added the IIS role, I left most of the boxes cleared by default. Let's enable all of that now.

Open Server Manager and select Roles. At this point you will have IIS installed, so click on the link. Scroll down a bit and click Add Role Services. I then added all of the role services that the error message mentioned. I suppose you could add them all, but why add extra stuff that you do not need?

IIS Role Services

Click Next, click Install.

It will complete (no reboot needed). Go back to your Lync Deployment screen and re-run Setup Lync Server Components.

Click Finish once that completes without errors.

Run the next task: Request, Install, or Assign Certificates.

A box appears with a Default Certificate, which is unassigned. Click Request next to it. Request can also produce a CSR for an offline CA. I will select Send the request immediately to an online CA, and click Next.

Certificate Wizard

It should automatically pull up your CA server, which in my case is my DC. I will click Next if this is correct. You can then specify alternate credentials, if you are not signed in as a domain admin account. I am, so I will leave this alone. Click Next.

Click Next past the Alternate Template page.
Specify a friendly name. I used lyncfriendly.
I'll let you decide what to put here for OU and Organization. Consult the Lync documentation if you need help with this. Click Next and fill out your locale.
Click Next twice.
Check the box next to your SIP Domain, and click Next.
SIP Domain

Click Next.

Click Next again.

And again, and let the wizard do its thing.

Certificate Request Completed

You will get a message about thumbprints, make sure the box is checked, and click Finish.

Online Certificate Request Status

Now you will be taken to the Assignment screen. Click Next.

Click Next again; I won't show you all of my company internal information. Once the wizard completes, click Finish.
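Before starting services it is worth confirming what the wizard actually put in the certificate store, because a missing SAN entry (the SIP domain box above being the usual culprit) only shows up later as client sign-in failures. The following added example (mine, not from the original post) reads the certificate back by its friendly name and checks its SAN, expiry and chain. The friendly name comes from the post; the SIP domain, server name and the list of required names are assumptions, so add admin.<domain> if you published an admin simple URL.

```powershell
# Added example, not from the original post: inspect the certificate the
# wizard assigned and confirm its SAN covers every name clients will use.
# Assumptions: friendly name 'lyncfriendly' (from the post), SIP domain
# company.local, server lync01.company.local.
$Friendly  = 'lyncfriendly'
$SipDomain = 'company.local'
$Required  = @("lync01.$SipDomain", "sip.$SipDomain", "meet.$SipDomain", "dialin.$SipDomain")

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $Friendly } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$Friendly' in LocalMachine\My" }

# Subject Alternative Name is extension 2.5.29.17; Format() renders it as
# "DNS Name=a, DNS Name=b, ...".
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = $sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[1].Trim() }
}
'Thumbprint : {0}' -f $cert.Thumbprint
'Issuer     : {0}' -f $cert.Issuer
'Expires    : {0:yyyy-MM-dd}' -f $cert.NotAfter
'SAN        : {0}' -f ($sans -join ', ')

# Every required name must appear in the SAN (-contains is case-insensitive).
$missing = $Required | Where-Object { $sans -notcontains $_ }
if ($missing) {
    Write-Warning ('SAN is missing: ' + ($missing -join ', '))
} else {
    'SAN covers all required names'
}

# Expiry: warn while there is still time to renew.
if ($cert.NotAfter -lt (Get-Date).AddDays(60)) { Write-Warning 'Certificate expires within 60 days' }

# The chain must build on this server; clients also need the issuing CA in
# their Trusted Root store (domain members get an enterprise CA via AD).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) { Write-Warning 'Certificate chain does not build on this server' }
```

The Lync Server Management Shell's own Get-CsCertificate shows which certificate is assigned to the Default role; the script above is the store-level view of the same object, useful when the two disagree.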

Click Close, and select Run on the next object: Start Services.

On the wizard that opens, click Next.

Cross your fingers! Yay! It completed successfully. Click Finish.

Click on Service status to see if they are all running.

Lync Services

Close out everything, and open Lync Control Panel from the Start Menu. It should open and look like this.

Lync Control Panel

Now I am going to end this God awful long post, and go about adding my users. If there is an area I could be clearer, please comment. If I did something wrong, please let me know! I posted this mainly for my own documentation purposes, and to help out the next guy who is not comfortable with certificates, pools, SIP domains, etc. Thanks for reading!

Update: I stumbled across this post, by Jeff Guillet. He is the author of some of the books I have read, and this post and tool are amazing. Thanks for the GREAT contribution Jeff!

http://www.expta.com/2011/01/introducing-lyncaddcontacts.html

A tool to add contacts to a user's Lync over and over. Say you have a domain of 20 users who will use Lync (as I did). Adding 20 people 20 times (as I did) takes forever. Use this tool to set up one client once, and then re-run it to perform the same actions on other clients. Ingenious.


UPDATE: When you first install the client, the initial sync can take a while. If you are like me, you need to get it up and running quickly so you do not further disturb the network or desktops. There is a registry entry you can add. What I do is install the Lync client, then import the company contacts from the GAL into the user's contact list, then exit the client.

Now open an elevated command prompt and type this command (the last argument is a zero):

reg add HKLM\SOFTWARE\Policies\Microsoft\Communicator /v GalDownloadInitialDelay /t REG_DWORD /d 0 /f

The client normally waits a random interval of up to 60 minutes before its first address-book download so that a whole office does not hit the server at once; setting the delay to 0 is fine for a handful of machines you are setting up by hand, but do not push it out by policy to every desktop.

Now wait one minute, and restart the Lync Client. It will now have all of the users contacts synced up and ready to add.

So the search service that comes with SBS 2008 is not installed by default. Desktop Search is, but not Server Search, which lets you index shared files and the like. Out of the box, WSS Search SHOULD work. In all three of my SBS setups it has not worked, and this has plagued me for ages, so I finally set about fixing it today. I can't tell you the exact reason it is broken for me, but it is most likely caused by an update, service pack, hardware change, or just plain old incorrect permissions or WSS setup.

First thing I did was install Windows Search Service.
Open up Server Manager, and select File System. Click Add Services on the right.
Click to check Windows Search Service.

Windows Search Service

This took about 15 minutes, and at the end an error was displayed. Closing the windows, I noticed that Windows Search Service was installed and running, and the service was also running in the Services console.

Hrmmph. At this point I go into SharePoint Central Administration, and Search still will not work. So now I set about making two new accounts to run the search.

I created WSS_Search, set a password, and added it to the group Administrators.

I then created WSS_Content, and added it to two groups:

SQL Accounts

These two accounts might differ from what you have. What we need is an account that has READ access to the SharePoint content database. It cannot be an administrator account or a system account, though I believe it can be Local Service.

Now I tried my search and it still would not work. As a matter of fact, I could not start the search service at all now. So I go to the Services console, scroll down to Windows Search Service, right-click it and select Properties. Make sure Local System is selected under the Log On tab. Exit out, and go to Windows SharePoint Services Search. For this Log On, select This account: and enter the information you used for the WSS_Search account. Change the startup type to Automatic, click Apply and then Start.

Log On Properties

You will receive a message about the account being granted the "Log on as a service" right.

So far all is well, though SharePoint still won't search. Open up SharePoint Central Administration 3.0 under Administrative Tools.

Click Operations Tab, and then Services on Server.

Services on Server

Click on Windows SharePoint Services Search.

Now fill in the fields.

  • Service account is WSS_Search, with its password.
  • Content Access Account is WSS_Content, with its password.
  • Database server is grayed out, but should be by default np:\\.\pipe\MSSQL$Microsoft##SSEE\sql\query
  • Database name is grayed out, but it will be your search database, such as WSS_Search_WIN-EUGSO7LO7PY
  • Authentication is whatever method you use. By default it is Windows Authentication. This must be left alone for Microsoft##SSEE. If your database is different, configure the login that would be used to access the database.
  • You can change the indexing schedule if you wish. I set mine to the default of every 5 minutes, as we do not have a ton of content on the server.
Search

Click ok. Close all browsers.

Open a command prompt and type iisreset.

Restart both the Windows Search and SharePoint Search services. Good to go: your site should now be searchable.
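The service log-on step and the "content-access account must not be an administrator" rule above are the two places this procedure most often goes wrong on a rebuilt box, so here is an added example (mine, not from the original post) that does both from PowerShell: it sets the log-on account of the SharePoint search service through WMI and checks whether the content-access account has ended up in Administrators. The WSS_Search and WSS_Content names come from the post; the NetBIOS domain and the service names WSearch (Windows Search) and SPSearch (Windows SharePoint Services Search) are assumptions to verify against your Services console.

```powershell
# Added example, not from the original post: set the log-on account of the
# SharePoint search service and check that the content-access account is not
# a member of Administrators (the search configuration page rejects that).
# Assumptions: accounts WSS_Search / WSS_Content (from the post), NetBIOS
# domain COMPANY, service names WSearch (Windows Search) and SPSearch
# (Windows SharePoint Services Search).
$Domain      = 'COMPANY'
$SearchUser  = 'WSS_Search'
$ContentUser = 'WSS_Content'

function Set-ServiceLogon([string]$Name, [string]$Account, [string]$Password) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service $Name not found" }
    # Win32_Service.Change: only StartMode, StartName and StartPassword are
    # set; $null leaves the other properties alone. ReturnValue 0 is success.
    # The service control manager grants "Log on as a service" to the account
    # as part of this change, just as the Services console does.
    $rc = $svc.Change($null, $null, $null, $null, 'Automatic', $null, $Account, $Password)
    if ($rc.ReturnValue -ne 0) { throw "Change() on $Name failed with code $($rc.ReturnValue)" }
    Restart-Service -Name $Name
}

function Test-IsLocalAdmin([string]$User) {
    # Enumerate the (on SBS, domain built-in) Administrators group via ADSI.
    $group   = [ADSI] 'WinNT://./Administrators,group'
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    return [bool]($members -contains $User)
}

$pw = Read-Host "Password for $Domain\$SearchUser"
Set-ServiceLogon -Name 'SPSearch' -Account "$Domain\$SearchUser" -Password $pw

# Windows Search itself stays under LocalSystem, as in the post; just report it.
$wsearch = Get-WmiObject -Class Win32_Service -Filter "Name='WSearch'"
'WSearch runs as {0} ({1})' -f $wsearch.StartName, $wsearch.State

if (Test-IsLocalAdmin $ContentUser) {
    Write-Warning "$ContentUser is in Administrators; the content-access account must not be."
} else {
    "$ContentUser is not an administrator; it only needs read access to the content database."
}
```

Read-Host here returns the password in plain text, which is what Win32_Service.Change requires; run it interactively rather than storing the password in the script.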

I have been tasked with redesigning my company’s web site. Looking at it, it really is poorly designed, hard to navigate, and a little bit lackluster in graphics and design. While I am no designer, I do have a skill with the web, an objective view of the site, and the drive to fix this. I have been making changes to the live site, testing out templates, changing graphics. This is a really lame thing to do to a live site.

This post is long and can be complex. If you get stuck on a certain part- please post a comment. I will get back to you within an hour or two.

We run Hostmonster.com web hosting.

This runs a Joomla! 1.5.15 website.

All files are transferred via FTP to Hostmonster.com.

All configurations take place in the Administrator section of Joomla!

I had the epiphany that it is pretty dangerous to mess with a live site, so I decided it would be in my best interest to download a copy of the site to my PC, edit it, then replace the current site when it is done. To do this I need a copy of the web server at Hostmonster.com. They use a LAMP stack: Linux, Apache, MySQL, PHP. Now I could use VirtualBox to install Ubuntu on my laptop and run a LAMP stack from there. The problem with that is that I would then have to configure the virtual OS to communicate via my network, which in my experience can be a pain in the butt.

So instead, I will use a WAMP server. WAMP Server 2 has been released; while its component versions are not the ones Joomla! lists as recommended, it is what I will use.

First, uninstall IIS if it is on your computer. My laptop did have it installed, so go to Add/Remove Programs, then Turn Windows Features On or Off. Uncheck Internet Information Services, uninstall, and reboot.

Now, go and download WAMP Server 2 from here.

Once you download the file, run it, and click-through the install steps. I put mine on the D:\ drive because it has good space. I also left all of the install options at default values, such as Browser Choice, SMTP Server, and Email Address. This may not be what you want personally, but for me it works. There is a great tutorial with pictures listed here– Thanks TeamTutorials!

A good way to see if your server is online is to left-click the icon in your tray, and then select Localhost. If you get a page looking like this one, WAMP Server 2 is configured and running.

WAMP Server 2

Keep in mind, that I have very little experience with Apache, PHP, MySQL including setup and install of a web site. In the past I used IIS 5, 6, and 7, SQL Server Express 2005, and Standard 2006. As much as I would love to copy this website using those technologies, the migration would be more trouble than it is worth.

So, now let’s get Joomla up and running.

Go to the Joomla! website and download the package, which can be found here. They only have the full install for 1.5.22 available, though there are updates for 1.5.15. I will have to deal with installing the newest version and see if it works- if it doesn’t I can always start over.

Upon further exploration, they do have the full package of 1.5.15 available here, so I downloaded that instead. Note: Make sure you download the release.ZIP file, which is appropriate for Windows installations.

I also went here, and downloaded the Installation Manual PDF and printed it.

Before we start the Joomla! install, you can double-check that MySQL, XML, and Zlib functionality is enabled by checking the php.ini file, which is located at: %installdir%/wamp/bin/php/php5.3.0

Furthermore, let's check the installation using a PHP script. Open Notepad (Start > Run > notepad) and type the following into the text file.

<?php
//Show all information
phpinfo();
?>

Save this file as phpinfo.php, and put it in the root of your site, which is localhost at this time. This is located at: %installdir%/wamp/www

So save the file phpinfo.php in that directory, which will only have one file in it, index.php. Open up the web browser you used for the WAMP Server 2 install, and type http://localhost/phpinfo.php in the address bar. It should display a page like this:

PHPInfo.PHP Output

After you check this output, which contains information about your system and WAMP (PHP version, loaded modules, file paths, and configuration values that an attacker would love to have), MAKE SURE TO DELETE THE PHPINFO.PHP FILE! The same goes for the live site: never leave a phpinfo page on a public host.

Now we unzip the Joomla! zip file we downloaded from their site. I extracted it to a folder on my desktop for ease of moving. I use WinRAR; there is also WinZip, 7-Zip, the Windows built-in extractor, and many more.

Unzipping

Before beginning the Joomla! install, which will add and edit files to the WAMP Server 2 installation, I would like a backup in case things go wrong, so that I can start over. I will let you choose how to back them up, I simply created a restore point of that drive, as well as copied the WAMP folder to a remote location. Overkill maybe, but we will see.

Since we are doing a Localhost install, we simply need to copy the unzipped Joomla! files into our web root, which is located at: %installdir%/wamp/www/

You will get a pop-up asking if you want to overwrite index.php– select copy and replace.

Copy and Replace

Now navigate to http://localhost, or click the WAMP server icon from your task bar and select Localhost.

Select your language and click next.

Make sure a green Yes is displayed next to all items of the pre-installation check. If any of them say No (they shouldn't if you follow these instructions), you should stop here and correct the problem by installing a supported version of the failing component, or by Googling the exact problem.

Recommended settings are nice, and typically I would follow them. In this instance I am going to leave them alone, which leaves two red items: Display Errors and Output Buffering, both of which I want. That is fine on a local development copy, but display_errors must stay off on the live site, since PHP error messages leak file paths and query fragments to visitors.

Joomla! Checks

Hit Next a few times until you get to the Database Configuration screen.

Database type is MySQL.

Host name is localhost.

If you did the default install the user name is root.

There is no default password. I am not a fan of not having a password, so I am going to add one. Click the WAMP icon in your tray. Click MySQL > MySQL Console.

This opens up a DOS-looking box asking for a password. Hit Enter. You are now at the MySQL command prompt. Use this command to set the root password.

MySQL Password

SET PASSWORD = PASSWORD('password');

The italicized text is your actual password. Hit Enter, and exit the MySQL console. Back in your Joomla! installation, enter the password you just set in the password field.

At this point I realize I am going to be restoring a backup of my already configured remote web site, which has a user name and password, a database name, etc. I went to my Hostmonster account and clicked MySQL Databases from the control panel, and found out my information is:

Manage User Privileges

User: ********_jml01
Database: ********_jml01

Since I have no idea what is going on with MySQL, I am going to use the default setup, root, with my password, and the default database. I'll remember this spot if I run into problems later.

After a few tries of not being able to create or connect to any database, I checked MySQL and found out that there was no database. At the MySQL prompt, type SELECT DATABASE(); and it will return a value of NULL.

Click on the WAMP icon in your tray, and select phpMyAdmin.

phpMyAdmin

Enter the database name for Create New Database. In this case I named it the same name that the one on my Hostmonster.com server is named.

Back on the Joomla! install, enter that database name and hit Next. I entered the site name of my live site, which is found under Global Configuration on the site. I set up my user name, email, and password. I also did not select the migration or local file options. Once you enter the top information, just hit Next.

You now have to remove the installation directory from %installdir%/wamp/www/. Just delete it; Joomla! refuses to run until it is gone.

Now, enter http://localhost/administrator in your web browser.

Log in with the user name admin and the password you entered a moment ago.
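Using root for the Joomla! connection works, but it means a single SQL injection bug in any extension hands the attacker every database on the server. The following added example (mine, not from the original post) does what the Hostmonster control panel did for the live site: it creates the database and a dedicated MySQL user with only the privileges Joomla! 1.5 needs, and removes the anonymous accounts WAMP ships with. The WAMP path and the database/user name are assumptions (the post masks its real prefix); you would then enter that user instead of root on the Database Configuration screen.

```powershell
# Added example, not from the original post: create the Joomla! database and a
# dedicated MySQL user with only the rights Joomla! needs, instead of pointing
# the installer at root, then drop the anonymous accounts WAMP ships with.
# Assumptions: WAMP under D:\wamp, database and user both named company_jml01
# (the post masks its real prefix); passwords are prompted for at run time.
$Wamp   = 'D:\wamp'
$DbName = 'company_jml01'
$DbUser = 'company_jml01'
$RootPw = Read-Host 'MySQL root password'
$UserPw = Read-Host "Password for MySQL user $DbUser"

# WAMP keeps mysql.exe under a version-specific folder; find it instead of
# hard-coding the version.
$mysql = Get-ChildItem -Path "$Wamp\bin\mysql" -Recurse -Filter mysql.exe | Select-Object -First 1
if (-not $mysql) { throw "mysql.exe not found under $Wamp\bin\mysql" }

# Joomla! 1.5 needs DDL rights on its own schema (installer and extensions
# create tables) but nothing outside it: no GRANT OPTION, FILE, SUPER or
# PROCESS. Double backticks in the here-string produce a literal backtick.
$sql = @"
CREATE DATABASE IF NOT EXISTS ``$DbName`` CHARACTER SET utf8;
CREATE USER '$DbUser'@'localhost' IDENTIFIED BY '$UserPw';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON ``$DbName``.* TO '$DbUser'@'localhost';
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');
FLUSH PRIVILEGES;
"@

# The SQL goes in on stdin so it never appears on a command line. The root
# password still does (--password=), which other local users can see while
# the process runs; acceptable on a single-user laptop, not on a shared host.
$sql | & $mysql.FullName --user=root "--password=$RootPw"
if ($LASTEXITCODE -ne 0) { throw "mysql exited with code $LASTEXITCODE" }

# Check: the new user should see only its own database (and information_schema).
& $mysql.FullName --user=$DbUser "--password=$UserPw" --execute='SHOW DATABASES;'
```

When you later restore the live backup with Akeeba, use this same user and database in the connection parameters; the restore only needs rights on that one schema.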

Alright, this is where things got confusing for me. I have working backups of my live site using Hostmonster.com's backup utility, which is in the control panel. This is not what we need, or at least not what I need.

What we will do now is download two packages.

Akeeba Backup 3.1.4, which needs to be installed on both the live and local Joomla! sites, and

Akeeba Kickstart 3.1.5, which needs to be installed only on the local Joomla! site.

This requires a different setup on the live and localhost sites.

Live site:

Go to your sites administration, click Extensions>Install/Uninstall.

Akeeba Install

Click Browse, and select the file. I downloaded this file to the computer I am installing my local Joomla! site on. Now click Upload and Install. You will get a success page.

Might as well start the backup now. Go to Components > Akeeba Backup, and select Backup Now.

Akeeba Backup


Now on your Local server (PC):

Install it the same way, except we don't need to upload it to Hostmonster.com. Go to your localhost administrator settings, Extensions > Install/Uninstall. Select the file from your local PC, and install it. Now extract the Kickstart zip. You will be looking at some files. Select them all and drop them into the root of your site on localhost, %installdir%/wamp/www/.

Now we need to get the Akeeba backup onto our localhost. I downloaded it via the web browser; you should not do this, it may corrupt the file. The reason I did this was that I could not find the backup via FTP on my site.

Once you have the backup file, put it in the same directory of your localhost that you put the Kickstart files into, which is the root directory www.

Browse to Kickstart at http://localhost/kickstart.php. You will get a bar like this one.

Akeeba Kickstart

Once this completes, you will see a green button; click it to run the installer and restore.

You can check over the things on this page, specifically check the directories tab near the bottom to make sure your directories are correct.

Akeeba Backup Installer

Click Next.

Set the connection parameters to match what you selected when setting up Joomla!: user root, the password, and the database. Mine is ********_jml01.

Click Next, and leave the default values alone. I entered my site's public address, and did not force overwrite of the temp directory placement. Hit Finish, close the window back to Akeeba Kickstart, and select Clean Up Now. Do not skip the clean-up: it removes kickstart.php and the backup archive from the web root, and that archive holds the whole site, including configuration.php with the database credentials. The same applies on the live host, where a leftover backup in a web-reachable folder can be downloaded by anyone who guesses the file name.

Click view your site’s front end- there is your copy!

I just developed some IT Security Policies for my small company. These will of course vary greatly depending upon your needs, applications, structure, and operations. I am posting a copy of the document up here in case someone wants to download it as a template, and go through sentence by sentence to fit it to their own company. Use these policies as you will, word for word if you want.

IT Policies

I take no credit for the templates I used to create my policies, and I did in some instances copy word for word from the template. I will take credit for any changes that you see. The original templates can be found on the SANS website at http://www.sans.org/security-resources/policies/

Very good site, very good templates. Thanks guys!

Here it is-

Generic IT Security Policy Whole
