Saturday, August 27, 2011

How to implement LimitLogin


LimitLogin V1.0

LimitLogin is an application that adds the ability to limit concurrent user logins in an Active Directory domain.
It can also keep track of all login information in Active Directory domains.

LimitLogin capabilities include:
· Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.
· Displaying the login information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).
· Easy management and configuration through integration with the Active Directory MMC snap-ins.
· Ability to delete and log off user sessions remotely, straight from the Active Directory Users and Computers MMC snap-in.
· Generating login information reports in CSV (Excel) and XML formats.

Download the LimitLogin: link 1  link 2

Configuration:

Setting up LimitLogin

Prerequisites
1)      Before setting up LimitLogin on the web server, you will need to make sure that ASP.NET is installed on the Windows 2003 server.
2)      Make sure the following Web Extension is set to Allowed in IIS Services: ASP.NET v1.1.4322.

LimitLogin setup components

LimitLogin setup consists of three different components: IIS (Web Service), Active Directory and Client.
The setup should be done in this order since there are dependencies between the components.

LimitLogin is set up through 3 different MSI installers:
  1. LimitLoginIISSetup.msi, which installs the LimitLogin Web Service (WSLimitLogin).
  2. LimitLoginADSetup.msi, which sets up the Active Directory changes needed for LimitLogin to work.
  3. LimitLoginClientSetup.msi, which installs the client-side requirements for LimitLogin.

LimitLoginIISSetup 1:

The first step is to set up the LimitLogin Web Service and make sure it is up and running before continuing.
The system requirements for this setup are:
  • Windows Server 2003 with IIS installed


1)      Add WSLimitLogin.asmx to the top of list in the Documents tab of the website.
2)      Verify “Integrated Windows Authentication” is set on the “Directory Security” tab of the website under “Authentication and Access Control”.
Note: The web site must use integrated authentication, not anonymous access.
3)      Attempt to connect to http://hostname/WSLimitLogin.
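
The setting verified in steps 2 and 3 shows up in how the site answers a request sent without credentials: a site limited to Integrated Windows Authentication replies 401 and offers only Negotiate and/or NTLM. The following is an added example, not part of LimitLogin or the original post; the response texts and function names are constructed for illustration.

```python
# Added example: classify a site's answer to a request sent WITHOUT credentials.
INTEGRATED = {"negotiate", "ntlm"}   # schemes behind "Integrated Windows Authentication"

# Constructed sample response heads (not captured from a real server).
SAMPLE_INTEGRATED = ("HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/6.0\r\n"
                     "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n")
SAMPLE_ANONYMOUS = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n"
SAMPLE_MIXED = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: NTLM\r\n"
                'WWW-Authenticate: Basic realm="hostname"\r\n\r\n')


def parse_response_head(raw):
    """Return (status_code, [offered auth schemes]) from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])            # "HTTP/1.1 401 Unauthorized" -> 401
    schemes = []
    for line in lines[1:]:
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return status, schemes


def classify_auth(raw):
    """Describe what an unauthenticated client was offered."""
    status, schemes = parse_response_head(raw)
    if 200 <= status < 300:
        return "anonymous-allowed"               # content served with no credentials
    if status != 401:
        return "inconclusive"
    offered = set(schemes)
    if not offered & INTEGRATED:
        return "no-integrated-auth"
    if offered - INTEGRATED:
        return "integrated-plus-other"           # e.g. Basic is enabled as well
    return "integrated-only"


if __name__ == "__main__":
    for name in ("SAMPLE_INTEGRATED", "SAMPLE_ANONYMOUS", "SAMPLE_MIXED"):
        print(name, "->", classify_auth(globals()[name]))
```

Only the "integrated-only" result matches the note above; "anonymous-allowed" means the web service would accept calls from unauthenticated clients.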

LimitLoginADSetup 2:


Once the LimitLogin Web Service is set up and running, you can continue with running the Active Directory Setup.
The Active Directory Setup portion is divided into 2 main parts:

  1. The Forest Setup (or "forestprep")
  2. The Domain Setup (or "domainprep")

The system requirements for this setup are:
  • Windows XP with .NET Framework version 1.1 or Windows Server 2003 (Recommended: Windows 2003 Domain Controller)
  • At least one Windows Server 2003 Domain Controller in the domain

In the 'Installation Options' screen you have 3 options:

    1. 'Prepare your Active Directory Forest for LimitLogin' option should run first.
    2. 'Prepare your Active Directory Domain for LimitLogin'.
    3. 'Install LimitLogin AD MMC add-in tools on this machine' option should run last, after the Forest and Domain preparations have successfully completed.

On the first installation, all three check-boxes should be checked.

Prepare your Active Directory Forest for LimitLogin.

This option performs the following operations:

  • Modifies the Configuration Partition to add the LimitLogin AD MMC integration menus.
  • Extends the Forest schema to include the LimitLogin Class and Attributes.

Once this step is successfully completed, you may move on to preparing your domain for LimitLogin.

Prepare your Active Directory Domain for LimitLogin.

This option performs the following operations:

  • Creates and configures the llogin.vbs, llogoff.vbs and limitlogin.wsdl files.
  • Creates an Application Directory Partition for LimitLogin.

In the 'Domain Setup' screen, you need to provide the following three parameters:

  • UNC path of the file share where the login scripts will go (e.g. \\Servername\Share).
            Note: This can be a hidden share.
  • Host name of the Web server
  • The LimitLogin Web Service (Default is WSLimitLogin)
  • Optional: Use SSL - check this box if you configured the LimitLogin Web Service to use SSL for greater security.

Install LimitLogin AD MMC add-in tools on this machine

This option should run last, after the Forest and Domain preparations have successfully completed.
You will get a pop-up telling you to copy the llogin.vbs, llogoff.vbs and limitlogin.wsdl files to your share. Copy the files at this time.

LimitLoginClientSetup 3:

In order for the domain clients to work with the LimitLogin server-side components, there are client-side requirements that need to be installed on every domain member machine. These requirements are installed using the LimitLoginClientSetup.msi installer.

The client setup installs the following:
  1. SOAP Runtime (needed to connect to the Web Service)
  2. WTSApiAx.dll (needed to collect the Session ID before it is sent to the Web Service)

The system requirements for installing the client for LimitLogin:
  • Client machines must have .NET Framework version 1.1.4322 or higher to install the client.

Click here to download: .NET 1.1.4322

How to implement LimitLogin part2

Tuesday, August 16, 2011

How to implement SelfSSL for IIS 6.0


What is SSL?
The Secure Sockets Layer protocol was created by Netscape to ensure secure transactions between your web server and your visitors' web browsers, allowing private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery.
The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction.

What is Certificate Authority?
A certificate authority or certification authority (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate.
Certificate Authorities (CAs) are organizations that are used as Trusted Third Parties, that is, an independent party, which both sides of a transaction (client and server) trust.

To enable SSL on a website, you will need to get an SSL Certificate that identifies you and install it on the server. The use of an SSL certificate on a website is usually indicated by a padlock icon in web browsers but it can also be indicated by a green address bar. Once you have done the SSL install, you can access a site securely by changing the URL from http:// to https://. When an SSL certificate is installed on a website, you can be sure that the information you enter (contact or credit card information), is secured and only seen by the organization that owns the website.

To implement an SSL certificate on your web server, you have the following two choices:
1.         To purchase a certificate
2.         To use a self-signed certificate

SelfSSL version 1.0 is a command-line executable tool that you can use to generate and install a self-signed Secure Sockets Layer (SSL) certificate for Internet Information Services (IIS) 6.0. This allows programmers to test the HTTPS protocol for development purposes without having to go through the effort of getting a certificate signed by a trusted authority.
SelfSSL generates a self-signed certificate that does not originate from a commonly trusted source, so use this tool only to create a secure private channel between your server and a limited user group, such as exists in a software test environment.

System Requirements
SelfSSL is compatible with IIS 6.0 running on the Microsoft® Windows® Server 2003 operating system.

Installing SelfSSL
To install SelfSSL download the IIS 6.0 Resource Kit Tools.


SelfSSL Parameters

/T
Adds the self-signed certificate to the "Trusted Certificates" list. The local browser trusts the self-signed certificate only if this parameter has been specified.
/N:cn
Specifies the common name of the certificate. The computer name is used if you do not specify a common name.
/K:keylength
Specifies the certificate key length. The default is 1024.
/V:duration-of-validity
Specifies the duration for which the certificate is valid. The default is 7 days.
/S:site-id
Specifies the site ID of the SSL-protected site. The default is 1 for the default Web site.
/P:port
Specifies the SSL port. The default is 443.
/Q
Specifies Quiet mode. In Quiet mode, any existing settings for the site are overwritten silently.

Example:
selfssl.exe /T /N:CN=domainname /K:1024 /V:7 /S:1 /P:443
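
Because every switch has a default, the settings a command line actually produces are easy to misjudge. The following added example (not part of SelfSSL or the original post) resolves a command line against the defaults in the table above and lists what a reviewer would question. The 2048-bit threshold, the sample command lines and the function names are assumptions made for the example.

```python
import re

# Defaults exactly as listed in the parameter table above.
DEFAULTS = {"K": "1024", "V": "7", "S": "1", "P": "443"}
MIN_KEY_BITS = 2048  # assumption: reviewer's threshold, not something SelfSSL enforces

# Constructed command lines for illustration.
TYPO_CMD = "selfssl.exe /T /N:CN=test.example /K:1024 /V:7 /S:I /P:443"  # letter I, not 1
CLEAN_CMD = "selfssl.exe /T /N:CN=test.example /K:2048 /V:30 /S:1 /P:443"


def parse_selfssl(cmdline):
    """Split a selfssl.exe command line into switches, filling in documented defaults."""
    opts = dict(DEFAULTS, T=False, Q=False, N=None)
    for token in cmdline.split()[1:]:
        m = re.fullmatch(r"/([A-Za-z])(?::(.*))?", token)
        if not m:
            raise ValueError("unrecognised token: " + token)
        key, value = m.group(1).upper(), m.group(2)
        if key in ("T", "Q") and value is None:
            opts[key] = True
        elif key in ("N", "K", "V", "S", "P") and value:
            opts[key] = value
        else:
            raise ValueError("unknown or malformed switch: " + token)
    return opts


def review(cmdline):
    """Return a list of findings for the effective settings of one command line."""
    opts, findings = parse_selfssl(cmdline), []
    for key, label in (("K", "key length"), ("V", "validity"),
                       ("S", "site ID"), ("P", "port")):
        if not opts[key].isdigit():
            findings.append(f"/{key}: {label} must be a number, got {opts[key]!r}")
    if opts["K"].isdigit() and int(opts["K"]) < MIN_KEY_BITS:
        findings.append(f"/K: {opts['K']}-bit key is below {MIN_KEY_BITS} bits")
    if opts["N"] is None:
        findings.append("/N: no common name given, the computer name is used")
    if opts["Q"]:
        findings.append("/Q: existing settings for the site are overwritten silently")
    return findings


if __name__ == "__main__":
    for cmd in (TYPO_CMD, CLEAN_CMD, "selfssl.exe /Q"):
        print(cmd, "->", review(cmd) or "no findings")
```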