Appendices

Appendix A: Set UAC Behavior of the Elevation Prompt for Administrators

This appendix describes how to change the default User Account Control (UAC) behavior in Windows Server 2008 R2 and Windows 7.

By default, UAC is enabled in Windows Server 2008 R2 and Windows 7. This feature prompts for permission to continue during several of the configuration tasks described in this guide. In all cases, you can click Yes in the UAC dialog box to grant this permission, or you can use the following procedure to change the UAC behavior of the elevation prompt for administrators. Note that the Elevate without prompting setting removes the consent step for every elevation requested by a member of the Administrators group, so use it only on isolated test lab computers and restore the default setting (Prompt for consent for non-Windows binaries) when the lab work is finished.

To set UAC behavior of the elevation prompt for administrators

  1. Click Start, point to All Programs, click Accessories, and then click Run.

  2. Type secpol.msc, and press ENTER.

  3. In the console tree, open Local Policies, and then click Security Options.

  4. In the contents pane, double-click User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode.

  5. Click Elevate without prompting in the list, and then click OK.

  6. Close the Local Security Policy window.
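The policy edited in steps 1 through 6 is stored in the registry, so the same change can be checked and made from an elevated PowerShell prompt. The following is an added example, not a script from the original guide: it reads the ConsentPromptBehaviorAdmin and EnableLUA values (the documented backing values for this policy and for UAC itself), reports the current behavior by its policy UI name, and offers a function to set it. It is written for the PowerShell 2.0 that ships with Windows 7 and Windows Server 2008 R2.

```powershell
# Added example (not part of the original guide): inspect and change the UAC
# "Behavior of the elevation prompt for administrators in Admin Approval Mode"
# policy from an elevated PowerShell prompt. Windows 7 / Server 2008 R2
# (PowerShell 2.0) compatible.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of each ConsentPromptBehaviorAdmin value, as shown in secpol.msc.
$behaviors = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacAdminPrompt {
    $props = Get-ItemProperty -Path $key
    $value = [int]$props.ConsentPromptBehaviorAdmin
    New-Object PSObject -Property @{
        UacEnabled = ([int]$props.EnableLUA -eq 1)   # EnableLUA = 0 turns UAC off entirely
        Value      = $value
        Behavior   = $behaviors[$value]
    }
}

function Set-UacAdminPrompt {
    param([Parameter(Mandatory = $true)][ValidateRange(0, 5)][int]$Value)
    # Writing under HKLM\...\Policies requires an elevated prompt. The new
    # behavior applies to subsequent elevation requests without a restart.
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value $Value -Type DWord
    Get-UacAdminPrompt
}

# Show the current setting.
Get-UacAdminPrompt | Format-List UacEnabled, Value, Behavior

# Test lab only: the equivalent of choosing "Elevate without prompting" in step 5.
# Set-UacAdminPrompt -Value 0

# Restore the Windows 7 / Server 2008 R2 default when the lab is finished.
# Set-UacAdminPrompt -Value 5
```

Running Get-UacAdminPrompt before and after the procedure confirms that the change took effect; a domain Group Policy that sets the same policy would overwrite a local change at the next policy refresh.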

Appendix B: Resulting Configuration

This appendix describes the results of configuring the Base Configuration test lab in terms of the following:

  • Computers

  • Active Directory and DNS infrastructure

  • Web infrastructure

  • PKI

Computers

The Base Configuration test lab contains the following computers:

  • DC1

  • APP1

  • EDGE1

  • INET1

  • CLIENT1

DC1

Operating system

Windows Server 2008 R2 Enterprise

Domain membership

Member of the corp.contoso.com domain

TCP/IP configuration on the Corpnet subnet network adapter

IP address: 10.0.0.1

Subnet mask: 255.255.255.0

No default gateway

Connection specific DNS suffix: corp.contoso.com

Roles

  • Domain controller for the corp.contoso.com domain

  • DNS server

    Configured to accept secure dynamic registrations.

    Manual Host (A) records:

    • crl.corp.contoso.com at the IPv4 address 10.0.0.3

  • DHCP server

    Scope: 10.0.0.100-10.0.0.150/24

    DNS server scope option: 10.0.0.1

  • Enterprise root certification authority (CA) for corp.contoso.com, configured through Group Policy for autoenrollment of computer certificates

Installed certificates

Computer certificate: dc1.corp.contoso.com

APP1

Operating system

Windows Server 2008 R2 Enterprise

Domain membership

Member of the corp.contoso.com domain

TCP/IP configuration on the Corpnet subnet network adapter

IP address: 10.0.0.3

Subnet mask: 255.255.255.0

DNS server: 10.0.0.1

No default gateway

Connection specific DNS suffix: corp.contoso.com

Roles

  • Web server (IIS)

    HTTPS (SSL bound to app1.corp.contoso.com certificate)

    CRLD virtual directory mapped to the CRLDist folder, which stores the CRL files

  • File server

    CRLDist$ share; the DC1 computer account has Full Control NTFS and share permissions so that AD CS on DC1 can publish CRL files to it

    Files share, which contains the Example.txt file

Installed certificates

Computer certificate: app1.corp.contoso.com

EDGE1

Operating system

Windows Server 2008 R2 Enterprise

Domain membership

Member of the corp.contoso.com domain

TCP/IP configuration on the Corpnet subnet network adapter

IP address: 10.0.0.2

Subnet mask: 255.255.255.0

DNS server: 10.0.0.1

No default gateway

Connection specific DNS suffix: corp.contoso.com

TCP/IP configuration on the Internet subnet network adapter

IP address: 131.107.0.2 and 131.107.0.3

Subnet mask: 255.255.255.0

No default gateway

Connection specific DNS suffix: isp.example.com

Installed certificates

Computer certificate: edge1.corp.contoso.com

Note that EDGE1 is not configured to provide Internet connectivity for hosts on the Corpnet subnet or intranet connectivity for CLIENT1 when it is connected to the Internet subnet. Subsequent modular TLGs can provide this functionality.

CLIENT1

Operating system

Windows 7 Enterprise or Ultimate

Domain membership

Member of the corp.contoso.com domain

TCP/IP configuration on the network adapter

Automatic (DHCP client)

Installed certificates

Computer certificate: client1.corp.contoso.com

INET1

Operating system

Windows Server 2008 R2 Enterprise

Domain membership

None (standalone)

TCP/IP configuration on the Internet subnet network adapter

IP address: 131.107.0.1

Subnet mask: 255.255.255.0

No default gateway

Connection specific DNS suffix: isp.example.com

Roles

  • DNS server

    Does not accept dynamic updates.

    Manual Host (A) records:

    • inet1.isp.example.com at the IPv4 address 131.107.0.1

    • edge1.contoso.com at the IPv4 address 131.107.0.2

    • www.msftncsi.com at the IPv4 address 131.107.0.1

    • dns.msftncsi.com at the IPv4 address 131.107.255.255

  • Web server (IIS)

    Ncsi.txt in the Web root folder

  • DHCP server

    Scope: 131.107.0.100-131.107.0.150/24

    Router scope option: 131.107.0.1

    DNS domain name option: isp.example.com

    DNS server option: 131.107.0.1

Installed certificates

None

Active Directory and DNS infrastructure

The Active Directory infrastructure consists of a single domain in a single forest, corp.contoso.com, and a single domain controller, DC1.

The DNS infrastructure consists of two separate DNS servers:

  • DC1 is the corp.contoso.com intranet DNS server, which supports DNS dynamic updates

  • INET1 is an Internet DNS server, which does not support DNS dynamic updates

The example Contoso Corporation uses a split-DNS configuration: contoso.com on the Internet and corp.contoso.com on the intranet.

DC1 has the following manually created Host (A) records:

  • crl.corp.contoso.com with the IP address 10.0.0.3

    Resolves the host name in the CRL distribution point URL to APP1.

INET1 has the following manually created Host (A) records:

  • inet1.isp.example.com with the IP address 131.107.0.1

    Resolves the inet1.isp.example.com name to INET1’s address.

  • edge1.contoso.com with the IP address 131.107.0.2

    Resolves the Internet name of EDGE1 to its Internet address.

  • www.msftncsi.com with the IP address 131.107.0.1

    Resolves the www.msftncsi.com name to INET1’s address for Internet detection.

  • dns.msftncsi.com with the IP address 131.107.255.255

    Resolves the dns.msftncsi.com name to the expected address for Internet detection.

Web infrastructure

On the Corpnet subnet, APP1 is a Web server with the IIS server role and supports unprotected (http://app1.corp.contoso.com) and protected Web pages (https://app1.corp.contoso.com). The SSL binding is configured for the autoenrolled computer certificate with the subject name app1.corp.contoso.com.

On the Internet subnet, INET1 is a Web server with the IIS server role and supports unprotected Web pages (http://inet1.isp.example.com). To provide support for Network Connectivity Status Indicator (NCSI) Internet detection, INET1 is also known as www.msftncsi.com and hosts the Ncsi.txt file in the WWWRoot folder.
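NCSI decides that a computer has Internet access by resolving dns.msftncsi.com to a fixed address and by fetching http://www.msftncsi.com/ncsi.txt. The following added example (not a script from the original guide) reproduces both probes from CLIENT1 while it is attached to the Internet subnet with a DHCP lease from INET1, and compares the results with the INET1 records described above. The expected Ncsi.txt content, the string "Microsoft NCSI", is what the real www.msftncsi.com serves; this example assumes the lab copy contains the same text. It uses only .NET classes available in PowerShell 2.0, since Resolve-DnsName and Invoke-WebRequest require PowerShell 3.0.

```powershell
# Added example (not the guide's own script): run on CLIENT1 when it is connected
# to the Internet subnet. Reproduces the two probes Windows NCSI uses against the
# simulated Internet provided by INET1. PowerShell 2.0 compatible.

# Expected values. The addresses come from the INET1 Host (A) records; the body
# string is what the real NCSI endpoint serves (assumed for the lab's Ncsi.txt).
$expectedWwwAddress = '131.107.0.1'
$expectedDnsAddress = '131.107.255.255'
$expectedBody       = 'Microsoft NCSI'

function New-CheckResult {
    param([string]$Check, [string]$Expected, [string]$Actual)
    New-Object PSObject -Property @{
        Check    = $Check
        Expected = $Expected
        Actual   = $Actual
        Pass     = ($Expected -eq $Actual)
    }
}

function Resolve-LabName {
    # Returns the resolved IPv4/IPv6 addresses as a comma-separated string, or
    # a description of the failure so the result table shows why a probe failed.
    param([string]$Name)
    try {
        ([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) -join ','
    } catch {
        "unresolved ($($_.Exception.Message))"
    }
}

function Test-LabNcsi {
    $results = @()

    # Probe 1 (DNS): dns.msftncsi.com must resolve to the well-known address
    # that INET1 publishes in its manually created Host (A) record.
    $results += New-CheckResult 'dns.msftncsi.com A record' $expectedDnsAddress (Resolve-LabName 'dns.msftncsi.com')

    # Probe 2 (HTTP): www.msftncsi.com must resolve to INET1, which must serve
    # /ncsi.txt from its Web root over plain HTTP.
    $results += New-CheckResult 'www.msftncsi.com A record' $expectedWwwAddress (Resolve-LabName 'www.msftncsi.com')
    try {
        $body = (New-Object System.Net.WebClient).DownloadString('http://www.msftncsi.com/ncsi.txt')
        $results += New-CheckResult 'GET /ncsi.txt body' $expectedBody $body.Trim()
    } catch {
        $results += New-CheckResult 'GET /ncsi.txt body' $expectedBody "request failed ($($_.Exception.Message))"
    }

    $results
}

Test-LabNcsi | Format-Table Check, Pass, Expected, Actual -AutoSize
```

If the DNS rows pass but the HTTP row fails, the INET1 DHCP options (router and DNS server 131.107.0.1) are correct and the problem is on the IIS side: a missing Ncsi.txt in the Web root or a Windows Firewall rule on INET1 that blocks inbound TCP port 80.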

PKI

The PKI in the base configuration test lab consists of the following:

  • DC1 acting as an Enterprise Root CA for the corp.contoso.com domain

  • The default Group Policy object configured for computer certificate autoenrollment

  • All of the domain member computers (DC1, APP1, EDGE1, CLIENT1) have a computer certificate installed, with the Subject field set to the FQDN of the computer and with the Server Authentication and Client Authentication enhanced key usage OIDs

  • AD CS on DC1 is configured to store the CRL files on the \\app1\crldist$ share, which corresponds to the CRLD virtual directory on APP1

  • Certificates issued by DC1 are configured with the additional CRL distribution point of http://crl.corp.contoso.com/crld/corp-DC1-CA.crl. The distribution point is published over HTTP rather than HTTPS because validating an HTTPS server certificate would itself require a revocation check, which is the very thing the CRL being fetched is needed for.

When checking certificate revocation on the Corpnet subnet, a computer attempts to retrieve http://crl.corp.contoso.com/crld/corp-DC1-CA.crl. The manually configured Host (A) record on DC1 resolves crl.corp.contoso.com to 10.0.0.3, the IP address of APP1, which serves the file from the CRLDist folder through the CRLD virtual directory.
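The following added example (not a script from the original guide) verifies the PKI configuration described in this section from any domain member. It locates the autoenrolled computer certificate in the local machine store, checks that its Subject is the computer's FQDN and that both enhanced key usage OIDs are present, confirms that the CRL Distribution Points extension carries the expected URL, and then downloads the CRL the way a Corpnet client would and lets certutil parse it. It assumes the CA common name is corp-DC1-CA, as implied by the CRL file name, and that the computer's FQDN is returned by a DNS lookup of its own host name. PowerShell 2.0 compatible.

```powershell
# Added example (not part of the original guide): check the computer certificate
# and CRL distribution point on a domain member (DC1, APP1, EDGE1 or CLIENT1).
# Assumptions: CA common name corp-DC1-CA; the CDP URL below. PowerShell 2.0.

$expectedCdp      = 'http://crl.corp.contoso.com/crld/corp-DC1-CA.crl'
$expectedCrlHost  = '10.0.0.3'                                     # APP1
$expectedEkus     = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')    # Server Auth, Client Auth
$fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).ToLower()

function Get-LabComputerCertificate {
    # The autoenrolled certificate: Subject is this computer's FQDN, issued by the lab CA.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.Issuer -like 'CN=corp-DC1-CA*' } |
        Select-Object -First 1
}

function Test-LabCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { throw "No certificate with Subject CN=$fqdn issued by corp-DC1-CA in LocalMachine\My" }

    # Enhanced Key Usage: every expected OID must appear in the extension.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $missing = @($expectedEkus | Where-Object { $ekus -notcontains $_ })

    # CRL Distribution Points (OID 2.5.29.31): Format() renders each entry as "URL=...".
    $cdpExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = ''
    if ($cdpExt) { $cdpText = $cdpExt.Format($true) }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        EkuOk      = ($missing.Count -eq 0)
        MissingEku = ($missing -join ',')
        CdpOk      = ($cdpText -match [regex]::Escape($expectedCdp))
    }
}

function Test-LabCrl {
    # Resolve the CDP host the way a Corpnet client does (DC1's manual A record),
    # fetch the CRL over plain HTTP, and let certutil confirm it is a valid CRL.
    $addrs = @([System.Net.Dns]::GetHostAddresses('crl.corp.contoso.com') | ForEach-Object { $_.IPAddressToString })
    $tmp   = Join-Path $env:TEMP 'corp-DC1-CA.crl'
    (New-Object System.Net.WebClient).DownloadFile($expectedCdp, $tmp)
    $dump = & certutil.exe -dump $tmp 2>&1
    $crlOk = ($LASTEXITCODE -eq 0)
    $issuerLine = ($dump | Where-Object { $_ -match 'CN=corp-DC1-CA' } | Select-Object -First 1)

    New-Object PSObject -Property @{
        ResolvedTo = ($addrs -join ',')
        DnsOk      = ($addrs -contains $expectedCrlHost)
        Bytes      = (Get-Item $tmp).Length
        ValidCrl   = $crlOk
        CrlIssuer  = "$issuerLine".Trim()
    }
}

Test-LabCertificate (Get-LabComputerCertificate) | Format-List Subject, Issuer, NotAfter, EkuOk, MissingEku, CdpOk
Test-LabCrl | Format-List ResolvedTo, DnsOk, Bytes, ValidCrl, CrlIssuer
```

The built-in equivalent of the second function is certutil -verify -urlfetch against an exported copy of the certificate, which walks every AIA and CDP URL in the chain and reports which ones could be retrieved. Running either check from CLIENT1 after it has returned to the Corpnet subnet is a quick way to confirm that the crl.corp.contoso.com record, the CRLD virtual directory and the CRLDist$ share are all in place before later TLGs build on this PKI.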