Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

In ramping up for this project, the first thing to do was to get a Windows Server instance running on EC2 and deploy a test web application to it. I figured that experience would be typical of what most developers will need to do as they experiment with this cloud computing platform. In fact, it was easier than I thought it would be. Here are my “lab notes”:

I started with the existing AWS Management Console (I’d signed up for an account previously; you’ll need one in order to try any of this). The first step was to create a new machine Instance. I used the public one named “ami-45bf582c,” which is basically Windows Server 2003. I selected the medium CPU load, just because I wanted reasonable responsiveness while experimenting with things.

Next, I created and attached an “Elastic Block Store” volume. In other words, a persistent drive. Note that anything you save on a non-EBS drive is gone forever once the virtual host reboots. I actually ended up not needing the EBS volume for this testing, but it was comforting to know it was there in case, in the middle of my work, I decided I wanted to save something!

If you do create an EBS volume, be sure it’s in the same zone as the machine instance that you want to attach it to (currently, Windows machines can only run in zone us-east-1b, but that’s not the default zone when creating a new volume). Also, the current version of the AWS console has a bug in selecting the target instance when attaching a volume. The available instance (I had only one) doesn’t appear, even though it is in the same zone. Just hit okay on the dialog anyway; the volume will attach to the default instance (again, not sure what will happen if you’ve got more than one).

A few additional notes about preparing the Windows instance before deploying a test website:

  1. A static IP can be allocated and bound to the machine for testing, but that’s not required for this test. The public DNS name assigned to the instance is fine.
  2. Enable RDP for the machine group in question via the AWS console. There’s a built-in setting for this (called “RDP”), but it’s filtered (blocked) by default. I also opened up HTTP this way.
  3. Once I’d connected to the test machine instance via RDP, I removed the Windows Server 2003 IE hardening settings via appwiz.cpl in order to have a more functional Internet Explorer. That’s something you wouldn’t want to do for a production deployment.
  4. Also using appwiz.cpl, I installed the ASP.NET feature under Application Server in Windows components. That may not be a required step, though.
  5. In the IIS Management MMC snap-in, I enabled all of the web service extensions. Again, for a production deployment, you’d want to do this only selectively.

Now, what about the test web application? Visual Studio has a great feature for deploying web applications, namely, the Web Setup Project type. There’s a reasonable introduction to that feature here. I decided to use that approach for my test deployment.

However, once the MSI/CAB package has been built for the test web site, there’s still the question of how to get it onto the EC2 machine instance. The ports I’d opened - RDP and HTTP - aren’t much help when it comes to copying files.

To digress briefly, I decided to experiment with using SMB (i.e., file shares) to copy the web site installer. Thus, I returned to the AWS console security group settings and opened up a few additional ports: 135, 139, and 445. To my chagrin, that doesn’t work; Amazon still blocks them:

>nmap.exe -v  -PN X.X.X.X -p T:80,135,139,445,3389

Starting Nmap 4.68 ( http://nmap.org ) at 2009-02-04 14:35 Pacific Standard Time
Initiating Parallel DNS resolution of 1 host. at 14:35
Completed Parallel DNS resolution of 1 host. at 14:35, 6.50s elapsed
Initiating SYN Stealth Scan at 14:35
Scanning ABC.compute-1.amazonaws.com (X.X.X.X) [5 ports]
Discovered open port 80/tcp on X.X.X.X
Discovered open port 3389/tcp on X.X.X.X
Completed SYN Stealth Scan at 14:35, 2.58s elapsed (5 total ports)
Host ABC.compute-1.amazonaws.com (X.X.X.X) appears to be up ... good.
Interesting ports on ABC.compute-1.amazonaws.com (X.X.X.X):
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3389/tcp open     ms-term-serv
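
Checking a scan like the one above against what the security group was meant to allow, as an added example that is not from the original post: it parses nmap’s normal-output port table (the embedded sample is constructed to mirror the scan above, with host and IP as placeholders) and separates rules that are reachable from ones the provider still filters upstream, ones where nothing is listening, and any open port that was never intended.

```python
"""Compare the ports an EC2 security group was edited to allow with what an nmap
scan of the instance actually reports.  Added example, not from the original
post; the sample output is constructed (host and IP are placeholders)."""
import re
from typing import Dict, Set

# Ports the security group was opened for in the post: HTTP, RDP, and the
# RPC/SMB trio that the provider kept filtering upstream of the instance.
INTENDED_OPEN = {80, 135, 139, 445, 3389}

# Constructed sample: the "Interesting ports" table as nmap 4.x prints it.
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on ABC.compute-1.amazonaws.com (X.X.X.X):
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3389/tcp open     ms-term-serv
"""

_ROW = re.compile(  # one table row: "<port>/<proto>  <state>  <service>"
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s*(\S*)", re.M
)


def parse_nmap_ports(output: str) -> Dict[int, str]:
    """Return {port: state} for every TCP row of nmap's normal-format output."""
    return {int(p): st for p, proto, st, _svc in _ROW.findall(output) if proto == "tcp"}


def security_group_gaps(observed: Dict[int, str], intended: Set[int]) -> Dict[str, Set[int]]:
    """Sort intended ports by what the scan saw: reachable (open as intended),
    filtered (no answer at all: blocked before the host, e.g. by the provider),
    closed (host answered but nothing listens: service not installed/started),
    unscanned (intended port missing from the scan); plus 'unexpected', open
    ports that were never intended and deserve a look at the group rules."""
    return {
        "reachable": {p for p in intended if observed.get(p) == "open"},
        "filtered": {p for p in intended if observed.get(p) in ("filtered", "open|filtered")},
        "closed": {p for p in intended if observed.get(p) == "closed"},
        "unscanned": {p for p in intended if p not in observed},
        "unexpected": {p for p, s in observed.items() if s == "open" and p not in intended},
    }


if __name__ == "__main__":
    for kind, ports in security_group_gaps(parse_nmap_ports(SAMPLE_NMAP_OUTPUT), INTENDED_OPEN).items():
        print(f"{kind:10s} {sorted(ports)}")
```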

What to do instead? I took the easy way out: zip up the web installer MSI, email it to myself, and open it on the EC2 instance. Note: this is one reason that you’d need to disable IE hardening for testing purposes; otherwise you probably wouldn’t be able to log on to your webmail site.

What to do for deployment into production? Amazon suggests using FTP or FrontPage Server Extensions. I wouldn’t recommend the former, since the password is sent in cleartext, unless you’re tunneling it through (a Windows build of) SSH. Regarding FPSE, I tried installing them via Add/Remove Programs and got an error about missing installation media. Thus, the solution will be some combination of scripting and keeping certain tools and media on an EBS volume.

In any case, once I’d installed the test web site via the email attachment, it worked fine the first time around, including remotely via the public DNS name.
