AWS

The reason for doing this was that a client asked me to help with some enterprise software in Amazon Web Services (AWS). I haven't touched Windows Server in anger for over a decade and really never imagined I ever would again. This is despite long ago being one of the first Microsoft Certified Systems Engineers in the UK. My certification has long expired and I have absolutely no intention of taking it again but this is an interesting project in an industry vertical I know well, with people I really like. So I thought I'd build out my own private Windows Server infrastructure on AWS first, in order to see what I was letting myself in for.

What I was able to do

  • Set up a FREE tier eligible AWS account with a new domain name and email address.
  • Install Windows Server 2019 in an Amazon EC2 instance, securely.
  • Install Internet Information Server, Microsoft's venerable web server.
  • Add a Let's Encrypt SSL certificate, trusted and supported by all major browsers.
  • Set the Let's Encrypt SSL certificate to auto renew through a scheduled task.
  • Replace Internet Explorer (IE) with Chrome as the default browser on the Server because IE is so utterly unusable now that it is laughable that it is provided with Windows Server at all.

TL;DR — It is relatively simple to set up a FREE Windows Server based web server with a Let's Encrypt SSL certificate in AWS. There are a few hurdles to jump over but once you get past them it works fine.

Before you start building a FREE Windows web server with a Let's Encrypt SSL certificate in AWS

If you want to try this you should be aware that you can get a FREE year of AWS Amazon Elastic Compute Cloud (EC2) by signing up for AWS with a new account. The EC2 instance you can build and run for free is not going to win any prizes for Windows Server performance but it can run 24x7 for free for a year and is perfectly good enough to test out your Windows Server administration skills. (See links below for details of what is free tier eligible).

Installation and testing

Create your AWS environment

The first thing you need to do is create a new AWS account in order to take advantage of the offer of 750 free hours of EC2 per month for 12 months. If you have had an existing AWS account for more than 12 months you can't do this, so it is worth spending the time to set up a new one. It is pretty simple to do. Just create a new domain name, with a working email address at your favourite webhost, and use it to sign up for AWS. Once you have signed up you have everything you need to get going in a low cost test environment.

Now that you have your new AWS account set up, you can deploy a Windows Server Amazon Machine Image (AMI) into an instance type that is supported by the free tier. The AWS console clearly identifies these instances. They are either t2.micro or t3.micro instances, depending on region. Choose wisely, otherwise your Windows Server AWS costs will end up on your credit card bill!

Install Windows Server 2019 in an Amazon EC2

  • Once you have created your account you can visit the AWS console.
  • I created a regular user in addition to the root user and added the user to a group with full access to Amazon EC2, and nothing else.
  • I then made sure my user is set for multi-factor authentication (MFA) using a USB security key - I chose a YubiKey USB-C security key.
  • In the AWS console, type EC2 in the search bar (you can click the star to add it as a favourite so you can easily load it again). Load the EC2 management console. From here you can choose an AMI from the Applications and OS images section.
    Screenshot of AWS Console 'Launch an instance' page highlighting the 'free tier eligible' Windows Server 2019 Amazon Machine Instance
  • Click 'Windows' and scroll through the quick starts until you find the AMI you wish to try. I need Windows Server 2019 for this installation. Note that it is 'free tier eligible' only if you choose a t2.micro instance in my particular AWS region.
  • Click 'Launch Instance'
  • In a short while your instance will be running. Select the instance in the console and click 'Actions --> Connect'
    Screenshot of EC2 Console showing how to connect to an instance.
  • You will need to decrypt the password, or already have previously done so. Download the remote desktop shortcut and double click on it to open a connection to your new Windows Server.
    Screenshot showing how to download a Microsoft Remote Desktop (RDP) connection profile which will enable you to connect to your new server's Windows user interface.

Install Internet Information Server

  • IIS doesn't seem to have really changed for decades. Our Windows Server is a full installation so just run 'Server Manager', choose 'Add roles and features', skip the 'before you begin' screen by clicking 'Next' and then on the 'Select installation type' screen, select 'Role-based or feature-based installation' and click 'Next' again and then 'Add Features' on the resulting dialog box.
  • You can click through the complexity of the 'Server selection' screen, as this is the only server.
  • Now on the 'Select server roles' screen you just need to check 'Web Server (IIS)' and click 'Next' again. Some more features may be needed; just click through the 'Next' buttons until you reach the end of this so-called 'wizard' and reach an 'Install' button. Finally IIS will be added to your server.

Add a Let's Encrypt SSL certificate

  • Download the win-acme client for Windows, which is a Windows client for Let's Encrypt, the industry standard and nowadays the best practice for SSL certificates supported in all major browsers and sponsored by the major titans of the software industry.
  • Let's Encrypt certificates are free and fabulous. There's absolutely no reason to buy certificates or use self-signed certificates anymore.
  • Point your Internet domain at the external IP address of your Windows Server. (An Elastic IP address is better for the longer term, but not essential for this stage).
  • Now follow the command line defaults for IIS to validate your IP address, then set up and store your certificate, and you'll be running in no time!
    screenshot of win-acme at https://www.win-acme.com/
  • It could not be easier, and certificates can be hard!
  • Remember to enable the automatic renewal capability, and provided your Windows server can access the Internet you can forget about manually managing SSL certificate renewal.
  • At this point you should be able to access your server, using https, with a padlock in the browser, from the Internet.
  • To access it correctly from itself, instead of via localhost, add an entry to the hosts file, usually in C:\windows\system32\drivers\etc for the domain to which you registered the certificate. Local domain resolution goes via the hosts file first, before attempting a DNS lookup and this is perfectly fine for a single Windows Server lab type environment. You can install Chrome to test everything is how you expect it to be.
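One way to confirm the last few steps, as an added example that is not part of the original article: it connects to the site over TLS, reads the certificate IIS actually serves, and warns if validation failed, the issuer is not Let's Encrypt, or expiry is close enough to suggest the renewal task is not running. The function name `Get-ServedCertificate`, the domain `www.example.com` and the 30-day threshold are assumptions of this example.

```powershell
# Added example. Assumptions: www.example.com stands in for your own domain,
# and 30 days is an illustrative warning threshold.
function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $state = @{ Errors = $null }
    # Record the validation result but return $true, so that an expired or
    # mismatched certificate can still be inspected. For inspection only.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $c, $ch, $errs) $state.Errors = $errs; $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            PolicyErrors = $state.Errors   # 'None' means name and chain both validated
        }
    }
    finally { if ($ssl) { $ssl.Dispose() }; $tcp.Close() }
}

$r = Get-ServedCertificate -HostName 'www.example.com'   # placeholder domain
$r | Format-List

if ($r.PolicyErrors -ne 'None') {
    Write-Warning "Certificate did not validate: $($r.PolicyErrors)"
}
if ($r.Issuer -notlike "*Let's Encrypt*") {
    Write-Warning "Unexpected issuer: $($r.Issuer)"
}
if ($r.DaysLeft -lt 30) {
    Write-Warning "Only $($r.DaysLeft) days left; check that the renewal scheduled task is running."
}
```

Run from the server itself, this also exercises the hosts file entry, because the connection uses the certificate's domain name rather than localhost.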

Replace Internet Explorer with Google Chrome as the default browser

You can't do this manually for large scale deployments, where you should use AWS CodeDeploy or Windows policy management. For a lab server though there's an easy manual PowerShell command which can install Google Chrome.

Run this PowerShell command as Administrator. Read it first, obviously. It downloads and runs the Chrome installer silently, waits until it has finished and cleans up. I found it at the cited link. It isn't my code so it isn't subject to my code licencing! It works though. Nice job!

# Download the Chrome installer to the temp directory. HTTPS is used so the file cannot be altered in transit.
$LocalTempDir = $env:TEMP; $ChromeInstaller = "ChromeInstaller.exe";
(New-Object System.Net.WebClient).DownloadFile('https://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller");
# Run the installer silently, poll every 2 seconds until its process has exited, then delete the downloaded file.
& "$LocalTempDir\$ChromeInstaller" /silent /install; $Process2Monitor = "ChromeInstaller";
Do { $ProcessesFound = Get-Process | ?{$Process2Monitor -contains $_.Name} | Select-Object -ExpandProperty Name;
If ($ProcessesFound) { "Still running: $($ProcessesFound -join ', ')" | Write-Host; Start-Sleep -Seconds 2 }
else { rm "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose } }
Until (!$ProcessesFound)

https://www.snel.com/support/install-chrome-in-windows-server/ — snel.com
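A hardened variant of the command above, as an added example that is not from this page or from snel.com: it fetches the same installer path over HTTPS and refuses to run the file as Administrator unless its Authenticode signature is valid and names Google as the signer. The signer string `O=Google LLC` and the function name `Test-InstallerSignature` are assumptions of this example.

```powershell
# Added example: verify the downloaded installer before executing it.
# Assumption: the publisher certificate's subject contains "O=Google LLC".
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Url            = 'https://dl.google.com/chrome/install/375.126/chrome_installer.exe'
$Installer      = Join-Path $env:TEMP 'ChromeInstaller.exe'
$ExpectedSigner = 'O=Google LLC'

function Test-InstallerSignature {
    param([string]$Path, [string]$SignerPattern)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is 'Valid' only if the file is unmodified and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }
    # A valid signature from some other publisher is still the wrong file.
    if ($sig.SignerCertificate.Subject -notlike "*$SignerPattern*") {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

try {
    Invoke-WebRequest -Uri $Url -OutFile $Installer -UseBasicParsing
    if (-not (Test-InstallerSignature -Path $Installer -SignerPattern $ExpectedSigner)) {
        throw 'Installer failed signature verification; not executing it.'
    }
    # -Wait blocks until the installer exits, replacing the polling loop.
    $p = Start-Process -FilePath $Installer -ArgumentList '/silent', '/install' -Wait -PassThru
    Write-Host "Installer exit code: $($p.ExitCode)"
}
finally {
    # Remove the download whether or not it was run.
    Remove-Item $Installer -ErrorAction SilentlyContinue
}
```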
