Re: IIS infection prevention from W32.Nimda.A@mm/TROJ_NIMDA.A

From: Runza, Michael (mrunza@BESICORP.COM)
Date: 10/10/01


Message-ID:  <52FBB3C470ACD411B38B00D0B7E80BC04F6E5E@smtp.Besicorp.com>
Date:         Wed, 10 Oct 2001 09:53:07 -0400
From: "Runza, Michael" <mrunza@BESICORP.COM>
Subject:      Re: IIS infection prevention from W32.Nimda.A@mm/TROJ_NIMDA.A
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Per Sharon's comment, this is coming from an associate of mine within MS for
use with OWA 5.5.

IIS Lockdown-

Express Mode install

This utility is used to disable functionality on an IIS server. When run in
"Express Mode" it will disable .asp pages and will disable OWA 5.5.

NOTE: This will also disable the change password functionality utilized by
OWA.

To allow OWA 5.5 to run on a machine that has had the "Express Mode" IIS
Lockdown run, you first need to make sure the server is patched to MS01-44
and has IE 5.5 SP2 or IE6.

With this run, the IIS server will return the "HTTP 404 File not found"
error page to users accessing the IIS server, and "Object Disabled" if you
are logged on interactively to the IIS server.

To enable OWA 5.5 after an "Express Mode" setup we need to remap the ".asp"
extension to "C:\WINNT\System32\inetsrv\asp.dll".

Steps:

We need to right-click on the server name in the Internet Services Manager
and choose "Properties", make sure the Master Properties are set to "WWW
Service", then click on the "Edit" button. Next click on the "Home
Directory" tab and then the "Configuration" button. This is where you will
see the Application Mappings. You will see that all have been set to point
to a file called "404.dll"; this is what is returning the error messages.

Now we need to enable, or remap, the .asp extension.

Highlight the .asp extension and then click "Edit".

Now we need to browse to "C:\WINNT\System32\inetsrv\asp.dll" and click "OK".
You can leave everything else as it is in this window.

"Apply" these changes and "OK" out.

Stop and Restart W3SVC.

I have tested most all OWA 5.5 functionality and it all has worked; please
let me know if you find something that does not.

Advanced Mode Install

When I ran IIS Lockdown in "Advanced Mode" I was able to uncheck the
"Disable the support for Active Server Pages (.asp)" option in the Remove
Script Mappings and then continue and finish the install.

NOTE: This will also disable the change password functionality utilized by
OWA.

With this configuration OWA 5.5 seemed to be unaffected; I tested as many
different things as I could and they all worked.

URL Scan-

This is an ISAPI filter that "filters" many types of activities that have
been exploited by viruses.

It installs an ISAPI filter at the Server or Master Properties level called
Urlscan. This will filter ALL traffic going to this web server.

I installed it and was unable to see any problems with it and OWA 5.5 <G>

Summary

This email ONLY applies to OWA 5.5; we are working on another email on OWA
2000 and these IIS tools.

URL Scan does not seem to present any problems at all to OWA 5.5.

An "Express Mode" setup of IIS Lockdown WILL break OWA 5.5; use the steps
above to enable OWA 5.5.

An "Advanced Mode" install of IIS Lockdown allows you to uncheck the "Disable
the support for Active Server Pages (.asp)" option and allows OWA 5.5 to
function properly.

I was also able to have URLScan AND IIS Lockdown with .asp active and it
worked.

NOTE: I have tested all these steps and as many OWA 5.5 functions as time
permitted; if you find any errors or have information to add, please email me
directly.
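The remapping step above is done by hand in Internet Services Manager; the script below is an added example (not from the original mail or from Microsoft) that audits the same WWW master script mappings through the IIS ADSI provider and, only when run with a "/fix" argument, restores the .asp mapping alone, so an admin can confirm that every other extension is still pointed at 404.dll. It assumes the IIS 4/5 ADSI provider is available on the server itself and uses the asp.dll path and the 404.dll name quoted in the mail.

```vbscript
' Audit (and optionally repair) WWW master script mappings after IIS Lockdown.
' Usage:  cscript owa_scriptmaps.vbs        (audit only)
'         cscript owa_scriptmaps.vbs /fix   (re-enable .asp, nothing else)
Option Explicit

Const ASP_DLL = "C:\WINNT\System32\inetsrv\asp.dll"   ' path quoted in the mail
Const LOCKDOWN_DLL = "404.dll"                        ' IIS Lockdown placeholder

Dim svc, maps, i, parts, ext, dll, doFix, changed
doFix = (WScript.Arguments.Count > 0 And LCase(WScript.Arguments(0)) = "/fix")

' Master WWW properties; use IIS://localhost/W3SVC/<n>/ROOT to check one site.
Set svc = GetObject("IIS://localhost/W3SVC")
maps = svc.ScriptMaps
changed = False

For i = 0 To UBound(maps)
    ' Each entry is "ext,dll,flags[,verbs...]".
    parts = Split(maps(i), ",")
    ext = LCase(parts(0))
    dll = parts(1)
    If InStr(1, dll, LOCKDOWN_DLL, vbTextCompare) > 0 Then
        If ext = ".asp" And doFix Then
            parts(1) = ASP_DLL              ' the one mapping OWA 5.5 needs
            maps(i) = Join(parts, ",")
            changed = True
            WScript.Echo "remapped " & ext & " -> " & ASP_DLL
        Else
            WScript.Echo "locked   " & ext & " -> " & dll
        End If
    ElseIf ext = ".asp" And LCase(dll) = LCase(ASP_DLL) Then
        WScript.Echo "enabled  " & ext & " -> " & dll
    Else
        ' Any other extension still handled by a real DLL deserves a look.
        WScript.Echo "REVIEW   " & ext & " -> " & dll
    End If
Next

If changed Then
    svc.ScriptMaps = maps
    svc.SetInfo                             ' write the array back to the metabase
    WScript.Echo "Metabase updated; stop and restart W3SVC."
End If
```

Lines marked REVIEW are extensions that were left live after the lockdown (for example by an "Advanced Mode" install) and should match what you intended to keep.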
