Re: Auto deploy from W2K machine w/IIS Lockdown applied

From: Norm Dotti (normd@knorrassociates.com)
Date: 12/23/02 

From: normd@knorrassociates.com (Norm Dotti)
Date: 23 Dec 2002 05:15:04 -0800

Bassel,

Thanks for your response. None of my application files are under the
Windows directory, so I'm not clear why I'm getting a 404.

Where can I go to change these settings or somehow override them for
my particular app?

basselt@online.microsoft.com (Bassel Tabbara [MSFT]) wrote in message news:<b2E$OsEqCHA.1488@cpmsftngxa06>...
> Hi Norm,
>
> The Lockdown tool secures system utilities by putting a deny execute ACE
> for the Web Applications group and the Web Anonymous Users group on all
> files in underneath the Windows directory. This is done to prevent
> successful attacks from executing command-line tools. The Lockdown tool
> ACL's the file if it meets the following criteria:
> " *.exe
> " *.com
> There is one exception:
> It doesn't put a deny execute ACE for "Web Applications" on DLLHOST.EXE.
> This is the executable that hosts out-of-process applications. DLLHOST.EXE
> is the executable that the members of the "Web Applications" group have to
> start.
>
>
>
> Thanks,
> Bassel Tabbara
> Microsoft, ASP.NET
>
> This posting is provided "AS IS", with no warranties, and confers no rights.
> --------------------
> | Content-Class: urn:content-classes:message
> | From: "Norm Dotti" <normd@knorrassociates.com>
> | Sender: "Norm Dotti" <normd@knorrassociates.com>
> | Subject: Auto deploy from W2K machine w/IIS Lockdown applied
> | Date: Fri, 20 Dec 2002 07:28:28 -0800
> | Lines: 11
> | Message-ID: <048001c2a83c$71ecbe80$cef82ecf@TK2MSFTNGXA08>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | charset="iso-8859-1"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
> | Thread-Index: AcKoPHHspc8v/fjcQXWIJI2RzC/hfQ==
> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> | NNTP-Posting-Host: TK2MSFTNGXA08 10.40.1.160
> | Path: cpmsftngxa09!TK2MSFTNGP08!cpmsftngxa06
> | Xref: cpmsftngxa09 microsoft.public.dotnet.framework.aspnet.security:3449
> | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security
> |
> | I can't seem to get autodeploy to work from a W2K Server
> | machine w/the IIS Lockdown applied. I keep getting a 404
> | when I try to get the exe (e.g. http://webserver/app.exe).
> | If I turn on directory browsing I can see the exe file
> | there so I know I'm asking for it correctly. I've got the
> | app set up for Script-only in IIS. I've got anonymous
> | access set up. I've removed .config from the list of files
> | to not download. Does the lockdown tool somehow prevent
> | the detection of a .net exe? I'm not all that familiar
> | w/what the lockdown tool does behind the scenes. Any help
> | would be appreciated.
> |