Re: Auto deploy from W2K machine w/IIS Lockdown applied
From: Norm Dotti (normd@knorrassociates.com)
Date: 01/13/03
- Next message: Jordan: "RE: ASP.NET on SAN - not working"
- Previous message: Rey Rivera: "Re: .Net and CAPICOM"
- In reply to: Mike Moore [MS]: "Re: Auto deploy from W2K machine w/IIS Lockdown applied"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: normd@knorrassociates.com (Norm Dotti) Date: 13 Jan 2003 08:42:16 -0800
Mike,
The problem is related to URLScan. In the URLScan.ini file, one of the
entries is UseAllowExtensions, which was set to 0, meaning it will use
the [DenyExtensions] section. FYI, these are the default settings. The
[DenyExtensions] section looks like the following:
[DenyExtensions]
; Executables that run on the server
.exe
.bat
.cmd
.com
By commenting out the ".exe" line and restarting IIS the problem went
away. Sorry for the delayed response (holiday and all). I'm guessing
other people will run into this as these are the default settings for
URLScan.
michmo@online.microsoft.com ("Mike Moore [MS]") wrote in message news:<ZDKhpOuqCHA.1488@cpmsftngxa06>...
> Hi Norm,
>
> * Check the configuration for LockDown.
> LockDown comes with a help file named iislockd.chm. If you double-click
> it, you can see help information. It also comes with RunLockdUnattended.doc.
>
> Find the file iislockd.ini on your machine and open it in NotePad. You will
> see that it has several sections. At the top is the [info] section. If the
> info section contains "Unattended=TRUE", then the setting
> "UnattendedServerType" should designate which of the several sections below
> is currently active on your machine. If Unattended is set to FALSE, then
> look in the folder that contains iislockd.exe. In that directory, look for
> Oblt-log.log. This should show the settings that were used when LockDown
> was installed. Then you can determine which of the sections within
> iislockd.ini is the active section.
>
> If you cannot determine which section is active, you can experiment to find
> it. If you can browse ASP files, then sections disabling ASP are not
> active. Of the remaining sections, set them consecutively to disable ASP
> until ASP stops working. That's the active section.
>
> In the active section, review the settings to see if any of them prevent
> activities that you want to allow, or if any allow activities that you want
> to prevent. Change the settings as appropriate and experiment with any
> settings you don't know. For all settings, make note of what they were
> previously so you can put them back if needed.
>
>
> * Check the configuration for UrlScan
> UrlScan comes with UrlScan.doc and urlscan_unattend.txt and readme.txt. It
> also comes with multiple INI files.
>
> Within the active section of iislockd.ini, look for an entry named
> UrlScan_IniFileLocation. This will indicate which of the UrlScan INI files
> is active. If you have trouble determining which INI file is active,
> experiment by setting the INI files consecutively to disable ASP. When ASP
> is actually disabled, that is the active INI file. It will probably be
> "urlscan_dynamic.ini".
>
> Examine the settings within the INI file and change them as needed.
>
> NOTE: the UrlScan INI file has multiple sections and only some of them are
> active. At the top of the file, look for:
> - UseAllowVerbs
> - UseAllowExtensions
>
> Further down you will see sections for
> [AllowVerbs]
> [DenyVerbs]
> [DenyHeaders]
> [AllowExtensions]
> [DenyExtensions]
> [DenyUrlSequences]
>
> If "UseAllowVerbs" is set to zero, then all verbs will be allowed except
> those listed in the DenyVerbs section. If UseAllowVerbs is set to 1, then
> all verbs will be denied except those listed in AllowVerbs.
> "UseAllowExtensions" is similar. The other two sections, "DenyHeaders" and
> "DenyUrlSequences" are active regardless of the settings at the top of the
> INI file.
>
> Change the settings as appropriate and experiment with any settings you
> don't know. For all settings, make note of what they were previously so you
> can put them back if needed.
>
>
> * Check NTFS permissions for the EXE (and its related files such as
> application.config). Change the NTFS permissions to allow your visitors to
> read, but not execute the EXE (if you want to, you can also allow them
> execute, but that will allow them to run the EXE on the server, compared to
> allowing them to only download it and run it on their own machines). You
> need to be sure to allow access to the user account actually being used by
> your visitors. With anonymous access, this will usually be either ASPNET or
> Iusr_machine, where "machine" is the machine name of the server. With
> non-anonymous access and with impersonation, this account can vary.
> Whatever it is, that's the account(s) you need to grant access.
>
> ---
> If it still fails after all of the above, then try some experiments.
> If this server is connected to the internet, then modify your IIS settings
> to restrict access, such as restrict access by IP address.
>
> * grant "everyone" full access to your whole directory
> * make backups of the above INI files and change the settings to allow
> maximum access (such as, use DenyVerbs and leave the DenyVerbs section
> empty). You can even change the IIS settings to remove the LockDown and
> UrlScan filters.
> *** Remember to put these things back.
>
> --
> If it's still failing, then repost with the following additional
> information.
> 1) Anything you learned from all of the above.
> 2) A list of your ISAPI filters
> To get this list: In Internet Services Manager, the first entry is
> "Internet Information Services". Just one level down from that is the name
> of the server. Right click on this entry for the server and select
> "properties". From the Master Properties drop list, select WWW Service.
> Then click Edit. Select the ISAPI Filters tab. Starting at the top, select
> the entries one by one and click Edit. Select the text from the two fields
> "Filter Name" and "Executable" and paste them into your response.
>
> Please let me know if this solves the problem.
>
> Thank you, Mike Moore
> Microsoft, ASP.NET
>
> This posting is provided "AS IS", with no warranties, and confers no rights.
>
> --------------------
> >From: normd@knorrassociates.com (Norm Dotti)
> >Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >Subject: Re: Auto deploy from W2K machine w/IIS Lockdown applied
> >Date: 23 Dec 2002 05:15:04 -0800
> >Organization: http://groups.google.com/
> >Lines: 67
> >Message-ID: <219f4ebc.0212230515.242897d5@posting.google.com>
> >References: <048001c2a83c$71ecbe80$cef82ecf@TK2MSFTNGXA08>
> > <b2E$OsEqCHA.1488@cpmsftngxa06>
> >
> >Bassel,
> >
> >Thanks for your response. None of my application files are under the
> >Windows directory, so I'm not clear why I'm getting a 404.
> >
> >Where can I go to change these settings or somehow override them for
> >my particular app?
> >
> >
> >
> >
> >basselt@online.microsoft.com (Bassel Tabbara [MSFT]) wrote in message
> >news:<b2E$OsEqCHA.1488@cpmsftngxa06>...
> >> Hi Norm,
> >>
> >> The Lockdown tool secures system utilities by putting a deny execute ACE
> >> for the Web Applications group and the Web Anonymous Users group on all
> >> files in underneath the Windows directory. This is done to prevent
> >> successful attacks from executing command-line tools. The Lockdown tool
> >> ACL's the file if it meets the following criteria:
> >> - *.exe
> >> - *.com
> >> There is one exception:
> >> It doesn't put a deny execute ACE for "Web Applications" on DLLHOST.EXE.
> >> This is the executable that hosts out-of-process applications. DLLHOST.EXE
> >> is the executable that the members of the "Web Applications" group have to
> >> start.
> >>
> >>
> >>
> >> Thanks,
> >> Bassel Tabbara
> >> Microsoft, ASP.NET
> >>
> >> This posting is provided "AS IS", with no warranties, and confers no rights.
> >> --------------------
> >> | Content-Class: urn:content-classes:message
> >> | From: "Norm Dotti" <normd@knorrassociates.com>
> >> | Sender: "Norm Dotti" <normd@knorrassociates.com>
> >> | Subject: Auto deploy from W2K machine w/IIS Lockdown applied
> >> | Date: Fri, 20 Dec 2002 07:28:28 -0800
> >> | Lines: 11
> >> | Message-ID: <048001c2a83c$71ecbe80$cef82ecf@TK2MSFTNGXA08>
> >> | Newsgroups: microsoft.public.dotnet.framework.aspnet.security
> >> |
> >> | I can't seem to get autodeploy to work from a W2K Server
> >> | machine w/the IIS Lockdown applied. I keep getting a 404
> >> | when I try to get the exe (e.g. http://webserver/app.exe).
> >> | If I turn on directory browsing I can see the exe file
> >> | there so I know I'm asking for it correctly. I've got the
> >> | app set up for Script-only in IIS. I've got anonymous
> >> | access set up. I've removed .config from the list of files
> >> | to not download. Does the lockdown tool somehow prevent
> >> | the detection of a .net exe? I'm not all that familiar
> >> | w/what the lockdown tool does behind the scenes. Any help
> >> | would be appreciated.
> >> |
> >
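To make the UrlScan rules described in the thread concrete, here is an added example (not code from the thread or from Microsoft) that models how the UseAllowVerbs/UseAllowExtensions switches, the list sections and the always-active [DenyUrlSequences] section decide a request. The INI fragment is constructed from the defaults quoted above, and the extension and sequence matching is a simplified assumption of UrlScan's behaviour; it also shows that commenting out ".exe" lets every .exe under the site be downloaded, not only app.exe.

```python
import configparser

# Constructed urlscan.ini fragment mirroring the defaults described in the thread.
DEFAULT_INI = """[Options]
UseAllowVerbs=1
UseAllowExtensions=0
[AllowVerbs]
GET
POST
[DenyExtensions]
.exe
.bat
.cmd
.com
[DenyUrlSequences]
..
"""
# The same file with only the ".exe" line commented out, as in the fix above.
PATCHED_INI = DEFAULT_INI.replace("\n.exe\n", "\n;.exe\n")


def check(ini_text: str, verb: str, url: str):
    """Return (allowed, reason) for one request under the given INI (simplified model)."""
    # List sections hold bare names with no '=' value, hence allow_no_value.
    cfg = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cfg.read_string(ini_text)
    opts = cfg["Options"]
    names = lambda sec: set(cfg[sec]) if cfg.has_section(sec) else set()
    v = verb.lower()  # configparser lowercases keys, so compare in lowercase
    if opts.getboolean("UseAllowVerbs"):
        if v not in names("AllowVerbs"):
            return False, f"verb {verb} not in [AllowVerbs]"
    elif v in names("DenyVerbs"):
        return False, f"verb {verb} in [DenyVerbs]"
    path = url.split("?", 1)[0].lower()
    # [DenyUrlSequences] applies regardless of the Use* switches at the top.
    for seq in names("DenyUrlSequences"):
        if seq in path:
            return False, f"URL contains denied sequence {seq!r}"
    # Extension taken from the last '.' of the file name; '.' if it has none.
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else "."
    if opts.getboolean("UseAllowExtensions"):
        if ext not in names("AllowExtensions"):
            return False, f"extension {ext} not in [AllowExtensions]"
    elif ext in names("DenyExtensions"):
        return False, f"extension {ext} in [DenyExtensions]"
    return True, "allowed"
```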