Re: Editing Script Mappings

From: David Wang [Msft] (someone@online.microsoft.com)
Date: 04/08/03


From: "David Wang [Msft]" <someone@online.microsoft.com>
Date: Tue, 8 Apr 2003 02:05:50 -0700


There is no absolute answer to your question. I can only provide you with
an explanation and let you make the appropriate choice(s).

"Check that file exists" means that IIS will attempt to open what it thinks
the Scriptmap will most likely try to open as a script file (for execution
by the Scriptmap Engine).

What it realistically means is that IIS attempts to check the existence of a
script file prior to passing it to the Scriptmap for execution. If it fails
the validity check, IIS won't even bother invoking the Scriptmap. This
single check will prevent Code Red, which relies on making a request to a
non-existent .ida resource purely to exploit the defective Index Server
ISAPI. The astute reader will realize that this is an ATTEMPT by IIS to
check the existence of a script file; how an ISAPI Extension determines the
true path of its script file is arbitrary, and if you enable this check on a
Scriptmap that uses a different means of specifying path of its script file,
that Scriptmap will appear to fail far more than it should. For example,
Exchange Server's ISAPI Extension falls under this category.

"Script Engine" means that IIS will run what it deems to be an "Executable"
in a vdir that has only "Scripts" permissions for the sole purpose of using
that "Script Engine" to execute the scripts in that vdir. This is mostly a
hold-over concept from prior IIS versions and you should not worry about its
setting. If a script engine needed it to work and you unchecked it, that
script engine will cease to work; if a script engine did not need this
setting, it wouldn't matter which way you checked it.

As far as Verbs are concerned, it depends on the IIS version. IIS5
interprets it in this manner -- if no verbs are given, then all verbs are
allowed. If any verbs are given, then only those verbs are allowed.

All of this is scriptable. You can either construct your own ADSI script,
or you can use %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS from the
commandline to make the changes. i.e.

CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS SET W3SVC/1/ROOT/ScriptMaps .asp,%SYSTEMROOT%\System32\inetsrv\asp.dll,4,GET,HEAD .stm,%SYSTEMROOT%\System32\inetsrv\ssinc.dll,5

Adds to the Default Website's root directory:
.asp mapping to ASP.DLL with only GET and HEAD verbs allowed, Check if File
exists enabled
.stm mapping to ssinc.dll with all verbs allowed, Check if File exists and
ScriptEngine enabled

As for how inheritance of Scriptmap works -- you will notice that it follows
an overriding model -- if you set this on a node, it overrides (not merges)
with any scriptmaps inherited from the parent node. This differs from the
UI behavior because the UI does a little bit of fixup behind the scenes to
give the appearance of editing scriptmaps in-place.

--
//David
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Ray" <res0cu5i@verizon@net> wrote in message
news:OPPEVXT$CHA.2072@TK2MSFTNGP10.phx.gbl...
     I just came across a paragraph on editing script mappings and the
"Script Engine" check box.  It stated, "If this check box is not checked,
then IIS will not allow the executable to run with the Scripts Only
permissions.  This checkbox is how IIS knows that an executable should be
performed to run with the Scripts Only permission instead of requiring the
full Scripts and Executables permission.  Without an option like this, how
would IIS know that a given executable is a script engine as opposed to some
other type of program?"  This wasn't entirely clear to me so I looked in the
IIS ResKit, but didn't find anything.  In the MS IIS 5.0 Documentation, page
57 it has a couple of sentences on this, but it still isn't clear.
    Is there a link to some additional information or a better explanation
in regards to this?  When I harden an IIS server, should I be selecting both
the "Script Engine" & "Check that the file exists" boxes?  For the
remaining script mappings should I be removing some of the HTTP verbs (HEAD
& OPTIONS) unless specifically needed?  Can this be scripted?
TIA
Ray
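
The ScriptMaps entry format, the IIS5 verb rule and the override (not merge) inheritance described in the reply above, as an added example that is not part of the original posting or of any Microsoft tool. The flag bits are inferred from the reply's own example (4 and 5); the sample entries, shortened DLL paths and function names are constructed for illustration.

```python
# Added example: decode IIS 5 ScriptMaps entries of the form
# "ext,path,flags[,verb,...]" and review them for hardening.
# Flag bits inferred from the reply's example: 4 = check that file exists,
# 5 = that plus Script Engine, hence 1 = Script Engine.
FLAG_SCRIPT_ENGINE = 1
FLAG_CHECK_FILE_EXISTS = 4


def parse_entry(entry):
    """Split one ScriptMaps string into its fields."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed script mapping: {entry!r}")
    flags = int(parts[2])
    return {
        "ext": parts[0].lower(),
        "path": parts[1],
        "script_engine": bool(flags & FLAG_SCRIPT_ENGINE),
        "check_file_exists": bool(flags & FLAG_CHECK_FILE_EXISTS),
        "verbs": [v.upper() for v in parts[3:] if v],  # empty = all verbs
    }


def verb_allowed(mapping, verb):
    """IIS5 interpretation: no verbs listed means every verb is allowed."""
    return not mapping["verbs"] or verb.upper() in mapping["verbs"]


def effective_scriptmaps(parent, child=None):
    """Override model: a node that sets ScriptMaps replaces the inherited list."""
    entries = parent if child is None else child
    return {m["ext"]: m for m in map(parse_entry, entries)}


def audit(entries):
    """List mappings to review; some engines legitimately need the check off."""
    findings = []
    for m in map(parse_entry, entries):
        if not m["check_file_exists"]:
            findings.append((m["ext"], "check-file-exists disabled"))
        if not m["verbs"]:
            findings.append((m["ext"], "all verbs allowed"))
    return findings


# Constructed sample data (paths shortened); the .ida line is hypothetical.
ROOT = [".asp,asp.dll,4,GET,HEAD", ".stm,ssinc.dll,5", ".ida,idq.dll,0"]
CHILD = [".asp,asp.dll,5,GET,HEAD,POST"]  # set on a child node: replaces ROOT
```

Calling `effective_scriptmaps(ROOT, CHILD)` returns only the `.asp` mapping, which is why a script that sets ScriptMaps on a child node must write the full list it wants there.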

