Re: Editing Script Mappings
From: Ray (res0cu5i@verizon@net)
Date: 04/08/03
From: "Ray" <res0cu5i@verizon@net> Date: Tue, 8 Apr 2003 07:33:48 -0400
Thanks David,
This is some nicely detailed info. If I understand it all correctly
then I'm fine with the default settings - whether or not the Script Engine &
Check if File Exists boxes are selected. I do reduce the number of script
mappings when I configure a server. Presently this is done in the UI
(property for the entire server). I plan to incorporate this into a script,
since I used a standard set (of script mappings) across our servers. Your
examples on scripting the allowed verbs are helpful. Can you point me to a
reference for that? Short of the IIS ResKit & the MS Press "IIS 5.0
Documentation", can you recommend any additional reference material?
Thanks Again,
Ray
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:uHmLQ4a$CHA.1692@TK2MSFTNGP12.phx.gbl...
> There is no absolute answer to your question. I can only provide you with
> an explanation and let you make the appropriate choice(s).
>
> "Check that file exists" means that IIS will attempt to open what it
> thinks the Scriptmap will most likely try to open as a script file (for
> execution by the Scriptmap Engine).
>
> What it realistically means is that IIS attempts to check the existence of
> a script file prior to passing it to the Scriptmap for execution. If it
> fails the validity check, IIS won't even bother invoking the Scriptmap.
> This single check will prevent Code Red, which relies on making a request
> to a non-existent .ida resource purely to exploit the defective Index
> Server ISAPI. The astute reader will realize that this is an ATTEMPT by
> IIS to check the existence of a script file; how an ISAPI Extension
> determines the true path of its script file is arbitrary, and if you
> enable this check on a Scriptmap that uses a different means of specifying
> path of its script file, that Scriptmap will appear to fail far more than
> it should. For example, Exchange Server's ISAPI Extension falls under this
> category.
>
> "Script Engine" means that IIS will run what it deems to be an
> "Executable" in a vdir that has only "Scripts" permissions for the sole
> purpose of using that "Script Engine" to execute the scripts in that vdir.
> This is mostly a hold-over concept from prior IIS versions and you should
> not worry about its setting. If a script engine needed it to work and you
> unchecked it, that script engine will cease to work; if a script engine
> did not need this setting, it wouldn't matter which way you checked it.
>
> As far as Verbs are concerned, it depends on the IIS version. IIS5
> interprets it in this manner -- if no verbs are given, then all verbs are
> allowed. If any verbs are given, then only those verbs are allowed.
>
> All of this is scriptable. You can either construct your own ADSI script,
> or you can use %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS from the
> commandline to make the changes. i.e.
>
> CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\ADSUTIL.VBS SET
> W3SVC/1/ROOT/ScriptMaps
> .asp,%SYSTEMROOT%\System32\inetsrv\asp.dll,4,GET,HEAD
> .stm,%SYSTEMROOT%\System32\inetsrv\ssinc.dll,5
>
> Adds to the Default Website's root directory
> .asp mapping to ASP.DLL with only GET and HEAD verbs allowed, Check if
> File exists enabled
> .stm mapping to ssinc.dll with all verbs allowed, Check if File exists and
> ScriptEngine enabled
>
>
> As for how inheritance of Scriptmap works -- you will notice that it
> follows an overriding model -- if you set this on a node, it overrides
> (not merges) with any scriptmaps inherited from the parent node. This
> differs from the UI behavior because the UI does a little bit of fixup
> behind the scenes to give the appearance of editing scriptmaps in-place.
>
> --
> //David
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Ray" <res0cu5i@verizon@net> wrote in message
> news:OPPEVXT$CHA.2072@TK2MSFTNGP10.phx.gbl...
> I just came across a paragraph on editing script mappings and the
> "Script Engine" check box. It stated, "If this check box is not checked,
> then IIS will not allow the executable to run with the Scripts Only
> permissions. This checkbox is how IIS knows that an executable should be
> performed to run with the Scripts Only permission instead of requiring the
> full Scripts and Executables permission. Without an option like this, how
> would IIS know that a given executable is a script engine as opposed to
> some other type of program?" This wasn't entirely clear to me so I looked
> in the IIS ResKit, but didn't find anything. In the MS IIS 5.0
> Documentation, page 57 it has a couple of sentences on this, but it still
> isn't clear.
> Is there a link to some additional information or a better explanation
> in regards to this? When I harden an IIS server, should I be selecting
> both the "Script Engine" & "Check that the file exists" boxes? For the
> remaining script mappings should I be removing some of the HTTP verbs
> (HEAD & OPTIONS) unless specifically needed? Can this be scripted?
> TIA
> Ray
>
>
>
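Added example, not part of the original thread and not Microsoft code: a small auditor for ScriptMaps strings in the "ext,path,flags,verbs" form shown in the quoted ADSUTIL command, applying the IIS 5 verb rule and the override (not merge) inheritance the reply describes. The function names, the dictionary standing in for the metabase, the C:\WINNT paths, the /app node and its .ida entry are assumptions made for illustration.

```python
# Flag bits inferred from the post: 4 = check file exists, 5 = 4 + script engine (1).
SCRIPT_ENGINE, CHECK_FILE_EXISTS = 1, 4

def parse_entry(entry):
    """Split one "ext,path,flags[,verb,...]" ScriptMaps string into fields."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError("malformed ScriptMaps entry: %r" % entry)
    flags = int(parts[2])
    return {
        "ext": parts[0].lower(),
        "path": parts[1],
        "script_engine": bool(flags & SCRIPT_ENGINE),
        "check_file_exists": bool(flags & CHECK_FILE_EXISTS),
        # IIS 5 rule from the post: no verbs listed means every verb is allowed.
        "verbs": [v.upper() for v in parts[3:] if v] or None,
    }

def effective_maps(metabase, node):
    """Entries in force at node: the nearest node that sets ScriptMaps wins, no merge."""
    while True:
        if node in metabase:
            return [parse_entry(e) for e in metabase[node]]
        if "/" not in node:
            return []
        node = node.rsplit("/", 1)[0]

def audit(entries, allowed_exts):
    """List hardening findings for a set of parsed entries."""
    findings = []
    for e in entries:
        if e["ext"] not in allowed_exts:
            findings.append((e["ext"], "mapping not in standard set"))
        if not e["check_file_exists"]:
            findings.append((e["ext"], "file-existence check disabled"))
        if e["verbs"] is None:
            findings.append((e["ext"], "all verbs allowed"))
    return findings

# Constructed sample: the root entries mirror the post; /app and .ida are hypothetical.
METABASE = {
    "W3SVC/1/ROOT": [
        r".asp,C:\WINNT\System32\inetsrv\asp.dll,4,GET,HEAD",
        r".stm,C:\WINNT\System32\inetsrv\ssinc.dll,5",
    ],
    "W3SVC/1/ROOT/app": [r".ida,C:\WINNT\System32\idq.dll,0"],
}
```

Because a child node's list replaces the parent's outright, the audit has to run against each node that sets ScriptMaps, not only the site root.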