Re: How to get IIS5 functional again

From: Michel Gallant (neutron@istar.ca)
Date: 06/03/02


Date: Sun, 02 Jun 2002 19:55:45 -0400
From: Michel Gallant <neutron@istar.ca>


(Win2000 Pro. SP2 fully patched)

As promised, continuing from where I left off below, which was:
  IIS5 was reinstalled and fully patched and everything (asp, asp.net) works
  fine.

Now, IIS lockdown (2.1) was run. This time, it reverts to previous backed-up
settings (since Lockdown had already been run):
  - IIS Lockdown (revert)
  - checked IIS5 functionality (asp and asp.net) : OK
  (note that some settings, as configured based on BSA recommendations, were
   also reverted by this Lockdown run!)

Now, run IIS Lockdown again to set new configuration:
 - IIS Lockdown with "Dynamic Web Server" template used and with most recommended settings
 - rebooted (not required)
 - checked IIS5 (asp & asp.net) and all functionality is OK.
(note that IIS Lockdown, as reported in the report window, shows that the two IIS related accounts
(which previously, on IIS5 install, were members of the GUEST GROUP), have
 been also added to two new GROUP accounts:

    "Added user 'IUSR_<userid>' to local group 'Web Anonymous Users'.
     Added user 'IWAM_<userid>' to local group 'Web Applications'. ")

The checkboxes in Admin Tools\Computer Management\Local Users and Groups\Users\[General Pane]
for these two accounts remain the same as just after IIS5 fresh install as:
   "User cannot change password" (checked)
   "Password never expires" (checked)
all others unchecked and/or greyed out.

---- Summary -----------------------------
So, there does NOT seem to be a problem with IIS5 functionality and asp/asp.net
applications on Win2000 Pro. sp2, after installing IIS Lockdown 2.1 with
the "Dynamic Web Server" template selected.
----------------------------------------------

I must conclude that some setting which was done AFTER IIS Lockdown was
performed, based on recommendations of BSA, caused problems with the
IUSR and IWAM, as well as the ASPNET accounts and disabled IIS active functionality.
Again, the only evidence I have is that all 3 of these accounts, when IIS was not working, looked
like this:
 http://www3.sympatico.ca/mitchg/tech/aspnet.jpg

 - Mitch Gallant

Michel Gallant wrote:

> Yes, there are errors in the event log (I mentioned them earlier in this thread).
> Basic html pages worked, but nothing with any asp active content.
>
> Anyhow, I finally recovered the basic functionality of IIS5 with asp & aspnet back
> by doing this:
>
> - uninstall IIS5
> - delete C:\Inetpub directory (as it persists with uninstall)
> - reinstall IIS5 as admin
> - started service and default (asp enabled) home page works properly
> - checked the IUSR_ .. and IWAM_... and they now are as
> shown in URL in previous message
>
> Reinstalled required IIS 5 MS cumulative patches:
> MS02-012
> MS02-018
> Verified by hfnetchk that IIS is now fully patched again .... OK.
>
> To get asp.net working (with .net Framework SDK), I needed to restore and
> re-register the ASPNET account using:
> aspnet_regiis.exe -i (tool with .net Framework SDK installation)
> iisreset.exe
> (this fixed the ASPNET "blanked out" settings to the usual checkable (via admin) settings.)
>
> Then, the virtual IIS directories for .net QuickStart samples (which were removed
> with IIS5 uninstall) had to be regenerated, using the .net SDK config. utility:
> ConfigSamples.exe
>
> Now, everything is back to normal; asp.net samples run properly, usual asp pages
> display as expected.
>
> What I will do NEXT, is carefully run IIS Lockdown again (with advanced settings to
> allow asp engine to run).
>
> I am *pretty* sure that the problems originated from some setting that was suggested to
> be changed when I ran the Baseline Security Analyzer (BSA). After I run IIS Lockdown,
> I will run BSA again and check the status log to see which setting(s) have reverted to
> ones that should be locked down.
> This might lead me back to the original setting I changed that caused all these problems!
>
> Thanks for all help, and probably more to come here in a day or so.
>
> - Mitch Gallant
> http://home.istar.ca/~neutron/wsh
>
> "Dominick Roselli [MS]" wrote:
>
> > What happens when you try to browse to an asp page?
> > Do you get an error in the browser? In the event log?
> > Do HTML pages work?
> > If you temporarily dump the IWAM and IUSR account in the local
> > administrators group, does that change the behavior?
> >
> > Regards,
> > Dominick Roselli
> > domironline@microsoft.com
> >
> > This posting is provided “AS IS” with no warranties, and confers no rights.
> > You assume all risk for your use. © 2001 Microsoft Corporation. All rights
> > reserved.
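
Added example, not part of the original post or thread: a Python check that parses `net user <account>` output and reports drift from the account state the post describes after a fresh IIS5 install and Lockdown run. The host name WEB01 and the sample output are constructed, and treating "Account active: Yes" as the expected value is an assumption based on "all others unchecked".

```python
import re

# Constructed sample of `net user IUSR_WEB01` output (host name WEB01 is made up).
SAMPLE_NET_USER = """\
User name                    IUSR_WEB01
Account active               Yes

Password expires             Never
User may change password     No

Local Group Memberships      *Guests               *Web Anonymous Users
Global Group memberships     *None
The command completed successfully.
"""

# Known-good state as described in the post (fresh IIS5 install checkboxes).
EXPECTED_FLAGS = {
    "Account active": "Yes",           # assumption: "Account is disabled" unchecked
    "Password expires": "Never",       # "Password never expires" checked
    "User may change password": "No",  # "User cannot change password" checked
}

def parse_net_user(text):
    """Return (fields, local_groups) parsed from `net user <name>` output."""
    fields, groups, in_groups = {}, set(), False
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s{2,}(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2)
            in_groups = key == "Local Group Memberships"
            if not in_groups:
                fields[key] = value.strip()
        elif in_groups and line.startswith(" "):
            value = line                # wrapped continuation of the group list
        else:
            in_groups = False
            continue
        if in_groups:                   # group names are prefixed with '*'
            groups.update(g.strip() for g in value.split("*") if g.strip())
    return fields, groups

def audit_account(text, required_groups):
    """Return a list of deviations; an empty list means no drift."""
    fields, groups = parse_net_user(text)
    issues = [f"{k}: expected {want!r}, found {fields.get(k)!r}"
              for k, want in EXPECTED_FLAGS.items() if fields.get(k) != want]
    issues += [f"missing local group {g!r}" for g in sorted(required_groups - groups)]
    return issues
```

Capturing this output for the IUSR, IWAM and ASPNET accounts before and after each hardening change narrows down which setting altered them.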


