|
|
You're in the
iis security
group:URLSCAN & FrontPage2003 on WIN2000 Server
iis security:
Hi David,
That is a limitation of UrlScan, unfortunately. It's all or nothing -- --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC] http://www.visualwin.com - A Windows Server 2003 visual, step-by-step tutorial site :-) http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out here Only reply by newsgroup. I do not do technical support via email. Any emails I have not authorized are deleted before I see them. [quoted text, click to view] "David Martin" <David.Martin@skill-it.com> wrote in message news:%23S1rwXL%23DHA.132@TK2MSFTNGP09.phx.gbl... > I have URLSCAN setup as per KB article 307608. > What the article does not mention is that some FrontPage functionality will > be lost - for example : > > [02-21-2004 - 19:01:17] Client at 192.168.0.4: URL contains extension > '.exe', which is disallowed. Request will be rejected. Site Instance='1', > Raw URL='/Pontacq/_vti_bin/fpcount.exe/Pontacq/' > > Is there any way to allow specific exe's rather than open the door to > potentially all ? > > David. > >
I have URLSCAN setup as per KB article 307608.
What the article does not mention is that some FrontPage functionality will be lost - for example : [02-21-2004 - 19:01:17] Client at 192.168.0.4: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/Pontacq/_vti_bin/fpcount.exe/Pontacq/' Is there any way to allow specific exe's rather than open the door to potentially all ? David.
[quoted text, click to view]
> Is there any way to allow specific exe's rather than open the door > to potentially all ? Not with IIS5/5.1. It is technically impossible to implement what you are asking without modifying IIS5/5.1 directly. IIS6 natively does this, with better granularity than URLScan. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "David Martin" <David.Martin@skill-it.com> wrote in message I have URLSCAN setup as per KB article 307608.news:%23S1rwXL%23DHA.132@TK2MSFTNGP09.phx.gbl... What the article does not mention is that some FrontPage functionality will be lost - for example : [02-21-2004 - 19:01:17] Client at 192.168.0.4: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/Pontacq/_vti_bin/fpcount.exe/Pontacq/' Is there any way to allow specific exe's rather than open the door to potentially all ? David.
Hi David,
If there are 2 EXEs in a folder served by IIS 6, you can make it so only one is downloadable? -- --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC] http://www.visualwin.com - A Windows Server 2003 visual, step-by-step tutorial site :-) http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out here Only reply by newsgroup. I do not do technical support via email. Any emails I have not authorized are deleted before I see them. [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:ukDU1rR%23DHA.1632@TK2MSFTNGP12.phx.gbl... > > Is there any way to allow specific exe's rather than open the door > > to potentially all ? > > Not with IIS5/5.1. It is technically impossible to implement what you are > asking without modifying IIS5/5.1 directly. > > IIS6 natively does this, with better granularity than URLScan. > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "David Martin" <David.Martin@skill-it.com> wrote in message > news:%23S1rwXL%23DHA.132@TK2MSFTNGP09.phx.gbl... > I have URLSCAN setup as per KB article 307608. > What the article does not mention is that some FrontPage functionality will > be lost - for example : > > [02-21-2004 - 19:01:17] Client at 192.168.0.4: URL contains extension > '.exe', which is disallowed. Request will be rejected. Site Instance='1', > Raw URL='/Pontacq/_vti_bin/fpcount.exe/Pontacq/' > > Is there any way to allow specific exe's rather than open the door to > potentially all ? > > David. > > >
O well, What does anyone think of the following :
1. Remove .exe from [DenyExtensions] 2. Modify security settings for counters to read/write for the IISuser. 3.. Add the following [DenyUrlSequences] cmd.exe winnt system Now I know that these sequences should not be reachable anyway - but my logs show that is exactly what is attempted. Dave. p.s.- This is what worries me (a spammer I have upset I think with my very prompt spamcop reporting. [02-11-2004 - 11:06:12] ---------------- Initializing UrlScan.log ---------------- [02-11-2004 - 11:06:12] -- Filter initialization time: [02-03-2004 - 03:07:02] -- [02-11-2004 - 11:06:12] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/MSADC/root.exe' [02-11-2004 - 11:06:12] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe' [02-11-2004 - 11:06:13] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe' [02-11-2004 - 11:06:13] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe' [02-11-2004 - 11:06:14] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe' [02-11-2004 - 11:06:14] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe' [02-11-2004 - 11:06:14] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe' [02-11-2004 - 11:06:15] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe' [02-11-2004 - 11:06:15] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe' [02-11-2004 - 11:06:16] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe' [02-11-2004 - 11:06:16] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system3 2/cmd.exe' [02-11-2004 - 11:06:17] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe' [02-11-2004 - 11:06:17] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../win nt/system32/cmd.exe' [02-11-2004 - 11:06:17] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe' [02-11-2004 - 11:06:18] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe' [02-11-2004 - 11:06:18] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd ..exe' [02-11-2004 - 11:06:19] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe' [02-11-2004 - 11:06:19] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd. exe' [02-11-2004 - 11:06:20] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd ..exe' [02-11-2004 - 11:06:20] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd ..exe' [02-11-2004 - 11:06:20] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cm d.exe' [02-11-2004 - 11:06:21] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/c/winnt/system32/cmd.exe' [02-11-2004 - 11:06:21] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.e xe' [02-11-2004 - 11:06:22] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd. exe' [02-11-2004 - 11:06:22] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/d/winnt/system32/cmd.exe' [02-11-2004 - 11:06:23] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd ..exe' [02-11-2004 - 11:06:23] Client at 62.101.126.236: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cm d.exe' [02-11-2004 - 11:06:23] Client at 62.101.126.236: URL normalization was not complete after one pass. Request will be rejected. Site Instance='1', Raw URL='/msaDC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe'
Yes. AccessFlags has granularity down to per-URL, so you can set it at a
per-file level. i.e. Suppose I have a download folder of EXEs that are pointed to by a vdir, and I only want ONE of the EXEs in the folder to be executable via HTTP. What I can do is set up the vdir to have Read but NO "Execute Permissions" (so EXEs are downloaded by default), and then create a IIsWebFile for that one EXE underneath the vdir (I don't see this in the UI, but I can modify the metabase directly to do this) and set the IIsWebFile's AccessFlags property value to be 517 "Scripts and Executables". Now, when you retrieve URLs from this vdir, this one EXE is executed, but everything else is downloaded. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message Hi David,news:OcUlI7R%23DHA.4088@tk2msftngp13.phx.gbl... If there are 2 EXEs in a folder served by IIS 6, you can make it so only one is downloadable? -- --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC] http://www.visualwin.com - A Windows Server 2003 visual, step-by-step tutorial site :-) http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out here Only reply by newsgroup. I do not do technical support via email. Any emails I have not authorized are deleted before I see them. [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:ukDU1rR%23DHA.1632@TK2MSFTNGP12.phx.gbl... > > Is there any way to allow specific exe's rather than open the door > > to potentially all ? > > Not with IIS5/5.1. It is technically impossible to implement what you are > asking without modifying IIS5/5.1 directly. > > IIS6 natively does this, with better granularity than URLScan. > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "David Martin" <David.Martin@skill-it.com> wrote in message > news:%23S1rwXL%23DHA.132@TK2MSFTNGP09.phx.gbl... > I have URLSCAN setup as per KB article 307608. > What the article does not mention is that some FrontPage functionality will > be lost - for example : > > [02-21-2004 - 19:01:17] Client at 192.168.0.4: URL contains extension > '.exe', which is disallowed. Request will be rejected. Site Instance='1', > Raw URL='/Pontacq/_vti_bin/fpcount.exe/Pontacq/' > > Is there any way to allow specific exe's rather than open the door to > potentially all ? > > David. > > >
Wow, that's pretty interesting.
Thanks for the info, -- --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC] http://www.visualwin.com - A Windows Server 2003 visual, step-by-step tutorial site :-) http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out here Only reply by newsgroup. I do not do technical support via email. Any emails I have not authorized are deleted before I see them. [quoted text, click to view] "David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:eb4KO5d%23DHA.1672@TK2MSFTNGP12.phx.gbl... > Yes. AccessFlags has granularity down to per-URL, so you can set it at a > per-file level. > > i.e. Suppose I have a download folder of EXEs that are pointed to by a vdir, > and I only want ONE of the EXEs in the folder to be executable via HTTP. > What I can do is set up the vdir to have Read but NO "Execute Permissions" > (so EXEs are downloaded by default), and then create a IIsWebFile for that > one EXE underneath the vdir (I don't see this in the UI, but I can modify > the metabase directly to do this) and set the IIsWebFile's AccessFlags > property value to be 517 "Scripts and Executables". > > Now, when you retrieve URLs from this vdir, this one EXE is executed, but > everything else is downloaded. > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers no rights. > // > "Jonathan Maltz [MS-MVP]" <jmaltz@mvps.org> wrote in message > news:OcUlI7R%23DHA.4088@tk2msftngp13.phx.gbl... > Hi David, > > If there are 2 EXEs in a folder served by IIS 6, you can make it so only one > is downloadable? > > -- > --Jonathan Maltz [Microsoft MVP - Windows Server, Virtual PC] > http://www.visualwin.com - A Windows Server 2003 visual, step-by-step > tutorial site :-) > http://vpc.visualwin.com - Does <insert OS name> work on VPC 2004? Find out > here > Only reply by newsgroup. I do not do technical support via email. Any > emails I have not authorized are deleted before I see them. > > > "David Wang [Msft]" <someone@online.microsoft.com> wrote in message > news:ukDU1rR%23DHA.1632@TK2MSFTNGP12.phx.gbl... > > > Is there any way to allow specific exe's rather than open the door > > > to potentially all ? > > > > Not with IIS5/5.1. It is technically impossible to implement what you are > > asking without modifying IIS5/5.1 directly. > > > > IIS6 natively does this, with better granularity than URLScan. > > > > -- > > //David > > IIS > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > // > > "David Martin" <David.Martin@skill-it.com> wrote in message > > news:%23S1rwXL%23DHA.132@TK2MSFTNGP09.phx.gbl... > > I have URLSCAN setup as per KB article 307608. > > What the article does not mention is that some FrontPage functionality > will > > be lost - for example : > > > > [02-21-2004 - 19:01:17] Client at 192.168.0.4: URL contains extension > > '.exe', which is disallowed. Request will be rejected. Site Instance='1', > > Raw URL='/Pontacq/_vti_bin/fpcount.exe/Pontacq/' > > > > Is there any way to allow specific exe's rather than open the door to > > potentially all ? > > > > David. > > > > > > > > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |