IIS Lockdown and WSH and Distributed Assembly execute permission denied


IIS Lockdown and WSH and Distributed Assembly execute permission denied - Tim Frawley
1/28/2005 2:30:58 PM
We are running applications via distributed assemblies on our intranet
site. This requires a stub executable to load the assembly. After
running the IIS Lockdown tool 2.1 on IIS 5.0, Win2k server (SP4 with
all the latest updates and patches from MS) the executables will no
longer run. We get a 404 error.

I have attempted to review the options in IIS lockdown but cannot find
any setting that will deny access to system utilities like tftp.exe and
cmd.exe yet allow our stub executable to run.

Also I have an issue with wsh scripts that we execute on request that
is related to the IIS Lockdown tool not allowing access to this system
utility.

What do I need to do before or after running the IIS Lockdown tool that
will allow our wsh scripts and selected executables to still run?
Re: IIS Lockdown and WSH and Distributed Assembly execute permission denied - David Wang [Msft]
1/29/2005 1:23:51 AM
IIS Lockdown by default will install URLScan, which denies all requests
containing ".exe" with 404. It is not possible to configure it to disallow all
.exe except foo.exe and bar.exe. Read the documentation for IIS Lockdown and
URLScan for configuration options.

http://www.microsoft.com/technet/security/tools/urlscan.mspx



I do not think IIS Lockdown has any direct effect on your WSH scripts. There
are two ways that these scripts can be invoked:
1. Directly via the URL. This requires a ScriptMap entry in IIS telling it
what executable to execute to handle URL with the given extension. IIS
Lockdown won't remove/disable such ScriptMap entries, so it cannot affect
WSH scripts.
2. Indirectly via something ELSE launched via the URL (i.e. an EXE makes a
call to the WSH scripts and you make a request to the .EXE). In this case,
IIS has no effect on code launched by something ELSE, like WSH scripts.
However, IIS Lockdown can prevent the "something ELSE" from being directly
launched.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
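The limitation David describes (URLScan decides on the URL's extension alone, so ".exe" is either refused for every file or for none) can be seen by modelling the [DenyExtensions] / [AllowExtensions] decision. The Python below is an added example, not URLScan's code and not anything posted in this thread; the section and option names are the ones named in the thread, the sample urlscan.ini is constructed, and the treatment of a bare "." entry as "request with no extension" is an assumption.

```python
"""Added example: a small model of URLScan's extension rules.

Denied requests answer 404, as the thread states.  Not URLScan's own code;
the sample ini is constructed.
"""
import copy
import posixpath
from urllib.parse import urlsplit

SAMPLE_INI = """\
; constructed sample, modelled on the urlscan.ini sections the thread names
[Options]
UseAllowExtensions=0

[AllowExtensions]
.asp
.htm
.html
.

[DenyExtensions]
.exe
.bat
.cmd
.vbs
"""


def parse_ini(text):
    """Parse the list-style ini into {section_name_lower: [entries]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def get_option(sections, key, default):
    """Read key=value from [Options]; key names compare case-insensitively."""
    for entry in sections.get("options", []):
        name, _, value = entry.partition("=")
        if name.strip().lower() == key.lower():
            return value.strip()
    return default


def set_option(sections, key, value):
    """Return a copy of the config with the [Options] key set to value."""
    new = copy.deepcopy(sections)
    opts = [e for e in new.get("options", [])
            if e.partition("=")[0].strip().lower() != key.lower()]
    opts.append(f"{key}={value}")
    new["options"] = opts
    return new


def without_entry(sections, section, entry):
    """Return a copy with one entry removed (what commenting out .exe does)."""
    new = copy.deepcopy(sections)
    new[section.lower()] = [e for e in new.get(section.lower(), [])
                            if e.lower() != entry.lower()]
    return new


def extension_of(url):
    """Lower-cased extension of the request path; '.' stands for
    'no extension' (assumed to match URLScan's bare '.' entry)."""
    _, ext = posixpath.splitext(urlsplit(url).path)
    return ext.lower() if ext else "."


def decide(url, sections):
    """Return (status, reason) for one request URL."""
    ext = extension_of(url)
    if get_option(sections, "UseAllowExtensions", "0") == "1":
        allowed = {e.lower() for e in sections.get("allowextensions", [])}
        if ext not in allowed:
            return 404, f"{ext} is not listed in [AllowExtensions]"
        return 200, f"{ext} is listed in [AllowExtensions]"
    denied = {e.lower() for e in sections.get("denyextensions", [])}
    if ext in denied:
        return 404, f"{ext} is listed in [DenyExtensions]"
    return 200, f"{ext} is not in [DenyExtensions]"


if __name__ == "__main__":
    base = parse_ini(SAMPLE_INI)
    relaxed = without_entry(base, "DenyExtensions", ".exe")
    for url in ("/app/stub.exe", "/scripts/cmd.exe", "/default.asp"):
        print(f"{url:18} default: {decide(url, base)[0]}   "
              f".exe removed: {decide(url, relaxed)[0]}")
```

Running it shows the trade-off in the thread: with ".exe" in [DenyExtensions] both the stub executable and cmd.exe get 404; once ".exe" is removed, both pass the URLScan layer, and the rule set has no way to name one file and refuse the other.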

Re: IIS Lockdown and WSH and Distributed Assembly execute permission denied - Tim Frawley
1/31/2005 9:42:51 AM


Thank you David for your quick response.

1.) I read up on URLScan and had to comment out .exe under
[DenyExtensions]. It would be nice if you could specify the executable
to allow while denying everything else.
Thanks for the info, it worked just fine.

2.) The WSH script is invoked by ASP code like so:
    ' ASP (VBScript) as posted, with comments added
    Set obj = CreateObject("WScript.Shell")   ' Windows Script Host shell object
    obj.Run "cscript template.vbs"            ' launches cscript.exe as a separate process
The intention is to run a report handled by the WSH cscript when the
user clicks a button so that the user does not have to wait for the
database to respond to the query.

After IIS Lockdown is run the Web Anonymous Users and Web Applications
groups have deny (everything) on cscript.exe. Changing that to allow
Read/Execute does not seem to help. I believe there may be supporting
DLLs or files that also need their NTFS permissions changed. Do you
have any thoughts on this? I really appreciate your help!


Sincerely,

Tim Frawley

Re: IIS Lockdown and WSH and Distributed Assembly execute permission denied - Tim Frawley
1/31/2005 9:42:55 AM
WenJun,

Thank you for the information. I managed to fix my first issue with
David's response. My second issue concerning WSH executing behind the
scenes is still a problem and is described here:

2.) The WSH script is invoked by ASP code like so:
    ' ASP (VBScript) as posted, with comments added
    Set obj = CreateObject("WScript.Shell")   ' Windows Script Host shell object
    obj.Run "cscript template.vbs"            ' launches cscript.exe as a separate process
The intention is to run a report handled by the WSH cscript when the
user clicks a button so that the user does not have to wait for the
database to respond to the query.

After IIS Lockdown is run the Web Anonymous Users and Web Applications
groups have deny (everything) on cscript.exe. Changing that to allow
Read/Execute does not seem to help. I believe there may be supporting
DLLs or files that also need their NTFS permissions changed. Do you
have any thoughts on this? I really appreciate your help!

Sincerely,

Tim Frawley

Re: IIS Lockdown and WSH and Distributed Assembly execute permission denied - v-wzhang NO[at]SPAM online.microsoft.com
1/31/2005 10:50:39 AM
Hi Tim,

Open \WINNT\system32\inetsrv\urlscan\urlscan.ini and you should see
.exe is in [DenyExtensions] by default. Also, if UseAllowExtensions=1
then all file extensions not in [AllowExtensions] will be denied as
404.

I also suggest you look at the site's IIS log:
\WINNT\system32\LogFiles\W3SVC[n]
Search the 404 errors in it and determine which ones are related to
the problem based on the URI. This may help you find out which kind
of file or execution is denied and then fix it. If you need any help
on this, feel free to paste the log content here.

Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.
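The log check WenJun suggests (pull the 404 entries out of the W3SVC log and group them by URI) is quick to script. The Python below is an added example and not part of any post in this thread; the log lines are constructed, and the only format assumption is the standard W3C extended "#Fields:" header that IIS writes, with spaces inside a field encoded as "+".

```python
"""Added example: find the 404s in an IIS W3C extended log, grouped by URI
and by extension.  The sample log is constructed."""
import posixpath
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-01-28 14:30:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-01-28 14:30:05 10.0.0.21 GET /default.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-01-28 14:30:09 10.0.0.21 GET /app/stub.exe assembly=Reports 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-01-28 14:30:12 10.0.0.21 POST /reports/run.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-01-28 14:31:40 10.0.0.37 GET /app/stub.exe assembly=Reports 404 Mozilla/4.0+(compatible;+MSIE+6.0)
2005-01-28 14:32:02 10.0.0.37 GET /reports/template.vbs - 404 Mozilla/4.0+(compatible;+MSIE+6.0)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields
    line.  Spaces inside a field are '+'-encoded, so a whitespace split
    gives exactly one token per field."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]     # a new header may appear mid-file
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def find_404s(text):
    """All requests the server answered with 404 (URLScan rejections included)."""
    return [r for r in parse_w3c(text) if r["sc-status"] == "404"]


def count_by_uri(records):
    """Which URIs are being refused, and how often."""
    return Counter(r["cs-uri-stem"] for r in records)


def count_by_extension(records):
    """Which extensions are being refused: a cluster of 404s on one
    extension right after running IIS Lockdown points at URLScan's
    [DenyExtensions] rather than at a missing file."""
    return Counter(posixpath.splitext(r["cs-uri-stem"])[1].lower() or "(none)"
                   for r in records)


if __name__ == "__main__":
    hits = find_404s(SAMPLE_LOG)
    for uri, n in count_by_uri(hits).most_common():
        print(f"{n:4}  {uri}")
    print(dict(count_by_extension(hits)))
```

On a real log, point `find_404s` at the contents of the latest ex*.log file in the site's W3SVC[n] directory; if a site was logged with a different field selection, the parser picks the names up from the #Fields line rather than assuming positions.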
Re: IIS Lockdown and WSH and Distributed Assembly execute permission denied - David Wang [Msft]
1/31/2005 1:26:07 PM
1. It is a frequent request (fine-grained control over resource/extension),
but it is technically impossible to build on IIS4/IIS5/IIS5.1 (ultimately,
you are trying to deny binary code, not URL extensions, from running, and
that info is not available on any ISAPI interface so it cannot be controlled
with 100% accuracy) -- such control is available on IIS6 in Web Service
Extensions because we designed it from the beginning as a control mechanism.
2. Try FileMon from www.sysinternals.com to see exactly which DLL files are
getting access-denied.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Re: IIS Lockdown and WSH and Distributed Assembly execute permission denied - Tim Frawley
2/1/2005 9:34:39 AM


David and WenJun,

Thank you for your responses. FileMon was a big help in finding the
files that were accessed in order to process the WSH script. Mainly it
showed me that everything was working fine. Due to this I was able to
determine what the problem was and fix it.

My main mistake was placing the template vbs file in the
InetPub\AdminScripts directory. I noticed that after the Lockdown tool
was run my template script was restored to an older version. Four
months ago I rewrote our reporting site along with the template. After
restoring the template from backup I was able to get it working again.

Thanks for all your help!

Sincerely,


Tim Frawley

Re: IIS Lockdown and WSH and Distributed Assembly execute permission denied - v-wzhang NO[at]SPAM online.microsoft.com
2/1/2005 10:08:37 AM
Hi Tim,

I have the same opinion as David. You may first look at the following
file permissions:

1) The script file and cscript.exe.
2) The output filename directory in case the script writes something
into the disk.
3) \WINNT\system32\wshom.ocx
4) \WINNT\system32\scrrun.dll
5) \WINNT\system32\shell32.dll

If still no success, use filemon to trace the I/O of inetinfo.exe and
cscript.exe. First you have to set the site's application protection
to low to make sure it's running in inetinfo.exe. Then launch filemon
and input inetinfo.exe;cscript.exe as the included filter string.
This will help you track down the I/O of them. Browse to the web page
to reproduce the issue. If the error is actually on file permission
layer, you should see some access denied error in the trace.

Feel free to paste the filemon log here if you need assistance on it.
Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.
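David's suggestion to run FileMon and WenJun's procedure above (filter on inetinfo.exe;cscript.exe, reproduce, look for access denied) produce a trace that is easier to read once the noise is filtered out. The Python below is an added example, not code from either poster or from Sysinternals: it keeps only ACCESS DENIED rows from the two watched processes and flags which of them hit a file from WenJun's checklist. The tab-separated column layout (#, Time, Process, Request, Path, Result, Other, with Process written as name:pid) is an assumption about FileMon's saved output, and the trace rows are constructed.

```python
"""Added example: filter a saved FileMon trace for ACCESS DENIED results from
inetinfo.exe and cscript.exe.  Column layout assumed; trace constructed."""

WATCHED = {"inetinfo.exe", "cscript.exe"}   # the filter string from the post

# Fixed-name files from WenJun's checklist; the script file and the output
# directory vary per site, so they are not listed here.
CHECKLIST_NAMES = {"cscript.exe", "wshom.ocx", "scrrun.dll", "shell32.dll"}

# Constructed trace.  Row 3 shows a checklist file being refused to the web
# server; rows 4 and 5 show the script and its output directory being refused
# to cscript.exe; row 6 is unrelated noise from another process.
SAMPLE_TRACE = "\n".join("\t".join(cols) for cols in [
    ("#", "Time", "Process", "Request", "Path", "Result", "Other"),
    ("1", "9:42:01 AM", "inetinfo.exe:1220", "OPEN", r"C:\Inetpub\wwwroot\reports\run.asp",
     "SUCCESS", "Options: Open  Access: Read"),
    ("2", "9:42:01 AM", "inetinfo.exe:1220", "OPEN", r"C:\WINNT\system32\cscript.exe",
     "SUCCESS", "Options: Open  Access: Execute"),
    ("3", "9:42:01 AM", "inetinfo.exe:1220", "OPEN", r"C:\WINNT\system32\wshom.ocx",
     "ACCESS DENIED", "Options: Open  Access: Read"),
    ("4", "9:42:02 AM", "cscript.exe:1808", "OPEN", r"C:\Inetpub\AdminScripts\template.vbs",
     "ACCESS DENIED", "Options: Open  Access: Read"),
    ("5", "9:42:02 AM", "cscript.exe:1808", "OPEN", r"C:\Reports\out\daily.txt",
     "ACCESS DENIED", "Options: Open  Access: Write"),
    ("6", "9:42:03 AM", "explorer.exe:612", "OPEN", r"C:\Temp\x.txt",
     "ACCESS DENIED", "Options: Open  Access: Write"),
])


def parse_trace(text):
    """Rows as dicts; the header line (starts with '#') is skipped and the
    pid is dropped from the Process column."""
    names = ["seq", "time", "process", "request", "path", "result", "other"]
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(names):
            raise ValueError(f"unexpected column count: {line!r}")
        row = dict(zip(names, cols))
        row["process"] = row["process"].split(":", 1)[0].lower()
        rows.append(row)
    return rows


def access_denied(rows, watched=WATCHED):
    """Only the denials from the processes included in FileMon's filter."""
    return [r for r in rows
            if r["process"] in watched and r["result"] == "ACCESS DENIED"]


def requested_access(other):
    """Pull the requested access (Read / Write / Execute) out of the Other column."""
    marker = "Access:"
    if marker in other:
        return other.split(marker, 1)[1].strip().split()[0]
    return "?"


def denied_report(text):
    """{path: (process, access, on_checklist)} for every watched denial."""
    report = {}
    for r in access_denied(parse_trace(text)):
        filename = r["path"].rsplit("\\", 1)[-1].lower()
        report[r["path"]] = (r["process"], requested_access(r["other"]),
                             filename in CHECKLIST_NAMES)
    return report


if __name__ == "__main__":
    for path, (proc, access, listed) in denied_report(SAMPLE_TRACE).items():
        tag = "checklist file" if listed else "site-specific file"
        print(f"{proc:13} {access:8} {tag:19} {path}")
```

Each reported path is one NTFS ACL to inspect for the Web Anonymous Users / Web Applications deny entries IIS Lockdown adds; a denial on a site-specific path (the script itself or its output directory, as in the thread) is as telling as one on a system DLL.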
Re: IIS Lockdown and WSH and Distributed Assembly execute permission denied - v-wzhang NO[at]SPAM online.microsoft.com
2/2/2005 3:08:33 AM
You are welcome. :-)

Best regards,

WenJun Zhang
Microsoft Online Partner Support

This posting is provided "AS IS" with no warranties, and confers no
rights.