Internet Information Server 4.0 (and 5.0)
DESCRIPTION
Internet Information Server 4.0 (and 5.0). By Nicolas PAOUR, 12 January 2004. Contents: Introduction; Required configuration to set up IIS; IIS Setup (HowTo); Web Setup; FTP Setup; SMTP Setup; Security within IIS; What are FrontPage extensions; Using FrontPage with IIS; Frequent TroubleShooting.
12/02/2004 Nicolas Paour 1
Internet Information Server 4.0 (and 5.0)
By Nicolas PAOUR
12 January 2004
Contents
• Introduction
• Required configuration to setup IIS
• IIS Setup (HowTo)
• Web Setup
• FTP Setup
• SMTP Setup
• Security within IIS
• What are FrontPage extensions
• Using FrontPage with IIS
• Frequent TroubleShooting
Overview
• What is IIS
– Questions/Answers
• Aim
– Product overview
– Getting information
– Understanding security
– Managing IIS & FrontPage
Overview
• Basic concepts under NT
– FAT: no valid security
– NTFS: security possible
– Any user who reaches an NT station through a share or over the Internet must be identified by login and password (local or global)
Required configuration to set up IIS
• Windows NT4 Server: NTFS partition (Yes), Index Server (Yes), Multi Virtual Site (Yes)
• Windows Workstation: NTFS partition (Yes), Index Server (No), Multi Virtual Site (No)
• Windows 95/98: NTFS partition (No), Index Server (No), Multi Virtual Site (No)
• Windows 2000 Server: NTFS partition (Yes), Index Server (Yes), Multi Virtual Site (Yes)
• Windows 2000 Pro: NTFS partition (Yes), Index Server (Yes), Multi Virtual Site (No)
IIS Set up – 1/6
• Check that the D drive is an NTFS partition
• Set NTFS rights on it:
– administrators (Full)(Full)
– system (Full)(Full)
– remove Everyone
• Check whether IIS3 exists
• Uninstall IIS3
• Check that « Regional Settings » is US
• Copy into c:\install:
– NT4_IIS4_serveur files (no space in folder name)
– FP2k_4.0.2.4317-(SR1.2) server extensions
– Metaedit files
– MDAC (2.52.6019.2)
– ADSI (2.5)
IIS Set up – 2/6
• Run NT4_IIS4_serveur\install.exe
– Disabled “Certificate Server”
– Disabled “FrontPage 98 Server Extensions”
– Disabled “Internet Connection Services for RAS”
– Internet Information Server (IIS):
• Disabled “documentation”
• Enabled “FTP”
• Disabled “Internet NNTP Service”
• Enabled “Internet Service Manager”
• Disabled “Internet Service Manager (HTML)”
• Enabled “SMTP Service”
• Disabled “World Wide Web Sample Site”
• Enabled “World Wide Web Server”
– Enabled “Microsoft Data Access Components 1.5” (All)
IIS Set up – 3/6
– Enabled “Microsoft Index Server” (default)
• Language Resources:
– French Language
– UK English Language
– US English Language
– Enabled “Microsoft Management Console”
– Disabled “Microsoft Message Queue”
– Disabled “Microsoft Script Debugger”
– Disabled “Microsoft Site Server Express 2.0”
– Enabled “NT Option Pack Common Files”
– “Transaction Server” (Default)
– Disabled “Visual Interdev RAD Remote Deployment Support”
– Enabled “Windows Scripting Host”
• Select folders:
– D:\wwwroot\application_name.hp.com\_shareweb (_fpweb if FrontPage is used)
– D:\ftproot\public
– C:\program files
IIS Set up – 4/6
• MTS (default)
• Index Server on D:\wwwroot\application_name.hp.com\_catalog
• Reboot
• Remove “Administration Web Site”
• Delete all virtual directories:
– IISsample
– IISadmin
– IIShelp
– Scripts
– IISadmPwd
– msadc
• Remove folders:
– D:\wwwroot\application_name.hp.com\iissample
– D:\wwwroot\application_name.hp.com\scripts
– D:\wwwroot\application_name.hp.com\_shareweb\phone book service
IIS Set up – 5/6
• Install Metaedit
• Run Metaedit and add:
– LM/W3SVC
ID: 6013 (LogonMethod)
attributes: inherit
user type: file
data type: DWORD
value: 3 (for SP3 and SP5)
value: 2 (for SP4, SP5 and SP6)
– LM/MSFTPSVC
ID: 6013 (LogonMethod)
attributes: inherit
user type: file
data type: DWORD
value: 3
• Update MDAC and ADSI (reboot)
• Update SP6a + Hotfix (reboot)
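The same metabase change can be scripted instead of typed into Metaedit. The script below is an added example, not part of Nicolas Paour's deck: it writes LogonMethod (metabase ID 6013) on the WWW and FTP services through the IIS ADSI provider, assuming the ADSI 2.5 install from slide 1/6 and a local server, and takes the values 2 for W3SVC and 3 for MSFTPSVC from the table for an SP6a server. LogonMethod selects the NT logon type IIS uses for the anonymous IUSR account; a network logon (2 or 3) needs only the “Access this computer from network” right and not “Log on locally”, which is what makes the user-rights changes of slide 6/6 possible.

```vbscript
' set_logonmethod.vbs - added example, not part of the original deck.
' Writes the metabase property LogonMethod (ID 6013) on the WWW and FTP
' services through the IIS ADSI provider, the scripted equivalent of the
' Metaedit step. Needs ADSI 2.5 and the IIS ADSI provider on the server.
' Run on the server as an administrator: cscript //nologo set_logonmethod.vbs
Option Explicit

' Documented meanings of the LogonMethod values
Const LOGON_INTERACTIVE = 0         ' needs the "Log on locally" right
Const LOGON_BATCH = 1               ' needs "Log on as a batch job"
Const LOGON_NETWORK = 2             ' needs "Access this computer from network"
Const LOGON_NETWORK_CLEARTEXT = 3   ' network logon that keeps the credentials for outbound connections

Sub SetLogonMethod(adsPath, newValue)
    Dim svc, oldValue
    Set svc = GetObject(adsPath)       ' e.g. IIS://localhost/W3SVC
    oldValue = svc.LogonMethod         ' current (possibly inherited) value
    svc.LogonMethod = newValue
    svc.SetInfo                        ' commit the change to the metabase
    WScript.Echo adsPath & ": LogonMethod " & oldValue & " -> " & newValue
End Sub

' Values taken from the deck's table for an SP6a server (assumption: adjust to your SP)
SetLogonMethod "IIS://localhost/W3SVC", LOGON_NETWORK
SetLogonMethod "IIS://localhost/MSFTPSVC", LOGON_NETWORK_CLEARTEXT
```

After running it, a reboot (or an IIS service restart) applies the new logon type to the anonymous account; the echoed old value lets you confirm that the key was really missing or wrong, which is the “Missing key 6013 / Wrong value” case of the TroubleShooting slide.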
IIS Set up – 6/6
• Open User Manager
– Remove from “Access this computer from network”:
• IUSR account
• IWAM account
– Add to “Access this computer from network”:
• “Authenticated Users”
– Remove from “Log on locally”:
• IUSR account
• IWAM account
Web Set up
• If it is a FrontPage server:
– Install the FP2K Server Extensions
– Set “browse access” with FP2K
• If it is not a FrontPage server:
– Set IUSR_ComputerName (RX)(R) on the d:\wwwroot\application_name\_shareweb folder
• Enable “Basic Authentication” – Netscape access (to validate!)
• Set up IP, port and host header for each website (don’t use “All unassigned”)
• Create the d:\weblog folder and point the new virtual web’s logging to this folder
– Administrators (Full)(Full)
– System (Full)(Full)
FTP Set up
• NTFS rights for d:\ftproot\public:
– administrators (full)(full)
– system (full)(full)
– Everyone (RWX)(R)
• Open mmc and select all options
SMTP Set up
• NTFS rights for the mailroot folder:
– mailroot and all subfolders except pickup:
• administrators (full)(full)
• system (full)(full)
– mailroot\pickup:
• administrators (full)(full)
• system (full)(full)
• everyone (RWX)(RX)
• Add the IWAM_ServerName account as an operator in IIS -> SMTP properties
– If not, a website using the CDONTS.NewMail object in an isolated process returns the error "permission denied".
http://msdn.microsoft.com/library/periodic/period99/asp9951.htm
Security within IIS
• « Hardware » :o)
– NTFS
• « Software » :o(
– FAT and NTFS
Note: Any user who reaches an NT station through a share or over the Internet must be identified by login and password (local or global)
Security within IIS – Anonymous 1/2
NTFS rights per folder (NT4 notation: first group = folder permissions, second group = permissions for files created in it):
Folder                          Adm+Sys   Web-adm       IUSR      Everyone
D:                              (F)(F)    -             -         -
 └─ wwwroot                     (F)(F)    -             -         -
    └─ home.grenoble.hp.com     (F)(F)    -             -         -
       ├─ _catalog              (F)(F)    -             -         -
       │  └─ catalog.wci        (F)(F)    -             -         -
       ├─ _fpweb                (F)(F)    (RWXD)(RWD)   (RX)(R)   -
       ├─ _report               (F)(F)    (RX)(R)       -         -
       ├─ _sharetools           (F)(F)    (R)(R)        -         -
       │  ├─ cgi                (F)(F)    (RWXD)(RWD)   -         (RWX)(RW)
       │  ├─ database           (F)(F)    (RWXD)(RWD)   -         (RWX)(RW)
       │  └─ upload             (F)(F)    (RWXD)(RWD)   -         (RWX)(RWD)
       ├─ _shareweb.null        (F)(F)    (RWXD)(RWD)   (RX)(R)   -
       └─ _ssl2                 (F)(F)    (RWXD)(RWD)   -         -
Security within IIS – Anonymous 2/2
• Access to data on the Web server (IIS)
To access the data via the Internet, the Web server supplies an anonymous login/password:
Login: IUSR_Serveur   Pass: ******
-> NT authentication successful
-> IUSR_Serveur has (RX)(R) on the folder
Security within IIS – Secure access 1/2
NTFS rights per folder (same notation as above; the IUSR column is replaced by a Web-Usr account):
Folder                          Adm+Sys   Web-adm       Web-Usr   Everyone
D:                              (F)(F)    -             -         -
 └─ wwwroot                     (F)(F)    -             -         -
    └─ home.grenoble.hp.com     (F)(F)    -             -         -
       ├─ _catalog              (F)(F)    -             -         -
       │  └─ catalog.wci        (F)(F)    -             -         -
       ├─ _fpweb                (F)(F)    (RWXD)(RWD)   (RX)(R)   -
       ├─ _report               (F)(F)    (RX)(R)       -         -
       ├─ _sharetools           (F)(F)    (R)(R)        -         -
       │  ├─ cgi                (F)(F)    (RWXD)(RWD)   -         (RWX)(RW)
       │  ├─ database           (F)(F)    (RWXD)(RWD)   -         (RWX)(RW)
       │  └─ upload             (F)(F)    (RWXD)(RWD)   -         (RWX)(RWD)
       ├─ _shareweb.null        (F)(F)    (RWXD)(RWD)   (RX)(R)   -
       └─ _ssl2                 (F)(F)    (RWXD)(RWD)   -         -
Security within IIS – Secure access 2/2
• Basic security
To secure a web site, remove the IUSR account from the drive:
Login: IUSR_Serveur   Pass: ******    -> NT authentication refused
Login: Login_Name     Pass: Password  -> NT authentication successful
-> Login_Name has (RX)(R) on the folder
Security within IIS – SSL 1/2
SSL encryption « https: » – https://serveur_name
(figure: Private Key, Public Key, Session Key)
What are FrontPage extensions
FrontPage extensions allow:
• the use of specific components like
– Hit Counter
– Scheduled Include Page
– Categories
– Search Form
• publishing your site quickly
(figure: SSL Filter, FrontPage Filter)
Using FrontPage with IIS
The FrontPage interface is required for:
• Web site creation
• Site management (child site, move folder, …)
• Security settings
• Site publishing
• Site deletion
Using FrontPage with IIS - Site creation -
• Web site creation
(figure: Yes / No)
Using FrontPage with IIS - Site management -
• Site creation (FrontPage child site)
• Move folder – use drag & drop
• Recalculate Hyperlinks
Using FrontPage with IIS - Security setting -
• Use FrontPage Security Permissions
• Don’t use Directory Permissions
Using FrontPage with IIS - Site Publishing -
• Use the FrontPage publishing tool
• Don’t use a shared directory
Using FrontPage with IIS - Site deletion -
• Use the FrontPage delete option
• Don’t use NT “delete directory”
Using FrontPage with IIS - Components (bis) -
FrontPage extensions allow the use of specific components:
• Insert menu, Component submenu
– Hit Counter
– Confirmation Field
– Include Page
– Scheduled Include Page
– Categories
– Search Form
– Additional Components (not used)
Frequent TroubleShooting
http://membres.lycos.fr/paour/easy_doc/index.html
TroubleShootings
• Security access – “Access denied”, “Data area passed to a system call is too small”
– TroubleShooting: missing key 6013, or wrong value
• Send mail with CDO – “Access Is Denied”
– TroubleShooting: wrong NTFS right in the Pickup folder
• Use of a specific DLL – doesn’t work
– TroubleShooting: see the aspupload example
• Secure Site – can’t test secure access …
– TroubleShooting: don’t use your NT account (log on with a test account). Add these lines:
TYPE <%=Request.ServerVariables("AUTH_TYPE")%><br>
PASSWORD <%=Request.ServerVariables("AUTH_PASSWORD")%><br>
USER <%=Request.ServerVariables("AUTH_USER")%><br>
Example 1 • ASPUpload use
1. Create d:\components\aspupload with admin (full)(full), system (full)(full)
2. Copy aspupload.dll into the « aspupload » folder
3. Test script: http://sopra100.sopra-hp.net/upload/default.htm
4. Errors and TroubleShooting (IIS 4 / IIS 5 wording):
• “Server.CreateObject Failed – Library not registered (or invalid class ID)” / “Server object, ASP 0177 (0x800401F3) Invalid ProgID.” / “… Microsoft VBScript runtime error '800a01ad' ActiveX component can't create object”
– TroubleShooting: regsvr32 D:\component\aspupload\bin\AspUpload.dll
• “Access Denied” / “Server object, ASP 0178 (0x80070005) The call to Server.CreateObject failed while checking permissions. Access is denied to this object.”
– TroubleShooting: D:\component\aspupload\bin\ (RX)(RX), or AspUpload.dll (RX)
• “Persits.Upload.1 (0x800A0005) The system cannot find the file specified.”
– TroubleShooting: Upload folder: Everyone (RWX)(RX)
Example 2 • Find a DLL on a « Library not registered » or « ActiveX component can't create object » error
• Read the object name in the script: Server.CreateObject("Persits.Upload")
• Open regedit
• Read the data of HKEY_CLASSES_ROOT\Persits.Upload\CLSID: {B4E1B2EC-151B-11D2-926A-006008123235}
• Search {B4E1B2EC-151B-11D2-926A-006008123235} in the HKEY_CLASSES_ROOT\CLSID keys
• Note the string data of HKEY_CLASSES_ROOT\CLSID\{…}\InprocServer32
Example: C:\wwwroot\SOPRA100\_dll\AspUpload.dll
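The regedit walk of Example 2 can be done with a Windows Scripting Host script (WSH is enabled in slide 3/6). The script below is an added example, not part of the deck: it follows the ProgID -> CLSID -> InprocServer32 chain with WScript.Shell.RegRead and then checks that the registered DLL is actually present on disk, which separates the “not registered” case (fix: regsvr32) from the “registered but missing or unreadable file” case. The ProgID Persits.Upload is the one from Example 2; the script name is an assumption.

```vbscript
' find_progid_dll.vbs - added example, not part of the original deck.
' Resolves a COM ProgID to the DLL that implements it, exactly as the
' regedit steps of Example 2 do, and reports whether that DLL exists.
' Usage: cscript //nologo find_progid_dll.vbs [ProgID]   (default: Persits.Upload)
Option Explicit

Dim sh, fso, progId, clsid, dllPath

Set sh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

If WScript.Arguments.Count = 0 Then
    progId = "Persits.Upload"          ' the ProgID read from Server.CreateObject(...) in Example 2
Else
    progId = WScript.Arguments(0)
End If

' A trailing backslash makes RegRead return the key's (Default) value.
On Error Resume Next
clsid = sh.RegRead("HKEY_CLASSES_ROOT\" & progId & "\CLSID\")
If Err.Number <> 0 Then
    WScript.Echo "ProgID " & progId & " is not registered (no HKCR\" & progId & "\CLSID key): run regsvr32 on the DLL."
    WScript.Quit 1
End If
dllPath = sh.RegRead("HKEY_CLASSES_ROOT\CLSID\" & clsid & "\InprocServer32\")
If Err.Number <> 0 Then
    WScript.Echo "CLSID " & clsid & " has no InprocServer32 entry: not an in-process server, or a broken registration."
    WScript.Quit 2
End If
On Error GoTo 0

WScript.Echo "ProgID : " & progId
WScript.Echo "CLSID  : " & clsid
WScript.Echo "DLL    : " & dllPath

' The registered path can be stale (DLL moved or deleted after registration).
If fso.FileExists(dllPath) Then
    WScript.Echo "DLL present. If IIS still reports 'Access is denied', check the NTFS (RX) right on the DLL folder for the IUSR/IWAM accounts."
Else
    WScript.Echo "DLL not found at the registered path: re-register the copy you installed with regsvr32 <path>\AspUpload.dll"
End If
```

Run it on the server itself: the registry and the NTFS rights it refers to are those of the machine running IIS, and the last line tells you which of the two TroubleShooting fixes of Example 1 applies.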
Example 3 • Secure access
Add these lines to a test page:
TYPE <%=Request.ServerVariables("AUTH_TYPE")%><br>
PASSWORD <%=Request.ServerVariables("AUTH_PASSWORD")%><br>
USER <%=Request.ServerVariables("AUTH_USER")%><br>
• Anonymous access: ..\Secure | IUSR_Computername (RX)(R)
TYPE (blank)
PASSWORD (blank)
USER (blank)
• Challenge/Response (remove IUSR account): ..\Secure | training (RX)(R)
Or for IIS5: Digest (NT2000) – Integrated
TYPE NTLM or Negotiate
PASSWORD (blank)
USER SOPRA-HP\training
• Basic (remove IUSR account): ..\Secure | training (RX)(R)
TYPE Basic
PASSWORD trai123ning
USER SOPRA-HP\training
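The test page below is an added example (VBScript in an ASP page, not from Nicolas Paour's deck) that extends the three lines of Example 3 and illustrates the IUSR-versus-NT-account logic of the “Anonymous” and “Secure access” slides. It reports AUTH_TYPE, AUTH_USER and LOGON_USER, treats a request that still arrives as anonymous (empty AUTH_USER) as a sign that the IUSR account still has rights on a folder meant to be secured, and reports whether a cleartext password reached the server (the Basic case of the table) without echoing it. The file name whoami.asp is an assumption.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' whoami.asp - added example, not part of the original deck.
' Shows how IIS authenticated the current request, for the secure-access
' checks of Example 3, without printing the password to the browser.
Dim authType, authUser, logonUser, isSecure, hasPassword

authType  = Request.ServerVariables("AUTH_TYPE")    ' "", "Basic", "NTLM", "Negotiate" or "Digest"
authUser  = Request.ServerVariables("AUTH_USER")    ' empty when the request runs as IUSR (anonymous)
logonUser = Request.ServerVariables("LOGON_USER")   ' NT account the request is impersonating
isSecure  = (LCase(Request.ServerVariables("HTTPS")) = "on")
' With Basic authentication the browser sends the password in every request
' and IIS hands it to the script in AUTH_PASSWORD; only test for its presence.
hasPassword = (Len(Request.ServerVariables("AUTH_PASSWORD")) > 0)

Response.ContentType = "text/plain"

If Len(authUser) = 0 Then
    ' Anonymous access reached a folder that was meant to be secured: the
    ' IUSR account still has (RX)(R) on it (see the NTFS tables above).
    Response.Status = "403 Forbidden"
    Response.Write "Anonymous (IUSR) access is still allowed on this folder." & vbCrLf
    Response.End
End If

Response.Write "TYPE     " & authType & vbCrLf
Response.Write "USER     " & authUser & vbCrLf
Response.Write "LOGON    " & logonUser & vbCrLf
Response.Write "HTTPS    " & isSecure & vbCrLf
If hasPassword Then
    Response.Write "PASSWORD available to the server (Basic)" & vbCrLf
    If Not isSecure Then
        Response.Write "Basic authentication is in use without SSL: the password crosses the network in the clear." & vbCrLf
    End If
Else
    Response.Write "PASSWORD not available to the server (NTLM/Negotiate/Digest)" & vbCrLf
End If
%>
```

Place the page in the ..\Secure folder of the example and open it with the test account of the deck rather than your own NT account: with the IUSR account removed from the folder and Challenge/Response enabled, the browser is prompted and the page shows the NTLM or Negotiate type with USER set; with Basic enabled and no SSL, the last line of the output points at the slide “Enabled Basic Authentication” plus the SSL slide as the matching configuration.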
Example 4 • Secure access
• Challenge/Response (remove IUSR account): ..\Secure | training (RX)(R)
• Change the secure folder into an IIS Application -> Access Denied !!!
• TroubleShooting: remove global.asa, OR allow Everyone (RX)(R) on the global.asa folder