IIS7 - Configuration & Scripting

Re: Using MWA to remotely manage IIS on Server Core.

mvolo — Tue, 27 May 2008 14:48:42 GMT

Update on this:

In the absence of an official article, I describe the fixed port best practice here: http://mvolo.com/blogs/serverside/archive/2008/05/26/Accessing-IIS-7.0-configuration-remotely-and-on-server-core.aspx.

There is a batch file to configure fixed port access, and a tool you can use to check common connectivity issues.

Thanks,

Mike Volodarsky

http://www.mvolo.com

Re: Using MWA to remotely manage IIS on Server Core.

colinbo — Sat, 08 Mar 2008 06:07:46 GMT

mvolo:
I've asked our config guys to look into producing official guidance for opening up DCOM for the configuration COM objects

Mike - Did this guidance get published?

Re: Using MWA to remotely manage IIS on Server Core.

colinbo — Mon, 28 Jan 2008 04:38:38 GMT

Mike,

I agree that the dllhost.exe is a pretty nasty solution. The key though is the AHAdmin COM object. With that information I added an Endpoints entry to the registry per KB217351, rebooted the server, and now my server is happy with a locked down port. My new rule set is as follows:

NetSh AdvFirewall Firewall Add Rule Name="Remote Web Server Management (RPC)" Dir=In Action=Allow Program="C:\WINDOWS\SYSTEM32\dllhost.exe" Protocol=TCP LocalPort=49494

NetSh AdvFirewall Firewall Add Rule Name="Remote Web Server Management (RPC-EPMap)" Dir=In Action=Allow Program="C:\WINDOWS\SYSTEM32\SvcHost.exe" Service=RPCSS Protocol=TCP LocalPort=RPC-EPMap

That's a whole lot more secure. I would love to use the IIS Management Service but my understanding is that with Server Core that is not an option. Hopefully the Server Core guys will get the .NET Framework in for the next release. I can see a lot of advantages to having it as an option in Server Core.

Cheers,
Colin

Re: Using MWA to remotely manage IIS on Server Core.

mvolo — Mon, 28 Jan 2008 03:20:36 GMT

Dan, Colin,

I've asked our config guys to look into producing official guidance for opening up DCOM for the configuration COM objects.

IMHO, I wouldnt open RPC in general in a production system just to allow MWA remoting - I believe many enterprises already have policy against doing this. Opening RPC for dllhost.exe is no better (as Colin mentions), since most COM objects are hosted by dllhost.exe COM servers.

Given the current DCOM support, I would use the approach given by KB 312960 to publish the RPC endpoint used by the "Ahadmin" COM package to a specific port. Then, open that port in the firewall. This way, you would only open DCOM access to the IIS COM objects, which require authentication and demand administrative credentials.

Also, while this is not a substitute for programatic IIS administration, you can consider using IIS Manager's remote management capability which uses HTTP-based connectivity to the management service, and therefore doesnt require DCOM. Unfortunately, this currently requires you to perform your management within the context of the IIS Manager.

I've asked our config guys to come up with the official guidance for opening DCOM endpoints for Ahadmin that can be published on IIS.NET.

Thanks for raising this issue -

Mike Volodarsky

Program Manager
IIS Core Server
Visit mvolo.com for more on IIS 7.0 and ASP.NET

Re: Using MWA to remotely manage IIS on Server Core.

colinbo — Sun, 27 Jan 2008 18:16:07 GMT

DungKHoang:
Proto Local Address Foreign Address State
TCP 192.168.0.111:135 192.168.0.110:49228 ESTABLISHED
RpcSs
[Svchost.exe]

Netstat is a timing-based tool. You need to get it at the right time to see the connection to the end-point established. The excerpt above is probably too early in the process since the connection is being made to the RPC endpoint mapper. Windows Server 2008 has changed the RPC endpoint mapper behaviour from using all ports above 1024 for dynamic endpoints to locking it down to a specific range of 49152 through 65535 by default. This should eliminate the need for setting the RPC registry key you noted allowing you to focus on 49152 and above.

I mentioned the SvcHost earlier because it appears that Windows Firewall will automagically read into the RPC packet and look for the end point service that is being accessed to provide another level of filtering beyond a port number. This is pretty nifty in my opinion. The resulting Windows Firewall rules then say that "i'm going to allow dynamic RPC endpoint traffic, but it must be service X that is being access". This is certainly one step better than opening up an entire port range into the open. Too bad it doesn't support DLLHost-based processes which is why I suggested that SvcHost.exe is a better choice, and the best choice being a custom COM surrogate wrapper. Other approaches have been to lock services down to specific endpoints. NTDS, Netlogon, and FRS take this approach. I don't really have a preference either way from a development perspective, but I know the security folks do prefer a known ports rather than a range. I'm also going to suggest that it is unlikely that you'll have many happy security analysts who want to open 49152-65535 for servers because it relies on the server being properly configured as well. The trust factor will make this a nightmare scenario that could easily be solved by enabling adminsitrators to set a specific port. I don't know the underpinings well enough to comment on the best approach but I do know that DCOM does offer up the ability to lock down to a specific port through Component Services.

Thanks for the post too, it has been interesting to dig back into RPC and get up to speed on some of the smaller changes coming in Windows Server 2008. These changes make it exciting and worth to upgrade to the latest versions. I'm excited to get our hands on the advanced firewall for our production servers next month. I wrote up more of an explanation on how I understand RPC to work for others that come across this thread in the future.

Cheers,
Colin

Re: Using MWA to remotely manage IIS on Server Core.

DungKHoang — Sun, 27 Jan 2008 17:45:55 GMT

Colin

Thanks much!

I confirm that adding those two rules work for MWA! You rock!

The starnge thing is that MWA works right away agaisnt IIS7 installed on a full server ( without any modification for the firewall rules) while it's quite a challenge to find out rules for MWA on Server Core.

Again, thanks for looking at this problem,

/Dung

Re: Using MWA to remotely manage IIS on Server Core.

DungKHoang — Sun, 27 Jan 2008 17:37:32 GMT

Mike,

I did it on the IIS-CORE machine ( server side). After adding the registry entries and reboot the system, it still doesn't work.

Here is what I did:

Open the registry on IIS-CORE
Create a key under HKLM\Software\Microsoft\Rpc called Internet
Add the following entries: Ports Multi_SZ 3000-4000 ; PortsInternetAvailable Y ; UseInternetPorts Y
Reboot the server

After the server reboots,

Disable the firewall netsh firewall set opmode DISABLE ( to look at the ports used)
Run Netstat -B ( as suggested by ColinBo)
On IIS-FULL, run MWATEST.EXE IIS-CORE
On IIS-CORE, I notice the following connection:

Proto Local Address Foreign Address State
TCP 192.168.0.111:135 192.168.0.110:49228 ESTABLISHED
RpcSs
[Svchost.exe]

Note: 192.168.0.111 is IIS-CORE and 192.168.0.110 is IIS-FULL

Enable the firewall netsh firewall set opmode ENABLE

/Dung

Re: Using MWA to remotely manage IIS on Server Core.

colinbo — Sun, 27 Jan 2008 06:55:43 GMT

I have the following rule groups enabled:

Core Networking
File and Printer Sharing
Remote Administration
Windows Remote Management
Windows Management Instrumentation (WMI)
Secure World Wide Web Services (HTTPS)
World Wide Web Services (HTTP)

I think I found it after watching what is happening with NETSTAT -B. The RPC endpoint is going through dllhost.exe. Adding the following two rules seems to enable it:

NetSh AdvFirewall Firewall Add Rule Name="Remote Web Server Management (RPC)" Dir=In Action=Allow Program="C:\WINDOWS\SYSTEM32\dllhost.exe" Protocol=TCP LocalPort=RPC

NetSh AdvFirewall Firewall Add Rule Name="Remote Web Server Management (RPC-EPMap)" Dir=In Action=Allow Program="C:\Windows\system32\svchost.exe" Service=RPCSS Protocol=TCP LocalPort=RPC-EPMap

I can't really vouch for the security of it as it came about through trial-and-error.It's too bad that the IIS Administration doesn't flow through a custom COM surrogate so that we could lock it down to something other than DLLHost.exe. Even SvcHost.exe would be better because it appears that Windows Firewall allows us to specify a service (we could specify IISAdmin for example). It seems like we're opening a can of worms here, no? Any thoughts from the PMs lurking?

Cheers,
Colin

Re: Using MWA to remotely manage IIS on Server Core.

mvolo — Sun, 27 Jan 2008 01:21:34 GMT

Did you follow the KBs to restrict DCOM to specific ports? I didnt see you mention anything about doing this. See my previous post for information.

Thanks,

Mike Volodarsky

Program Manager
IIS Core Server
Visit mvolo.com for more IIS 7.0 posts, tools, and info

Re: Using MWA to remotely manage IIS on Server Core.

DungKHoang — Fri, 25 Jan 2008 22:38:09 GMT

Hi Mike,

That's exaclty what I did as expalined in my previous replies.

Create 2 rules to allow incoming access to port 135 on protocol TCP and UDP

netsh advfirewall firewall add rule name="COM+ Network Access (DCOM-In)" dir=in protocol=TCP localport=135

netsh advfirewall firewall add rule name="COM+ Network Access (DCOM-In)- UDP" dir=in protocol=UDP localport=135

Sorry for not being clear,

/Dung

Re: Using MWA to remotely manage IIS on Server Core.

mvolo — Fri, 25 Jan 2008 21:36:46 GMT

Hi Dung,

According to that document, you need to open port 135, but also need to open the port that the DCOM connection will use. There are two approaches:

By default, DCOM uses RPC dynamic port allocation, which randomly selects port numbers above 1024. In addition, port 135 is used by the RPC endpoint mapping service.Restrict the ports required to support DCOM on the internal firewall in two ways:

Define port ranges. This allows you to control the ports dynamically allocated by RPC. For more information about dynamic port restrictions, see Microsoft Knowledge Base article 300083, "How To: Restrict TCP/IP Ports on Windows 2000 and Windows XP."

Use static endpoint mapping. Microsoft Windows 2000 SP3 (or QFE 18.1 and later) or Windows Server 2003 allows you to configure Enterprise Services applications to use a static endpoint. Static endpoint mapping means that you only need to open two ports in the firewall: port 135 for RPC and a nominated port for your Enterprise Services application. For more information about static endpoint mapping, see Microsoft Knowledge Base article 312960, "Cannot Set Fixed Endpoint for a COM+ Application."

Thanks,

Mike Volodarsky

Program Manager
IIS Core Server
Visit mvolo.com for more on IIS 7.0 and ASP.NET

Re: Using MWA to remotely manage IIS on Server Core.

DungKHoang — Fri, 25 Jan 2008 12:58:05 GMT

Thanks for the pointer,

I have tried to add a rule for COM Accesss on UDP/ port 135 but it still does not work

/Dung

Re: Using MWA to remotely manage IIS on Server Core.

mvolo — Thu, 24 Jan 2008 23:02:05 GMT

Hi Dung,

Try this: http://msdn2.microsoft.com/en-us/library/ms809327.aspx. I am not 100% sure this is still valid, but you can try it as I have seen very recent references to it.

Let me know if it doesnt work for you.

Thanks,

Mike Volodarsky

Program Manager
IIS Core Server
Visit mvolo.com for more IIS 7.0 posts, tools, and info

Re: Using MWA to remotely manage IIS on Server Core.

DungKHoang — Thu, 24 Jan 2008 22:56:15 GMT

Hi Mike,

Here is what I observed:

On Full Server (IIS-FULL), the rule "COM+ Network Access (DCOM-In)" exists but is NOT enabled. MWA works!
On Server Core (IIS-CORE), the rule does not exist MWA does not work

Here is what I did on Server Core

Enable Remote admin on the firewall

netsh firewall set service remoteadmin

netsh advfirewall set currentprofile settings remote management enable

Result: MWA does not work

Create a rule:

netsh advfirewall firewall add rule name="COM+ Network Access (DCOM-In)" dir=in protocol=TCP localport=135

netsh advfirewall firewall set rule name="COM+ Network Access (DCOM-In)" new enable=Yes

Result: MWA does not work

Turn off firewall

netsh advfirewall set allprofiles state off

Result: MWA works!

I really don't want to use the 3rd option (turn the firewall off). There must be another rule to make it work. If you have an idea, I really appreciate your help on this

Thanks!

/Dung

Re: Using MWA to remotely manage IIS on Server Core.

mvolo — Wed, 23 Jan 2008 23:44:52 GMT

Hmm, can you first check the firewall to make sure it allows "COM+ Network Access (DCOM-In)"?

Thanks,

Mike Volodarsky

Program Manager
IIS Core Server
Visit mvolo.com for more IIS 7.0 posts, tools, and info