Search results matching tag 'security'

IIS7.5 / NTFS best practice

northcide — Fri, 27 Nov 2009 02:41:39 GMT

Sorry if this has been discussed to death but I can't seem to find a straight answer. I'm running Windows Server 2008 R2, IIS 7.5 on a non-domain machine.

I host several sites, some being classic asp some .net stuff, some static and I'm trying to setup some default standard user permissions for each site.

I create a new user on the machine for each site for that site's app pool to run under. My confusion ensues from here. From what I can tell the simple and secure thing to do at this point is to remove this user from the USERS group, and add the created user to the web root dir with modify access.

Should I by default add the IUSR and/or IIS_IUSRS to the NTFS permissions for the web directory?

In the past I havent really paid much attention to doing anything beyond adding the IUSR/WPG (IIS 6) users to have modify access on the folder - but i'd like to make things right.

thanks in advance!

Windows 7, IIS 7.5 and the Firewall... General Firewall Questions.

wil2 — Fri, 20 Nov 2009 11:20:13 GMT

I installed IIS 7.5 on my Windows 7 machine last night for development work.

Basically, I want to run a few sites on different ports - I do not want to have to mess around with hosts files or DNS entries, I simply want to have a few sites active just on localhost and switch between them by port numbers... Then change the home folder when I am done to another project.

Everything works fine locally. I then went from another machine and it did not work. I enabled the "World Wide Web Services (HTTP Traffic-In)" rule under Inbound Rules, and it works without problems for Port 80, however, none of the additional sites work.

I have created additional rules and that works, however I feel like I have left the machine open as it just doesn't feel right!

Why is the default rule targeted to port 80 and not the IIS process/service itself?

Why does it have "Apply to all programs and services" and not just the "World Wide Web Publishing Service / W3SVC"?

Is there a better way of doing this? - I don't want to have to create a new rule each time I want to enable/disable a site and I do not remember having to do this on XP which was the last time I used IIS on a development machine where I used multiple ports (but I could be wrong).

Urgent: Can not impersonate for MSutil with ASP.NET

tuantomy — Mon, 09 Nov 2009 08:46:10 GMT

I created a website using ASP.NET and imported MSUtil as a reference. MSUtil.Interop was installes into GAC.

Then I create a code like this:

LogQueryClassClass logQuery = new LogQueryClassClass();

COMEventLogInputContextClassClass evtLog = new COMEventLogInputContextClassClass();

ILogRecordset iLogRecordSet = logQuery.Execute("SELECT top 10 FROM \\abc\security", evtLog);

---------------

I publish this web application on IIS local, identity of this website is a domain account but this account did not belong to Local Admin Group.

I rewrite the code using:

using(Impersonate imp = new Impersonate("account_A","domain","pass"))

{

///My code here

}

account_A is a domain account with full rights on that computer and belongs to Local Admin Group.

But I still get an error, I mean I could not impersonate my code to admin account when I run the application with non-local admin account as identity.

Please help me fix that.

Thanks

Remote and automated IIS 7 management from build server - permissions issue

wimdows — Wed, 04 Nov 2009 10:21:15 GMT

I've posted the following question on StackOverflow:

Here's the scenario:

Win2003 Build Server (CCNET)
IIS7 target deployment server

The various MSBuild tasks (Sdc.Tasks, MSBuild Community, MSBuild Extension Pack) for doing this (creating VDirs, setting AppPool properties) are not suitable for at least one or more of the following reasons:

No support for IIS 7.
No possibility to pass domain username/password to perform the operation.
Microsoft.Web.Management.dll is not available on build server.
'Access Denied' error.

There are no issues creating Vdirs on IIS 6 - though we're actually shelling out to iisvdir.vbs, as using any of the MSBuild task as described above seem to either not support domain username/password auth when performing the operation or will simply throw a basic 'Access Denied' message (despite having the appropriate permissions on the IIS 6 metabase).

Also - bear in mind that the various methods work perfectly on IIS 7 if not specifying a specific domain user/pw as long as the current authentication context has the correct permissions, but for obvious reasons we don't want all of our CCNET build to run in that context.

I've even used psexec.exe to run appcmd.exe on the box remotely, which also works fine if the current security context has appropriate permission, but as soon as you specify username/password on psexec, you get an error message saying "Cannot read configuration file due to insufficient permissions." The user specified is a domain account, and is part of the local Administrators group on the 2008 server.

Also - I've ended up rolling my own RunAs MSBuild task, inheriting from the Exec task and using programmatic impersonation. I then use this to call psexec without specifying the username and password in psexec, but by impersonating when shelling to psexec, but I'm simply getting an exitcode of 1 - without any more details.

As you see, I've pretty much exhausted all options, or so I reckon.

If you can think of anything else, or have achieved managing IIS7 remotely, from an automated process on a non IIS7 box (using a specific non local admin user), please let me know.

Can not create directory with code Help ME!!

I_Hate_This_Name — Thu, 22 Oct 2009 15:20:35 GMT

Im have a web app being served up from my computer. Im running VB SSL. everything is just dandy:) The only issue Im having is that My code will not write to my File system or create a new directory from a client computer. the code will run just fine on my machine but when its called from an outside machine I get the 404 error message. I know it is a simple secerity issue, somthing to do with authentication. Now there is no log in going on here. The user simply clicks a button and the code behind writes some text to a file.Simple. the following type code will generate the error

My.Computer.FileSystem.CreateDirectory("DirName") or MkDir("DirName")

Basically The code will not write to my directory without some kind of permmision. How do I give this site the permision it needs.

If you could help me with this I could not thank you enough.

User Isolation in IIS 7

AJ Patankar — Wed, 21 Oct 2009 08:39:14 GMT

Hi guys Fairly new to IIS7 and was having a few issues setting up an FTP site. Have a web server using IIS 7 to host a web site and hoping to set up an FTP server on the same machine. Using IIS7, I've got the ftp site stable. Problem I have is we want to use our FTP for customers also. As a result, wanted to set up User Isolation within the FTP Directory. I know to create users I need the IIS 7 Manager Users applet to configure users but this option does not appear on my IIS. Its an option with Server 2008 but the machine is currently installed on a Vista host. Installing this on a server in our domain isn't really an option as ideally, we want this machine to be on an alternative subnet from our main network for security. If needs be, I have the option to upgrade to Win 7 if anyone is aware if the option is definitely there with Windows 7? One thing I noticed with a few sites is there appears to be an option in Windows Server within the "Control Panel > Programs and Features > Turn Windows Features On or Off" which caters for this with Win Server. Is there an option I'm missing within Vista or is this not possible without Win Server 2008? Any help, pointing in the right direction would be greatly appreciated Thanks

How do I configure IIS 5.1 to generate security events on configuration change

mimatas — Mon, 19 Oct 2009 22:29:30 GMT

Hello,

This may be a really stupid / simple question, but I've spent hours scouring google and bing to no avail.

I'm deploying a system in a multi-user environment with somewhat restrictive security requirements. As part of this deployment, I will be restricting access to the IIS Manager application (iis.msc) to only an administrators group (using windows file permissions, as that's currently the only way I know how). However, in addition to that, I would like to have a security event logged to the security event viewer whenever an administrator makes changes to the IIS configuration. In an ideal world, I'd like the event to be as specific as possible with respect to the settings modified... however, I'm willing to settle for just a record of the user that made the change.

I know I can audit read access to iis.msc using the generic windows file auditing, which will tell me whenever an admin tries to run iis.msc, but doesn't tell me whether or not something was changed. Is there a way to audit changes to IIS configurations (specifically, to directory security settings)?

If it helps, I'm using IIS 5.1 on XP, though this will likely be deployed on a 2003 machine, as well as possible deployments using IIS 6 or 7 (still TBD) on server 2008.

Thanks in advance for the help,

Mim

Two Factor Authentication

neildt — Fri, 16 Oct 2009 08:57:24 GMT

Can anyone recommend any good products for two factor authentication for our IIS7 webserver. Basically we require (for PCI compliance) two factor authenication for Remote Desktop and FTP access into our server. I've looked at a company called "phonefactor" which worked great for Remote Desktop - but doesn't support FTP.

Any help would be grateful.

Cheers,Neil

Re: Mixed Authentication: Windows OR Anonymous based on origin

bcdt — Tue, 29 Sep 2009 17:50:09 GMT

I've had a look at that website and it seems to be a way to enforce both Integrated Windows Authentication and Forms Based Authentication one after the other in order to authenticate.

Can that technique be modified to use only 1 kind of authentication either windows or forms based on the user's location? If they are internal intranet users and have already authenticated against AD we direct them to an int. windows auth. page; if they are external users they are directed to a forms login page? So only external users have to login, internal users navigate directly to the site.

This can be achieved in IIS6 easily enough based on the IP range check.

In IIS7 would you have to create a custom HTTPModule like Mike has done?

Re: Certificate button not present on the Access tab of the default SMTP Virtual Server

serverintellect_BM — Fri, 25 Sep 2009 19:44:52 GMT

When the IIS6 SMTP Server module looks for a certificate to use for TLS encryption, it seems checks the 'Local_Machine\my' store. I'm not sure where the OpenSSL certificate was placed by the system, but if it's not in the Personal certificates section, then the SMTP server won't be able to find it, and will therefore provide the error listed here.

If you have IIS7 installed on this server, the easiest way to go about securing this would be to select the 'Server' node in the IIS7 manager, select 'Certificates', and 'Create a self-signed certificate...' This will place a copy of the certificate in both the 'Local_Machine\my' store, as well as the Trusted Roots store.

I ran through a quick test of this: clearing out the Personal store provided the error mentioned above, but reloading the 'Properties' of the SMTP server after creating the self-signed certificate through IIS showed the certificate present, and allowed it to be secured.

Hope this helps!

Note: To check what's in a given certificate store, load up MMC (mmc.exe in the 'Run' box), under 'File', select 'Add/Remove Snap-in'. Under the snap-in list, select 'Certificates', and then choose Local Machine. Once back at the MMC listing, under certificates, you can check 'Personal\Certificates' to see its content.