IIS Insider - December 2004
By Brett Hill
Application Does Not Work with IIS Lockdown Installed
Q: We distribute executables from our IIS web server. After running the IIS Lockdown tool (ver 2.1) deployment, the executables stopped working and the server started generating 404 errors. The URL looks something like http://server.xx.com/apps/myapp.exe. Uninstalling the IIS Lockdown tool restored functionality. Why does the Lockdown tool do that interferes with our application?
A: The IIS Lockdown tool does several key operations to facilitate securing an IIS 5 server. All the steps are optional and understanding what occurs in each step is important to understanding the potential impacts on the server. You will find several questions on the tool in the IIS Insider archives that can help, but the most complete treatment can be found in the IIS Lockdown Walkthrough.
One of the optional steps when you run the tool is to install URLScan. URLScan is an ISAPI filter that inspects all incoming requests according to your specifications and rejects them based on certain criteria. URLScan is an optional and separate program from the IIS Lockdown tool, but is often confused with the IIS Lockdown tool since the tool installs URLScan as one of its options. In other words, you can install URLScan without running IIS Lockdown and you can run IIS Lockdown without installing URLScan.
As mentioned, with URLScan installed, URLs are inspected as they are received by IIS and accepted or rejected based on settings found in URLScan.ini. URLScan's "rules" for accepting or rejecting request are based on the contents of URLScan.ini which is found with URLScan.dll (By default the URLScan folder is located in winnt\system32\inetsrv). When you open URLScan.ini (in Notepad or another text editor), you will find a section at the top called [options] (as shown below):
[options] UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs AllowHighBitCharacters=0 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL AllowDotInPath=0 ; if 1, allow dots that are not file extensions RemoveServerHeader=0 ; if 1, remove "Server" header from response EnableLogging=1 ; if 1, log UrlScan activity PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log) AllowLateScanning=0 ; if 1, then UrlScan will load as a low priority filter. PerDayLogging=1 ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by- UrlScan> UseFastPathReject=0 ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request
Note the option named
UseAllowExtensions, which is set to 0. The comment to the right explains that when set to 0, the [DenyExtensions] section of URLScan is used to determine which file extensions to block. The following is a typical [DenyExtensions] section from the URLScan.ini file (used by IIS Lockdown tool):
[DenyExtensions] ; ; Extensions listed here either run code directly on the server, ; are processed as scripts, or are static files that are ; generally not intended to be served out. ; ; Note that these entries are effective if "UseAllowExtensions=0" ; is set in the [Options] section above. ; ; Also note that ASP scripts are denied with the below ; settings. If you wish to enable ASP, remove the ; following extensions from this list: ; .asp ; .cer ; .cdx ; .asa ; ; Deny ASP requests .asp .cer .cdx .asa ; Deny executables that could run on the server .exe .bat .cmd .com ; Deny infrequently used scripts .htw ; Maps to webhits.dll, part of Index Server .ida ; Maps to idq.dll, part of Index Server .idq ; Maps to idq.dll, part of Index Server .htr ; Maps to ism.dll, a legacy administrative tool .idc ; Maps to httpodbc.dll, a legacy database access tool .shtm ; Maps to ssinc.dll, for Server Side Includes .shtml ; Maps to ssinc.dll, for Server Side Includes .stm ; Maps to ssinc.dll, for Server Side Includes .printer ; Maps to msw3prt.dll, for Internet Printing Services ; Deny various static files .ini ; Configuration files .log ; Log files .pol ; Policy files .dat ; Configuration files
You can see that this list includes .EXE. As a result, you are getting a 404, File Not Found message from your IIS server -- not because the file is absent, but because URLScan is blocking it. You can simply remove the entry in the URLScan.ini file to start delivering your application.
Can You Customize Display of Files When Browsing Directories?
Q: When directory browsing in enabled on a web site and there isn't a default document available, IIS will display the contents of the directory much like an FTP site. We find this very useful for distributing files, but I was wondering if there was a way to customize the display of files.
A: You can make limited modifications to how much information is displayed, but not how it is formatted. In other words, there is no template you can use to create a custom page that allows you to display your organization's logo, contact information, etc. For that, I recommend writing a script that reads the directory information and provides links to the underlying content.
However, you can modify the file attributes for them, which are displayed through the Metabase key
DirBrowseFlags. You can't make these modifications in the IIS Manager. You will have to add them using a script, MBExplorer, or other Metabase editing tools. Edit the value for the
DirBrowseFlags Metabase property to be a value that represents the sum of the following values (see: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ref_mb_dirbrowseflags.asp) that you wish to enable. If the property is not present in the Metabase at the level you are configuring, you will need to create it and assign the sum of values (below) as the value.
|Description||When set to true, directory browsing is enabled.|
|Metabase Bitmask Identifier||MD_DIRBROW_ENABLED|
|Description||When set to true, date information is displayed when browsing directories.|
|Metabase Bitmask Identifier||MD_DIRBROW_SHOW_DATE|
|Description||When set to true, file time information is displayed when displaying directories.|
|Metabase Bitmask Identifier||MD_DIRBROW_SHOW_TIME|
|Description||When set to true, file size information is displayed when browsing directories.|
|Metabase Bitmask Identifier||MD_DIRBROW_SHOW_SIZE|
|Description||When set to true, file name extensions are displayed when browsing directories.|
|Metabase Bitmask Identifier||MD_DIRBROW_SHOW_EXTENSION|
|Description||When set to true, date information is displayed in extended format when displaying directories.|
|Metabase Bitmask Identifier||MD_DIRBROW_LONG_DATE|
|Description||When set to true, the default document (specified by the DefaultDoc property) for a directory is loaded when the directory is browsed.|
|Metabase Bitmask Identifier||MD_DIRBROW_LOADDEFAULT|
How To Set NTFS Permissions on Windows XP Professional Web Sites
Q: We are using IIS 5.1 on Windows XP Professional to develop and test our web applications. The problem is that we cannot set any NTFS permissions on the web sites. This is not a problem on our Windows 2000 Servers. The partitions are NTFS, so what do we need to do?
A: In Windows XP Professional, simple file sharing is enabled by default. When set, the Security tab for file or folder properties is not displayed. You can disable simple file sharing as follows:
- Open any folder and select Tools, Folder Options and the View tab to show Advanced settings options (as shown below).
- Scroll all the way down to the bottom and clear the check named Use simple file sharing.
- Click the Apply to All Folders button.
- Click OK and close the folder.
- Then right click on any folder and select Properties.
Now you can view the Security tab that allows you set NTFS permissions.
You will find lots of advice on NTFS permissions for your web applications, but it boils down to this:
Scripts and Static Content require Read
- Executables require Read and Execute
- Assign the Write permission only where required
- Place additional auditing in place anywhere you have Write and Execute permissions
- Remember that with the IUSR anonymous user, members such as Everyone, Users, Authenticated Users, Guests, and Network are built in by default.
Submit your questions to the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.
For a list of previous months' questions and answers on IIS Insider columns, click here.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.