IIS Insider - May 2002

By Brett Hill

Can We Install IIS or PWS with Windows XP Home Edition?

Q: I have read that you cannot run/develop ASP.Net apps on a computer running Windows XP Home Edition. Is there any way of installing either IIS or PWS on a computer running the home edition of XP? I own the VS.Net Professional version and have yet to find a way to develop in ASP.Net.

A: Windows XP Home Edition does not support any version of IIS. To my knowledge, it cannot be made to run IIS by any reliable method. The Windows XP Home Edition was not designed to be a development platform for web based applications. Upgrading to Windows XP Professional will allow you to install IIS 5.1 on your system so you can develop with ASP.Net. IIS 5.1 on Windows XP Professional is a full featured and capable web server, but is limited to 10 simultaneous connections since it is a workstation operating system and not a server platform. There are also a few other limitations consistent with Windows XP Professional being used as a client operating system and not a server operating system. By in large, these are the same differences you find in IIS 5.0 on Windows 2000 Professional, and Windows 2000 Server/Advanced Server. Nevertheless, Windows XP Professional is an excellent environment for developing web based applications with the .NET framework.

Can ISAPI Filters Run in Separate Process Space?

Q: IIS 5.0 allows ISAPI extensions to be run in separate process space. Can this be done with ISAPI filters as well? We have a customer whose IIS server re-starts every 2-3 days after we installed our software which includes an ISAPI filter. The last crash dump shows that inetinfo.exe crashed because of "divide by 0 error", it did not crash in the ISAPI filter. I would be nice if we could run ISAPI filter in separate process space so it won't clash with inetinfo.exe.

A: Just to review, programs written to work with a web server have specific requirements. You can't, for example, invoke an instance of Notepad.exe from a URL and expect to see a Notepad window on the client system. In order for an executable (that is not CGI) to interact with requests from IIS, it needs to be written using ISAPI. ISAPI stands for Internet Server Application Programming Interface. ISAPI executables come in two flavors – extensions and filters.

ISAPI extensions are directly invokable from a URL such as http://localhost/myisapi.dll. Presuming you have IIS configured to permit Scripts and Executables on the directory and the user has the Execute NTFS permission, the dll will run. IIS allows you to specify if the application will run in process (as part of inetinfo) or out of process (as part of MTX on IIS 4 or dllhost as part of IIS 5.x). When an application is run out of process, inetinfo is insulated from problems such as the one you described. If the application fails, so does the web server.

ISAPI filters are another animal altogether. ISAPI filters are able to modify the incoming and outgoing data stream to and from IIS. As a result they have a great deal of power and can be used to implement custom logging, authentication, or modify the data stream. Features implemented in ISAPI filters for IIS 5 include data compression, digest authentication, and URLScan.

Because filters play such a central role with IIS, they are, by design, always run in process as part of inetinfo. Consequently, as you have discovered, proper ISAPI filter construction is essential to server health. My suggestion would be that you work with Microsoft Product Support Services to identify the problem as troubleshooting exceptions of this sort can be quite a challenge.

There are a couple of new technologies that may make life a bit easier for you in this regard. One is to look ahead to IIS 6. Due to it's new architecture, all ISAPI filter run out of process. This will achieve your goal of insulating the web server from a wayward ISAPI filter, but does not actually solve the problem. Toward that end, examine the capabilities of the .NET languages in regards to ISAPI filters. I think you will find that implementing equivalent functionality with .NET is simplified significantly over standard ISAPI Filter design with C++.

Code Examples for Editing Documents from ASP using WebDAV

Q: Where can I get code examples of how to edit documents from an asp using WebDAV?

A: You're best bet of using WebDAV from scripts on IIS would be to use the WebClient class of ASP.Net.. If you are using Windows XP or Windows Server 2003, WebDAV functionality is part of the operating system. This permits you to reference a file on a web server using HTTP in the same way you would use a UNC pathname. For example, you could map a drive with NET USE * http://servername/directory and then access that location using the drive letter. Alternately, you can create a COM object that is a WebDAV client. You can use the object to issue WebDAV verbs to IIS 5.x or IIS 6.0.

Additionally, if you search MSDN for WebDAV, you will find quite a few examples of how to use XML to craft WebDAV queries for Exchange and other Microsoft servers. There is a WebDAV sample application in the Microsoft Exchange 2000 Server SDK.

"Access Denied" Trying to Access a Database with ASP

Q: We are trying to access a database with ASP but it continually gives the result "access denied" when we write new content to the database. The ASP page worked fine when running windows NT 4.0 workstation and peer web server but after upgrading to Windows XP Professional with IIS 5.1, it no longer works. It looks like it is a problem with access rights to specific directories, but how can we determine where the exact problem is?

A: There is an excellent, free utility called Filemon from http://www.sysinternals.com. When I teach IIS, I tell students to keep this utility on a floppy disk and carry it around with them everywhere you go. I am only half joking. You can quickly diagnose most permissions issues with Filemon as it will display in real time all files accessed on the server, the name of the calling process, and result of the access. Consequently, any "Access Denied" messages, regardless of how buried in nested includes or how obscure the temporary index, are easily identified.

It can be frustrating when an application that worked on one operating system has problems after upgrading. However, problems of this sort are often instructive as well. One of the differences in IIS 4 and IIS 5 has to do with the differences in COM and COM+. In IIS 5, when a COM+ object touches files on behalf of the user, it's default behavior is to do so using the security context of the user. This was not so in IIS 4. Consequently, when moving applications from IIS 4 to IIS 5 that involve COM, you may need to provide users permissions to files that were not required in IIS 4. While this is inconvenient in cases such as yours, it is certainly an improvement in the security design of the application. Even though you may not be using custom COM objects to access databases, COM is in widespread use in native IIS components.

One place where this requirement shows itself is in the need to grant permissions to temporary folders used by Access, rights to the users who are creating database requests. For more information see the Microsoft Knowledge Base articles Q210457 and Q271071.

How to Run IIS Lockdown Tool Without Restoring Original Settings

Q: We ran the IIS Lockdown tool on our server which seems to have worked well in performing some basic security modifications to the system. However, after we ran the tool, we added some capabilities and content to the server and wish to run the tool again. However, when we launch the IIS Lockdown wizard, it says:

If your browser does not support inline frames, click here to view on a separate page.

In this case, we do not wish to restore the previous settings as we will lose the changes to the IIS configurations stored in the metabase. How can we run the IIS Lockdown tool again without having to first do a restore?

A: In my opinion, the IIS Lockdown tool is one of Microsoft's bona fide home run hits. As you say, this tool allows you to easily and significantly increase the security on your server. Once you run the tool, it stores the history of it's actions on a file located on <systemdrive>\<systemdir>\system32\inetsrv. You will find this information in the files named:

- Oblt-rep.log
- Oblt-once.md0
- Oblt-mb.md0

There may also be a file Oblt-undone.log if you have run the "undo" task shown above.

If you remove these files, the wizard will start as if the IIS Lockdown tool has not been run. To my knowledge, there is no risk in repeating this process. Before you do so, be certain to make a copy of metabase.bin.

Because this procedure will allow you to run the Lockdown tool as if it had not been run but does not "unlock" or reverse the settings the Lockdown tool implemented when it was first run, this procedure should work fine in your situation.

Submit your questions to the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.

For a list of previous months questions and answers on IIS Insider columns, click here.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.