IIS Insider - December 2001
By Brett Hill
How To Send Mail from Your IIS Application
Q: How can I send mail from my IIS Application?
A: There are several ways to achieve the ability to send an e-mail from your IIS server. Perhaps the easiest way is to install the SMTP service on your IIS and then use CDONTS or CDOSYS objects to send mail.
To install the SMTP service you use the Option Pack CD for IIS 4/Windows NT 4, or Add Remove Windows Components-Internet Information Services-SMTP Service. This will add the SMTP server snap-in to your Internet Information Services console which allows you to configure your SMTP service.
Be advised, that like any service you add to your server, you need to properly configure and secure the SMTP service. This includes adding any relevant hotfixes such as MS01-037: Authentication Error in SMTP Service Could Allow Mail Relaying (as of this writing), configuring authentication and controlling relaying. One of the best resources in print on learning to administer the SMTP server is from Running Microsoft Internet Information Server 4.0from Microsoft Press. There is an SMTP chapter from the book which explains the setup very well.
Once you've installed and configured the service, you can easily write an ASP page to send mail as using CDONTS as follows:
Set objMail = Server.CreateObject("CDONTS.NewMail")
objMail.From = "email@example.com"
objMail.Subject = "A Sample mail sent with CDONTS"
objMail.To = "firstname.lastname@example.org"
objMail.Body = "Here is the message."
set objMail = nothing
In Windows 2000, it is recommended that you use CDOSYS instead of CDONTS. While CDONTS does work on Windows 2000, CDOSYS provides a greater feature set. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncdsys/html/cdo_roadmap.asp for more information. Additionally, CDONTS is not supported in Windows Server 2003 or Windows XP. Therefore, modify your code before you upgrade.
Finally, if you do not want to install SMTP, you can still send mail from your application using third-party objects that provide SMTP services to an ASP application. A good place to start is http://www.aspemail.com.
What Do the IIS Error Codes Mean?
Q: IIS includes error code response for many of the standard errors issued by a web server. Is there some documentation that states what the error codes mean?
A: Yes. Since the errors are part of the RFC for HTTP, they can be found at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html. In addition to these, IIS provides some "sub error codes" to reveal additional information that can be helpful in troubleshooting. For example, the error code 403 is "Forbidden" according to the specification. IIS provides errors for 403.1 "Execute Access Forbidden" through 403.17 "Client Certificate is expired or is not yet valid."
To access each the meaning of each of the codes, look on the Custom Error tab of the properties for a Web site and double click any listed error code. The Error Mapping Properties dialog box shows the name of an error code (see Figure 1 below).
Figure 1 Error Mapping Properties
Which Version of IIS Can Be Used in Windows 2000?
Q: On my Windows XP system, I see that IIS can be installed and is IIS 5.1. Where can I get IIS 5.1 for Windows 2000?
A: There are quite a few versions of IIS these days and myths about what versions can be used where. Here's the list of versions and operating systems related to IIS that is current as of the writing of this column:
|Windows Operating System ||Version of IIS |
|Windows NT 4 Server ||IIS 4.0 |
|Windows NT 4 Workstation ||Personal Web Server |
|Windows 2000 Professional ||IIS 5.0 (limited version) |
|Windows 2000 Server (all versions) ||IIS 5.0 |
|Windows XP Professional ||IIS 5.1 |
|Windows Server 2003 ||IIS 6.0 |
As you can see, versions of IIS are tied to versions of operating systems (OS). This is due in large part to the fact that IIS is deeply integrated with the operating system and consequently versions of IIS cannot be installed on any OS other than the version for which it was designed.
How To Secure the IUSR_account
Q: It is my understanding that the IUSR_<servername> account is a member of the Guests group by default. Consequently, how do I secure the IUSR_account, by applying NTFS permissions for Guests group?
A: Securing the IUSR account is essential, so it is important to understand how the IUSR account is used and to what groups the IUSR account belongs. To help in this, you can use the W3Who.dll program provided in the Windows 2000 Resource Kit. This little jewel will report the username, rights, and the group membership of the user that calls it. To implement this utility, simply call it from a web browser. For example, create a folder in a web site, check that is has anonymous access enabled and that NTFS permissions allow the IUSR account the NTFS execute permission. In addition, mark the folder for Scripts and Executables in the IIS snap-in. Then browse the file in Internet Explorer (http://servername/foldername/w3who.dll).
The resulting page will reveal a wealth of information about the IUSR account, as follows:
- 'IISANSWERS\IUSR_IISANSWERS' S-1-5-21-790525478-1993962763-xxxxxxxxxxxxxxx
- 'IISANSWERS\None' S-1-5-21-790525478-1993962763-xxxxxxxxxxxxxx
- '\Everyone' S-1-1-0
- 'BUILTIN\Guests' S-1-5-32-546
- 'BUILTIN\Users' S-1-5-32-545
- '\LOCAL' S-1-2-0
- 'NT AUTHORITY\NETWORK' S-1-5-2
- 'NT AUTHORITY\Authenticated Users' S-1-5-11
- SeUndockPrivilege - Remove computer from docking station
Here, you can clearly see that the IUSR account is a member of Guests, Users, Authenticated Users, the Network Group, and Everyone. Consequently, anonymous users may have access to any resource these groups are permitted to access.
Perhaps the best means of securing access for the IUSR account is the method employed by the IIS Lockdown tool. When you use the IIS Lockdown tool to secure your server, the IUSR account is made a member of the Web Anonymous Users group which is assigned the Deny Write or the Deny Execute permission as appropriate. In this way, regardless of other group membership, the resource is secured from inappropriate access from the IUSR account. This method has the added benefit that you can limit other users and groups to the permissions assigned to the Web Anonymous Users group by simply making them members of the group.
How Does IIS Enforce NTFS Permissions?
Q: Can you explain how IIS enforces permissions in relations to NTFS?
A: IIS has several layers of security that are sequentially enforced in order to permit access.
Layer 1 IP address and domain name restrictions
The first check performed validates that the IP address in use by the client is permitted. A good use of this setting is to configure IIS to allow access only from a designated firewall. This setting is found on the Security tab of a Web site, directory, or file.
Layer 2 Authentication
The user must be able to be authenticated to a valid user account. If anonymous access is enabled in the IIS snap-in and NTFS permissions allow access for the IUSR_<computername> (or the account designated as the anonymous user), then that anonymous account will be used. Otherwise, the user must authenticate to a valid user account. In this event, another authentication method be enabled other than Anonymous. By default, Anonymous and Integrated Windows methods are enabled in IIS 5 and in IIS 4 its Anonymous and Windows NT Challenge Response.
Layer 3 Web Based permissions
The type of access requested must be permitted by the Web server. These are the Read, Write, Script Source Access permissions coupled with the Application permissions of None, Scripts, or Scripts and Executables. In addition, if an application is invoked by the use of a file extension that is mapped to an executable, such as an .asp file and the asp.dll executable, then the HTTP verb used with the application must be permitted.
Layer 4 NTFS Permissions
Finally, NTFS permissions are checked and enforced.
So, as you can see, different kinds of security are enforced at each stage. You can see that if a user requests to Read a HTML file, even if they had NTFS permissions of Full Control, they would be denied. Alternately, if the user had an IP address that was not permitted, they would have no access at all to the server, even if they were an Administrator. In effect, permissions combine to provide the most restrictive privilege.
Submit your questions to the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.
For a list of previous months questions and answers on IIS Insider columns, click here.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.