IIS Insider - March 2002

By Brett Hill

Setting Up and Routing Sub-domains in IIS

Q: How can I create sub-domains with IIS 5.0 on a W2K server? If I have BerAult.Com going to the root website and I want Technical.Berault.com to take me to a new folder or sub-web, how do I set it up? All I can find is information on how to configure Berault.com/technical as a URL.

A: Your web site architecture and its integration with DNS are, of course, key components of your IIS installation. It's easy, as you say, to configure a site for Berault.com/technical, as it would simply refer to a folder or virtual directory located in the Berault.com website.

Configuring technical.berault.com to be a "subweb" is another matter, as you have discovered. By design, a URL is constructed such that https://domainname.com should be the parent of https://hostname.domainname.com. This is so because of the design of DNS, which requires this kind of namespace architecture in URLs. However, as far as a web server is concerned, these are two completely different references. IIS does not regard them as related in any way.

Consequently, you deal with technical.berault.com as if it were a completely different web site. In DNS, you can add an A record for technical.berault.com that assigns it the same IP address as berault.com. Then you could create an ASP page that inspects the incoming URL and routes the request accordingly. This would be useful if you want the "sub-domain" to route to a folder within your main web site. Alternatively, you can create an entirely new web site identified by either a new IP address (which would have to be configured in DNS) or by using host headers in IIS.

You can create a new web site for your "sub-domain" that has as its home folder a location within the parent domain. While this is possible, I advise against it, as you will find you have two administrative interfaces for the same content with no method for keeping them synchronized. This can lead to difficulty in troubleshooting configuration and security issues.

Masking the IP Address in the HTTP Header (Content-Location)

Q: When our IIS 5 server is portscanned, it returns the following information:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: https://192.168.0.44/Default.htm
Date: Tue, 19 Feb 2002 20:19:20 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 19 Feb 2002 20:04:10 GMT
Content-Length: 16

The problem is that the Content-Location header reveals the internal IP address of the web server. This could be quite useful to a hacker. Is there any way to prevent IIS from returning the IP address of the server in the scan?

A: Yes, you can configure both IIS 4 and IIS 5 so that the Content-Location field returns a URL containing the server's host name instead of its IP address, as shown below:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: https://homer.test.bh.tm/Default.htm
Date: Tue, 19 Feb 2002 20:27:20 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 19 Feb 2002 20:04:10 GMT
Content-Length: 16

To do this, you must add the value UseHostName to the W3SVC key in the Metabase. The easiest way to do this is to use the ADSUTIL program installed by default in Inetpub\Adminscripts as follows:

adsutil set w3svc/UseHostName True

You must then stop and start the web service. For more information, see the Microsoft Knowledge Base article Q218180.
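A check for the disclosure described above, as an added example that is not part of the original column: it parses a response head and reports URL-valued headers that expose a non-public IP address literal. The function names are illustrative, the sample heads are trimmed versions of the two responses shown above, and checking Location in addition to Content-Location is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Response heads modelled on the two shown above (trimmed to the relevant headers).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Location: https://192.168.0.44/Default.htm\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
AFTER = BEFORE.replace("192.168.0.44", "homer.test.bh.tm")

# Headers whose value is a URL. Location is an added assumption, not from the column.
URL_HEADERS = {"content-location", "location"}

def parse_headers(head):
    """Yield (lower-cased name, value) pairs, skipping the status line."""
    lines = head.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip().lower(), value.strip()

def internal_address_leaks(head):
    """Return [(header, address)] for URL headers exposing a non-public IP literal."""
    leaks = []
    for name, value in parse_headers(head):
        if name not in URL_HEADERS:
            continue
        try:
            # hostname drops the port and IPv6 brackets; it is None for relative URLs
            addr = ipaddress.ip_address(urlsplit(value).hostname or "")
        except ValueError:
            continue                      # relative URL, DNS name or malformed value
        if addr.is_private:               # RFC 1918, loopback, link-local, ...
            leaks.append((name, str(addr)))
    return leaks

if __name__ == "__main__":
    print("before UseHostName:", internal_address_leaks(BEFORE))
    print("after UseHostName: ", internal_address_leaks(AFTER))
```

Run it against the headers of your own server before and after the metabase change; an empty list after the restart confirms the setting took effect.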

Changing the CGI Script Timeout Period

Q: We have a CGI script that runs daily. When the process starts, it runs for a while and then we receive the message that it "exceeds the CGI time limit". How long is the CGI time limit and is there a way to change it?

A: IIS does have a timeout associated with CGI processes that is set by default to 300 seconds (5 minutes). This setting can be changed from the user interface, but it is available only in the Master Properties of the WWW service, so it's easy to miss. Open the IIS snap-in, right-click your server, and select Properties. Then, with the WWW Service Master Properties selected, click Edit. Click on the Home Directory tab, then the Configuration tab, followed by the Process Options tab (as shown in Figure 1). There you will find the CGI script timeout setting.

Figure 1 Process Options tab in Application Configuration

Extracting URLScan from the IIS Lockdown Tool

Q: We would like to install URLscan on our server, but don't want to run the IISLockdown tool. Initially, Microsoft provided these tools separately, but they are now part of the same installation. How can we install URLScan without running IISLockdown?

A: As you noted, Microsoft initially released the IIS Lockdown tool and URLScan separately. Version 2.1 of the IIS Lockdown tool was updated to contain URLScan 2.0. In the vast majority of cases, the IIS Lockdown wizard should be run on IIS servers. It performs several important steps to secure your server, and it installs and configures the URLScan ISAPI filter.

It is possible to extract the URLScan components from the IIS Lockdown installation package and install them without running IIS Lockdown. This will provide you with the 2.0 version of URLScan, and not the 1.0 version, which is still available (at the time of this writing) as a separate download on Microsoft's download page and through various Microsoft Knowledge Base articles.

To extract URLScan from IISLockdown 2.1, first download IISLockdown 2.1. Then open a command prompt window at the location of the tool and type:

iislockd.exe /q /c /t:c:\lockdown_files

This will extract the files from the installation package. Then you can install URLScan.dll as an ISAPI filter at the WWW Master properties level. Be sure to place the URLScan.ini file in the same location as URLScan.dll.

You will most likely need to manually configure the URLScan.ini file for your server. Be advised that only experienced administrators should edit the URLscan.ini file. Review the URLScan.doc file extracted from the IIS Lockdown utilities for instructions. One of the advantages of running the IISLockdown tool wizard to install URLScan is that it configures the URLScan.ini file for you.

Using Parameters in URL to Redirect Requests

Q: Is there a way to use the parameters in a URL as part of a redirection without having to use ASP? In other words, when people access our site as www.oursite.com?A=1 we would like to forward the request to www.theirsite.com?A=1.

A: In the properties for a website, directory, virtual directory or file, you can specify the location of the file as local, on another system with a UNC pathname, or redirect the request. If you choose to redirect the request, you can use the little-known but very powerful redirection variables. In your case, you would enter https://www.theirsite.com$Q in the Redirect To text box. The $Q substitution variable appends the question mark and all following parameters to the redirected request.

There are quite a few other redirect variables that allow you to do substitutions and other manipulations without coding. You can find out more about the redirection parameters in the online help file for IIS in the Redirect Reference.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.