Internet Information Server 4.0 (and 5.0)
By Nicolas PAOUR, 12 January 2004

Contents
• Introduction
• Required configuration to setup IIS
• IIS Setup (HowTo)
• Web Setup
• FTP Setup
• SMTP Setup
• Security within IIS
• What are FrontPage extensions
• Using FrontPage with IIS
• Frequent TroubleShooting
Overview
• What is IIS
• Questions/Answers
• Aim
• Product overview
• Getting information
• Understanding security
• Managing IIS & FrontPage
Overview – Basic concepts under NT
• FAT: no valid security
• NTFS: security possible
• Any user who reaches an NT station through a share or over the Internet must be identified by login and password (local or global account).
Required configuration to setup IIS

Platform                 NTFS partition   Index Server   Multiple virtual sites
Windows NT4 Server       Yes              Yes            Yes
Windows NT4 Workstation  Yes              No             No
Windows 95/98            No               No             No
Windows 2000 Server      Yes              Yes            Yes
Windows 2000 Pro         Yes              Yes            No
IIS Setup – 1/6
• Check that drive D: is an NTFS partition. Set its permissions to Administrators (Full)(Full) and System (Full)(Full), and remove Everyone.
• Check whether IIS 3 exists; if so, uninstall it.
• Check that "Regional Settings" is US.
• Copy into c:\install (no space in the folder name):
  – NT4_IIS4_serveur files
  – FP2k_4.0.2.4317-(SR1.2) server extensions
  – Metaedit files
  – MDAC (2.52.6019.2)
  – ADSI (2.5)
IIS Setup – 2/6
Run NT4_IIS4_serveur\install.exe and select the components:
• Disabled: Certificate Server
• Disabled: FrontPage 98 Server Extensions
• Disabled: Internet Connection Services for RAS
• Internet Information Server (IIS):
  – Disabled: Documentation
  – Enabled: FTP
  – Disabled: Internet NNTP Service
  – Enabled: Internet Service Manager
  – Disabled: Internet Service Manager (HTML)
  – Enabled: SMTP Service
  – Disabled: World Wide Web Sample Site
  – Enabled: World Wide Web Server
• Enabled: Microsoft Data Access Components 1.5 (All)
IIS Setup – 3/6
• Enabled: Microsoft Index Server (default)
  – Language Resources: French, UK English, US English
• Enabled: Microsoft Management Console
• Disabled: Microsoft Message Queue
• Disabled: Microsoft Script Debugger
• Disabled: Microsoft Site Server Express 2.0
• Enabled: NT Option Pack Common Files
• Transaction Server (default)
• Disabled: Visual InterDev RAD Remote Deployment Support
• Enabled: Windows Scripting Host
Select the folders:
• D:\wwwroot\application_name.hp.com\_shareweb (_fpweb if FrontPage is used)
• D:\ftproot\public
• C:\Program Files
IIS Setup – 4/6
• MTS: default
• Index Server: on, with the catalog on D:\wwwroot\application_name.hp.com\_catalog
• Reboot
• Remove the "Administration Web Site"
• Delete all the sample and administration virtual directories: IISsample, IISadmin, IIShelp, Scripts, IISadmPwd, msadc
• Remove the folders:
  – D:\wwwroot\application_name.hp.com\iissample
  – D:\wwwroot\application_name.hp.com\scripts
  – D:\wwwroot\application_name.hp.com\_shareweb\phone book service
IIS Setup – 5/6
• Install Metaedit
• Run Metaedit and add
• Update MDAC and ADSI (reboot)
• Update SP6a + hotfix (reboot)
IIS Setup – 6/6
Open User Manager and adjust the user rights:
• "Access this computer from network": remove the IUSR account and the IWAM account; add "Authenticated Users"
• "Log on locally": remove the IUSR account and the IWAM account
Web Setup
• If it is a FrontPage server: install the FP2K server extensions and set "browse access" with FP2K.
• If it is not a FrontPage server: set IUSR_ComputerName (RX)(R) on the d:\wwwroot\application_name\_shareweb folder.
• Enable "Basic Authentication" for Netscape access (to validate!).
• Set IP, port and host header for each website (don't use "All Unassigned").
• Create the d:\weblog folder and direct each new virtual web's log into it; permissions Administrators (Full)(Full), System (Full)(Full).
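The post-install checks in IIS Setup 4/6 and 6/6 and the binding rule above are easy to verify mechanically. The following is an added example, not code from the deck: it audits a constructed configuration export (the line format "metabase path key=value" and the account names are assumptions) for sample virtual directories left in place, "All Unassigned" bindings and IUSR/IWAM accounts that still hold logon rights.

```python
"""Audit a constructed IIS 4/5 configuration export against this deck's
hardening checklist (sample vdirs removed, no "All Unassigned" bindings,
IUSR/IWAM stripped of logon rights). Added example, not code from the deck;
the export format is an assumption loosely modelled on metabase paths."""
import re

# Virtual directories the deck deletes after installation (IIS Setup 4/6)
UNWANTED_VDIRS = {"iissample", "iisadmin", "iishelp", "scripts", "iisadmpwd", "msadc"}
# Accounts the deck removes from the network / local logon rights (IIS Setup 6/6)
SERVICE_ACCOUNT_PREFIXES = ("IUSR_", "IWAM_")
LINE_RE = re.compile(r"^(\S+)\s+(\w+)=(.*)$")   # "<metabase path> <key>=<value>"

# Constructed export: site 1 is left at defaults, site 2 follows the checklist
SAMPLE_EXPORT = r"""
W3SVC/1 ServerComment=Administration Web Site
W3SVC/1 ServerBindings=:80:
W3SVC/1/ROOT/msadc Path=C:\Program Files\Common Files\System\msadc
W3SVC/2 ServerComment=app.example.com
W3SVC/2 ServerBindings=10.0.0.5:80:app.example.com
W3SVC/2/ROOT/_shareweb Path=D:\wwwroot\app.example.com\_shareweb
LSA SeNetworkLogonRight=Administrators,IUSR_SRV01,Authenticated Users
LSA SeInteractiveLogonRight=Administrators,IWAM_SRV01
"""

def audit(export: str) -> list:
    """Return (location, finding) pairs for every deviation from the checklist."""
    findings = []
    for line in export.strip().splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        path, key, value = match.groups()
        if key == "ServerComment" and value == "Administration Web Site":
            findings.append((path, "Administration Web Site still installed"))
        elif key == "ServerBindings":
            # metabase binding syntax is IP:Port:HostHeader; an empty IP means
            # "All Unassigned" and an empty host header answers to any name
            for binding in value.split(","):
                ip, _port, host = (binding.split(":") + ["", ""])[:3]
                if not ip or not host:
                    findings.append((path, f"binding '{binding}' lacks a fixed IP or host header"))
        elif key == "Path":
            vdir = path.rsplit("/", 1)[-1].lower()
            if vdir in UNWANTED_VDIRS:
                findings.append((path, f"sample/admin virtual directory '{vdir}' still present"))
        elif key in ("SeNetworkLogonRight", "SeInteractiveLogonRight"):
            for account in value.split(","):
                if account.startswith(SERVICE_ACCOUNT_PREFIXES):
                    findings.append((path, f"{account} still holds {key}"))
    return findings

if __name__ == "__main__":
    for location, finding in audit(SAMPLE_EXPORT):
        print(f"{location}: {finding}")
```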
FTP Setup
• NTFS rights for d:\ftproot\public: Administrators (Full)(Full), System (Full)(Full), Everyone (RWX)(R)
• Open the MMC and select all options
SMTP Setup
• NTFS rights for the mailroot folder:
  – mailroot and all subfolders except pickup: Administrators (Full)(Full), System (Full)(Full)
  – mailroot\pickup: Administrators (Full)(Full), System (Full)(Full), Everyone (RWX)(RX)
• Add the IWAM_ServerName account as an operator in IIS -> SMTP properties. Otherwise a website that uses the CDONTS.NewMail object in an isolated process returns the error "permission denied".
• Reference: http://msdn.microsoft.com/library/periodic/period99/asp9951.htm
Security within IIS
• "Hardware" :o) : NTFS
• "Software" :o( : FAT and NTFS
Note: any user who reaches an NT station through a share or over the Internet must be identified by login and password (local or global account).
Security within IIS – Anonymous 1/2
D:
└─wwwroot
  └──home.grenoble.hp.com
     ├──_catalog
     │  └──catalog.wci
     ├──_fpweb
     ├──_report
     ├──_sharetools
     │  ├──cgi
     │  ├──database
     │  └──upload
     ├──_shareweb.null
     └──_ssl2
Security within IIS – Anonymous 2/2
• Access to data: to reach the data via the Internet, the web server (IIS) supplies an anonymous login/password
  – Login: IUSR_Serveur, Pass: ******
  – IUSR_Serveur (RX)(R) on the folder
  – NT's authentication successful
Security within IIS – Secure access 1/2
(same folder tree as the Anonymous 1/2 slide)
Security within IIS – Secure access 2/2
• Basic security: to secure a web site, remove the IUSR account from the drive's permissions
  – Login: IUSR_Serveur, Pass: ****** -> NT's authentication refused
  – Login_Name (RX)(R) on the folder
  – Login: Login_Name, Pass: Password -> NT's authentication successful
Security within IIS – SSL 1/2
• SSL encryption: "https:" (https://serveur_name)
• Private key, public key, session key
What are FrontPage extensions
FrontPage extensions allow:
• using specific components such as Hit Counter, Scheduled Include Page, Categories and Search Form
• publishing your site quickly
Filters: SSL Filter, FrontPage Filter
Using FrontPage with IIS
The FrontPage interface is required for:
• Web site creation
• Site management (child site, move folder, ...)
• Security setting
• Site publishing
• Site deletion
Using FrontPage with IIS – Site creation
• Web site creation (figure: Yes / No)
Using FrontPage with IIS – Site management
• Site creation (FrontPage child site)
• Move folder: use drag & drop
• Recalculate Hyperlinks
Using FrontPage with IIS – Security setting
• Don't use Directory Permissions; use FrontPage Security Permissions
Using FrontPage with IIS – Site publishing
• Don't use a shared directory; use the FrontPage publishing tool
Using FrontPage with IIS – Site deletion
• Don't delete the directory from NT; use the FrontPage delete option
Using FrontPage with IIS – Components (bis)
FrontPage extensions allow using specific components (Insert menu, Component submenu):
• Hit Counter
• Confirmation Field
• Include Page
• Scheduled Include Page
• Categories
• Search Form
• Additional Components (not used)
Frequent TroubleShooting
http://membres.lycos.fr/paour/easy_doc/index.html
TroubleShootings
• Missing key 6013
• Wrong value
• Wrong NTFS right in the Pickup folder
• See the AspUpload example
• Don't use your NT account (log on with a test account). Add these lines to the ASP page to display the identity IIS is using:
  TYPE <%=Request.ServerVariables("AUTH_TYPE")%><br>
  PASSWORD <%=Request.ServerVariables("AUTH_PASSWORD")%><br>
  USER <%=Request.ServerVariables("AUTH_USER")%><br>
Example 1 – AspUpload use
• Create d:\components\aspupload with Admin (Full)(Full), System (Full)(Full)
• Copy aspupload.dll into the "aspupload" folder
• Test script: http://sopra100.sopra-hp.net/upload/default.htm
• On error: register the DLL with regsvr32 D:\component\aspupload\bin\AspUpload.dll
• Rights: D:\component\aspupload\bin\ (RX)(RX), or AspUpload.dll (RX)
• Upload folder: Everyone (RWX)(RX)
Example 2 – Find a DLL on a "Library not registered" or "ActiveX component can't create object" error
• Read the object name: Server.CreateObject("Persits.Upload")
• Open regedit
• Read the data under HKEY_CLASSES_ROOT\Persits.Upload\CLSID: {B4E1B2EC-151B-11D2-926A-006008123235}
• Search for {B4E1B2EC-151B-11D2-926A-006008123235} in the HKEY_CLASSES_ROOT\CLSID keys
• Note the string data of HKEY_CLASSES_ROOT\CLSID\{…}\InprocServer32
• Example: C:\wwwroot\SOPRA100\_dll\AspUpload.dll
Example 3 – Secure access
Add these lines to the ASP page:
  TYPE <%=Request.ServerVariables("AUTH_TYPE")%><br>
  PASSWORD <%=Request.ServerVariables("AUTH_PASSWORD")%><br>
  USER <%=Request.ServerVariables("AUTH_USER")%><br>
Results (TYPE / PASSWORD / USER):
• Anonymous access: ..\Secure | IUSR_Computername (RX)(R) -> TYPE, PASSWORD and USER shown empty
• Challenge/Response (remove the IUSR account): ..\Secure | training (RX)(R) -> TYPE NTLM or Negotiate (or, for IIS5 on NT2000, Digest / Integrated), PASSWORD empty, USER SOPRA-HP\training
• Basic (remove the IUSR account): ..\Secure | training (RX)(R) -> TYPE Basic, PASSWORD trai123ning, USER SOPRA-HP\training
Example 4 – Secure access
• Challenge/Response (remove the IUSR account): ..\Secure | training (RX)(R) -> Access Denied!!!
• Fix: change the secure folder into an IIS Application, OR remove global.asa, OR allow Everyone (RX)(R) on the global.asa folder
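The Anonymous / Secure access slides, Example 3 and Example 4 together describe one decision: which NT identity IIS ends up using to read a folder, and what the three server variables then show. The following is an added example, not code from the deck, that models that decision over constructed NTFS ACLs (account names, the IUSR_SRV01 name and the global.asa check are assumptions); it reproduces why Basic exposes the password to the script while NTLM does not, and why an unreadable global.asa folder yields Access Denied.

```python
"""Model of how IIS 4/5 picks the identity used to read a folder, following
the Anonymous / Secure access slides, Example 3 and the global.asa case in
Example 4. Added example, not code from the deck; ACLs are constructed."""

ANONYMOUS = "IUSR_SRV01"          # constructed anonymous account name

def can_read(acl: dict, account: str) -> bool:
    """NTFS check: does the account (or Everyone) hold at least Read here?"""
    return "R" in acl.get(account, "") or "R" in acl.get("Everyone", "")

def resolve(folder_acl, methods, client=None, app_root_acl=None):
    """Return the (AUTH_TYPE, AUTH_USER, AUTH_PASSWORD) triple the ASP page in
    Example 3 would print, or "Access Denied".
    folder_acl   : {account: rights} of the requested folder, e.g. {"training": "RX"}
    methods      : enabled IIS authentication methods, in the order they are tried
    client       : (user, password) the browser sends when challenged, or None
    app_root_acl : ACL of the folder holding global.asa; the chosen identity must
                   read it too, which is the Access Denied cause in Example 4"""
    def allowed(account):
        return can_read(folder_acl, account) and (
            app_root_acl is None or can_read(app_root_acl, account))

    # Anonymous is tried first; it succeeds only if IUSR has NTFS read
    if "Anonymous" in methods and allowed(ANONYMOUS):
        return ("", "", "")                 # server variables stay empty
    if client is None:                      # 401 sent, browser has nothing to offer
        return "Access Denied"
    user, password = client
    if not allowed(user):                   # NT refuses the credentials on NTFS
        return "Access Denied"
    for method in methods:
        if method == "Basic":
            # Basic sends the password itself, so the script sees AUTH_PASSWORD
            return ("Basic", user, password)
        if method in ("NTLM", "Negotiate", "Digest"):
            # challenge/response: only the user name reaches the script
            return (method, user, "")
    return "Access Denied"

if __name__ == "__main__":
    secure = {"Administrators": "F", "SYSTEM": "F", "training": "RX"}
    print(resolve(secure, ["Anonymous", "NTLM"], ("training", "secret")))
    print(resolve(secure, ["Anonymous", "Basic"], ("training", "secret")))
```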