IIS Training

					        Internet Information Server
               4.0 (and 5.0)

                By Nicolas PAOUR
                 12 January 2004




12/02/2004          Nicolas Paour     1
                         Contents
• Introduction                       • Security within IIS
• Required configuration to setup
  IIS                                • What are FrontPage extensions
• IIS Setup (HowTo)                  • Using FrontPage with IIS

• Web Setup                          • Frequent TroubleShooting
• FTP Setup
• SMTP Setup




                          Overview

• What is IIS
      – Questions/Answers
• Aim
      –   Product overview
      –   Getting information
      –   Understanding security
      –   Managing IIS & FrontPage




                          Overview
• Basic concepts under NT




      FAT: no valid security                    NTFS: security possible
 Any user who reaches an NT station through a share or the Internet must be
 identified by a login and password (local or global)


     Required configuration to set up IIS

• Windows NT4 Server                        • Windows 2000 Server
      – Partition NTFS (Yes)                       – Partition NTFS (Yes)
      – Index Server (Yes)                         – Index Server (Yes)
      – Multi Virtual Site (Yes)                   – Multi Virtual Site (Yes)
• Windows Workstation                       • Windows 2000 Pro
      – Partition NTFS (Yes)                       – Partition NTFS (Yes)
      – Index Server (No)                          – Index Server (Yes)
      – Multi Virtual Site (No)                    – Multi Virtual Site (No)
• Windows 95/98
      – Partition NTFS (No)
      – Index Server (No)
      – Multi Virtual Site (No)
                            IIS Set up – 1/6

•   Check that D drive is NTFS partition
•   Set
      – administrators (Full) (Full)
      – system (Full) (Full)
      – remove Everyone
•   Check whether IIS3 is installed
•   Uninstall IIS3
•   Check that « Regional Settings » is US.
•   Copy in c:\install
      –   NT4_IIS4_serveur files (no space in folder name)
      –   FP2k_4.0.2.4317-(SR1.2) server extensions
      –   Metaedit files
      –   MDAC (2.52.6019.2)
      –   ADSI (2.5)


                               IIS Set up – 2/6

•   Run NT4_IIS4_serveur\install.exe
      –   Disabled “Certificate Server”
      –   Disabled “FrontPage 98 Server Extensions”
      –   Disabled “Internet Connection Services for RAS”
      –   Internet Information Server (IIS)
             •   Disabled “documentation”
             •   Enabled “FTP”
             •   Disabled “Internet NNTP Service”
             •   Enabled “Internet Service Manager”
             •   Disabled “Internet Service Manager (HTML)”
             •   Enabled “SMTP Service”
             •   Disabled “World Wide Web Sample Site”
             •   Enabled “World Wide Web Server”
      – Enabled “Microsoft Data Access Components 1.5” (All)


                               IIS Set up – 3/6

      – Enabled “Microsoft Index Server” (default)
             • Language Resources
                  –   French Language
                  –   UK English Language
                  –   US English Language
      –   Enabled “Microsoft Management Console”
      –   Disabled “Microsoft Message Queue”
      –   Disabled “Microsoft Script Debugger”
      –   Disabled “Microsoft Site Server Express 2.0”
      –   Enabled “NT Option Pack Common Files”
      –   “Transaction Server” (Default)
      –   Disabled “Visual Interdev RAD Remote Deployment Support”
      –   Enabled “Windows Scripting Host”
•   Select folders
      –   D:\wwwroot\application_name.hp.com\_shareweb (_fpweb if frontpage used)
      –   D:\ftproot\public
      –   C:\program files
                             IIS Set up – 4/6

•   MTS (default)
•   Index Server on D:\wwwroot\application_name.hp.com\_catalog
•   Reboot
•   Remove “Administration Web Site”
•   Delete all virtual directories
      –   IISsample
      –   IISadmin
      –   IIShelp
      –   Scripts
      –   IISadmPwd
      –   msadc
• Remove folders:
      –   D:\wwwroot\application_name.hp.com\iissample
      –   D:\wwwroot\application_name.hp.com\scripts
      –   D:\wwwroot\application_name.hp.com\_shareweb\phone book service

                                 IIS Set up – 5/6

• Install Metaedit
• Run metaedit and add
     LM/W3SVC                                          LM/MSFTPSVC

     ID:           6013 (LogonMethod)                  ID:           6013 (LogonMethod)
     attributes:   inherit                             attributes:   inherit
     user type:    file                                user type:    file
     data type:    DWORD                               data type:    DWORD
     value:        3 (for SP3 and SP5)                 value:        3
     value:        2 (for SP4, SP5 and SP6)

•   Update MDAC and ADSI (Reboot)
•   Update SP6a + Hotfix (Reboot)




                             IIS Set up – 6/6

• Open User Manager
      – Remove from “access this computer from network”
             • IUSR account
             • IWAM account
      – Add in “access this computer from network”
             • “Authenticated Users”
      – Remove from “Logon Locally”
             • IUSR account
             • IWAM account




                                      Web Set up

•   If it is a FrontPage server:
      – Install FP2K Server extensions
      – set with FP2K “browse access”
•   If it is not a FrontPage server:
      – set IUSR_ComputerName (RX)(R)
        on d:\wwwroot\application_name\_shareweb folder
•   Enabled “Basic Authentication”
      – Netscape access (to validate !)
•   Setup IP, Port, Host for each website
      – (don’t use “All unassigned”)
•   Create d:\weblog folder
      – set new virtual web Login in this folder
                 – Administrators (Full)(Full)
                 – System (Full)(Full)




                                 FTP Set up

•   NTFS rights for d:\ftproot\public:
      – administrators (full)(full)
      – system (full)(full)
      – Everyone (RWX)(R)
•   Open mmc and select all options




                                   SMTP Set up

•   NTFS rights for mailroot folder:
      – mailroot and all subfolders except
        pickup:
             • administrators (full)(full)
             • system (full)(full)


      – mailroot\pickup:
             • administrators (full)(full)
             • system (full)(full)
             • everyone (RWX)(RX)
•   Add IWAM_ServerName account in
    iis->SMTP properties as operators
      – If not, a website using the CDONTS.NewMail object in an
        isolated process returns the following error:
             • "permission denied".
      – Reference: http://msdn.microsoft.com/library/periodic/period99/asp9951.htm

                      Security within IIS
 Note: Any user who reaches an NT station through a share or the Internet must be identified by
 a login and password (local or global)


• « Hardware » :o)                         • « Software » :o(
      – NTFS                                       – Fat and NTFS




      Security within IIS – Anonymous 1/2
                             Adm+Sys           Web-adm    IUSR      Everyone
D:                            (F)(F)              -         -          -
└─wwwroot                     (F)(F)              -         -          -
   └──home.grenoble.hp.com    (F)(F)              -         -          -
       ├──_catalog            (F)(F)              -         -          -
       │ └──catalog.wci       (F)(F)              -         -          -
       ├──_fpweb              (F)(F)     (RWXD)(RWD)     (RX)(R)       -
       ├──_report             (F)(F)           (RX)(R)      -          -
       ├──_sharetools         (F)(F)            (R)(R)      -          -
       │ ├──cgi               (F)(F)     (RWXD)(RWD)        -      (RWX)(RW)
       │ ├──database          (F)(F)     (RWXD)(RWD)        -      (RWX)(RW)
       │ └──upload            (F)(F)     (RWXD)(RWD)        -      (RWX)(RWD)
       ├──_shareweb.null      (F)(F)     (RWXD)(RWD)     (RX)(R)       -
       └──_ssl2               (F)(F)     (RWXD)(RWD)        -          -


      Security within IIS – Anonymous 2/2

• Access to Data Web Server (IIS)
  To access the data via the Internet, the web server supplies an
  anonymous login/password


                    Login : IUSR_Serveur / Pass : ******
                    IUSR_Serveur (RX) (R)
                    NT’s authentication successful




    Security within IIS – Secure access 1/2
                             Adm+Sys           Web-adm   Web-Usr    Everyone
D:                            (F)(F)              -         -          -
└─wwwroot                     (F)(F)              -         -          -
   └──home.grenoble.hp.com    (F)(F)              -         -          -
       ├──_catalog            (F)(F)              -         -          -
       │ └──catalog.wci       (F)(F)              -         -          -
       ├──_fpweb              (F)(F)     (RWXD)(RWD)     (RX)(R)       -
       ├──_report             (F)(F)           (RX)(R)      -          -
       ├──_sharetools         (F)(F)            (R)(R)      -          -
       │ ├──cgi               (F)(F)     (RWXD)(RWD)        -      (RWX)(RW)
       │ ├──database          (F)(F)     (RWXD)(RWD)        -      (RWX)(RW)
       │ └──upload            (F)(F)     (RWXD)(RWD)        -      (RWX)(RWD)
       ├──_shareweb.null      (F)(F)     (RWXD)(RWD)     (RX)(R)       -
       └──_ssl2               (F)(F)     (RWXD)(RWD)        -          -


    Security within IIS – Secure access 2/2

• Basic security
  To secure a web site, remove IUSR account from drive

             Login : IUSR_Serveur / Pass : ******      NT’s authentication refused

                                                       Login_Name (RX) (R)

             Login : Login_Name / Pass : Password      NT’s authentication successful




             Security within IIS – SSL 1/2




              Security within IIS – SSL 1/2

   SSL Encryption (« https: »), diagram labels: Https://serveur_name, Public Key, Private Key, Session Key




             What are FrontPage extensions

FrontPage extensions allow:
  • use of specific components like
    –   Hit Counter
    –   Scheduled Include Page
    –   Categories
    –   Search Form
  • quick publishing of your site

  (Diagram labels: SSL Filter, FrontPage Filter)




               Using FrontPage with IIS


        FrontPage interface is required for:

    •    Web site creation
    •    Site management (child site, move folder,…)
    •    Security setting
    •    Site Publishing
    •    Site deletion

             Using FrontPage with IIS
                 - Site creation -
    • Web site creation




                Yes                       No
             Using FrontPage with IIS
               - Site management -
    • Site creation (FrontPage child site)




    • Move folder – Use drag & drop
    • Recalculate Hyperlinks
              Using FrontPage with IIS
                 - Security setting -
•   Don’t use Directory Permissions        Use FrontPage Security Permissions




              Using FrontPage with IIS
                 - Site Publishing -
•   Don’t use Share Directory              Use FrontPage publishing tool




              Using FrontPage with IIS
                  - Site deletion -
•   Don’t use NT delete Directory          Use FrontPage delete option




                 Using FrontPage with IIS
                   - Components (bis) -
  FrontPage extensions allow the use of specific components:
  • Insert menu, Component submenu
       –     Hit Counter
       –     Confirmation Field
       –     Include Page
       –     Scheduled Include Page
       –     Categories
       –     Search Form
       –     Additional Components (not used)



             Frequent TroubleShooting




             http://membres.lycos.fr/paour/easy_doc/index.html

                              TroubleShootings
                       Trouble                                     TroubleShooting
 Security access       • Access denied                             • Missing key 6013
                       • Data area passed to a system call is      • Wrong value
                         too small
 Send mail with CDO    • Access Is Denied                          Wrong NTFS right in Pickup folder

 Use of specific DLL   • Doesn’t work                              See aspupload example

 Secure Site           • Can’t test secure access …                Don’t use your NT account (log on with a test
                                                                   account).
                                                                   Add these lines:
                                                                   TYPE <%=Request.ServerVariables("AUTH_TYPE")%><br>
                                                                   PASSWORD <%=Request.ServerVariables("AUTH_PASSWORD")%><br>
                                                                   USER <%=Request.ServerVariables("AUTH_USER")%><br>




                                      Example 1
•      ASPUpload use:
      1.     Create d:\components\aspupload
                           admin (full)(full)
                           system (full)(full)
      2.     Copy aspupload.dll in « aspupload » folder
      3.     Test script : http://sopra100.sopra-hp.net/upload/default.htm
      4.     Error :
             a.  IIS 4 : Server.CreateObject Failed
                         Library not registered. (Or invalid class ID)
                 IIS 5 : Server object, ASP 0177 (0x800401F3)
                         Invalid ProgID.
                 TroubleShooting : regsvr32 D:\component\aspupload\bin\AspUpload.dll
             b.  IIS 4 : …Microsoft VBScript runtime error '800a01ad'
                         ActiveX component can't create object
                 IIS 5 : Server object, ASP 0178 (0x80070005)
                         The call to Server.CreateObject failed while checking permissions.
                         Access is denied to this object.
                 TroubleShooting : D:\component\aspupload\bin\ (RX)(RX)
                         Or AspUpload.dll (RX)
             c.  Access Denied : Server object, ASP 0178 (0x80070005)
                         The call to Server.CreateObject failed while checking permissions.
                         Access is denied to this object.
                 OR : Persits.Upload.1 (0x800A0005)
                         The system cannot find the file specified.
                 TroubleShooting : Upload folder : Everyone (RWX)(RX)

                               Example 2
•     Find a DLL when a « Library not registered » or « ActiveX component can't
      create object » error occurs.
             • Read the object name : Server.CreateObject("Persits.Upload")
             • Open regedit
             • Read the data of HKEY_CLASSES_ROOT\Persits.Upload\CLSID :
                 {B4E1B2EC-151B-11D2-926A-006008123235}
             • Search {B4E1B2EC-151B-11D2-926A-006008123235} in
               HKEY_CLASSES_ROOT\CLSID keys
             • Note the string data of
               HKEY_CLASSES_ROOT\CLSID\{…}\InprocServer32
               Example : C:\wwwroot\SOPRA100\_dll\AspUpload.dll
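
The same ProgID → CLSID → InprocServer32 walk, run against a regedit text export instead of by hand. This is an added example, not part of the original slides; the export layout (REGEDIT4 format) and the function names are assumptions, while the CLSID and DLL path are the ones shown above.

```python
import re

# Constructed regedit export; only the CLSID and the DLL path come from the slide.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\Persits.Upload\CLSID]
@="{B4E1B2EC-151B-11D2-926A-006008123235}"

[HKEY_CLASSES_ROOT\CLSID\{B4E1B2EC-151B-11D2-926A-006008123235}\InprocServer32]
@="C:\\wwwroot\\SOPRA100\\_dll\\AspUpload.dll"
"ThreadingModel"="Both"
'''

# One string value line: @="data" or "name"="data" (backslash-escaped).
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg(text):
    """Return {lower-cased key path: {value name: data}}; '' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive, so normalise them.
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            name = "" if match.group(1) == "@" else _unescape(match.group(1)[1:-1])
            current[name] = _unescape(match.group(2))
    return keys


def resolve_progid(keys, progid):
    """Follow ProgID -> CLSID -> InprocServer32; return (dll_path, diagnosis)."""
    root = "hkey_classes_root\\"
    clsid = keys.get(root + progid.lower() + "\\clsid", {}).get("")
    if not clsid:
        return None, "ProgID has no CLSID key: component not registered (regsvr32)"
    server = keys.get(root + "clsid\\" + clsid.lower() + "\\inprocserver32", {}).get("")
    if not server:
        return None, "CLSID %s has no InprocServer32 value: partial registration" % clsid
    return server, "registered; check the NTFS rights on this file and its folder"


if __name__ == "__main__":
    print(resolve_progid(parse_reg(SAMPLE_REG), "Persits.Upload"))
```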



                                 Example 3
•     Secure access
      Add these lines:
      TYPE <%=Request.ServerVariables("AUTH_TYPE")%><br>
      PASSWORD <%=Request.ServerVariables("AUTH_PASSWORD")%><br>
      USER <%=Request.ServerVariables("AUTH_USER")%><br>

      • Anonymous access :
             ..\Secure | IUSR_Computername (RX)(R)
             Output :  TYPE
                       PASSWORD
                       USER

      • Challenge/Response (remove IUSR account),
        or for IIS5 Digest (NT2000) – Integrated :
             ..\Secure | training (RX)(R)
             Output :  TYPE NTLM or Negotiate
                       PASSWORD
                       USER SOPRA-HP\training

      • Basic (remove IUSR account) :
             ..\Secure | training (RX)(R)
             Output :  TYPE Basic
                       PASSWORD trai123ning
                       USER SOPRA-HP\training
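
Why the three diagnostic lines print what the slide shows, as an added example that is not part of the original deck: with Basic the browser sends the user name and password base64-encoded in the Authorization header, so the server can display both, while challenge/response puts no reusable password in the request. The request list, the `server_name` URLs and the `nt_user` parameter are assumptions; `basic_over_http` lists the Basic logons made without SSL.

```python
import base64


def auth_variables(authorization, nt_user=""):
    """Values the three ServerVariables lines would print for one request.

    authorization: raw Authorization header ("" for an anonymous request).
    nt_user: account established by the NTLM/Negotiate handshake (assumed
             input, because that header carries no clear-text credentials).
    """
    out = {"AUTH_TYPE": "", "AUTH_USER": "", "AUTH_PASSWORD": ""}
    scheme, _, blob = authorization.strip().partition(" ")
    if not scheme:
        return out                      # anonymous: all three stay blank
    out["AUTH_TYPE"] = scheme
    if scheme.lower() == "basic":
        try:
            text = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
        except ValueError:
            return out                  # malformed header: nothing to report
        out["AUTH_USER"], _, out["AUTH_PASSWORD"] = text.partition(":")
    else:
        out["AUTH_USER"] = nt_user      # challenge/response: password never sent
    return out


def basic_over_http(requests):
    """Return (user, url) for every Basic logon that was not sent over SSL."""
    hits = []
    for url, authorization in requests:
        values = auth_variables(authorization)
        is_basic = values["AUTH_TYPE"].lower() == "basic"
        if is_basic and not url.lower().startswith("https://"):
            hits.append((values["AUTH_USER"], url))
    return hits


# Constructed sample requests; the account and password are the slide's example values.
BASIC_HEADER = "Basic " + base64.b64encode(b"SOPRA-HP\\training:trai123ning").decode("ascii")
SAMPLE_REQUESTS = [
    ("http://server_name/secure/test.asp", ""),
    ("http://server_name/secure/test.asp", BASIC_HEADER),
    ("https://server_name/secure/test.asp", BASIC_HEADER),
    ("http://server_name/secure/test.asp", "NTLM TlRMTVNTUAAB"),
]

if __name__ == "__main__":
    for url, header in SAMPLE_REQUESTS:
        print(url, auth_variables(header, nt_user="SOPRA-HP\\training"))
    print("Basic without SSL:", basic_over_http(SAMPLE_REQUESTS))
```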


                                     Example 4
•      Secure access


    •Challenge/Response (remove IUSR account):
         ..\Secure | training (RX)(R)


                                   Access Denied !!!

       Set the secure folder as an IIS Application

              OR

       Remove global.asa

              OR

       Allow Everyone (RX)(R) on global.asa folder




				