Altiris Notification Server
Integrating IIS LockDown and URLScan with Notification Server
Last update: 01/20/04
This document discusses the requirements for integrating Notification Server (NS) with the Microsoft IIS Lockdown utility and URLScan. It is not an exhaustive document: it provides a baseline for core Notification Server functionality on a hardened IIS. Installing additional Notification Server point solutions may require that some of the IIS security settings be relaxed.
The core Notification Server features require that the Web service (HTTP) be enabled and that Active Server Pages (.asp) be supported.
Installing IIS Lockdown
When the IIS Lockdown utility is launched, you are prompted to select the "Server Template" that best matches the server's role. "Dynamic Web server (ASP enabled)" best describes the role of the Notification Server.
If some other template is selected, the set of services and script maps that will be modified differs and may require additional tweaking afterwards.
The Internet services that are associated with the Dynamic Web server template are:
Web service (HTTP) - must be enabled to respond to Web client requests.
File Transfer service (FTP) - necessary only if using FTP to transfer NSEs from the clients to the NS server and for the installation of the NS 5.5 Unix Agent.
E-mail service (SMTP) - if the NS server is also to be an SMTP server, then this option must be enabled.
News service (NNTP) - not used by NS.
Web service (HTTP) is the only service required for basic NS functions; leave the others disabled unless one of the cases above applies.
The IIS Lockdown utility provides the ability to disable these script maps:
Active Server Pages (.asp) - NS requires the use of Active Server Pages.
Index Server Web Interface (.idq, .htw, .ida)
Server side includes (.shtml, .shtm, .stm)
Internet Data Connector (.idc)
.HTR scripting (.htr)
Internet printing (.printer)
Active Server Pages (.asp) is the only entry that must NOT be disabled. Every other script map can be removed; each one routes a request extension to a DLL that NS never uses.
The Internet Information Services Lockdown Wizard allows for these additional security settings:
Remove IIS Samples virtual directory
Remove MSADC virtual directory
Remove IISHelp virtual directory
Remove Scripts virtual directory
Remove IISAdmin virtual directory
Set file permissions to prevent anonymous IIS users from running system utilities
Set file permissions to prevent anonymous IIS users from writing to content directories
Disable Web Distributed Authoring and Versioning (WebDAV)
NS does not need any of the virtual directories or capabilities these settings remove, so all of them can be selected.
Installing URLScan
The Internet Information Services Lockdown Wizard can install the Microsoft URLScan utility for you, or it can be installed manually.
When URLScan installs it creates a WINNT\SYSTEM32\INETSRV\URLSCAN\URLSCAN.INI file. This file can be tuned to meet specific needs. Installing URLScan as part of the IIS Lockdown wizard with the Dynamic Web server (ASP enabled) template configures URLSCAN.INI with the following settings.
[options]
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0 ; if 1, allow dots that are not file extensions
RemoveServerHeader=0 ; if 1, remove "Server" header from response
EnableLogging=1 ; if 1, log UrlScan activity
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0 ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1 ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0 ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=
LogLongUrls=0 ; If 1, then up to 128K per request can be logged.
; If 0, then only 1k is allowed.
;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (ie. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;
LoggingDirectory=
[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST
[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:
Transfer-Encoding:
[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif
;.idq
;.htw
;.ida
;.idc
;.shtm
;.shtml
;.stm
;.htr
;.printer
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Deny executables that could run on the server
.exe
.bat
.cmd
.com
; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
;.asp
;.cer
;.cdx
;.asa
[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
[RequestLimits]
;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0'). Also, any headers not listed
; in this section will not be checked for length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
; not including the query string. The default is 260 (which
; is equivalent to MAX_PATH).
;
; - MaxQueryString specifies the maximum length of the query
; string. The default is 4096.
;
MaxAllowedContentLength=30000000
MaxUrl=16384
MaxQueryString=4096
These settings do not appear to affect core NS functionality. Software Delivery will be affected, however, if the Notification Server needs to map HTTP virtual directories to package source directories that contain files with the denied extensions (.exe, .bat, .cmd, .com and the rest of [DenyExtensions]). It may be more effective to set UseAllowExtensions to 1 and move any undesirable extensions out of the [AllowExtensions] section into the [DenyExtensions] section. An allow list is also the safer posture: anything not listed is rejected, including extensions nobody thought to deny.
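The following is an added example in Python, not code from Microsoft, URLScan or Altiris. It models how an INI like the one above is applied to a request: the verb allow list, the [DenyHeaders] WebDAV headers, normalization with the second-pass check that catches double encoding, the [DenyUrlSequences] patterns, the [RequestLimits] ceilings and the extension allow list. The constructed INI inside it uses UseAllowExtensions=1 as suggested above and adds .vbe, .jse and .cab from the NS requirements; the request URLs are made up, the "." entry for extensionless requests follows URLScan's documented convention, and rule ordering and string-level decoding only approximate the real ISAPI filter, which works on raw bytes inside IIS.

```python
"""Model of URLScan request filtering driven by a URLSCAN.INI. Added example that
approximates the real ISAPI filter; the constructed INI below is the page's
Dynamic Web server default switched to UseAllowExtensions=1 plus NS additions."""
from urllib.parse import unquote

URLSCAN_INI = r"""[Options]
UseAllowVerbs=1
UseAllowExtensions=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
[AllowVerbs]
GET
HEAD
POST
[DenyHeaders]
Translate:
If:
[AllowExtensions]
.asp   ; NS console pages
.vbe   ; added for NS
.jse   ; added for NS
.cab   ; added for NS
.      ; URLScan's entry for requests with no extension (default document)
[DenyUrlSequences]
..     ; directory traversal
\      ; backslashes
:      ; alternate data streams
%      ; escaping that survives normalization
[RequestLimits]
MaxAllowedContentLength=30000000
MaxUrl=2048
MaxQueryString=2048
"""


def parse_ini(text):
    """Return {section: [entries]} with ';' comments and blank lines stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        else:
            sections.setdefault(current, []).append(line)
    return sections


def keyvals(ini, section):
    """'Key=Value' entries of a section as a lowercase-keyed dict."""
    pairs = (e.partition("=") for e in ini.get(section, []))
    return {k.strip().lower(): v.strip() for k, _, v in pairs}


def scan(ini, verb, raw_url, headers=None):
    """Return (allowed, reason); reason is '' when the request passes."""
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    opt, lim = keyvals(ini, "options"), keyvals(ini, "requestlimits")
    on = lambda key, default: opt.get(key, default) == "1"
    listed = lambda section: {e.lower() for e in ini.get(section, [])}
    # Verb: allow list when UseAllowVerbs=1, otherwise the deny list.
    if on("useallowverbs", "1"):
        if verb.lower() not in listed("allowverbs"):
            return False, f"verb {verb} not in [AllowVerbs]"
    elif verb.lower() in listed("denyverbs"):
        return False, f"verb {verb} in [DenyVerbs]"
    # Headers: WebDAV-steering headers and the Content-Length ceiling.
    for name in ini.get("denyheaders", []):
        if name.rstrip(":").lower() in hdrs:
            return False, f"header {name} in [DenyHeaders]"
    if int(hdrs.get("content-length", 0)) > int(lim.get("maxallowedcontentlength", 30000000)):
        return False, "Content-Length exceeds MaxAllowedContentLength"
    # URL: decode once, prove a second decode is a no-op, then pattern-match.
    path, _, query = raw_url.partition("?")
    if on("normalizeurlbeforescan", "1"):
        once = unquote(path)
        if on("verifynormalization", "1") and unquote(once) != once:
            return False, "URL changes on second normalization (double encoding)"
        path = once
    if len(path) > int(lim.get("maxurl", 260)):
        return False, "URL longer than MaxUrl"
    if len(query) > int(lim.get("maxquerystring", 4096)):
        return False, "query string longer than MaxQueryString"
    for seq in ini.get("denyurlsequences", []):
        if seq in path:
            return False, f"URL contains denied sequence {seq!r}"
    # Extension of the leaf name; '.' stands for "no extension".
    leaf = path.rsplit("/", 1)[-1]
    ext = leaf[leaf.rfind("."):].lower() if "." in leaf else "."
    if on("useallowextensions", "0"):
        if ext not in listed("allowextensions"):
            return False, f"extension {ext} not in [AllowExtensions]"
    elif ext in listed("denyextensions"):
        return False, f"extension {ext} in [DenyExtensions]"
    return True, ""


INI = parse_ini(URLSCAN_INI)
```

Running scan(INI, ...) against a few requests shows the two sides of the allow list: /AeXNS/Postevent.asp and /AeXNS/file.cab pass, /AeXNS/report.aspx is rejected until .aspx is added, and /scripts/..%255c../winnt/system32/cmd.exe is stopped by VerifyNormalization before the ".." and "%" sequences are even consulted.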
If UseAllowExtensions is set to 1, the following extensions must be added to [AllowExtensions] to allow for core NS functionality:
.vbe - used in the creation of the various web pages within the console. Data is pulled from the SQL database to create dynamic web pages.
.jse - used in the creation of the various web pages within the console, in the same way as .vbe.
.aspx
.xsl
.bmp
.xml
.exe - only needed to install the NS client on the server itself or to push the client to remote machines.
.lpk
.css
.cab - needed for the loading of cab files during the initial load of the web console and the installation of additional solutions through the Solution Center. Remote Administrator Consoles and Web Reports will also install cab files during the initial opening of the console.
.ico
If other NS processes fail to function, refer to the WINNT\SYSTEM32\INETSRV\URLSCAN\URLSCAN.LOG file (URLSCAN.<date>.log when PerDayLogging=1). It records which requests were rejected because their extensions are not specifically allowed. Add only the extensions requested under the NS virtual directories; rejected requests for other paths are usually probes and are exactly what URLScan is there to stop. The World Wide Web Publishing Service must be restarted for changes to URLSCAN.INI to take effect.
MaxUrl=16384 - settings were tested at 2048 without any issues with core functionality.
MaxQueryString=4096 - settings were tested at 2048 without any issues with core functionality.
(Refer to TechNet for specifics on the URLScan.ini file.)
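Added example in Python (not Microsoft or Altiris code) of reading the URLScan log the way the paragraph above recommends: it tallies the extensions rejected as "not specifically allowed" for requests under the NS virtual directory, keeps probes against other paths out of that list, and renders candidate [AllowExtensions] lines for review. The log excerpt is constructed to follow the URLScan 2.5 entry layout (timestamp, client address, reason, Site Instance, Raw URL); the addresses, times and file names in it are made up, and on a real server the input is the URLSCAN.<date>.log file named above.

```python
"""Tally URLScan rejections to find extensions NS still needs in
[AllowExtensions]. Added example, not Microsoft or Altiris code; the log
excerpt is constructed in the URLScan 2.5 entry layout with made-up values."""
import re
from collections import Counter

SAMPLE_LOG = """\
[01-20-2004 - 09:01:10] Client at 10.0.0.21: URL contains extension '.vbe', which is not specifically allowed.  Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/ConsoleMenu.vbe'
[01-20-2004 - 09:01:11] Client at 10.0.0.21: URL contains extension '.cab', which is not specifically allowed.  Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/Console/Tree.cab'
[01-20-2004 - 09:01:12] Client at 10.0.0.21: URL contains extension '.vbe', which is not specifically allowed.  Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/ConsoleTree.vbe'
[01-20-2004 - 09:02:03] Client at 192.0.2.77: URL contains sequence '..', which is disallowed.  Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/../../winnt/win.ini'
[01-20-2004 - 09:02:04] Client at 192.0.2.77: Sent verb 'PROPFIND', which is not specifically allowed.  Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/'
[01-20-2004 - 09:05:40] Client at 10.0.0.35: URL contains extension '.xml', which is not specifically allowed.  Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/Reports/summary.xml'
[01-20-2004 - 09:06:00] Client at 192.0.2.77: URL contains extension '.exe', which is not specifically allowed.  Request will be rejected.  Site Instance='1', Raw URL='/scripts/cmd.exe'
"""

# One entry: [timestamp] Client at <addr>: <reason>  Request will be rejected.  ... Raw URL='<url>'
ENTRY = re.compile(
    r"^\[(?P<time>[^\]]+)\] Client at (?P<client>[^:]+): (?P<reason>.+?)"
    r"\s+Request will be rejected\.(?:.*?Raw URL='(?P<url>[^']*)')?"
)
NOT_ALLOWED_EXT = re.compile(r"extension '(\.[^']*)', which is not specifically allowed")


def parse_log(text):
    """One dict (time, client, reason, url) per rejection line; other lines skipped."""
    return [m.groupdict() for m in map(ENTRY.match, text.splitlines()) if m]


def missing_extensions(text, prefixes=("/AeXNS/",)):
    """Count allow-list misses for URLs under the NS virtual directory only.
    Misses elsewhere (e.g. /scripts/cmd.exe) are almost always probes and must
    not be turned into [AllowExtensions] lines."""
    wanted = tuple(p.lower() for p in prefixes)
    counts = Counter()
    for e in parse_log(text):
        m = NOT_ALLOWED_EXT.search(e["reason"])
        if m and (e["url"] or "").lower().startswith(wanted):
            counts[m.group(1).lower()] += 1
    return counts


def other_rejections(text):
    """Everything that is not an allow-list miss: traversal attempts, denied
    verbs, header tricks. These are what URLScan is there to stop; review
    them, do not 'fix' them in the INI."""
    return Counter(e["reason"] for e in parse_log(text)
                   if not NOT_ALLOWED_EXT.search(e["reason"]))


def ini_additions(counts):
    """Render candidate [AllowExtensions] lines for review, most-rejected first."""
    return "\n".join(f"{ext:8}; {n} rejected NS request(s)"
                     for ext, n in counts.most_common())
```

On the sample, missing_extensions reports .vbe, .cab and .xml (all requested under /AeXNS/) and leaves out the .exe probe against /scripts/, which only shows up if the prefix filter is widened to "/"; the traversal and PROPFIND entries land in other_rejections.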
When the Internet Information Services Lockdown wizard runs, modifications are written to the C:\WINNT\System32\inetsrv\Obit-log.log file and to the screen:
Created local group: Web Anonymous Users
Added user 'IUSR_<server>' to local group 'Web Anonymous Users'
Created local group: Web Applications
Added user 'IWAM_<server>' to local group 'Web Applications'
Changes service smtpsvc startup type from Automatic to Disabled
Changes service msftpsvc startup type from Automatic to Disabled
Changes service nntpsvc startup type from Automatic to Disabled
Backed up metabase
Locked httpext.dll
Locked idq.dll
Disabled internet printing
Installed URLSCAN
Removed script map: .htw, C:\WINNT\SYSTEM32\webhits.dll
Removed script map: .ida, C:\WINNT\SYSTEM32\idq.dll
Removed script map: .idq, C:\WINNT\SYSTEM32\idq.dll
Removed script map: .idc, C:\WINNT\SYSTEM32\inetsrv\httpodbc.dll
Removed script map: .shtm, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .shtml, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .stm, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .printer, C:\WINNT\SYSTEM32\msw3prt.dll
Installed 404.dll to system32\inetsrv
Removed printer virtual dir (/LM/W3SVC/1/ROOT/Printers)
Removed samples virtual dir (/LM/W3SVC/1/ROOT/IISSamples)
Removed MSADC virtual dir (/LM/W3SVC/1/ROOT/MSADC)
Removed scripts virtual dir (/LM/W3SVC/1/ROOT/Scripts)
Removed IISAdmin virtual dir (/LM/W3SVC/1/ROOT/IISADMIN)
Removed IISAdmin web site (/LM/W3SVC/2)
Removed IISHelp virtual dir (/LM/W3SVC/1/ROOT/IISHelp)
Set Deny ALL ACE for anonymous web users on system utilities under C:\WINNT
Set Deny write ACE for anonymous web users under C:\inetpub\wwwroot
Set Deny write ACE for anonymous web users under C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
Set Deny write ACE for anonymous web users under C:\Program Files\Common Files\Phone Book Service\Bin
Set Deny write ACE for anonymous web users under C:\Program Files\Common Files\Phone Book Service\Data
Lockdown finished.
Details have been written to the log that is used for undoing the changes (Obit-log.log).
Registry and File Changes made to the System
The following items list the changes that are made to the registry and file system as a result of the IIS Lockdown tool and the URLScan utility. A service Start value of 4 means Disabled.
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers DWORD = DisableWebPrinting Value = 1
HKLM\SYSTEM\CurrentControlSet\Services\MSFTPSVC DWORD = Start Value = 4
HKLM\SYSTEM\CurrentControlSet\Services\NntpSvc DWORD = Start Value = 4
HKLM\SYSTEM\CurrentControlSet\Services\SMTPSVC DWORD = Start Value = 4
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots String = /IISADMIN Value = $Windows$\System32\inetsrv\iisadmin_201 - REMOVED
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots String = /IISHelp Value = $Windows$\help\iishelp_201 - REMOVED
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots String = /IISSamples Value = $System Drive$\inetpub\iissamples_201 - REMOVED
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots String = /MSADC Value = $Program Files$\common files\system\msadc_205 - REMOVED
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots String = /Printer Value = $Windows$\web\printers_201 - REMOVED
HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots String = /Scripts Value = $System Drive$\inetpub\scripts_204 - REMOVED
C:\Inetpub\nntpfile has the following files modified/added to it:
Article.hdr
Group.lst.ord
Groupvar.lst
Groupvar.lst.bak
History.hdr
Xover.hdr
C:\WINNT\System32\ has the following files modified/added to it:
ADVAPI32.dll
COMCTL32.DLL
GDI32.DLL
KERNEL32.DLL
Msvcrt.dll
NTDLL.DLL
Ole32.dll
RPCRT4.DLL
SHELL32.dll
SHLWAPI.DLL
USER32.dll
(These are core system DLLs that the lockdown tool loads rather than replaces; if a file-change monitor flags them, confirm by signature check (sigverif) or hash comparison before treating them as modified.)
C:\WINNT\System32\inetsrv has the following files modified/added to it:
404.dll
Metabase.bin
Obit-log.log
Obit-rep.log
C:\WINNT\System32\inetsrv\MetaBase has the following files modified/added to it:
Obit-mb.MD0
Obit-once.MD0
C:\WINNT\System32\inetsrv\urlscan has the following files modified/added to it:
Urlscan.<date>.log
Urlscan.dll
Urlscan.inf
Urlscan.ini
Urlscanr.dll
Other Security Settings
For the NS client to be able to communicate with the server, the client must have rights to read and execute from the AeXNS virtual directory (anonymous access to this directory is left on by default). If anonymous access is removed, then every user or machine account that the clients run under must be granted rights to the Notification Server directory.
The Anonymous Access account must have full control of the following directories; keep this grant limited to these three:
<install path>\Altiris\eXpress\Notification Server\NSCap\EvtInbox
<install path>\Altiris\eXpress\Notification Server\NSCap\EvtQFast
<install path>\Altiris\eXpress\Notification Server\NSCap\EvtQueue
In addition, read and execute permissions must always be permitted for the Anonymous Access account on the Postevent.asp, GetClientPolicies.asp and CreateResource.asp files.
(Refer to the Network Security white paper for full details on NS permissions.)
Under the Default Web Site properties the TCP Port should be 80 and the IP Address should be (All Unassigned).
In order to access the remote web console the user must have rights to the 'Notification Server\Admin' directory.
In order to access the web reports page the user must have rights to the 'Notification Server\Reports' directory.
Under IE security settings, the following need to be enabled for the console:
Download signed ActiveX controls (can be set to prompt)
Run ActiveX controls and plug-ins
Script ActiveX controls marked safe for scripting
Active scripting
The AspEnableParentPaths IIS metabase property should be set to True. (This is True by default on IIS 5; on IIS 6.0 the default is False, so check it after installing on Windows Server 2003.)
Relocating the wwwroot, mailroot and the IIS admin scripts should not impact the Altiris Notification Server. wwwroot is simply a default location for web content; IIS will allow you to keep web content wherever you want through the use of virtual directories. The virtual directory employed by the Notification Server is the %Program Files%\altiris\eXpress\Notification Server path.
When NS is installed on a Windows Server 2003 server, the default IIS settings prevent NS pages from being accessed: IIS 6.0 is installed in locked-down mode, and the AeXNS virtual directory has its settings configured so that files with dynamic content cannot be served.
When NS is installed it will now enable the ASP and Server Side Includes web service extensions. Review the Web Service Extensions list afterwards so you know exactly what was enabled.
Additionally, it sets the MIME mapping of the AeXNS virtual directory so that IIS will allow any file to be downloaded from the NS; namely the following wildcard mapping is added: application/octet-stream. This mapping belongs on the AeXNS virtual directory only, not on the web site as a whole.
The "Enable Parent Paths" option found in IIS Manager (AeXNS properties, Virtual Directory tab, Configuration button, App Options tab) is set for the AeXNS and Reports virtual directories. This setting is enabled by default. If it is disabled, the running of reports will fail with an HTTP 500 Internal Server Error, "The page cannot be displayed".
As a rule of thumb, these customizations should be made to the server before installing the Notification Server software.