Integrating IIS LockDown and URLScan with Notification Server

snortfearServers

Dec 4, 2013

Integrating IIS Lockdown and URL Scan with NS

Altiris Notification Server

Integrating IIS LockDown and URLScan with Notification Server

Last update: 01/20/04







This document discusses the requirements for integrating Notification Server with the Microsoft IIS Lockdown Utility and URLScan. It is NOT an all-inclusive document. It provides a baseline for core Notification Server functionality with IIS security. The installation of additional Notification Server point solutions may require that some of the IIS security settings be relaxed.


The core Notification Server features require that the Web Service (HTTP) be enabled and that Active Server Pages (.asp) be supported.


Installing IIS Lockdown


When the IIS Lockdown utility is launched, you are prompted to select the "Server Template" that best matches the server's role. Dynamic Web server (ASP enabled) best describes the role of the Notification Server.




If some other template is selected, then the services that will be modified will differ and may
require additional tweaking.




The Internet Services that are associated with the Dynamic Web server template are:

Web service (HTTP) - must be enabled to respond to Web client requests.

File Transfer service (FTP) - necessary if using FTP to transfer NSEs from the clients to the NS Server and for the installation of the NS 5.5 Unix Agent.

E-mail service (SMTP) - if the NS Server is also to be an SMTP server, then this option must be enabled.

News service (NNTP) - not used by NS.

Web Service (HTTP) is the only service required for basic NS functions.



The IIS Lockdown utility provides the ability to disable these Script Maps:

Active Server Pages (.asp) - NS requires the use of Active Server Pages.

Index Server Web Interface (.idq, .htw, .ida)

Server side includes (.shtml, .shtm, .stm)

Internet Data Connector (.idc)

.HTR scripting (.htr)

Internet printing (.printer)

Active Server Pages (.asp) is the only entry that must NOT be disabled.




The Internet Information Services Lockdown Wizard allows for these additional security settings:

Remove IIS Samples virtual directory
Remove MSADC virtual directory
Remove IISHelp virtual directory
Remove Scripts virtual directory
Remove IISAdmin virtual directory
Set file permissions to prevent anonymous IIS users from running system utilities
Set file permissions to prevent anonymous IIS users from writing to content directories
Disable Web Distributed Authoring and Versioning (WebDAV)

NS doesn't require any of these settings to be enabled.



Installing URLScan


The Internet Information Services Lockdown Wizard provides the capability of installing the Microsoft URLScan utility, or it can be installed manually.

When URLScan installs, it creates a WINNT\SYSTEM32\INETSRV\URLSCAN\URLSCAN.INI file. This file can be tuned to meet specific needs. Installing the URLScan utility as part of the IIS Lockdown wizard with the Dynamic Web server (ASP enabled) template configures the URLSCAN.INI file with these settings:


[options]

UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1 ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0 ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0 ; if 1, allow dots that are not file extensions
RemoveServerHeader=0 ; if 1, remove "Server" header from response
EnableLogging=1 ; if 1, log UrlScan activity
PerProcessLogging=0 ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0 ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1 ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl= ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0 ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

LogLongUrls=0 ; If 1, then up to 128K per request can be logged.
; If 0, then only 1k is allowed.

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (ie. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;
LoggingDirectory=

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;

PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]

;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;

Translate:
If:
Lock-Token:
Transfer-Encoding:

[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.cer
.cdx
.asa
.htm
.html
.txt
.jpg
.jpeg
.gif

;.idq
;.htw
;.ida
;.idc
;.shtm
;.shtml
;.stm
;.htr
;.printer

[DenyExtensions]

;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;

; Deny executables that could run on the server
.exe
.bat
.cmd
.com

; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files

;.asp
;.cer
;.cdx
;.asa

[DenyUrlSequences]

.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request

[RequestLimits]

;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0'). Also, any headers not listed
; in this section will not be checked for length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
; not including the query string. The default is 260 (which
; is equivalent to MAX_PATH).
;
; - MaxQueryString specifies the maximum length of the query
; string. The default is 4096.
;

MaxAllowedContentLength=30000000
MaxUrl=16384
MaxQueryString=4096


These settings don't appear to affect core NS functionality. Software Delivery will be affected, however, if the Notification Server needs to map HTTP virtual directories to package source directories that contain files with these denied extensions. It may be more effective to set UseAllowExtensions to 1 and move any undesirable extensions from the [AllowExtensions] section into the [DenyExtensions] section.



If UseAllowExtensions is set to 1, the following extensions must be added to allow for core NS functionality:

.vbe - used in the creation of the various web pages within the console. Data is pulled from a SQL database to create dynamic web pages.
.jse - used in the creation of the various web pages within the console. Data is pulled from a SQL database to create dynamic web pages.
.aspx
.xsl
.bmp
.xml
.exe - only needed to install the NS client to the server or to push the client to remote machines.
.lpk
.css
.cab - needed for the loading of cab files during the initial load of the web console and the installing of additional solutions through the Solution Center. Remote Administrator Consoles and Web Reports will also install cab files during the initial opening of the console.
.ico

If other NS processes fail to function, refer to the WINNT\SYSTEM32\INETSRV\URLSCAN\URLSCAN.LOG file. It will describe which files have failed because their extensions are not specifically allowed.


MaxUrl=16384 - settings were tested at 2048 without any issues with core functionality.

MaxQueryString=4096 - settings were tested at 2048 without any issues with core functionality.



These extensions can then be added to the list. The World Wide Web Publishing service must be restarted for the changes to take effect.


(Refer to Technet for specifics on the URLScan.ini file)
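To see how the URLSCAN.INI settings above decide whether a request is served, and which of the extensions listed for core NS functionality are still missing before UseAllowExtensions is switched to 1, here is an added Python model. It is example code written for this page, not Altiris or Microsoft code: the INI text is a constructed, shortened copy of the settings shown above, the request URLs are constructed sample paths under the AeXNS virtual directory, and the rule that denied sequences are matched against the path rather than the query string is an assumption of the model.

```python
"""
URLScan policy model: parse a URLSCAN.INI, decide whether a request would be
rejected, and list which of the extensions this document says NS needs are
missing from [AllowExtensions]. Added example, not Altiris or Microsoft code.
"""

# Constructed sample: a trimmed URLSCAN.INI with the document's defaults.
SAMPLE_INI = """
[options]
UseAllowVerbs=1 ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
PROPFIND
[AllowExtensions]
.asp
.htm
.html
.gif
[DenyExtensions]
.exe ; Deny executables that could run on the server
.ini ; Configuration files
.log
[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
[RequestLimits]
MaxUrl=16384
MaxQueryString=4096
"""

# Extensions the document lists as required once UseAllowExtensions=1.
NS_REQUIRED = [".vbe", ".jse", ".aspx", ".xsl", ".bmp", ".xml",
               ".exe", ".lpk", ".css", ".cab", ".ico"]


def parse_urlscan_ini(text: str) -> dict[str, list[str]]:
    """Return {section (lower-case): [entries]} with ';' comments stripped."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def option(cfg: dict[str, list[str]], section: str, key: str, default: str) -> str:
    """Case-insensitive key=value lookup inside one section."""
    for entry in cfg.get(section.lower(), []):
        k, sep, v = entry.partition("=")
        if sep and k.strip().lower() == key.lower():
            return v.strip()
    return default


def evaluate_request(cfg: dict[str, list[str]], verb: str, url: str) -> tuple[bool, str]:
    """Apply the verb, URL-sequence, extension and length rules; return (allowed, reason)."""
    path, _, query = url.partition("?")
    listed = lambda name: {e.lower() for e in cfg.get(name, [])}
    if option(cfg, "options", "UseAllowVerbs", "1") == "1":
        if verb.lower() not in listed("allowverbs"):
            return False, f"verb {verb} not in [AllowVerbs]"
    elif verb.lower() in listed("denyverbs"):
        return False, f"verb {verb} in [DenyVerbs]"
    # Assumption: denied sequences are matched against the path only; matching
    # the query string as well would reject every '&'-separated query.
    for seq in cfg.get("denyurlsequences", []):
        if seq in path:
            return False, f"path contains denied sequence {seq!r}"
    last = path.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[1]).lower() if "." in last else ""
    if ext:  # URLs without an extension are outside this model
        if option(cfg, "options", "UseAllowExtensions", "0") == "1":
            if ext not in listed("allowextensions"):
                return False, f"extension {ext} not in [AllowExtensions]"
        elif ext in listed("denyextensions"):
            return False, f"extension {ext} in [DenyExtensions]"
    if len(path) > int(option(cfg, "requestlimits", "MaxUrl", "260")):
        return False, "URL longer than MaxUrl"
    if len(query) > int(option(cfg, "requestlimits", "MaxQueryString", "4096")):
        return False, "query string longer than MaxQueryString"
    return True, "allowed"


def missing_allow_extensions(cfg: dict[str, list[str]], required=NS_REQUIRED) -> list[str]:
    """Required extensions absent from [AllowExtensions]; add these before UseAllowExtensions=1."""
    allowed = {e.lower() for e in cfg.get("allowextensions", [])}
    return [e for e in required if e.lower() not in allowed]


if __name__ == "__main__":
    deny_mode = parse_urlscan_ini(SAMPLE_INI)
    allow_mode = parse_urlscan_ini(SAMPLE_INI.replace("UseAllowExtensions=0", "UseAllowExtensions=1"))
    for verb, url in [("GET", "/AeXNS/Postevent.asp"), ("GET", "/AeXNS/policy.xml"),
                      ("GET", "/AeXNS/agent.exe"), ("PROPFIND", "/AeXNS/"), ("GET", "/AeXNS/../x.asp")]:
        print(f"{verb:8} {url:20} deny-mode: {evaluate_request(deny_mode, verb, url)[1]:40}"
              f"allow-mode: {evaluate_request(allow_mode, verb, url)[1]}")
    print("add before UseAllowExtensions=1:", missing_allow_extensions(allow_mode))
```

Running it side by side shows the trade-off the paragraph above describes: in deny mode (the wizard's default, UseAllowExtensions=0) a .xml request under AeXNS is served because .xml is not in [DenyExtensions], while a .exe request is rejected; in allow mode the same .xml request is rejected until .xml is added to [AllowExtensions], which is exactly the kind of failure the URLSCAN.LOG file reports. WebDAV verbs and traversal sequences are rejected in both modes.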


When the Internet Information Services Lockdown wizard runs, modifications are written to the C:\WINNT\System32\Obit-log.log file and to the screen:


Created local group: Web Anonymous users
Added User 'IUSER_<server>' to local group 'Web Anonymous Users'
Created local group: Web Applications
Added user 'IWAM_<server>' to local group 'Web Applications'
Changes service smtpsvc startup type from Automatic to Disabled
Changes service msftpsvc startup type from Automatic to Disabled.
Changes service nntpsvc startup type from Automatic to Disabled.
Backed up metabase
Locked httpext.dll
Locked idq.dll
Disabled internet printing
Installed URLSCAN
Removed script map: .htw, C:\WINNT\SYSTEM32\webhits.dll
Removed script map: .ida, C:\WINNT\SYSTEM32\idq.dll
Removed script map: .idq, C:\WINNT\SYSTEM32\idq.dll
Removed script map: .idc, C:\WINNT\SYSTEM32\inetsrv\httpodbc.dll
Removed script map: .shtm, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .shtml, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .stm, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .printer, C:\WINNT\SYSTEM32\msw3prt.dll
Installed 404.dll to system32\inetsrv
Removed printer virtual dir (/LM/W3SVC/1/ROOT/Printers)
Removed samples (/LM/W3SVC/1/ROOT/IISamples)
Removed MSADC virtual dir (/LM/W3SVC/1/ROOT/MSADC)
Removed scripts virtual dir (/LM/W3SVC/1/ROOT/Scripts)
Removed IISAdmin virtual dir (/LM/W3SVC/1/ROOT/IISADMIN)
Removed IISAdmin web site (/LM/W3SVC/2)
Removed IISAdmin virtual dir (/LM/W3SVC/1/ROOT/IISHelp)
Set Deny ALL ACE for anonymous web users on system utilities under C:\WINNT
Set Deny write ACE for anonymous web users under c:\inetpub\wwwroot
Set Deny write ACE for anonymous web users under C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions
Set Deny write ACE for anonymous web users under C:\Program Files\Common Files\Phone Book Service\Bin
Set Deny write ACE for anonymous web users under C:\Program Files\Common Files\Phone Book Service\Data
Lockdown finished.

Details have been written to the log that is used for undoing the changes (obit-log.log).
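The screen output above is also the record an administrator has for verifying that the wizard did what the Dynamic Web server template is supposed to do. The following parser is added example code (not Altiris or Microsoft code): it groups the wizard's lines into script maps removed, services disabled, virtual directories removed and deny ACEs set, and then checks the result against this document's own requirements, namely that the .htw, .ida, .idq, .idc, .shtm, .shtml, .stm and .printer maps are removed while the .asp map and the Web service survive. The log text is a constructed copy of the lines quoted above; the line patterns are derived from those lines only and may not cover output from other templates.

```python
"""
Parser and sanity check for the IIS Lockdown wizard's Obit-log.log / screen
output. Added example, not Altiris or Microsoft code: the log below is a
constructed copy of the lines this document quotes, and the expectations
come from the document's own lists of script maps and required services.
"""
import re
from typing import Any

# Constructed sample, copied from the screen output quoted in this document.
SAMPLE_LOG = r"""Created local group: Web Anonymous users
Added User 'IUSER_<server>' to local group 'Web Anonymous Users'
Created local group: Web Applications
Changes service smtpsvc startup type from Automatic to Disabled
Changes service msftpsvc startup type from Automatic to Disabled.
Changes service nntpsvc startup type from Automatic to Disabled.
Backed up metabase
Locked httpext.dll
Locked idq.dll
Disabled internet printing
Installed URLSCAN
Removed script map: .htw, C:\WINNT\SYSTEM32\webhits.dll
Removed script map: .ida, C:\WINNT\SYSTEM32\idq.dll
Removed script map: .idq, C:\WINNT\SYSTEM32\idq.dll
Removed script map: .idc, C:\WINNT\SYSTEM32\inetsrv\httpodbc.dll
Removed script map: .shtm, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .shtml, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .stm, C:\WINNT\SYSTEM32\inetsrv\ssinc.dll
Removed script map: .printer, C:\WINNT\SYSTEM32\msw3prt.dll
Removed printer virtual dir (/LM/W3SVC/1/ROOT/Printers)
Removed samples (/LM/W3SVC/1/ROOT/IISamples)
Removed MSADC virtual dir (/LM/W3SVC/1/ROOT/MSADC)
Removed IISAdmin web site (/LM/W3SVC/2)
Set Deny ALL ACE for anonymous web users on system utilities under C:\WINNT
Set Deny write ACE for anonymous web users under c:\inetpub\wwwroot
Lockdown finished.
"""

# Script maps the document says the Dynamic Web server template removes,
# and the one it says must never be removed.
EXPECTED_REMOVED = {".htw", ".ida", ".idq", ".idc", ".shtm", ".shtml", ".stm", ".printer"}
MUST_KEEP = {".asp"}

_SCRIPT_MAP = re.compile(r"^Removed script map: (\.\w+), (.+)$")
_SERVICE = re.compile(r"^Changes service (\S+) startup type from \w+ to (\w+)\.?$")
_VDIR = re.compile(r"^Removed .*\((/LM/[^)]+)\)$")
_ACE = re.compile(r"^Set Deny (ALL|write) ACE for anonymous web users .*under (.+)$")
_LOCKED = re.compile(r"^Locked (\S+)$")


def summarize_lockdown_log(text: str) -> dict[str, Any]:
    """Group the wizard's log lines into the change categories it reports."""
    summary: dict[str, Any] = {
        "script_maps_removed": {},   # extension -> handler DLL path
        "services_disabled": [],
        "virtual_dirs_removed": [],
        "deny_aces": [],             # (kind, path)
        "locked_files": [],
        "finished": False,
    }
    for line in text.splitlines():
        line = line.strip()
        if m := _SCRIPT_MAP.match(line):
            summary["script_maps_removed"][m.group(1).lower()] = m.group(2)
        elif m := _SERVICE.match(line):
            if m.group(2).lower() == "disabled":
                summary["services_disabled"].append(m.group(1).lower())
        elif m := _VDIR.match(line):
            summary["virtual_dirs_removed"].append(m.group(1))
        elif m := _ACE.match(line):
            summary["deny_aces"].append((m.group(1).lower(), m.group(2)))
        elif m := _LOCKED.match(line):
            summary["locked_files"].append(m.group(1))
        elif line == "Lockdown finished.":
            summary["finished"] = True
    return summary


def check_ns_compatibility(summary: dict[str, Any]) -> list[str]:
    """Return findings that would break Notification Server, or an empty list."""
    findings: list[str] = []
    removed = set(summary["script_maps_removed"])
    for ext in sorted(MUST_KEEP & removed):
        findings.append(f"script map {ext} was removed; NS requires Active Server Pages")
    for ext in sorted(EXPECTED_REMOVED - removed):
        findings.append(f"script map {ext} was not removed; re-check the template choice")
    if "w3svc" in summary["services_disabled"]:
        findings.append("Web service (HTTP) was disabled; NS cannot answer client requests")
    if not summary["finished"]:
        findings.append("log has no 'Lockdown finished.' line; the run may be incomplete")
    return findings


if __name__ == "__main__":
    result = summarize_lockdown_log(SAMPLE_LOG)
    print(f"{len(result['script_maps_removed'])} script maps removed, "
          f"services disabled: {result['services_disabled']}")
    for finding in check_ns_compatibility(result) or ["no NS-impacting findings"]:
        print(" -", finding)
```

The check is deliberately strict in both directions: an .asp map removal means the wrong template (or a manual change) broke the console, while an expected map that was not removed means the lockdown did less than this document assumes and the URLScan [DenyExtensions] list is the only remaining control for those handlers.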





Registry and File Changes made to the System


The following items contain the list of changes that are made to the registry and file system as a result of the IIS Lockdown tool and URLScan utility (a service Start value of 4 is the Disabled startup type):

HKLM/SOFTWARE/Policies/Microsoft/Windows NT/Printers    DWORD = DisableWebPrinting    Value = 1

HKLM/SYSTEM/CurrentControlSet/Services/MSFTPSVC    DWORD = Start    Value = 4

HKLM/SYSTEM/CurrentControlSet/Services/NntpSvc    DWORD = Start    Value = 4

HKLM/SYSTEM/CurrentControlSet/Services/SMTPSVC    DWORD = Start    Value = 4

HKLM/SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots    String = /IISADMIN    Value = $Windows$\System32\inetsrv\iisadmin_201    REMOVED

HKLM/SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots    String = /IISHelp    Value = $Windows$\help\iishelp_201    REMOVED

HKLM/SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots    String = /IISSamples    Value = $System Drive$\inetpub\iissamples_201    REMOVED

HKLM/SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots    String = /MSADC    Value = $Program Files$\common files\system\msadc_205    REMOVED

HKLM/SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots    String = /Printer    Value = $Windows$\web\printers_201    REMOVED

HKLM/SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots    String = /Scripts    Value = $System Drive$\inetpub\scripts_204    REMOVED



C:\Inetpub\nntpfile has the following files modified/added to it:

Article.hdr
Group.lst.ord
Groupvar.lst
Groupvar.lst.bak
History.hdr
Xover.hdr

C:\WINNT\System32\ has the following files modified/added to it:

ADVAPI32.dll
COMCTL32.DLL
GDI32.DLL
KERNEL32.DLL
Msvcrt.dll
NTDLL.DLL
Ole32.dll
RPCRT4.DLL
SHELL32.dll
SHLWAPI.DLL
USER32.dll

C:\WINNT\System32\inetsrv has the following files modified/added to it:

404.dll
Metabase.bin
Obit-log.log
Obit-rep.log

C:\WINNT\System32\inetsrv\MetaBase has the following files modified/added to it:

Obit-mb.MD0
Obit-once.MD0

C:\WINNT\System32\inetsrv\urlscan has the following files modified/added to it:

Urlscan.<date>.log
Urlscan.dll
Urlscan.inf
Urlscan.ini
Urlscanr.dll

Other Security Settings


For the NS Client to be able to communicate with the server, the client must have rights to read and execute from the AeXNS virtual directory (anonymous access to this directory is left enabled by default; if anonymous access is removed, then all users must be given rights to the Notification Server directory).


The Anonymous Access account must have full control of the following file directories:

<install path>\Altiris\eXpress\Notification Server\NSCap\EvtInbox
<install path>\Altiris\eXpress\Notification Server\NSCap\EvtQFast
<install path>\Altiris\eXpress\Notification Server\NSCap\EvtQueue

In addition to the above, read and execute permissions must always be permitted on the Postevent.asp, GetClientPolicies.asp, and CreateResource.asp files for the Anonymous Access account.


(Refer to the Network Security white paper for full details on NS permissions.)



Under the Default Web Site properties the TCP Port should be 80 and the IP Address should be (All Unassigned).

In order to access the remote web console the user must have rights to the 'Notification Server\Admin' directory.

In order to access the webreports page the user must have rights to the 'Notification Server\Reports' directory.




Under IE security settings, the following need to be enabled:

Download signed ActiveX controls (can be set to prompt)
Run ActiveX controls and plug-ins
Script ActiveX controls marked safe for scripting
Active scripting


The AspEnableParentPaths IIS MetaBase property should be set to True. (This is set to True by default.)


Relocating the wwwroot, mailroot and the IIS admin scripts should not impact the Altiris Notification Server. WWWroot is simply a default location for web content; IIS will allow you to keep web content wherever you want through the use of virtual directories. The Virtual Directory employed by the Notification Server is the %Program Files%\altiris\eXpress\Notification Server path.



When NS is installed on a 2003 server, the IIS settings prevent NS pages from being accessed. IIS is installed in locked down mode in 2003 server: the AeXNS virtual directory has its settings configured so that files with dynamic content cannot be accessed.

When the NS is installed it will now enable the ASP and the server side includes web service extensions.

Additionally, it sets the MIME setting of the AeXNS virtual directory so that IIS will allow any file to be downloaded from the NS; namely, the following mapping is added: application/octet-stream.


The "Enable Parent Path" option found in the IIS Manager (AeXNS properties - Virtual Directory - Configuration button - App Options tab) is set for the AeXNS and Reports virtual directories. This setting is enabled by default. If this is disabled, the running of reports will fail with an HTTP 500 Internal Server Error of "The page cannot be displayed".


As a rule of thumb, these customizations should be made to the server before installing the
Notification Server software.