Thursday, March 20, 2008

Configuring Virtual Directories with Directory Browsing in IIS7

A website that uses directory browsing is a convenient way to display the files and folders in a directory using a web browser. An example of this is demonstrated here.

To configure directory browsing in IIS6, you simply enable the Directory Browsing checkbox on the Home Directory tab of the virtual directory. If you want users to be required to authenticate to access the virtual directory, you disable anonymous access, enable Basic Authentication and configure the appropriate NTFS permissions on the target folder.

It's slightly different in IIS7 since IIS7 introduces the concept of delegated administration. This means that you can have the IIS configuration in web.config files which reside in the virtual directory. IIS has to read these config files very early in the connection attempt, i.e. when there is no authenticated user available yet. For this reason IIS has to use the process identity (usually Network Service) to read the web.config file.

To configure a virtual directory for directory browsing in IIS7:

  • Create or select the virtual directory in Internet Information Services (IIS) Manager
  • Double-click Authentication and select the appropriate authentication methods for the Vdir (default is Anonymous)
  • Select the Vdir again and double-click Directory Browsing. Click the Enable action
  • Right-click the Vdir and select Edit Permissions. Configure the NTFS permissions for the target folder and ensure that Network Service has read access to the folder

If you don't grant the Network Service account read rights on the Vdir, you'll get the following error when accessing it:

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.
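The IIS Manager steps above can also be scripted. The following PowerShell is an added example, not part of the original post: it uses the authenticated variant described for IIS6 (anonymous off, Basic on), the site name, virtual path and folder are hypothetical placeholders, and it ends by checking for the Network Service read access whose absence causes the 500 error shown above.

```powershell
# Added example: scripted equivalent of the IIS Manager steps (run elevated).
# $Site, $VdirPath and $Folder are hypothetical; substitute your own values.
$Site     = 'Default Web Site'
$VdirPath = '/files'
$Folder   = 'C:\Data\files'
$Account  = 'NT AUTHORITY\NETWORK SERVICE'   # English-language account name assumed
$AppCmd   = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$Target   = "$Site$VdirPath"
$AuthRoot = 'system.webServer/security/authentication'

# True when an Allow ACE naming the account itself (not a group it belongs to)
# carries at least Read on the folder. Inherited ACEs are included.
function Test-ReadAccess([string]$Path, [string]$Name) {
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl $Path).Access) {
        if ($ace.IdentityReference.Value -eq $Name -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $read) -eq $read) { return $true }
    }
    return $false
}

# 1. Create the virtual directory (skip this call if it already exists).
& $AppCmd add vdir "/app.name:$Site/" "/path:$VdirPath" "/physicalPath:$Folder"

# 2. Authentication: anonymous off, Basic on. These sections are locked at the
#    server level by default, so the change is committed to applicationHost.config.
#    Basic sends the password base64-encoded, so bind the site to HTTPS.
& $AppCmd set config $Target "/section:$AuthRoot/anonymousAuthentication" /enabled:false /commit:apphost
& $AppCmd set config $Target "/section:$AuthRoot/basicAuthentication" /enabled:true /commit:apphost

# 3. Directory browsing: this delegated section is written to web.config inside
#    $Folder, the file IIS reads as the process identity before any user is known.
& $AppCmd set config $Target /section:system.webServer/directoryBrowse /enabled:true

# 4. NTFS: read and execute for Network Service, inherited by files and subfolders.
& icacls $Folder /grant "${Account}:(OI)(CI)RX"

if (-not (Test-ReadAccess $Folder $Account)) {
    Write-Warning "$Account cannot read $Folder; requests will return 500 - Internal server error."
}
```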


Monday, March 3, 2008

Automatically Reset the FTP Service in Windows Server 2008


One of the more popular tips I've posted is, "How to automatically reset the FTP service," in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat: it will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:

    net stop msftpsvc
    ping -n 10 127.0.0.1
    net start msftpsvc

The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Manager:

  • Right-click Task Manager (under Configuration in Server Manager) and select Create a Basic Task

  • Name the task, "Reset FTP Service" and click Next

  • Choose When a specific event is logged as the Task Trigger, click Next

  • Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next

  • Select Start a program and click Next

  • Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next

  • Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish

  • In the Properties window select Run whether user is logged on or not and Run with highest privileges

  • Click OK

  • Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.
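Because the task above fires on every event ID 100, a single mistyped password by a legitimate user also drops every session. The following PowerShell is an added example, not the author's script, that resets the service only once failures cluster; it assumes PowerShell 2.0 or later, that the IIS-FTP source is also the event provider name, and the threshold, window and log file name are constructed values.

```powershell
# Added example (not the author's script): reset FTP only when failures cluster.
# Assumptions: PowerShell 2.0+ (Get-WinEvent); provider name equals the IIS-FTP
# source; threshold, window and log file name are constructed values.
param(
    [int]$Threshold     = 5,
    [int]$WindowMinutes = 2,
    [int]$PauseSeconds  = 10,
    [string]$LogFile    = 'C:\Scripts\ResetFTPService.log'
)

# Count event ID 100 entries from IIS-FTP in the System log within the window.
function Get-FailedFtpLogonCount([int]$Minutes) {
    $filter = @{
        LogName      = 'System'
        ProviderName = 'IIS-FTP'
        Id           = 100
        StartTime    = (Get-Date).AddMinutes(-$Minutes)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as zero.
    $found = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    return $found.Count
}

$count = Get-FailedFtpLogonCount $WindowMinutes
if ($count -ge $Threshold) {
    # Same stop / pause / start sequence as the batch file.
    Stop-Service -Name msftpsvc -Force
    Start-Sleep -Seconds $PauseSeconds
    Start-Service -Name msftpsvc
    $line = '{0:s} reset msftpsvc: {1} failed logons in {2} min' -f (Get-Date), $count, $WindowMinutes
    Add-Content -Path $LogFile -Value $line
}
```

To use it, point the task's Program/script at powershell.exe with the arguments -NoProfile -File followed by the path where you saved the script.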


Monday, January 21, 2008

EXPTA Server Upgrade

I ordered a new server this weekend to replace my existing Windows Server 2003 infrastructure. This new server will run the same roles as my existing server, but will have twice as much RAM and will be "green." It will utilize the new AMD Athlon X2 BE-2400 Brisbane 2.3GHz 45W Dual-Core CPU, less cooling (due to the low wattage CPU), and a smaller power supply. Should be fun. I haven't built my own hardware since the 90's. :)

I'll be building it with x64 Windows Server 2008 Enterprise edition and utilize Hyper-V for my virtual DC and Exchange 2007 servers, instead of VMware. The host server will function as my Exchange 2007 Edge server and host the www.expta.com blog on IIS 7.

The plan is to bring up the new W2K8 server, build new virtual DC and Exchange servers, move the mailboxes to the new Exchange server, install the Exchange Edge role, and move the blog to the new server. Once I know everything is working properly I'll decommission the old Windows 2003 and Exchange 2007 servers.

Hopefully, there will be very little downtime. I only expect brief outages as I update my router configuration. As usual I'll post my experiences with the upgrade, as well as any troubleshooting tips and gotchas I discover along the way.


Monday, November 5, 2007

Installing or switching ASP.NET versions on x64 platforms

When installing SQL 2005 on an x64 server, I came across the following warning:


    32-bit ASP.Net is Registered. Required 64-bit ASP.Net to install Microsoft Reporting Services 2005(64-bit).

This article explains how to install and enable the correct version of ASP.NET for x64 platforms to fix this error.

After you install the ASP.NET redistributable packages, you can switch between the different versions of ASP.NET. To do this, follow these steps for each ASP.NET version:

ASP.NET 1.1, 32-bit version
To run the 32-bit version of ASP.NET 1.1, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to enable the 32-bit mode:

    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

3. Type the following command to install the version of ASP.NET 1.1 and to install the script maps at the IIS root and under:

    %SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i

4. Make sure that the status of ASP.NET version 1.1.4322 is set to Allowed in the Web service extension list in Internet Information Services Manager.

ASP.NET 2.0, 32-bit version
To run the 32-bit version of ASP.NET 2.0, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to enable the 32-bit mode:

    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

3. Type the following command to install the version of ASP.NET 2.0 (32-bit) and to install the script maps at the IIS root and under:

    %SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i

4. Make sure that the status of ASP.NET version 2.0.50727 (32-bit) is set to Allowed in the Web service extension list in Internet Information Services Manager.

ASP.NET 2.0, 64-bit version
To run the 64-bit version of ASP.NET 2.0, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to disable the 32-bit mode:

    cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0

3. Type the following command to install the version of ASP.NET 2.0 and to install the script maps at the IIS root and under:

    %SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i

4. Make sure that the status of ASP.NET version 2.0.50727 is set to Allowed in the Web service extension list in Internet Information Services Manager.

ASP.NET on Windows Server 2008
The bits for the correct platform of ASP.NET on Windows Server 2008 are included in the OS cache. To install ASP.NET on Windows Server 2008 (x86 or x64) follow these steps:

1. Run Server Manager
2. Select Roles and click Add Roles
3. Select Web Server (IIS). Click Add Required Features if prompted
4. Select ASP.NET in Role Services and run through the rest of the wizard to complete the installation

If the Web Server (IIS) role has already been installed on your server, do the following to add ASP.NET:

1. Run Server Manager
2. Expand Roles and select Web Server (IIS)
3. Click Add Role Services in the right-hand pane
4. Add the ASP.NET role service and run through the wizard to complete the installation
