Les
Wed Apr 14 11:27:44 CDT 2004
Hi Peter,
I'm not tired at the moment, but I hear you on the lazy part ;-). That is
heavy reading.
I'm not suggesting anything, I'm like you - don't know.
I had some issues on an in-place upgrade, that I blamed on urlscan and IIS
lockdown. They were installed on sbs2k as part of the SUS installation.
These issues were not present on a migration uprade, where URLscan and IIS
lockdown existed on the source server, but the destination server was clean
install.
I was an early adopter, and at the time couldn't get a definitive answer on
what to do with them prior to the upgrade. It seems that was an untested
upgrade scenario.
I eventually uninstalled them, after a couple of troublesome trial runs -
and those particular issues largely disappeared on upgrade.
For now, I'm putting some faith in the statements made about IIS 6.0 being
secure. There are plenty of complications to deal with without adding these
to the mix.
p.s. only telemarketers call me Mr. Connor ;-).
--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !
"Peter Scott" <me@privacy.net.au> wrote in message
news:eFGGSrjIEHA.3968@TK2MSFTNGP12.phx.gbl...
> Thanks Mr Connor.
>
> I should of stated that I read those articles - but am tired and lazy
(2am)
>
> Would you suggest I unistall URLSCAN from SBS2003 as I would be using
> URLSCAN on my ISA server (SP1 FP1) which would prevent internet users from
> executing forbidden extensions as it uses its own urlscan.ini file?
>
> Good question you ask? I think it might be best to leave it on for now -
> adjust "C:\WINNT\System32\inetsrv\urlscan\urlscan.ini" if required as the
> ISA urlscan will prevent most attacks from the outside.
>
> Im sure others will encounter this problem in due course - at least it's
> documented.
>
>
>
> "Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
> news:uHJL4cjIEHA.2480@tk2msftngp13.phx.gbl...
> > Here's a bit more, with links to more than you probably wanted to deal
> with.
> >
> > INFO: Using URLScan on IIS
> >
http://support.microsoft.com/default.aspx?scid=kb;[ln];307608
> >
> > --
> > Les Connor [SBS MVP]
> > -------------------------------------
> > SBS Rocks !
> >
> >
> >
> > "Peter Scott" <me@privacy.net.au> wrote in message
> > news:#FArwuiIEHA.3556@TK2MSFTNGP10.phx.gbl...
> > > Fixed - problem caused by UrlScan.ini (preventing CGI script from
> running)
> > >
> > > As my SBS2003 was an upgrade from SBS2000, I had previously ran
> > IISLockdown
> > > Tool and installed UrlScan 2.5.
> > >
> > > My UrlScan file had the following settings:
> > >
> > > UseAllowExtensions=0 ; if 1, use [AllowExtensions] section,
> else
> > > use [DenyExtensions] section
> > >
> > > [DenyExtensions]
> > > ; Deny executables that could run on the server
> > > .exe
> > > .bat
> > > .cmd
> > > .com
> > >
> > > Since Trend Micro uses .exe to execute CGI, the UrlScan was preventing
> the
> > > executable from loading the CGI script.
> > >
> > > I made the following changes to UrlScan.ini (located in:
> > > C:\WINNT\System32\inetsrv\urlscan\) - which places a ";" in front of
the
> > > extension '.exe.' to allow it to be executed
> > >
> > > [DenyExtensions]
> > > ;.exe
> > >
> > > For the changes to take affect, IIS needed to be restarted. From a
> command
> > > prompt, I typed:
> > >
> > > NET STOP IISADMIN (I was prompted to confirm the stopping of
services) -
> > be
> > > sure to note which services are stopped as you will to restart them
> > >
> > > then restart IIS Web Services
> > > NET START W3SVC (and net start other services that were stopped like
> SMTP
> > > service and so on..)
> > >
> > > I then proceeded to connect to my OfficeScan URL - which was
successful.
> > >
> > > My Comments
> > > I don't like the idea of allowing the extension ".exe" to run on my
web
> > > server as no other sites require this. I did try Configure URLScan to
> > Allow
> > > Requests with a Null Extension in IIS as per article 312376 - but was
> not
> > > successful.
> > >
> > > I don't understand why Trend Micro still rely on this method (after
> > several
> > > OfficeScan versions) rather then using a ISAPI filter which would be
> more
> > > secure. As I have been a user of Trend Micro InterScan Messaging
> Security
> > > Suite on SBS2003 - which configs IIS6 with an ISAPI filter called
> > > CCGIRedirect 'isapi_redirect.dll' for CGI scripting to be executed for
> the
> > > virtual site or virtual folder.
> > >
> > > I guess this would not be a problem on a new install of SBS2003 as it
> > would
> > > not have URLSCAN by default as IIS uses alternative methods to allow
> > > extensions to run.
> > >
> > > I hope other users will benefit from this as I found no help on
Trend's
> > web
> > > site or the SBS newsgroup.
> > >
> > > If any other users have advice on how the UrlScan should be configured
> on
> > > SBS2003 - please let me know - because I'm feeling pretty worried
about
> > > allowing the ".exe" extension to be available on my web server (which
> > > currently hosts external web sites).
> > >
> > > Peter
> > >
> > >
> > > "Peter Scott" <me@privacy.net.au> wrote in message
> > > news:eHOBIMhIEHA.3356@TK2MSFTNGP11.phx.gbl...
> > > > I have installed Trend Micro C/S/M SMB on SBS2003 but can not
> > connect
> > > > to the console - receive page not found error 404
> > > >
> > > > 1. I used port 8085 - which was not used by any other service
> (by
> > > > doing netstat -an)
> > > > 2. Web service extension lockdown is authorising service
> > > > 3. Correct path exists
> > > >
> > > > Here are the steps I used with Installing Trend Micro
> > > > Client/Server/Messaging SMB
> > > >
> > > > 1. (I use the Administrator account.)
> > > > 2. Run setup
> > > > 3. Enter the FQDN server.domain.local OR the IP of the SBS. I
> used
> > > > internal IP
> > > > 4. Install into IIS Virtual Web Site (NOT the default web
site).
> > > > 5. Used port 8085 for communication.
> > > > 6. Deselected SSL.
> > > > 7. Used Administrator account - using ISA so I entered proxy
> info
> > > and
> > > > port
> > > > 8. Entered activation code
> > > > 9. Accept the server/client port.
> > > > 10. Accept the client installation for the SBS (installs the
> > > > Officescan client on the server)
> > > > 11. The install proceeds, then open the admin console - then
> fails
> > > to
> > > > open
> > > >
> > > > I checked web service extensions - which are allowing the
files
> in
> > > the
> > > > correct folder.
> > > > I checked the persmissions on the OfficeScan directory - no
> > problems
> > > > with access
> > > > Internet Explorer is set to bypass local domain and addresses
to
> > > > bypass proxy
> > > > The services are started.
> > > >
> > > > Arrhhh!!! - I'm off to advanced hair for extreme hair
> replacement
> > > > therapy!
> > > >
> > > >
> > >
> > >
> >
> >
>
>