IISLogs.com - iis

Windows Server 2012, IIS8, ASP.NET 3.5 and issue installing behind firewall (without internet)

Sat, 28 Apr 2012 03:35:23 GMT

I’ve been starting to become familiar with Windows Server 2012 (aka Win8). I’ve been a server “guy” for several years and when new versions come out, especially with another version of IIS. My interest is peaked to evaluate new features.

This blog post is about a recent issue that alters a bit how we install the .NET 3.5 framework. A little history, when .NET 1.0 came out, it was a stand-alone runtime that would install on Windows 2000. When Windows Server 2003, .NET 1.1 was part of the OS and you needed to install the .NET 1.0 runtime (to get have apps that supported 1.0). When Windows 2008 came out, the .NET 2.0 framework was part of the OS and you needed to install .NET 1.1 on Server 2008 to get the functionality. (.NET 1.0 didn’t run on Win 2008).

Now comes along Windows Server 2012, it has .NET 4.x as part of the OS, so based on previous patterns, you’d be able to install the .NET 3.5 using the runtime, *cough* wrong. Here is the error you’ll get.

One would wonder “How do I get .NET 3.5 (2.0) on my Windows Server 2012?” I came across this article on MSDN, you need to specify a source. (when behind a firewall)

http://msdn.microsoft.com/en-us/library/hh848079%28v=vs.85%29.aspx

I tried putting the .NET 3.5 runtime on a local drive, a network share, both failed. Here is the error I got in the UI. Note the /source parameter.

To install IIS8, I use a command line install using Add-WindowsFeature.

Open Powershell

Paste this line

$IISFeatures = @("Web-Static-Content", "Web-Default-Doc", "Web-Http-Errors", "Web-Asp-Net", "Web-Asp-Net45", "Web-Net-Ext", "Web-ISAPI-Ext", "Web-ISAPI-Filter", "Web-Http-Logging", "Web-Log-Libraries", "Web-Request-Monitor", "Web-Http-Tracing", "Web-Windows-Auth", "Web-Filtering", "Web-IP-Security", "Web-Stat-Compression", "Web-Dyn-Compression", "Web-Mgmt-Console", "Web-Scripting-Tools", "Web-Metabase", "Web-WMI", "Web-Lgcy-Scripting","NET-Framework-Core")

Run this command

Add-WindowsFeature -Name $IISfeatures -logPath "$Env:ComputerName.log" –Source \\Server\Share\sources

Let me point out the highlighted text in the MSDN article. You’ll need to mount the Windows Server 2012 and extract the source files (anyone remember extracting the i386 folder for windows 2003/2000, time to put back on the network again )

Assuming you mounted the ISO to the E: drive on your computer.

xcopy e:\sources\sxs\*.* c:\dotnet35 /s

xcopy e:\sources\sxs\*.* \\Server\Share\sources /s

After this little adventure, which took a couple hours to figure out, life was good and I could proceed with my Windows Server 2012 testing. I had ASP.NET 2.0/3.5/4.x on my test server. I’ve tested on the full GUI Server 2012 and Minimal Install GUI Server Core. I haven’t went full out for server core without a GUI.

Happy Testing

Steve Schofield
Microsoft MVP ASP.NET/IIS
http://www.iislogs.com/steveschofield

App Warm-up Module released for Windows Server 2008 R2

Tue, 03 Apr 2012 09:28:42 GMT

I’ve been a little busy and catching up on Windows 8/IIS8. Here is some good news from the IIS/ASP.NET team. A couple useful module released for IIS 7.5. For those running SharePoint farms and the app pool warm-up takes ‘forever’. Here is a way to help. This is definitely great news for IIS web server administrators. Thanks Shawn and MS for releasing this much needed module. Enjoy!!

“We are pleased to announce that Release Candidate builds for the following IIS extensions are now available for download:

· Application Initialization for IIS 7.5 (replacement for the previous “Application Warmup” beta extension)

· Dynamic IP Restrictions for IIS 7/7.5

See below for details and download links.

Application Initialization for IIS 7.5 (Release Candidate)

Application Initialization 1.0 for IIS 7.5 enables website administrators to configure IIS to proactively perform initialization tasks for one or more web applications. While an application is being initialized, IIS can also be configured to return an alternate response such as static content as a placeholder or "splash page" until an application has completed its initialization tasks. The module includes the following features:

· Introduces the concept of a "warmup period" to the server.

· Enables developers to control the behavior of their applications during the warmup period.

· Enables server administrators to "pre-load" important applications by initializing them as soon as the worker process starts.

· Allows seamless recycling of pre-loaded application pools with no user-perceptible impact.

x64 download: http://go.microsoft.com/fwlink/?LinkId=247817

x86 download: http://go.microsoft.com/fwlink/?LinkId=247816

Support forum: http://forums.iis.net/1165.aspx

Documentation:

IIS 8.0 Application Initialization (this was written for IIS 8, but this extension provides the same functionality for IIS 7.5)

Dynamic IP Restrictions for IIS 7/7.5 (Release Candidate)

The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level. The module includes the following features:

· Seamless integration into IIS 7.0 Manager.

· Dynamically blocking of requests from IP address based on either of the following criteria:

o The number of concurrent requests.

o The number of requests over a period of time.

· Blocking of requests can be configured at either site or server level.

· Configurable deny actions allows IT Administrators to specify what response would be returned to the client. The module support return status codes 401, 403, 404 or blocking the requests entirely.

· Support for IPv6 addresses.

· Support for web servers behind a proxy or firewall.

x64 download: http://go.microsoft.com/fwlink/?LinkId=247814

x86 download: http://go.microsoft.com/fwlink/?LinkId=247815

Support forum: http://forums.iis.net/1043.aspx

Documentation:

Using Dynamic IP Restrictions”

Getting AWStats installed and configured on IIS 7.5

Tue, 10 Jan 2012 04:31:24 GMT

One of things I’ve wanted to evaluate is AWStats for doing analytics on a variety of sites I run. AWStats (www.awstats.org) is a free Open Source (Perl based) package. One of the things I couldn't find that covered the steps to get IIS 7.5 up and running. I’m still working on a few config items within AWStats, which if you have suggestions, please let me know.

Here is the order of what I did to get my server up and running. I’ll assume you have a Windows Server 2008 or 2008 R2 server with IIS Installed. If you have any further questions, comments please feel free to add to the article.

Steps

Download, Install ActivePerl
Download AWStats
Setup DNS (Optional)
Setup IIS Site
Configure App Pool as 32 bit
Setup Perl Handler, approve isapi
Setup AWStats conf files.
Enable frequent updates
Misc things

Download, Install ActivePerl

http://www.activestate.com/activeperl

The first thing you'll need is a method to run PERL on Windows. Thankfully, ActiveState provides an x86 and x64 Perl implementation. From my testing, I can only get the x86 edition running within IIS. For purposes of this article, download and install the x86 (32 bit) edition of ActiveState. Later in the article, we'll configure IIS.

I installed ActiveState (32 bit ) to C:\Perl If IIS is installed, you’ll want to confirm if the HTTP Handler is already setup. If not, I’ve included a command later in the article how to setup.

Download AWStats

The next step, download and extract Awstats. The current version available is AWStats 7.0. Go to http://www.awstats.org , download and extract somewhere on your system.

Setup DNS (Optional)

For my purposes, I setup a single separate websites to access my stats. The link I used is in the format below to access various domains. I setup an A record called Stats in DNS.

http://stats.example.com/cgi-bin/awstats.pl?config=<DomainName1>

http://stats.example.com/cgi-bin/awstats.pl?config=<DomainName2>

Setup IIS Site

I'm going to take assumptions on folder names for this article, you can adjust them to fit your environment.

1) Create a folder in c:\inetpub\stats.example.com ‘mkdir c:\inetpub\stats.example.com’

2) In the AWStats extracted files, copy all folders in the 'wwwroot' to c:\inetpub\stats.example.com.

These folders will store the various domains stats.

a) create a folder called c:\inetpub\stats.example.com\stats\Domain1
‘mkdir c:\inetpub\stats.example.com\stats\domain1’

b) create a folder called c:\inetpub\stats.example.com\stats\Domain2
‘mkdir c:\inetpub\stats.example.com\stats\domain2’

Create a IIS site with Internet Manager or AppCMD, for this article, I've provided AppCMD commands

'Create app pool

C:\Windows\System32\inetsrv\appcmd add apppool /name:Stats.Example.com

'Set App Pool to integrated mode. This can be v2.0 or v4.0

C:\Windows\System32\inetsrv\appcmd set config /section:applicationPools /[name='stats.Example.com'].managedPipelineMode:Integrated

'Add site

C:\Windows\System32\inetsrv\appcmd add site /id:12345 /name:Stats.Example.com /bindings:http/*:80: /physicalPath:c:\inetpub\stats.example.com

'Assign app pool to the site.

C:\Windows\System32\inetsrv\appcmd set app /app.name:stats.example.com/ /applicationPool:stats.Example.com"

'Set to 32 bit mode

C:\Windows\System32\inetsrv\appcmd set config -section:system.applicationHost/applicationPools /[name='Stats.Example.com'].enable32BitAppOnWin64:"True" /commit:apphost

‘Setup Perl Handler, approve isapi

Through IIS Manager, go to Internet Manager

Click on Website
IIS Section
Handler Mappings
Add Script Map
Request Path - *.pl
Executable - C:\Perl\bin\PerlEx30.dll
Name - Perl
Click OK

When prompted for this, go ahead and click Yes. This attribute sets at a server level.

Configure Perl Handler

c:\windows\system32\inetsrv\appcmd.exe set config "Stats.Example.com" -section:system.webServer/handlers /[name='PERL'].name:"PERL" /[name='PERL'].path:"*.pl" /[name='PERL'].modules:"IsapiModule" /[name='PERL'].scriptProcessor:"C:\Perl\bin\PerlEx30.dll" /[name='PERL'].resourceType:"Unspecified" /[name='PERL'].requireAccess:"Script" /[name='PERL'].preCondition:"bitness32"

Setup AWStats conf files.

I’m going to defer to the AWStats FAQ section configuring the conf files. A couple things I did

0) Make a copy of the awstat.module.conf to (awstats.StatsExampleCom.conf)

1) make sure to set the DirData attribute is “DirData="c:/inetpub/stats.example.com/stats/DomainName1"”

2) Follow the AWStats FAQ, check out the Demo / ScreenShots section. They set a few attributes.

3) I learned NOT to do Reverse DNS lookup, that really slows down.

4) You might need to adjust permissions on the IIS Logs folders you are reading, it’ll depend on which account you run the application Pool run as. By default, the IIS Log folders only grant permissions to Administrators and SYSTEM. You could either setup the stats.example.com app pool to run as a specific account, or use ApplicationHostIdentity. What I did was use the default account, ApplicationHostIdentity. I’d suggest using Process Monitor (by sysinternals)

Here are the attributes I updated so far, this could change as I learn more about AWStats

LogFile="c:/inetpub/logs/logfiles/w3svc1/u_ex%YY-0%MM-0%DD-0.log" (You might need to tweak this setting)
LogFormat=2
SiteDomain="stats.example.com"
HostAliases="localhost 127.0.0.1 REGEX[stats.example\.com$]"
DirData="c:/inetpub/stats.example.com/stats/DomainName1"”

Enable frequent updates

I setup a batch file and put the following commands, then I scheduled to run frequently as an account (Administrator) to access the IIS Logs. You could also run the scheduled task as SYSTEM.

Here is the command, it assumes the file is named awstats.DomainName1.conf and will reside in c:\inetpub\stats.example.com\cgi-bin folder

perl C:\inetpub\s.iislogs.com\cgi-bin\awstats.pl -config=<DomainName1> –update

Misc Things - Here are a few lessons learned.

Use the LogResolveMerge.pl script to create a single file or several files to import to AWStats. I found if you have very large (many MB or GB), you’ll need to take an approach of having smaller files. I didn’t find an automated way when importing existing files. So in my example, I created a few files, would import into AWStats, this require you update the awstats.example.conf file, run the perl awstats.pl –config=Example –update over and over. It was a little clunky, but seemed to work.

Here is the command I ran

C:\inetpub\stats.example.com\tools>perl logresolvemerge.pl c:\inetpub\logs\LogFiles\W3SVC5\*.log > StatsExampleCom.log

When LogResolveMerge.pl creates an import file, it doesn’t have the IIS Headers created in the log files, you’ll need to add the IIS headers like your website and awstats.example.conf is setup. What seems to work for me is 1) Create a blank file with just the headers, then run the command below, notice the two arrows. “>>” This forces the command prompt to append, then you can run the import.

C:\inetpub\stats.example.com\tools>perl logresolvemerge.pl c:\inetpub\logs\LogFiles\W3SVC5\*.log > StatsExampleCom.log

Doing one-time imports files

Add IIS Logs headers to the new one time import files

Create a file, add headers

#Software: Microsoft Internet Information Services 7.0

#Version: 1.0

#Date: 2011-05-18 00:01:55
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

HTTP Error 502.2 - Bad Gateway

I got this error below when I tried using the x64 bit version of ActiveState. I found a few errors posted on the website with no resolution. I’m not sure if the posts were trying x86 or x64.

HTTP Error 502.2 - Bad Gateway

The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are "".

IIS Community Newsletter - December 2011 edition released

Tue, 27 Dec 2011 04:49:48 GMT

IIS Community Newsletter - December 2011 edition released
http://www.iisnewsletter.com/archive/december2011.html

Enjoy

Steve

IIS Community Newsletter - November 2011 edition

Wed, 30 Nov 2011 19:15:17 GMT

#IIS Community Newsletter - November 2011 edition has been released. Lots of interesting and original content available on the web!

http://www.iisnewsletter.com/archive/november2011.html

Take care,

Steve Schofield
Microsoft MVP – IIS

http://www.iislogs.com/steveschofield

Great SEO article

Sat, 03 Dec 2011 00:20:48 GMT

I ran across a great SEO article via Twitter, the link is here

http://www.seomoz.org/blog/what-every-seo-should-know-about-iis

There was a comment I wanted to add a few ideas, I tried to format the comment, however it didn’t format to cleanly so I thought I’d add here. Review the comments in the article too, there are some additional items mentioned worth checking out. I hope he picks up this post and adds the couple links for reference.

Couple other things to reference to this great article. Here are three commands I run on all servers. I use the compression level 9 on a very high volume with no impact, Here is another article on other properties and http://learn.iis.net/page.aspx/206/dynamic-compression/

Scott Forsyth wrote an article on compress level and performance which is a good read. http://weblogs.asp.net/owscott/archive/2009/02/22/iis-7-compression-good-bad-how-much.aspx

Enables

c:\windows\system32\inetsrv\appcmd set config /section:urlCompression /doDynamicCompression:true

Sets the compression level
c:\windows\system32\inetsrv\appcmd set config /section:system.webServer/httpCompression -[name="'gzip'"].dynamicCompressionLevel:9"Mkdir D:\Data\IISTemporaryCompressedFiles"

Sets the directory path
c:\windows\system32\inetsrv\appcmd set config /section:httpCompression /directory:D:\Data\IISTemporaryCompressedFiles /maxDiskSpaceUsage:100 /minFileSizeForComp:256"

Hope this helps

Steve Schofield

Microsoft MVP – IIS

October 2011 IIS community newsletter available

Mon, 14 Nov 2011 03:54:27 GMT

After a few issues trying to send the October 2011 IIS community newsletter, we have got it published!

http://www.iisnewsletter.com/archive/october2011.html is

btw – if you need excellent windows hosting, visit www.orcsweb.com (ORCS Web) it’s awesome!

Steve

July/August/September 2011 IIS Community Newsletter is available

Fri, 16 Sep 2011 02:31:09 GMT

Here is the July/August/September 2011 IIS Community Newsletter

http://www.iisnewsletter.com/archive/JulyAugustSept.html

Thank you,

Steve Schofield
Windows Server MVP - IIS
http://www.iislogs.com/steveschofield

http://www.IISLogs.com
Log archival solution
Install, Configure, Forget

Questions on Microsoft SMTP Service - visit http://www.smtp.ws
IIS Community Newsletter - visit http://www.iisnewsletter.com

Win8 / IIS 8 are available!

Thu, 15 Sep 2011 06:20:49 GMT

Microsoft has released the latest Windows OS preview. Nice new shiny logo.

Download here

http://msdn.microsoft.com/en-us/windows/apps/br229516

Server edition is available on MSDN.

Enjoy!

Steve

Interesting post to solve 500.19 Network BIOS Command Limit Reached

Sun, 11 Sep 2011 01:31:59 GMT

ran across this post browsing the forums @ http://forums.iis.net It’s a real problem dealing with UNC content. Thread: New Solution to 500.19 Network BIOS Command Limit Reached

http://forums.iis.net/p/1181293/1994882.aspx#1994882

Thought I’d pass along.

Steve Schofield

UNC post on http://forums.iis.net

Sat, 23 Jul 2011 17:44:10 GMT

I try to keep track of UNC based posts in my “UNC” tag if it’s something that would help the community. http://forums.iis.net/p/1180183/1990052.aspx If you can provide assistance, that would be great. My intention is to setup some Linux and FreeBSD boxes locally using NFS, Samba and connecting to IIS. It’s on the geek list!

UNC tag

http://www.iislogs.com/tags/unc

Enjoy,

Steve

Hosting PERL on IIS 7.x thread

Thu, 14 Jul 2011 11:36:13 GMT

Every now and then, a thread will get my interest doing something different with IIS on http://forums.iis.net. I’ve never setup PERL within IIS even though I knew it was possible to host PERL. I figured what the heck, lets see if I can get it working even though I don’t really know how to program in PERL. The post is asking how to secure PERL in a shared hosting model.

Forum thread on securing PERL. As of this post, no one has responded who has secured PERL for shared hosting. I’ve asked a couple questions for my own interest. If you know, feel free to respond with more information. I’d be interested.

http://forums.iis.net/p/1179875/1988997.aspx

Helpful post getting PERL setup.
http://forums.iis.net/p/1178679/1984038.aspx

ActivePERL by ActiveState
http://www.activestate.com/activeperl

PERL information
http://www.perl.org/

Tips

Have to run app pool in 32 bit mode. I found many reports of issues with 64 bit version
Run process monitor to determine exactly which folders are being blocked
i.e the PERL folder, %TEMP% variable etc..
Make sure to install the CGI role service (otherwise you’ll get errors, I did)

Cheers,

Steve Schofield
Windows Server MVP - IIS
http://www.iislogs.com/steveschofield

http://www.IISLogs.com
Log archival solution
Install, Configure, Forget

Questions on Microsoft SMTP Service - visit http://www.smtp.ws
IIS Community Newsletter - visit http://www.iisnewsletter.com

Web Stress testing tools thread

Tue, 12 Jul 2011 21:50:57 GMT

Here is a thread on http://forums.iis.net that discusses Stress testing tools. There is a wide variety tools available. I personally use a powershell script to create a single log file, then load test with Web Application Stress tool (retired by Microsoft). For my personal needs this has been sufficient. I thought I would pass along as an FYI.

http://forums.iis.net/p/1179857/1988763.aspx

If you have tools that you’ve found successful, feel free to add to the comments section

PS – And a great tool to help analyze the data is using PAL (performance analysis of logs)

http://pal.codeplex.com/

Thank you,

Steve Schofield
Windows Server MVP - IIS
http://www.iislogs.com/steveschofield

http://www.IISLogs.com
Enterprise Log Management solution
Install, Configure, Forget

Questions on Microsoft SMTP Service - visit http://www.smtp.ws
IIS Community Newsletter - visit http://www.iisnewsletter.com

IIS 7 / IUSR account, SCCM 2007 client, Status messages not working

Sun, 10 Jul 2011 12:24:59 GMT

Background

This is one of those posts that has been “years in the making”. I’ve been working with SMS / ConfigMgr 2007 since version 2.0. In my IT career, I’ve used SMS / ConfigMgr 2007 on the server side exclusively. Traditionally SMS / ConfigMgr has been mainly a desktop software deployment, management tool. I’ve never talked with anyone who has used ConfigMgr strictly “ in a Server environment” for other things besides patching, OSD. Using ConfigMgr for DCM, Software Distribution, Querying, reporting etc.

Problem

I recently came across a situation where I was getting inconsistent status messages being sent back to the site server. Here is the message Failed to submit event to the Status Agent. Attempting to create pending event. For those familiar with ConfigMgr, all components send their status messages through the StatusAgent component. Advertisements, task sequences would work. the status messages would not be updated however.

Side Bar
Introduced in IIS 7 was the ability to set the Anonymous Authentication module to inherit from the application pool identity automatically. Here is a screenshot of the setting.

\

In previous IIS versions, the IUSR account was a local account with it’s own SID (Security Identifier). The administrator had to be aware of this account along with the application pool account (App pools started in Windows 2003/IIS 6). The IUSR account was introduced in Windows Server 2008 as a ‘machine’ account with the same SID across all boxes. In IIS 6, I would set the IUSR_MachineName and application pool identity accounts the same. Although I was administering two locations, it made troubleshooting a lot easier only dealing with one account. When Windows Server 2008 came out and provided the ability to inherit the application pool identity automatically, from an IIS Administrators perspective, I quickly adopted this architecture. PS – I’m not 100% sure why inheriting Application Pool Identity isn’t the default setting, I once heard it was to support Classic ASP applications. Not sure.

Back to ConfigMgr 2007

From an IIS perspective, administrators may implement this type of architecture (I did!). What I discovered, the IUSR setting at server level is required if a machine has IIS installed. What I did to prove the ConfigMgr client was checking for the existing of the IUSR account.

I enabled more logging on the ConfigMgr client. Here is article showing How to enable DebugLogging & Verbose logging on ConfigMgr client.
I set the IUSR account at server level to the picture above. All sites would inherit the application pool identity
Execute an advertisement (task sequence or advertisement)

Here is the status messages that appeared in the logs. Notice the highlighted sections, and the function being called.

ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">
ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.862+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.862+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">
ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:22.678+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="13344" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:22.680+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="13344" file="perfobject.cpp:1559">
StatusAgent.log:<![LOG[Security::LookupIUSRAccountSid(sAccount), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\core\ccmcore\comobjectsecurity.cpp,58)]LOG]!><time="00:14:58.883+240" date="01-09-2011" component="StatusAgent" context="" type="0" thread="11300" file="comobjectsecurity.cpp:58">

As I mentioned earlier, I work strictly in a server environment, which many boxes have IIS installed (Mostly Windows Server 2008 / R2 boxes). For some reason Microsoft has logic in SCCM to check for the existence of the IUSR account. Here is a post I did “IUSR Account and ConfigMgr 2007 R3 agent”. This explains I temporarily had to set the IUSR account enabled at server level so the ConfigMgr agent would install.

A configuration workaround

The ConfigMgr agent doesn’t seem to check for IUSR at site level. This means an administrator who has ConfigMgr installed on a server OS with IIS can enable the IUSR setting at server level, and set the inherit application pool identity at site level. From my testing, this configuration works. I did a PowerShell script to:

Backup current applicationHost.config with appcmd
Enable IUSR at server level
Disable IUSR and inherit application pool identity.
Stop / Start SMS Agent Host
Watch the SCCM logs

A little precaution before running the script. The logic assumes you are using the application pool identity for securing resources. I’d recommend you review your IIS architecture to ensure this setup would work in your environment. I ALWAYS encourage people to try scripts in a non-production environment first. The script does make a backup copy of the applicationHost.config before making changes. If something happens, just restore the applicationHost.config.

After years of not quite understanding how IUSR was used. I thank God for helping me finally understand what is happening! I hope you find this post useful. Hope this workaround isn’t needed in CM2012. Time will tell.

Thank you,

Steve Schofield
Windows Server MVP - IIS
http://www.iislogs.com/steveschofield

http://www.IISLogs.com
Log archival solution
Install, Configure, Forget

Questions on Microsoft SMTP Service - visit http://www.smtp.ws
IIS Community Newsletter - visit http://www.iisnewsletter.com

Here is the script.

$ExitCode = 0
try
{
function EnableIUSRServerLevel
{
$Command = "$Env:SystemRoot\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/authentication/anonymousAuthentication /userName:`"IUSR`" /commit:apphost"
Write-Host $Command
Invoke-Expression -Command $Command
}

function DisableIUSRSiteLevel([string]$SiteName)
{
$Command = "$Env:SystemRoot\system32\inetsrv\appcmd.exe set config `"$SiteName`" /section:system.webServer/security/authentication/anonymousAuthentication /userName:`"`" /commit:apphost"
Write-Host $Command
Invoke-Expression -Command $Command
}

#Use Powershell provider to get a list of sites, one of these will error
#windows Server 2008 needs powershell provider installed before using
#Windows Server 2008 R2 has powershll provider already
#There is some better logic that could be implemented on this option

Import-Module -Name "WebAdministration"
Add-PSSnapin -Name "WebAdministration"
#Backup ApplicationHostConfig
$FileDate = (Get-Date).tostring('dd-mm-yyyy-mm-hh')
$Command = "$Env:SystemRoot\system32\inetsrv\appcmd.exe add backup `"BeforeSettingIUSRData$FileDate`""

Write-Host $Command
Write-Host "applicationHost.config backed up"
Invoke-Expression -Command $Command

#Set IUSR at server level
Write-Host "Set IUSR at server level enabled"
EnableIUSRServerLevel

#Get List of Sites using get-childitem
$sites = gci IIS:\Sites

#Set Each site on the box with IUSR disabled
foreach($site in $sites)
{
Write-Host $site.name
Write-Host ""
DisableIUSRSiteLevel -SiteName $site.name
}

Write-Host "Done"
}
catch
{
$ExitCode = 1
Write-Host "error"
}

Security best practices using Active Directory for server, process identity in a public facing web application

Sat, 04 Jun 2011 18:20:09 GMT

I received a post on the forums that I was suggested to make a blog post. Here is the original post : http://forums.iis.net/t/1178739.aspx

Question:
We have an asp.net public facing web solution. The solution users SqlMembershipProvider to authenticate users and includes the following servers:

· Two Load balanced web servers in the DMZ

· Sql Server Database Server with many SSIS packages transfer files between the web server and database server

Traditionally, the web servers stay standalone servers and not part of any domain. We are thinking to use active directory.

We are thinking to have an AD server dedicated to this solution only (it is different than the company’s operational AD). The AD server in the server environment helps us to have webserver’s application pool be authenticated against the SQL server to prevent the requirement of having SQL server UID/PWD in the web.config files.

From the security bets practices approach, which one of the following options is recommended?

· Option 1) Public facing web servers stay standalone, SQL server authentication is used

· Option 2) Public facing web servers are part of an AD domain (different than company operational domain) and database server authenticates the web servers against their application pool identity.

The AD server won't be used to authenticate web application users.

Response:

I can make an argument for both solutions.

1) For stand-alone boxes, you could encrypt the connections strings to protect creds. Having AD introduces more expertise and administration. If you AD locally and some expertise, then it's not too bad. Having DC's costs more, administration more, more hardware to support. More licensing. The downside of stand-alone you have to manage each box as a stand-alone entity, depending on how many boxes, this is a BIG drawback. Yes, you can have the same user id and password if you have scripting.

2) For an AD environment, you get group policy, centralized administration, both are HUGE wins IMO. With group policy you can manage all kinds of settings including folder, registry security, auditing, distribute certificates along with 100's of other settings. Preferences is my favorite. Most of the negative for #2 is mentioned in #1. AD helps with administration / management however has overhead. I like using windows accounts vs. sql because of the integrated security, no passwords stored and needed to be managed in config files.

Over my years of experience, I tend to have a blend of security with administration. I've implemented AD in my environment and haven't looked back. The benefits out way the risks and additional administration. Once AD is setup, it kind of runs itself if not tinkered with. You need a very stable DNS infrastructure to support AD. Your applications would need to blend with the AD DNS (or BIND DNS that supports SRV records). If you have some type of solution like Altiris that is agent based and can go across forest (last I knew), management of apps, packages might be easier. I hope there is some advice and things to think about. PS - AD is really a core technology a lot of other MS solutions integrate with, it's worth having IMO.

Here is an article published by the AD team at MS

http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=c1d0fd00-bf31-4b20-95c6-279a4ce7c2b4

"Old school" is right, I've been using AD since w2k in a public facing environment. AD is the foundation of which many things can help provide a consistent, secure and stable environment. I use group policy extensively to lockdown servers with windows firewall. The only real opening is a few management / utility servers that are trusted. You can honestly lockdown them down hard but you still have to manage, monitor and deploy code to them. I've managed stand-alone machines (not since w2k3 / w2k) so my perspective is a bit aged on that front, however AD provides more benefit than hassle I probably could write a really long article on the topic of how I used, why and such. This is one of those topics near to my heart. :)

Here is a post I did on ActiveDir regarding w2k8 r2 firewall management and GPO's that relates to this post.

I've used GPO's to manage windows firewall on w2k8 and above. I hear Forefront enhancements management and functionality. This requires SCCM.

Here is how a description of what I've found effective.

1) Have a base settings policy, this applies at a higher and applies to ALL servers (No firewall polices, things like dns suffix search order, auditing, other base settings that apply to ALL boxes)
2) Have a base firewall policy storing all firewall polices that apply to all servers. Exceptions like backup servers, monitoring servers,AV etc..
3) Lastly, have your servers in different OU's based on Server Roles, each server role has their own GPO and rules. If you have rules specific to these servers, open the rules at this GPO level.
4) What I have found is to have a separate policy for WMI and File and Print sharing that are applied separately from the 'base' firewall policy mentioned in #2.

Base OU
   ServersOU
      AppRole1
      AppRole2
      AppRole3

Based on the example above, #1 and #2 would be linked at the ServersOU. The Base WMI and File and Print Sharing GPO's are linked at AppRole1, AppRole2, AppRole3. There would be a GPO for each AppRole1,AppRole2,AppRole3. If a particular role has unique File And Print Sharing or WMI, you create another GPO for File And Print Sharing for that role and link at the AppRole level. You remove the original File And Print Sharing GPO link. This is the architecture I've found the most manageable and running Windows Firewall. Personally, I like having the extra layer, it can depend on your environment.

This example would have the following polices

BaseSettingsPolicy
BaseFirewallPolicy (doesn't contain WMI or File and Print sharing rules) BaseFilePrintSharing BaseWMI
AppRole1
AppRole2
AppRole3

Enjoy,

Steve Schofield
Windows Server MVP - IIS
http://www.iislogs.com/steveschofield

http://www.IISLogs.com
Log archival solution
Install, Configure, Forget

Allow local and domain users to access FTP 7.5

Sat, 04 Jun 2011 13:48:20 GMT

Had an interesting question on http://forums.iis.net regarding FTP 7.5. There was a requirement to allow both local and domain users on the same FTP site. Here is the posting with the details http://forums.iis.net/t/1178738.aspx

Enjoy,

Steve Schofield
Microsoft MVP - IIS

April 2011 IIS Community Newsletter has been published

Sat, 30 Apr 2011 00:53:00 GMT

IIS Community Newsletter - April 2011 Edition has been published
http://www.iisnewsletter.com/archive/April2011.html

Cheers,

Steve

March 2011 IIS Community Newsletter is published

Wed, 30 Mar 2011 01:40:00 GMT

I'm excited to announce our March 2011 IIS Community Newsletter is published

Here is the link to the March 2011 edition -
http://www.iisnewsletter.com/archive/march2011.html

Sign-up for IIS Community Newsletter
http://www.iisnewsletter.com

Cheers,

Steve Schofield
Microsoft MVP - IIS

February 2011 IIS Community Newsletter published

Sat, 26 Feb 2011 04:12:00 GMT

I'm excited to announce our February 2011 IIS Community Newsletter is published

Here is the link to the February 2011 edition -
http://www.iisnewsletter.com/archive/february2011.html

Sign-up for IIS Community Newsletter
http://www.iisnewsletter.com

Cheers,

Steve Schofield
Microsoft MVP - IIS

www.IISJobs.com has been launched.

Sun, 20 Feb 2011 11:21:00 GMT

Looking for a job related to Microsoft (Internet Information Server)? Or do you have a job opening which requires IIS experience. Look no further, subscribe to the discussion forum today at http://www.iisjobs.com and be notified as soon as a job is posted or someone responds.

Why start IISJobs.com? I'm not looking to replace Monster, Careers.com. I've seen in various places where jobs involving Microsoft IIS (Internet Information Server) have been posted. I thought it would be a good idea to centralize under a easy to remember domain name. :) My goal is to help the IIS community.

Cheers,

Steve Schofield
Windows Server MVP - IIS
http://weblogs.asp.net/steveschofield

http://www.IISLogs.com
Log archival solution
Install, Configure, Forget