Adventures with IIS Lockdown

Recently, I installed and ran the Microsoft Baseline Security Analyzer (for IT Professionals) (I hope that includes me) on my development machine here at work.  It had a couple of recommendations for securing IIS... 1) Deleting Parent Paths and 2) Running the IIS Lockdown Tool

Deleting Parent Paths was painless, but running IIS Lockdown caused a bit more of a headache for me. When I loaded my solution, I was unable to load the Web project (project unavailable in Visual Studio). This was no biggie; I thought I'd just re-create the project from SourceSafe. Well, when I tried to create a new Web project called "www.vit.org," I kept getting this message:

Unable to create Web project 'www.vit.org'. The file path 'c:\inetpub\wwwroot\www.vit.org' does not correspond to the URL 'http://localhost/www.vit.org'. The two need to map to the same server location.

To make a long morning short, it turned out that after running IIS Lockdown, I could no longer create a Web project with periods (.) in the name. So, I created the project as "publicweb" and it worked fine.

I haven't figured out why this happened yet, and I'm sure there's a good reason for this, but wanted to report this behavior.

Posted 07-13-2004 7:24 AM by Brendan Tompkins


Comments

Richard Dudley wrote re: Adventures with IIS Lockdown
on 07-13-2004 4:57 AM
Possibly because IIS Lockdown Tool installs URL Scan, which can limit all sorts of things until you configure it properly. It's a real guess, but might have to do a little searching on URL Scan. The best place I've seen to ask URL Scan questions is the IIS 5 list from iisanswers.com.
Scott Galloway wrote re: Adventures with IIS Lockdown
on 07-13-2004 5:18 AM
Brendan Tompkins wrote re: Adventures with IIS Lockdown
on 07-13-2004 5:21 AM
Scott,

Yep.. It was right there in the docs!

AllowDotInPath=0

By default, this option is set to 0. If this option is set to 0, URLScan rejects any request that contains multiple periods (.). This prevents attempts to disguise requests for dangerous file name extensions by putting a safe file name extension in the path information or query string portion of the URL. For example, if this option is set to 1, URLScan might permit a request for http://servername/BadFile.exe/SafeFile.htm because it thinks that it is a request for an HTML page, when it is actually a request for an executable (.exe) file with the name of an HTML page in the PATH_INFO area. When this option is set 0, URLScan may also deny requests for directories that contain periods.
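The quoted documentation describes two things at once: the disguise trick that AllowDotInPath=0 blocks (a safe extension in PATH_INFO hiding a request for an executable) and the collateral damage (any path with more than one period, including a directory such as www.vit.org, is rejected). The following is an added illustration written for this page, not URLScan's own code or anything from the original post: it models the AllowDotInPath rule as the documentation states it, alongside a simplified version of how IIS splits a URL into SCRIPT_NAME and PATH_INFO. The web root contents, the URLs and the helper names are constructed for the example; the real filter is an ISAPI filter with many more rules, and real IIS also consults virtual directories and script maps, which this model ignores.

```python
"""Model of the URLScan AllowDotInPath rule as the quoted documentation
describes it. Added illustration, not URLScan's own code: the real filter
runs as an ISAPI filter inside IIS and applies many more rules."""
from urllib.parse import unquote, urlsplit

# Constructed sample web root: the files IIS would find on disk.
WEBROOT_FILES = {
    "/BadFile.exe",
    "/SafeFile.htm",
    "/www.vit.org/default.aspx",   # the Web project with periods in its name
    "/publicweb/default.aspx",     # the renamed project
}


def naive_extension(path):
    """The check the disguise defeats: trust the last extension in the URL."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def split_script_and_path_info(path, existing_files=WEBROOT_FILES):
    """Approximate how IIS maps a URL to SCRIPT_NAME and PATH_INFO: walk the
    path segments from the left and stop at the first one that is a file on
    disk; whatever follows becomes PATH_INFO. Assumption: no virtual
    directories or script-map rewriting, which the real server also applies."""
    segments = [s for s in path.split("/") if s]
    for i in range(1, len(segments) + 1):
        candidate = "/" + "/".join(segments[:i])
        if candidate in existing_files:
            rest = segments[i:]
            return candidate, ("/" + "/".join(rest)) if rest else ""
    return None, path


def urlscan_allows(url, allow_dot_in_path=0):
    """AllowDotInPath as the docs describe it: with the option at 0, reject a
    request whose (decoded) path contains more than one period.
    Returns (allowed, reason)."""
    path = unquote(urlsplit(url).path)
    if allow_dot_in_path == 0 and path.count(".") > 1:
        return False, "AllowDotInPath=0: path contains multiple periods"
    return True, "accepted"


def explain(url, allow_dot_in_path=0):
    """Summarise what each layer would conclude about one request."""
    path = unquote(urlsplit(url).path)
    _, reason = urlscan_allows(url, allow_dot_in_path)
    script, path_info = split_script_and_path_info(path)
    return {
        "url": url,
        "urlscan": reason,
        "naive_extension": naive_extension(path),
        "script_name": script,
        "path_info": path_info,
        "real_extension": naive_extension(script) if script else "",
    }


if __name__ == "__main__":
    for u in ("http://servername/BadFile.exe/SafeFile.htm",
              "http://localhost/www.vit.org/default.aspx",
              "http://localhost/publicweb/default.aspx"):
        print(explain(u))
```

Run it and the first URL shows the point of the rule: a filter that trusts the last extension sees "htm", while IIS would actually execute /BadFile.exe with /SafeFile.htm as PATH_INFO, so URLScan refuses the request outright. The second URL shows the side effect the post ran into: the three periods in www.vit.org/default.aspx trip the same rule even though nothing is disguised, which is why a project named publicweb worked. Setting AllowDotInPath=1 in the [Options] section of urlscan.ini would let both through, including the disguised executable, so renaming the project is the safer way out.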
Darrell wrote re: Adventures with IIS Lockdown
on 07-13-2004 5:54 AM
Brendan - there are also some ini files you can take a look at for .NET dev and prod in the .NET operations guide.

See my blog post here:
http://dotnetjunkies.com/WebLog/darrell.norton/archive/2003/10/06/2090.aspx

Also, I developed URLScanWatcher for just this reason. Download here:
http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=1c2cda67-58a8-4b49-94a3-5063d90c2506
Darrell wrote re: Adventures with IIS Lockdown
on 07-13-2004 6:00 AM
I should also chastise you for not Google-ing first!!!!
Brendan Tompkins wrote re: Adventures with IIS Lockdown
on 07-13-2004 8:30 AM
D-Ral.. Yes you should. I did google, just the wrong thing..

Remember - I guarantee my posts 100%, or your money back. ;)
Darrell wrote re: Adventures with IIS Lockdown
on 07-13-2004 8:51 AM
Don't you mean 99%?
Brendan Tompkins wrote re: Adventures with IIS Lockdown
on 07-13-2004 9:08 AM
Noooooo! All of my posts are 99% complete! I guarantee the 99% 100%!
