CodeBetter.Com

Brendan Tompkins [MVP]

Blog First. Ask Questions Later.

Adventures with IIS Lockdown

Recently, I installed and ran the Microsoft Baseline Security Analyzer (for IT Professionals) (I hope that includes me) on my development machine here at work.  It had a couple of recommendations for securing IIS... 1) Deleting Parent Paths and 2) Running the IIS Lockdown Tool

Deleting Parent Paths was painless, but running IIS Lockdown caused a bit more of a headache for me. When I loaded my solution, I was unable to load the Web project (project unavailable in Visual Studio). This was no biggie, I thought I'd just re-create the project from SourceSafe. Well, when I tried to create a new Web project called "www.vit.org," I kept getting this message:

Unable to create Web project 'www.vit.org'. The file path 'c:\inetpub\wwwroot\www.vit.org' does not correspond to the URL 'http://localhost/www.vit.org'. The two need to map to the same server location.

To make a long morning short, it turned out that after running IIS Lockdown, I could no longer create a Web project with periods (.'s) in the name. So, I created the project as "publicweb" and it worked fine.

I haven't figured out why this happened yet, and I'm sure there's a good reason for this, but I wanted to report this behavior.

Comments

Scott Galloway said:

# July 13, 2004 5:18 AM

Brendan Tompkins said:

Scott,

Yep.. It was right there in the docs!

AllowDotInPath=0

By default, this option is set to 0. If this option is set to 0, URLScan rejects any request that contains multiple periods (.). This prevents attempts to disguise requests for dangerous file name extensions by putting a safe file name extension in the path information or query string portion of the URL. For example, if this option is set to 1, URLScan might permit a request for http://servername/BadFile.exe/SafeFile.htm because it thinks that it is a request for an HTML page, when it is actually a request for an executable (.exe) file with the name of an HTML page in the PATH_INFO area. When this option is set to 0, URLScan may also deny requests for directories that contain periods.
# July 13, 2004 5:21 AM
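The quoted documentation explains both the attack AllowDotInPath=0 is meant to stop and the side effect that broke the "www.vit.org" project. The following Python is an added example, not code from the post or from URLScan itself: it models the documented rule (deny any request whose path or query string contains more than one period) and shows how IIS would split a disguised URL into a script name and PATH_INFO. The executable-extension set and the function names are my own assumptions, and the sample URLs are constructed from the ones in the post and the quoted docs.

```python
"""Model of URLScan's documented AllowDotInPath rule (hypothetical code, not URLScan's)."""
from urllib.parse import urlsplit

# Assumed set of extensions IIS would hand to a script engine or run directly.
# Constructed for this example; a real server's script map is longer.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".asp", ".aspx"}


def split_script_and_path_info(path, executable_exts=EXECUTABLE_EXTENSIONS):
    """Mirror how IIS resolves a URL path.

    The first segment whose extension is mapped to an executable becomes the
    script that runs; everything after it is passed along as PATH_INFO.
    Returns (script_name, path_info).
    """
    segments = path.split("/")
    for i, seg in enumerate(segments):
        dot = seg.rfind(".")
        if dot != -1 and seg[dot:].lower() in executable_exts:
            script = "/".join(segments[: i + 1])
            info = "/".join(segments[i + 1:])
            return script, ("/" + info if info else "")
    # No executable segment: the whole path is the static resource requested.
    return path, ""


def urlscan_decision(url, allow_dot_in_path=0):
    """Apply the documented AllowDotInPath rule to one request URL.

    With AllowDotInPath=0 any request whose path plus query string contains
    more than one period is rejected. With AllowDotInPath=1 the check is
    skipped entirely. Returns ("allowed" | "denied", reason).
    """
    parts = urlsplit(url)
    target = parts.path + (("?" + parts.query) if parts.query else "")
    periods = target.count(".")
    if allow_dot_in_path == 0 and periods > 1:
        return "denied", "%d periods in '%s'" % (periods, target)
    return "allowed", ""


def explain(url, allow_dot_in_path=0):
    """Combine both views: what URLScan does, and what IIS would have run."""
    verdict, reason = urlscan_decision(url, allow_dot_in_path)
    script, info = split_script_and_path_info(urlsplit(url).path)
    return {
        "url": url,
        "verdict": verdict,
        "reason": reason,
        "would_execute": script,
        "path_info": info,
    }


if __name__ == "__main__":
    # Constructed sample requests: the disguise from the URLScan docs, the
    # project name from the post, and the rename that made it work.
    for sample in (
        "http://servername/BadFile.exe/SafeFile.htm",
        "http://localhost/www.vit.org/default.aspx",
        "http://localhost/publicweb/default.aspx",
    ):
        for setting in (0, 1):
            r = explain(sample, setting)
            print("AllowDotInPath=%d %-8s %s  (runs %s, PATH_INFO=%r) %s"
                  % (setting, r["verdict"], r["url"], r["would_execute"],
                     r["path_info"], r["reason"]))
```

Running it shows the trade-off behind the post: under AllowDotInPath=0 the disguised request and the dotted project directory are denied for the same reason (more than one period), while under AllowDotInPath=1 both go through and BadFile.exe is what actually runs. Renaming the directory to "publicweb" is the safer fix because it keeps the check on.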

Darrell said:

Brendan - there are also some ini files you can take a look at for .NET dev and prod in the .NET operations guide.

See my blog post here:
http://dotnetjunkies.com/WebLog/darrell.norton/archive/2003/10/06/2090.aspx

Also, I developed URLScanWatcher for just this reason. Download here:
http://www.gotdotnet.com/Community/Workspaces/workspace.aspx?id=1c2cda67-58a8-4b49-94a3-5063d90c2506
# July 13, 2004 5:54 AM

Darrell said:

I should also chastise you for not Google-ing first!!!!
# July 13, 2004 6:00 AM

Brendan Tompkins said:

D-Ral.. Yes you should. I did google, just the wrong thing..

Remember - I guarantee my posts 100%, or your money back. ;)
# July 13, 2004 8:30 AM

Darrell said:

Don't you mean 99%?
# July 13, 2004 8:51 AM

Brendan Tompkins said:

Noooooo! All of my posts are 99% complete! I guarantee the 99% 100%!
# July 13, 2004 9:08 AM


About Brendan Tompkins

Brendan has been programming with .NET since the first public beta and is owner and operator of Port Technology Services, a consultancy company providing .NET application development services to the Maritime industry. In July, 2007, he was awarded the Microsoft MVP award for ASP.NET. He's also a proud co-founder of failed .COM startup Intrinsigo, and has had a hand in the failure of numerous other businesses. He currently runs CodeBetter.Com and Devlicio.us, and lives in Norfolk, Virginia with his wife Tiara and son Ian.
