Somehow somebody is hacking our global.asa file (IIS 7.5). We do not use our global.asa file for anything, but when somebody inserts code into it, it of course used.
Initially, we didn't even have a global.asa file on the site until somebody pushed it there.
While we're reviewing permissions, firewall, all other security measures, is there any quick way we can totally stop IIS from looking for the file?
Yes, our site is traditional ASP.
Thanks!
You could try adding an empty global.asa and set the permissions to be very restricted, so basically only 'read' access to IIS_USR account
Related
The problem
We're running IIS on Windows 8.1 with Update. We're at the Orchard CMS first time setup screen, and IIS is giving 401s for all static content. We have read the following to no avail:
IIS 7.5 no images css js showing
IIS 7.5 no images css js showing
The official Orchard deployment documentation
Based on those, this is what I have tried that doesn't work.
Turn on the IIS feature to Serve Static Content.
Give IIS_IUSRS permission to Read, write & execute.
Give the site's application pool permission to Read, write & execute.
What does work though is the nuclear option: to give Everyone the Read permission (unless we want to proceed with the Orchard setup; then we need to give Everyone even more permissions.) That leads me to believe that I must give permission to some principle with less scope than Everyone but more scope than both IIS_IUSRS and the application pool combined.
Who/what is that principle?
Pictures to show the problem
We receive a 401 on ..\Themes\SafeMode\Styles\site.css
The task manager confirms that the site is running as the orchard user.
The security properties of the ..\Themes\SafeMode\Styles\ directory gives Read permission to orchard.
Why does it only work when we give Read permission to Everyone?
I had a similar problem. Under authentication, I right clicked "Anonymous Authentication" and clicked "Edit". That shows a dialog giving you the ability to set the identity of the anonymous user. I set it to "Application pool identity" and that fixed the problem for me.
.
This may not be the most secure configuration though, but I'm on a dev server so I don't care.
Try turn on the Static Content and Directory Browsing features under Internet Information Services->World Wide Web Services->Common HTTP Features node.
In my case I had to set Read permission for IUSR user for the web site folder.
So, what I had to do to fix this problem was the following:
(and please understand, that this is not ASP or PHP script related, the server wouldn't even show basic simple .html files, yet would serve out PHP results all day long!)
Two fold…
Had to set the application pool for each site, under advanced settings, to use LocalSystem for it’s process
Under site, advanced settings, security, add the IUSR account to have read & list contents access, for the site… :-)
See any problems with doing that?
'cuz it's working....
Updating windows feature for WWW services/Common Http Features/static content by selecting Static Content checkbox fixed my IIS not service static content issue.
Open IIS -> go to advanced settings of selected website and open Physical Path Credentials -> Select specific user and enter your local user credentials. Open below screenshot for further visualising the things:
IIS Settings
I've set up a site in IIS and even though the permissions on the folder are correct I still get "500.19 Cannot read configuration file due to insufficient permissions". To make it simple I've set full control (it's only for local use) instead of the "correct" permissions and they are set for authenticated users, system, my user account, administrators, iis_iusrs and my app pool. I've got these exact same permissions set on another computer and browsing the site works like charm on that one.
If I choose to runt the app pool as LocalSystem instead of ApplicationPoolIdentity the site load but without any of the static content (images, css, scripts, etc.).
Any idea what might be wrong here? Seems like a lot of people out there are having the exact same problem but no matter how much I search and read up on it there is no solution to be found.
These problems can be tough to answer because so many different things could cause this. Many times more than one thing is wrong. However, there might be a simple solution.
If switching the app pool to LocalSystem works, that is a start. Regarding the subsequent problem, I would suggest checking the links in the webpage to be sure they are pointing to valid locations on the server. If so, and you are still having trouble, please reply with the version of IIS that you are using and the authentication method used for the site.
Tom answered this question in his comment above but I don't know how to mark a comment as a solution. This is what he wrote:
"It sounds like your static content files might not have inherited the permissions you've set on the parent folder. To blanket set the permissions on all files and folders, go to the folder properties of the parent folder, click the security tab and select advanced, check the Replace all child object permission entries with inheritable permission entries from this object then click Apply."
I have a folder that contains log files. They're not super critical, but I don't want total strangers looking through them. I'd like to put a password on that one folder. The folder and its contents are served straight up from IIS, so I'm not looking for a coding solution.
With Apache I'd use a .htaccess file.
With IIS it's possible to use multiple Web.config files at various levels to control this kind of thing.
So, what goes in the Web.config file that allows me to require a password when accessing this folder?
I'm happy for the password to pop up in a dialog like old-school websites used to do (not sure what this is called -- I think it is digest authentication) and so avoid any loginUrl redirection stuff
I'm happy to put the password in the Web.config file in plain text if it's easier
The application is internet facing and running on shared hosting, so I don't have much control over the box beyond what I can configure in Web.config.
You can achieve this using the <location path="..."/> element of web.config file.
Check this link for step-by-step instructions..
Is it best practice to not use C:\Inetpub\wwwroot\wss\ for SharePoint? My concern is that the configuration wizard seems to look for this C: path and it may be too complicated to not use the default path(s),
What would be the reason for using an alternate location?
You should not be changing anything in the sharepoint IIS sites through IIS Manager, except through the sharepoint Central Admin site. There are dependencies in the sharepoint configuration that are not just stored in IIS, especially around the users that are applied for app pools etc. This website does most of the things you need to do (i.e. host headers etc)
So best practice is to create a folder in the C:\Inetpub\wwwroot\wss\ that is easy to map to the web application and then leave the folder as is.
Although it is hard to find stuff in the Central Admin site, the Infrastructure Update for SharePoint helps.
Having failed miserably in the past merely trying to change machine names on a VM after Sharepoint was installed, it is hard to imagine a goal more likely to frustrate than this idea!
The only arguments I've heard for not running IIS websites out of the Inetpub directory is that it's a commonly known location for evildoers to look at when attacking a system, but if security is your concern you're far past screwing the pooch if an attacker has file system access.
We've always let the configuration wizard pick that location for us. There's a lot of aspects of the underlying configuration that rely on that location and it's never seemed worthwhile to explore changing the home directory.
I'm making some changes to a legacy classic ASP application. I've made the changes locally, and now I want to copy the changed files to the server. At the same time, I need to download the Access database, add some fields to some tables, and upload it again. For this reason, I need to be able to stop visitors from modifying the database while this is happening.
My main question is, what is the best way to setup a quick "Down for Maintenance" page that will be shown immediately and no matter which page the visitor requests. The application is already established, so I'd rather an answer that didn't require me to rework the application's architecture.
My second question (maybe this should be a separate question):
Is there a better way to add fields to a db table than to copy it down, modify, and stick it up again? Please forgive if that's a dumb question - I'm new to ASP - new to Windows too.
I only have FTP access to the remote server.
Thanks.
two ways:
1
if you do a server-side include in every asp page you can do a response.redirect in that include to /upgrading.html
2
in global.asa you can do a response.redirect in the session on start event. THis is probably the best way. Will only work for .asp pages, not if the client comes to a .html page.
Do you have any control panel access to the site at all?
When I used to run a number of ASP Classic sites I often turned them off for the five minutes required to do what I needed.
Rude to do to your visitors I know.
As others have said you could redirect to a page, but that won't stop people visiting static content in html pages, but then that probably won't matter, at least it stops them making changes to the mdb whilst you download it.
It's a pity that ASP.net's app_offline.htm doesn't work for ASP classic.
Another option I used to use was to create a default.htm file that had the offline message, and the way IIS was setup default.htm overrode default.asp, so simply uploading default.htm changed the homepage. This of course doesn't stop anyone using any of the other .asp pages.
So no real answer! Sorry.
If you have just FTP access to the server (and no control over the IIS) just insert a response.redirect to the "down for maintenace" page in top of all the asp pages, and remove it when the update is completed.
The changes to the database can be performed with the ALTER TABLE statement.
With regards to the "Down Maintanance" page issue you can and taking mapache's idea a step further if there is an included file (for a header) in each of the pages you can put the Response.Redirect in that one file and upload that in place. This will avoid making changes to all pages.
Another option is to upload a temp html file which will be found first by IIS. In IIS you can set which page name.ext are looked for in a domain/folder. For example when you browse to www.example.com you don't specify the page you are looking for so it could load index.html or index.htm for example depending on setup. It will depend on your hosts configuration setup, but a bit of trial and error I'm sure you can find out which one they use. Common ones for IIS are default.htm, default.html, index.html and index.htm. You can then put it in each of the folders in the website (not ideal I know) and then carry out your maintenance.
When updating databases you can run a migration script, written in sql, to update the schema and data of the db. As you only have FTP access this will require some sort of page you can paste the sql into and run. This however opens security issues so downloading the db, making the changes and then uploading again is probably easier. In addition to doing it this way you can also save the file and you'll have a backup :-)
Hope this helps.
Better than an include file, just use the Global.asa.
In the Global.asa's Application_onStart, add
Application("Offline")= True
at the top of all of your ASP files, add
If VarType(Application("Offline")) = vbBoolean Then If Application("Offline") Then Response.Redirect "App_Offline.htm"
(The double-if gets around the lack of VBScript's short-circuit operators, and therefore any data type errors.)
You could even set the Global.asa code to
Set fso= Server.CreateObject("Scripting.FileSystemObject")
Application("Offline")= fso.FileExists(Server.MapPath("App_Offline.htm"))
Set fso= Nothing
Which would enable the offline page if it exists, like ASP.NET. However, the application start code is only reparsed when the server is reset (using iisreset), or when the Global.asa file is modified, merely adding the App_Offline.htm will not be enough.
Add below code in web.config
<?xml version="1.0"?>
<configuration>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
</configuration>
And place app_offline under root folder. This will work.