Re: Trend C/S/M SMB on SBS2003
From: Les Connor [SBS MVP] (les.connor_at_DEL.cfive.ca)
Date: 04/14/04
- Next message: Les Connor [SBS MVP]: "Re: Trend C/S/M SMB on SBS2003"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: Shadow copy and 16K blocks"
- In reply to: Peter Scott: "Re: Trend C/S/M SMB on SBS2003"
- Next in thread: Les Connor [SBS MVP]: "Re: Trend C/S/M SMB on SBS2003"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 14 Apr 2004 10:40:11 -0500
Hi Peter,
This, from David Wang (MS)
<snip>
IIS6 is locked down by default, so you do not need to run IIS Lockdown
Wizard nor URLScan. However, URLScan can run on IIS6 if you wish.
IIS6 only allows upgrade from W2K if IIS Lockdown has been run on it.
URLScan, if installed, will be preserved on upgrade. However, we are aware
of several issues with running URLScan on IIS6 due to IIS6 security
restrictions.
Microsoft will be soon publishing the definitive answer on lockdown,
URLScan, and the upgrade/clean install to IIS6.
I recommend that you clean install Windows Server 2003 and don't bother with
IIS Lockdown because an upgrade from IIS5 with Lockdown is still not as
secure overall as the clean install. URLScan is optional with IIS6 -- you
don't really need it on IIS6 (many of its features are built into IIS6 with
finer control), but you can run it if it makes you feel better.
-- //David This posting is provided "AS IS" with no warranties, and confers no rights. // I don't really know where that leaves you with the in-place upgrade. I haven't yet seen the 'definitive answer' referred to by David. -- Les Connor [SBS MVP] ------------------------------------- SBS Rocks ! "Peter Scott" <me@privacy.net.au> wrote in message news:#FArwuiIEHA.3556@TK2MSFTNGP10.phx.gbl... > Fixed - problem caused by UrlScan.ini (preventing CGI script from running) > > As my SBS2003 was an upgrade from SBS2000, I had previously ran IISLockdown > Tool and installed UrlScan 2.5. > > My UrlScan file had the following settings: > > UseAllowExtensions=0 ; if 1, use [AllowExtensions] section, else > use [DenyExtensions] section > > [DenyExtensions] > ; Deny executables that could run on the server > .exe > .bat > .cmd > .com > > Since Trend Micro uses .exe to execute CGI, the UrlScan was preventing the > executable from loading the CGI script. > > I made the following changes to UrlScan.ini (located in: > C:\WINNT\System32\inetsrv\urlscan\) - which places a ";" in front of the > extension '.exe.' to allow it to be executed > > [DenyExtensions] > ;.exe > > For the changes to take affect, IIS needed to be restarted. From a command > prompt, I typed: > > NET STOP IISADMIN (I was prompted to confirm the stopping of services) - be > sure to note which services are stopped as you will to restart them > > then restart IIS Web Services > NET START W3SVC (and net start other services that were stopped like SMTP > service and so on..) > > I then proceeded to connect to my OfficeScan URL - which was successful. > > My Comments > I don't like the idea of allowing the extension ".exe" to run on my web > server as no other sites require this. I did try Configure URLScan to Allow > Requests with a Null Extension in IIS as per article 312376 - but was not > successful. > > I don't understand why Trend Micro still rely on this method (after several > OfficeScan versions) rather then using a ISAPI filter which would be more > secure. As I have been a user of Trend Micro InterScan Messaging Security > Suite on SBS2003 - which configs IIS6 with an ISAPI filter called > CCGIRedirect 'isapi_redirect.dll' for CGI scripting to be executed for the > virtual site or virtual folder. > > I guess this would not be a problem on a new install of SBS2003 as it would > not have URLSCAN by default as IIS uses alternative methods to allow > extensions to run. > > I hope other users will benefit from this as I found no help on Trend's web > site or the SBS newsgroup. > > If any other users have advice on how the UrlScan should be configured on > SBS2003 - please let me know - because I'm feeling pretty worried about > allowing the ".exe" extension to be available on my web server (which > currently hosts external web sites). > > Peter > > > "Peter Scott" <me@privacy.net.au> wrote in message > news:eHOBIMhIEHA.3356@TK2MSFTNGP11.phx.gbl... > > I have installed Trend Micro C/S/M SMB on SBS2003 but can not connect > > to the console - receive page not found error 404 > > > > 1. I used port 8085 - which was not used by any other service (by > > doing netstat -an) > > 2. Web service extension lockdown is authorising service > > 3. Correct path exists > > > > Here are the steps I used with Installing Trend Micro > > Client/Server/Messaging SMB > > > > 1. (I use the Administrator account.) > > 2. Run setup > > 3. Enter the FQDN server.domain.local OR the IP of the SBS. I used > > internal IP > > 4. Install into IIS Virtual Web Site (NOT the default web site). > > 5. Used port 8085 for communication. > > 6. Deselected SSL. > > 7. Used Administrator account - using ISA so I entered proxy info > and > > port > > 8. Entered activation code > > 9. Accept the server/client port. > > 10. Accept the client installation for the SBS (installs the > > Officescan client on the server) > > 11. The install proceeds, then open the admin console - then fails > to > > open > > > > I checked web service extensions - which are allowing the files in > the > > correct folder. > > I checked the persmissions on the OfficeScan directory - no problems > > with access > > Internet Explorer is set to bypass local domain and addresses to > > bypass proxy > > The services are started. > > > > Arrhhh!!! - I'm off to advanced hair for extreme hair replacement > > therapy! > > > > > >
- Next message: Les Connor [SBS MVP]: "Re: Trend C/S/M SMB on SBS2003"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: Shadow copy and 16K blocks"
- In reply to: Peter Scott: "Re: Trend C/S/M SMB on SBS2003"
- Next in thread: Les Connor [SBS MVP]: "Re: Trend C/S/M SMB on SBS2003"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
