Re: Trend C/S/M SMB on SBS2003

From: Les Connor [SBS MVP] (les.connor_at_DEL.cfive.ca)
Date: 04/14/04


Date: Wed, 14 Apr 2004 10:43:20 -0500

Here's a bit more, with links to more than you probably wanted to deal with.

INFO: Using URLScan on IIS
http://support.microsoft.com/default.aspx?scid=kb;[ln];307608

--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !
"Peter Scott" <me@privacy.net.au> wrote in message
news:#FArwuiIEHA.3556@TK2MSFTNGP10.phx.gbl...
> Fixed - problem caused by UrlScan.ini (preventing CGI script from running)
>
> As my SBS2003 was an upgrade from SBS2000, I had previously run IISLockdown
> Tool and installed UrlScan 2.5.
>
> My UrlScan file had the following settings:
>
> UseAllowExtensions=0           ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
>
> [DenyExtensions]
> ; Deny executables that could run on the server
> .exe
> .bat
> .cmd
> .com
>
> Since Trend Micro uses .exe to execute CGI, the UrlScan was preventing the
> executable from loading the CGI script.
>
> I made the following changes to UrlScan.ini (located in:
> C:\WINNT\System32\inetsrv\urlscan\) - which places a ";" in front of the
> extension '.exe' to allow it to be executed
>
> [DenyExtensions]
> ;.exe
>
> For the changes to take effect, IIS needed to be restarted. From a command
> prompt, I typed:
>
> NET STOP IISADMIN (I was prompted to confirm the stopping of services) - be
> sure to note which services are stopped as you will need to restart them
>
> then restart IIS Web Services
> NET START W3SVC (and net start other services that were stopped like SMTP
> service and so on..)
>
> I then proceeded to connect to my OfficeScan URL - which was successful.
>
> My Comments
> I don't like the idea of allowing the extension ".exe" to run on my web
> server as no other sites require this. I did try Configure URLScan to Allow
> Requests with a Null Extension in IIS as per article 312376 - but was not
> successful.
>
> I don't understand why Trend Micro still rely on this method (after several
> OfficeScan versions) rather than using an ISAPI filter which would be more
> secure. As I have been a user of Trend Micro InterScan Messaging Security
> Suite on SBS2003 - which configs IIS6 with an ISAPI filter called
> CCGIRedirect 'isapi_redirect.dll' for CGI scripting to be executed for the
> virtual site or virtual folder.
>
> I guess this would not be a problem on a new install of SBS2003 as it would
> not have URLSCAN by default as IIS uses alternative methods to allow
> extensions to run.
>
> I hope other users will benefit from this as I found no help on Trend's web
> site or the SBS newsgroup.
>
> If any other users have advice on how the UrlScan should be configured on
> SBS2003 - please let me know - because I'm feeling pretty worried about
> allowing the ".exe" extension to be available on my web server (which
> currently hosts external web sites).
>
> Peter
>
>
> "Peter Scott" <me@privacy.net.au> wrote in message
> news:eHOBIMhIEHA.3356@TK2MSFTNGP11.phx.gbl...
> >      I have installed Trend Micro C/S/M SMB on SBS2003 but can not connect
> > to the console - receive page not found error 404
> >
> >       1. I used port 8085 - which was not used by any other service (by
> > doing netstat -an)
> >       2. Web service extension lockdown is authorising service
> >       3. Correct path exists
> >
> >       Here are the steps I used with Installing Trend Micro
> > Client/Server/Messaging SMB
> >
> >       1. (I use the Administrator account.)
> >       2. Run setup
> >       3. Enter the FQDN server.domain.local OR the IP of the SBS. I used
> > internal IP
> >       4. Install into IIS Virtual Web Site (NOT the default web site).
> >       5. Used port 8085 for communication.
> >       6. Deselected SSL.
> >       7. Used Administrator account - using ISA so I entered proxy info and
> > port
> >       8. Entered activation code
> >       9. Accept the server/client port.
> >       10. Accept the client installation for the SBS (installs the
> > Officescan client on the server)
> >       11. The install proceeds, then open the admin console - then fails to
> > open
> >
> >       I checked web service extensions - which are allowing the files in the
> > correct folder.
> >       I checked the permissions on the OfficeScan directory - no problems
> > with access
> >       Internet Explorer is set to bypass local domain and addresses to
> > bypass proxy
> >       The services are started.
> >
> >       Arrhhh!!! - I'm off to advanced hair for extreme hair replacement
> > therapy!
> >
> >
>
>
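
Added example (not part of the original thread, and not UrlScan's own code): a simplified Python model of the extension check discussed in the quoted post. It parses UrlScan.ini text, tells whether a URL's extension is rejected, and reports executable extensions that have been commented out of [DenyExtensions]. The sample file contents, the console URL and the function names are constructed for illustration; treating a missing UseAllowExtensions as 0 is an assumption.

```python
# Added example: simplified model of UrlScan's extension lists, not UrlScan's code.
import posixpath
from urllib.parse import urlsplit

EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".com"}  # deny list quoted in the post

def parse_urlscan(text):
    """Return (options, sections, commented) parsed from UrlScan.ini text."""
    options, sections, commented, current = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";"):
            # Keep disabled entries such as ";.exe" so the audit can report them.
            entry = line.lstrip("; \t").lower()
            if current and entry.startswith(".") and " " not in entry:
                commented.setdefault(current, set()).add(entry)
            continue
        line = line.split(";", 1)[0].strip()  # drop trailing inline comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, set())
        elif "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
        elif line and current:
            sections[current].add(line.lower())
    return options, sections, commented

def is_blocked(url, options, sections):
    """True if the URL's file extension is rejected by the extension lists."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if options.get("useallowextensions", "0") == "1":  # assumed default: 0
        return ext not in sections.get("allowextensions", set())
    return ext in sections.get("denyextensions", set())

def disabled_executable_denies(options, sections, commented):
    """Executable extensions commented out of an active [DenyExtensions] list."""
    if options.get("useallowextensions", "0") == "1":
        return set()
    off = commented.get("denyextensions", set()) & EXECUTABLE_EXTS
    return off - sections.get("denyextensions", set())

# Constructed sample input, modelled on the settings quoted in the post.
BEFORE = ("[options]\nUseAllowExtensions=0 ; if 1, use [AllowExtensions] section\n"
          "[DenyExtensions]\n; Deny executables that could run on the server\n"
          ".exe\n.bat\n.cmd\n.com\n")
AFTER = BEFORE.replace("\n.exe\n", "\n;.exe\n")  # the change made in the post
CONSOLE_URL = "http://192.0.2.10:8085/officescan/example.exe"  # hypothetical URL
if __name__ == "__main__":
    print(sorted(disabled_executable_denies(*parse_urlscan(AFTER))))
```

Running the audit against every UrlScan.ini on a server shows which executable extensions are no longer denied server-wide, since the deny list applies to all sites behind that filter.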

