RE: Challenge/Response and IIS Security
If the DNS has a wildcard entry and there is not a blank host header for the site in IIS, and they type a URL that does not have a host header, they will be directed to the Default Web Site with the "All Unassigned" header. This is usually locked down.

Rick

-----Original Message-----
From: Chunshen Li [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 7:48 AM
To: CF-Talk
Subject: Challenge/Response and IIS Security

A client informed me that his site (on an NT-class OS and IIS web server) now requires a network password to log on. I suspected it's an NT Challenge/Response and IIS security problem with his new setup. I did some quick research to confirm my suspicion, and it seems valid: at least two situations would result in the above-mentioned problem:

1) Anonymous Access with the NT-class OS IIS user account, IUSR_{machineOrHostName}, has been disabled under the Integrated Windows Authentication scheme (haven't tested the other two authentication schemes).
2) The default IIS user account, IUSR_{machineOrHostName}, has been disabled.

I've tested the above two scenarios separately with the same result, that is, an NT logon is prompted when accessing the site. Are there any further scenarios that cause the same NT access problem? Security gurus, you'll make my day. TIA.
Re: Challenge/Response and IIS Security
Sorry, could you elaborate a bit?

> If the DNS has a wildcard entry and there is not a blank host header for the site in IIS, and they type a URL that does not have a host header, they will be directed to the Default Web Site with the "All Unassigned" header. This is usually locked down.
>
> Rick
RE: Challenge/Response and IIS Security
In DNS, if you have a wildcard A record, meaning any third-level domain name will be directed to this IP:

    *   A   99.99.99.99
    @   A   99.99.99.99

In IIS, go to the Web Site tab of the web site and click Advanced. This shows the host headers. Click Add, select the IP, enter the port, but leave the host header blank. Now when someone goes to http://WHATEVER.yourdomain.com/ they go to that site. In most cases the Default Web Site on the server will have the "All Unassigned" host header, so if you do not have a blank host header then the request will be directed to the default site. That site is usually the IIS Administration site and is locked down.

Rick

-----Original Message-----
From: Chunshen Li [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 8:46 AM
To: CF-Talk
Subject: Re: Challenge/Response and IIS Security

Sorry, could you elaborate a bit? [...]
Re: Challenge/Response and IIS Security
Forgot to add, in case you wonder: I understand the IWAM_{machineOrHostName} NT user account is required to be enabled to start the IIS server; it's related but not that relevant to the problem at hand.
Re: Challenge/Response and IIS Security
OK. I'm with you. Now, as my original posting indicated, the IUSR_{machineOrHostName} NT user account needs to be enabled; by default, this user belongs to the Web Anonymous Users group (which I guess is created by IIS during installation or the like). Question: how do you find out which directories/folders the group currently has access to? OK, I could try the reverse approach: look at the current web doc root directory and see who can access it. Now, among others, Users has Read & Execute, List Folder Contents, and Read. Does NT imply that the IUSR_{machineOrHostName} user account is sort of part of this Users account? Otherwise, how?

Secondly, if there's some sort of ghost account, an unknown... user account, would that most likely be a hacked account?

Thanks.

> At 01:05 PM 5/13/04, Don wrote:
> > Also, your point is? If the HTTP header is messed up / not set up properly in IIS, then an NT logon would be prompted when accessing a page?
>
> The most common cause of the NT prompt is failure to grant permissions to WebUser for the folder where the files reside.
Re: Challenge/Response and IIS Security
Ahe, under Default Web Site, right under Web Site, the options show as you described; the setting on my box is the same as what you said. Now, question: if my client's box has some entry/text for the Host Header Name, in other words not blank, then it would require an NT logon? It does not seem this way, I just tried. Our comm. not in sync yet?

Rick, I don't have access to the DNS info about the client's box, so I don't know what it looks like; where should I advise him to look for this?

Secondly, I looked at the properties for the web site on my own box with IIS 5.x, the HTTP Headers tab. I see the Custom HTTP Headers section is blank; clicking Add prompts for a header name and value pair. Are you saying give the header name any test name and enter IP:port for the value entry? The header name field can't be blank, or are we talking about something slightly different?

> Click Add, select the IP, enter the port, but leave the host header blank.

I'm not with you here. Also, your point is? If the HTTP header is messed up / not set up properly in IIS, then an NT logon would be prompted when accessing a page?

Thanks.

Don
RE: Challenge/Response and IIS Security
I am not saying this is a solution to your problem; my post was actually a third situation that causes the problem, and one I have found to be common. If you create a new site in IIS you are prompted for the default host header. Sometimes this gets entered as yourdomain.com and not www.yourdomain.com. So if a user goes to www.yourdomain.com it will not have a web site on the server, so IIS redirects it to a default site, usually the Administration site. Check to make sure they have the host headers entered correctly, and if there is a wildcard A record in DNS, add a blank one to pick up mistyped URLs like IhaveFatFingers.yourdomain.com.

I find it very uncommon that the default settings for IIS are tampered with unless the person is knowledgeable with IIS. I guess that should be the first question: did the person setting it up know what they are doing? Please take no offence if it was you, but it just makes a difference when troubleshooting.

Without a blank host header and wildcard DNS entry, or if the DNS entry does not have a host header in IIS, then you would get a "Cannot find server or DNS Error".

Rick

-----Original Message-----
From: Chunshen Li [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 13, 2004 10:33 AM
To: CF-Talk
Subject: Re: Challenge/Response and IIS Security

Ahe, under Default Web Site, right under Web Site, the options show as you described; the setting on my box is the same as what you said. [...]
Re: Challenge/Response and IIS Security
> I find it very uncommon that the default settings for IIS are tampered with unless the person is knowledgeable with IIS.

Though I'm not a network admin or the sort, I would think if I were MS I would make your observation above true.

> I guess that should be the first question: did the person setting it up know what they are doing? Please take no offence if it was you, but it just makes a difference when troubleshooting.

The client set that up themselves; as a policy, neither I nor any developer has any access to the box in question. If one does not want to work with the client he may ask that question. I appreciate your input.
RE: Challenge/Response and IIS Security
> Ahe, under Default Web Site, right under Web Site, the options show as you described; the setting on my box is the same as what you said. Now, question: if my client's box has some entry/text for the Host Header Name, in other words not blank, then it would require an NT logon? It does not seem this way, I just tried. Our comm. not in sync yet?

No, there is no correlation between web server authentication and the use of host header names. When you add a host header name entry to IIS, you're simply requiring that any HTTP requests sent to the site have a Host header, like this:

    GET /foo.cfm HTTP/1.1
    Host: www.foo.com

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496 fax: 202-797-5444
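As an added example (not part of the thread, and not code from any of the posters), here is a PowerShell probe for the two things being argued about above: which IIS site answers a given Host header, and whether that site challenges for Windows credentials. It sends a raw request per name (HTTP/1.1 with a Host header, or HTTP/1.0 with none, which is the "URL that does not have a host header" case Rick describes) and reports the status, Server header and whether a 401 with NTLM/Negotiate came back. The IP 99.99.99.99 and the yourdomain.com names are the placeholders from Rick's posts, not real values; substitute the client's own before running.

```powershell
# Added example, not code from the thread. Sends a raw HTTP request to an IIS server
# with a chosen Host header (or none) and reports which site answered and whether it
# challenged for Windows credentials. Server IP and host names below are the thread's
# placeholders; substitute the real ones.

function Send-RawHttpProbe {
    param(
        [Parameter(Mandatory)][string]$ServerIp,
        [int]$Port = 80,
        [string]$HostHeader,      # empty string = send no Host header at all
        [string]$Path = '/'
    )
    # HTTP/1.1 requires Host, so the "no host header" case is sent as HTTP/1.0, which is
    # what an old client or a bare http://<ip>/ URL amounts to on the wire.
    if ($HostHeader) {
        $request = "GET $Path HTTP/1.1`r`nHost: $HostHeader`r`nConnection: close`r`n`r`n"
    } else {
        $request = "GET $Path HTTP/1.0`r`n`r`n"
    }

    $client = New-Object System.Net.Sockets.TcpClient($ServerIp, $Port)
    try {
        $stream = $client.GetStream()
        $bytes  = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $raw    = $reader.ReadToEnd()        # server closes the connection when done
    } finally {
        $client.Close()
    }

    # Separate the status line and headers from the body. Header names are
    # case-insensitive, so they are lower-cased for lookup.
    $head    = ($raw -split "`r`n`r`n", 2)[0]
    $lines   = $head -split "`r`n"
    $headers = @{}
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        if ($line -match '^([^:]+):\s*(.*)$') { $headers[$Matches[1].ToLower()] = $Matches[2] }
    }
    $code = if ($lines[0] -match '^HTTP/\d\.\d\s+(\d{3})') { [int]$Matches[1] } else { 0 }

    [pscustomobject]@{
        HostHeader  = if ($HostHeader) { $HostHeader } else { '(none, HTTP/1.0)' }
        Status      = $code
        Server      = $headers['server']
        Location    = $headers['location']
        # 401 with NTLM/Negotiate is the browser's "network password" prompt: whichever
        # site answered this request is not allowing anonymous access.
        WindowsAuth = ($code -eq 401) -and ($headers['www-authenticate'] -match 'NTLM|Negotiate')
    }
}

function Test-IisHostHeaders {
    param([Parameter(Mandatory)][string]$ServerIp, [string[]]$HostNames)
    # An empty entry probes with no Host header (the case a blank host header binding is for).
    foreach ($name in $HostNames) {
        Send-RawHttpProbe -ServerIp $ServerIp -HostHeader $name
    }
}

# Constructed test set using the thread's placeholder names and IP.
Test-IisHostHeaders -ServerIp '99.99.99.99' -HostNames @(
    'www.yourdomain.com', 'yourdomain.com', 'ihavefatfingers.yourdomain.com', ''
) | Format-Table HostHeader, Status, Server, WindowsAuth, Location -AutoSize
```

If the rows for www.yourdomain.com and for the no-Host request differ in Status or Server, they are being served by different IIS sites, which is the misrouting Rick is describing; a WindowsAuth of True on the site the client actually intends to serve points instead at the anonymous-access and permission causes discussed in the rest of the thread.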
RE: Challenge/Response and IIS Security
> Forgot to add, in case you wonder: I understand the IWAM_{machineOrHostName} NT user account is required to be enabled to start the IIS server; it's related but not that relevant to the problem at hand.

The IWAM_MACHINENAME account is only required for running out-of-process applications. Ideally, you should run the CF ISAPI extension in-process (set Application Isolation to Low in the Home Directory tab of the IIS web site properties dialog).

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496 fax: 202-797-5444
RE: Challenge/Response and IIS Security
> A client informed me that his site (on an NT-class OS and IIS web server) now requires a network password to log on. [...] I've tested the above two scenarios separately with the same result, that is, an NT logon is prompted when accessing the site. Are there any further scenarios that cause the same NT access problem? Security gurus, you'll make my day.

For anonymous access to work, the IUSR_MACHINENAME account must have execute permissions to CF files and it must have execute permissions to the CF ISAPI extension. On CF 5, that extension is typically c:\cfusion\bin\iscf.dll, and on CFMX it's something like c:\cfusionmx\runtime\lib\wsconfig\1\jrun.dll. The exact path for the CFMX ISAPI extension will depend on how you've installed CFMX, but you can just look in the IIS management console under the list of ISAPI extensions to find out for sure.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496 fax: 202-797-5444
Re: Challenge/Response and IIS Security
Good info. Sorry I forgot to mention the CF server version; it's 5.0. Now, as I asked, how to determine the IUSR_MACHINENAME account's privileges to the web root doc directory and subdirectories? Under IIS, for a particular directory (folder), the two most probable options are:

1) All Tasks
   a) Permissions Wizard (what the heck is the design! just tell me who can access this folder and what sort of privilege)
   b) Configure Server Extensions (again, what the heck; why not say something like inherit admin rights, add user and/or right to whom)
2) Properties, going to Application Configuration, app mapping: .cfm -- bound to -- cf installation\bin\iscf.dll, edit, Verbs: all verbs (meaning, full permission?)

Thanks.

> For anonymous access to work, the IUSR_MACHINENAME account must have execute permissions to CF files and it must have execute permissions to the CF ISAPI extension. On CF 5, that extension is typically c:\cfusion\bin\iscf.dll, and on CFMX it's something like c:\cfusionmx\runtime\lib\wsconfig\1\jrun.dll. [...]
RE: Challenge/Response and IIS Security
> Now, as I asked, how to determine the IUSR_MACHINENAME account's privileges to the web root doc directory and subdirectories? Under IIS, for a particular directory (folder), the two most probable options are:
> 1) All Tasks
>    a) Permissions Wizard (what the heck is the design! just tell me who can access this folder and what sort of privilege)
>    b) Configure Server Extensions (again, what the heck; why not say something like inherit admin rights, add user and/or right to whom)
> 2) Properties, going to Application Configuration, app mapping: .cfm -- bound to -- cf installation\bin\iscf.dll, edit, Verbs: all verbs (meaning, full permission?)

You will have to check the filesystem using Windows Explorer or the command line. You can't check file permissions in the IIS management console. What you can check within the IIS management console is whether you've enabled anonymous access to a given web site or directory, or if not, what kind of authentication you're using to allow access to that location.

The all verbs thing refers to HTTP verbs: GET, POST, HEAD, DELETE, PUT and TRACE (I may have missed one). You shouldn't need to change anything in there.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496 fax: 202-797-5444
Re: Challenge/Response and IIS Security
> > Now, as I asked, how to determine the IUSR_MACHINENAME account's [...]
>
> You will have to check the filesystem using Windows Explorer or the command line.

Yes, I did; as my other posting indicated, the IUSR_MACHINENAME account does not show up in the users/groups list under Security. However, my site is accessible by outside users, so I guessed IUSR_MACHINENAME may be associated implicitly by Microsoft. Also, how about an unknown... account? Further thoughts on this?

> You can't check file permissions in the IIS management console. What you can check within the IIS management console is whether you've enabled anonymous access to a given web site or directory, or if not, what kind of authentication you're using to allow access to that location.

Yeah, in the know.

> The all verbs thing refers to HTTP verbs: GET, POST, HEAD, DELETE, PUT and TRACE (I may have missed one). You shouldn't need to change anything in there.

Good to know, thanks. It seems you've read all the specs; good for you, I should too.
RE: Challenge/Response and IIS Security
> Yes, I did; as my other posting indicated, the IUSR_MACHINENAME account does not show up in the users/groups list under Security. However, my site is accessible by outside users, so I guessed IUSR_MACHINENAME may be associated implicitly by Microsoft. Also, how about an unknown... account? Further thoughts on this?

The IUSR_MACHINENAME account is a member of the contextual groups Everyone and Authenticated Users, so if either of those groups have the appropriate permissions, that account will work.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496 fax: 202-797-5444
Re: Challenge/Response and IIS Security
Oops, sorry, I forgot to mention I'm checking on my XP Pro box; for XP Pro there are no such users/groups as Everyone and Authenticated Users, while your info could be helpful if my client's box uses this naming convention. Microsoft loves to play tricks on people :) Again, thanks.

> The IUSR_MACHINENAME account is a member of the contextual groups Everyone and Authenticated Users, so if either of those groups have the appropriate permissions, that account will work.
RE: Challenge/Response and IIS Security
> Oops, sorry, I forgot to mention I'm checking on my XP Pro box; for XP Pro there are no such users/groups as Everyone and Authenticated Users, while your info could be helpful if my client's box uses this naming convention. Microsoft loves to play tricks on people :)

I don't have an XP box handy, but I'm sure they're there. However, they're not real groups, like Administrators or Users or Power Users. They're contextual groups: their membership is determined at runtime, so to speak. Whenever you log in, you're a member of Authenticated Users. Whenever you connect, whether you log in or not (such as when you create a null session), you're a member of Everyone. You won't see these contextual groups within the Users & Groups section of Computer Management, but you will be able to assign permissions to them within the filesystem or Registry.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496 fax: 202-797-5444
Re: Challenge/Response and IIS Security
Shoot, excuse me for the language; I was so absent-minded, I missed the key word, "contextual", in your last posting. OK, what's the nuance between EVERYONE and ANONYMOUS LOGON from a site access perspective?

Man! You're very, very detail-oriented, a great quality, I'd say.

Don

> I don't have an XP box handy, but I'm sure they're there. However, they're not real groups, like Administrators or Users or Power Users. They're contextual groups: their membership is determined at runtime, so to speak. [...]
RE: Challenge/Response and IIS Security
> Shoot, excuse me for the language; I was so absent-minded, I missed the key word, "contextual", in your last posting. OK, what's the nuance between EVERYONE and ANONYMOUS LOGON from a site access perspective?

The difference between them, from the perspective of setting filesystem permissions, is the same as the difference between a group and any member of that group. If you allow Everyone execute access to a file, the IUSR_MACHINENAME will have execute access to that file, since it (and every other account) is a member of Everyone. I would strongly recommend avoiding the use of Everyone when setting filesystem permissions, though. Use Authenticated Users instead. The IUSR_MACHINENAME account is also a member of that group.

> Man! You're very, very detail-oriented, a great quality, I'd say.

It's a necessary quality for configuring servers, unfortunately.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496 fax: 202-797-5444
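Dave's advice in this and his earlier replies (check the filesystem, not the IIS console; the anonymous account gets its access through Everyone, Authenticated Users and whatever local groups it sits in; prefer Authenticated Users to Everyone) can be turned into a script. The following is an added example, not the poster's code: it walks a web root, or a single file such as the CF ISAPI extension, lists every ACE that applies to the anonymous account directly or through a group it is implicitly in, flags grants to Everyone, and reports paths where none of those identities is named at all, which is where an anonymous request fails and IIS falls back to asking for credentials. The account name, the group list and the C:\Inetpub\wwwroot path are assumptions for an IIS 5/6 box and should be adjusted for the box in question; on IIS 7 and later the anonymous identity is NT AUTHORITY\IUSR and the application pool identity also matters.

```powershell
# Added example, not code from the thread. Lists the NTFS ACEs under a web root (or on a
# single file) that apply to the identity an anonymous IIS request runs as, either
# directly or through a group it is implicitly a member of. Account name, group list and
# paths are assumptions for an IIS 5/6 box; on IIS 7+ the account is NT AUTHORITY\IUSR.

function Get-AnonymousWebAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$AnonymousAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
        # Groups whose membership is implied rather than listed: Everyone and Authenticated
        # Users are computed at logon, Users contains Authenticated Users, and the IUSR_
        # account is placed in Guests by IIS setup. Add any custom group (e.g. a
        # "Web Anonymous Users" group) the account has been put in on the box.
        [string[]]$ImplicitGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                                      'BUILTIN\Users', 'BUILTIN\Guests')
    )
    $identities = @($AnonymousAccount) + $ImplicitGroups
    $root  = Get-Item -LiteralPath $Path -Force
    $items = @($root)
    if ($root.PSIsContainer) { $items += Get-ChildItem -LiteralPath $Path -Recurse -Force }

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $matched = $false
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($identities -notcontains $who) { continue }
            $matched = $true
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $who
                Type      = $ace.AccessControlType     # Allow or Deny; a Deny overrides Allows
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                # Everyone also covers null-session and other unauthenticated connections.
                Note      = if ($who -eq 'Everyone' -and $ace.AccessControlType -eq 'Allow') {
                                'granted to Everyone; grant to Authenticated Users instead'
                            } else { '' }
            }
        }
        if (-not $matched) {
            # Nothing here names the anonymous account or its groups, so an anonymous
            # request for this path cannot be served and IIS falls back to asking for
            # credentials: this is the logon prompt the thread is chasing.
            [pscustomobject]@{
                Path = $item.FullName; Identity = '(none)'; Type = 'NoAccess'
                Rights = ''; Inherited = $false
                Note = 'no ACE for the anonymous account or any group it is in'
            }
        }
    }
}

# Usage with the paths named in the thread (web root path is an assumption): the web
# root, then the CF 5 ISAPI extension, which the anonymous account must be able to execute.
Get-AnonymousWebAccess -Path 'C:\Inetpub\wwwroot' |
    Format-Table Path, Identity, Type, Rights, Note -AutoSize
Get-AnonymousWebAccess -Path 'C:\CFusion\bin\iscf.dll' |
    Format-Table Identity, Type, Rights, Note -AutoSize
```

The "(none)" rows are only as reliable as the group list you pass in: if the anonymous account has been added to some other local group on the box, add that group to -ImplicitGroups or the script will report a false gap. A Deny row for any of the identities is the first thing to look at, since it overrides every Allow regardless of which group granted it.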
Re: Challenge/Response and IIS Security
> I would strongly recommend avoiding the use of Everyone when setting filesystem permissions, though. Use Authenticated Users instead. The IUSR_MACHINENAME account is also a member of that group.

Excellent. I read about not using the EVERYONE account; however, I forgot (can't focus well these days, unfortunately). Now, how would you determine if some of the users from the list may be fake ID/backdoor user accounts? One way, I guess, might be: get the mandatory or system default user account list for NT/XP/a given Windows OS and then separate them from the rest, then examine the remaining? Better approach? I appreciate it.

Don
RE: Challenge/Response and IIS Security
> Now, how would you determine if some of the users from the list may be fake ID/backdoor user accounts? One way, I guess, might be: get the mandatory or system default user account list for NT/XP/a given Windows OS and then separate them from the rest, then examine the remaining? Better approach?

I don't know of any tool or automation process that will handle this for you. I simply keep track of created user accounts; it's easy enough to check for differences. You might also check existing user accounts to ensure their privileges haven't changed, as it's often simpler to escalate privileges than to create a new account anyway.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496 fax: 202-797-5444
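An added example (not from Dave or anyone in the thread) of the "keep track and check for differences" approach in PowerShell: it records local accounts by SID and the membership of Administrators to a JSON baseline, and later diffs the live box against it, reporting new, removed, renamed or re-enabled accounts and anyone added to Administrators, which is the escalation case Dave mentions. It relies on the Get-LocalUser and Get-LocalGroupMember cmdlets, which exist on Windows 10 and Server 2016 and later, so it would not run on the NT/2000/XP boxes in the thread; the baseline path is an assumption and should live somewhere the web server's accounts cannot write.

```powershell
# Added example, not code from the thread. Snapshot local accounts and the Administrators
# group, save it as a baseline, and later diff the live state against it. Requires the
# Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later).
# Assumption: the baseline file path is whatever you pass in; keep it off the web server.

function Get-LocalAccountSnapshot {
    $users = @(Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Sid     = $_.SID.Value       # SIDs are the stable key; names can be changed
            Name    = $_.Name
            Enabled = [bool]$_.Enabled
        }
    })
    # Members of Administrators by SID: an escalated existing account shows up here even
    # though the user list itself did not change.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                ForEach-Object { $_.SID.Value })
    [pscustomobject]@{
        Taken          = (Get-Date).ToString('o')
        Users          = $users
        Administrators = $admins
    }
}

function Save-LocalAccountBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-LocalAccountSnapshot | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Compare-LocalAccountBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $base = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $now  = Get-LocalAccountSnapshot

    # Index both sides by SID. @() guards against JSON round-tripping a single element
    # as a scalar instead of an array.
    $baseUsers = @{}; foreach ($u in @($base.Users)) { if ($u) { $baseUsers[$u.Sid] = $u } }
    $nowUsers  = @{}; foreach ($u in $now.Users)      { $nowUsers[$u.Sid]  = $u }
    $baseAdmins = @($base.Administrators | Where-Object { $_ })

    foreach ($sid in $nowUsers.Keys) {
        $u = $nowUsers[$sid]
        if (-not $baseUsers.ContainsKey($sid)) {
            [pscustomobject]@{ Change = 'NewAccount'; Sid = $sid; Name = $u.Name
                               Detail = "not in baseline taken $($base.Taken)" }
            continue
        }
        $b = $baseUsers[$sid]
        if ($b.Name -ne $u.Name) {
            [pscustomobject]@{ Change = 'Renamed'; Sid = $sid; Name = $u.Name; Detail = "was $($b.Name)" }
        }
        if ([bool]$b.Enabled -ne $u.Enabled) {
            [pscustomobject]@{ Change = 'EnabledChanged'; Sid = $sid; Name = $u.Name
                               Detail = "enabled is now $($u.Enabled)" }
        }
    }
    foreach ($sid in $baseUsers.Keys) {
        if (-not $nowUsers.ContainsKey($sid)) {
            [pscustomobject]@{ Change = 'RemovedAccount'; Sid = $sid; Name = $baseUsers[$sid].Name; Detail = '' }
        }
    }
    foreach ($sid in $now.Administrators) {
        if ($baseAdmins -notcontains $sid) {
            $name = if ($nowUsers.ContainsKey($sid)) { $nowUsers[$sid].Name } else { '(group or domain principal)' }
            [pscustomobject]@{ Change = 'NewAdministrator'; Sid = $sid; Name = $name
                               Detail = 'added to Administrators since baseline' }
        }
    }
}

# Usage: run the save once on a known-good box, then run the compare on a schedule.
# Save-LocalAccountBaseline -Path 'C:\baseline\local-accounts.json'
# Compare-LocalAccountBaseline -Path 'C:\baseline\local-accounts.json' | Format-Table -AutoSize
```

Keying on SIDs rather than names is what catches a renamed account, and recording the Administrators membership separately is what catches the escalation case without a new account ever appearing. The same comparison can be extended to other privileged groups (Remote Desktop Users, Backup Operators) by snapshotting them the same way.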