IIS Informant - 22 Jan 2001
In this issue, Brett answers your questions about keeping up with security bulletins and hotfixes, troubleshooting and restarting Web sites, the SMTP service, and more.
January 21, 2001
Microsoft seems to release hotfixes and security bulletins weekly. How can I keep up with what I need to apply to my servers? Does anyone post all the hotfixes and bulletins in a one location or provide a notification service?
This problem is of growing concern to those of us who maintain IIS servers. Indeed, Microsoft releases hotfixes for IIS and related technologies regularly. Some of the problems fixed are more serious than others, but all are cause for concern.
As if the multiple hotfixes weren't problem enough, some administrators have reported problems with their servers after applying a hotfix. For example, concerns about hotfixes garnered attention recently when Microsoft released a hotfix (http://www.microsoft.com/technet/security/bulletin/ms00-086.asp) for a problem another hotfix had introduced.
The point here is that hotfixes aren't risk free. When a security problem is discovered, Microsoft is under pressure to release a hotfix quickly. As a result, hotfixes don't undergo the same level of testing as service packs; Microsoft releases the fixes without the benefit of those extensive tests and, sometimes, more quickly than is best.
Ideally, a product shouldn't need patches. However, I don't believe that IIS is less secure than any other Web server. Many people worldwide pound on products by Microsoft and other companies solely for the purpose of announcing to the world that they've found a security hole in a major product. Such products are more complex, in much greater use, and have more money flowing through them (e-commerce) than anyone ever imagined would be the case. Consequently, more problems are found, and any problem creates a greater risk. I don't believe that software is less secure than before, just that the software is under greater scrutiny.
I recommend that you don't automatically apply a hotfix to your servers the moment Microsoft releases that hotfix. You must weigh the seriousness of the security risk with the possibility that the hotfix might disable your server or expose another risk. I also strongly recommend that you make a complete backup of your server before you apply a hotfix. In addition, you should perform a test installation (if possible) on a nonproduction server. Ideally, you might wait awhile to see whether other administrators encounter problems with the hotfix.
So, how do you keep up with releases and current vulnerabilities? I use a combination of email lists and specific Web sites. See the Web-exclusive sidebar "Security Resources" for a list of these sites.
I handle a Web server that provides mission-critical service. Recently, my Web sites began taking turns stopping. IIS is still running, but when I use Internet Service Manager (ISM) to look at the sites, the sites appear stopped. No log entries or events are recorded. Does a tool exist that can help troubleshoot and restart the Web sites without constant human monitoring and intervention?
This experience is, unfortunately, all too common and one of the most complex problems to diagnose effectively. I can say that this problem isn't as prevalent in IIS 5.0 as it is in IIS 4.0, but that's of little help to IIS 4.0 Web administrators. Usually, you can trace the problem to the improper use of Active Server Pages (ASP) files; using an earlier version of Microsoft Data Access Components (MDAC), which includes ActiveX Data Objects (ADO); an outdated scripting engine (e.g., VBScript, JScript); or insufficient memory to serve the load.
By far, the most common cause of a Web site stopping unexpectedly is the incorrect or sloppy use of ASP. Many administrators have reported that by releasing every called object at the end of each page and closing all connections the moment they can be closed, they solve the "stopping without warning" problem.
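As an added illustration of that cleanup discipline (this is example code, not from the column), here is an ASP page that closes and releases its ADO objects on every code path, recordset before connection; the connection string and query are placeholders:

```vbscript
<%@ Language=VBScript %>
<%
' Added example: release every ADO object the page creates, in reverse order
' of creation, whether or not the query succeeded. Placeholder data source.
Option Explicit
Dim oConn, oRS
On Error Resume Next

Set oConn = Server.CreateObject("ADODB.Connection")
oConn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI"
Set oRS = oConn.Execute("SELECT ProductName FROM Products")

If Err.Number = 0 Then
    Do Until oRS.EOF
        ' HTMLEncode the value so database content cannot inject markup
        Response.Write Server.HTMLEncode(oRS("ProductName").Value & "") & "<br>"
        oRS.MoveNext
    Loop
Else
    Response.Write "Query failed."   ' do not echo Err.Description to the client
End If

' Cleanup runs on both paths. IsObject is False for a variable that was never
' Set (for example when Execute failed), so each step is safe to attempt.
If IsObject(oRS) Then
    If oRS.State <> 0 Then oRS.Close     ' 0 = adStateClosed
    Set oRS = Nothing
End If
If IsObject(oConn) Then
    If oConn.State <> 0 Then oConn.Close
    Set oConn = Nothing
End If
%>
```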
In addition, this problem can arise when you don't update IIS components. Microsoft releases updates to important IIS components by means other than service packs. For example, ADO is part of the MDAC package. You can download more recent versions of the MDAC package than those Microsoft supplies with the installation disks and service packs. You can even find service packs specifically for MDAC. The MDAC components have been known to cause sudden, "unexplained" stops in Web servers that you can fix by upgrading.
Determining the MDAC version you should be running is challenging. Five versions exist, and which one you've installed on your system is important. For example, MDAC 2.6, which comes with Microsoft SQL Server 2000, doesn't support clustering for SQL Server 7.0. For information about updates to IIS, see the Web-exclusive sidebar "Important Updates for IIS."
Everyone wishes that IIS would provide information about the site that stopped and why, but it doesn't, as you note. You can, however, implement monitoring for your sites that restarts a Web site when it has stopped. One popular tool is ipMonitor from MediaHouse (http://www.mediahouse.com). You can set up ipMonitor to check whether a Web site is delivering pages. If it isn't, ipMonitor can take several actions, including writing an event to the event log, paging an administrator, or executing a script. With scripting, you can easily stop and start a Web site. Sample scripts that install with IIS illustrate how you can script such actions. You can find the startweb.vbs sample script in \winnt\system32\inetsrv\adminsamples in IIS 4.0 and in \inetpub\adminscripts in IIS 5.0.
To get you started, you can obtain a good yet inexpensive monitor called Servers Alive at http://www.woodstone.nu. This tool can perform much of the same monitoring as a more expensive monitor, but it lacks some reporting and logging features. Nevertheless, Servers Alive is a bargain and works well.
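To show the check-and-restart logic such a monitor performs, here is an added example (not from the column and not IIS's own startweb.vbs) that fetches a page, and if the site no longer answers, restarts it through the ADSI IIS provider and records the outcome in the event log. It assumes it runs with cscript from a scheduled task on the IIS 4.0/5.0 server itself, that MSXML 3.0 is installed for MSXML2.ServerXMLHTTP, and that SITE_PATH and TEST_URL are placeholders for your site instance and a page on it:

```vbscript
' Added example: HTTP health check plus ADSI restart for one IIS Web site.
' SITE_PATH and TEST_URL are placeholders; instance 1 is the Default Web Site.
Option Explicit

Const SITE_PATH = "IIS://localhost/W3SVC/1"
Const TEST_URL  = "http://localhost/"
Const STARTED   = 2                           ' IIsWebServer.Status value
Const EVT_ERROR = 1                           ' WshShell.LogEvent event types
Const EVT_INFO  = 4

' True when the site answers HTTP 200 within the timeouts. Any error (refused
' connection, timeout, 5xx) yields False, so a hung site counts as stopped.
Function SiteDeliversPages(url)
    Dim oHttp
    SiteDeliversPages = False
    On Error Resume Next
    Set oHttp = CreateObject("MSXML2.ServerXMLHTTP")
    oHttp.setTimeouts 5000, 5000, 5000, 15000 ' resolve, connect, send, receive (ms)
    oHttp.Open "GET", url, False
    oHttp.Send
    If Err.Number = 0 Then SiteDeliversPages = (oHttp.Status = 200)
    On Error GoTo 0
End Function

' Starts the site; if ISM still shows it started (a hung site), stops it
' first so the start is a real restart. True when the site ends up started.
Function RestartSite(adsPath)
    Dim oSite
    RestartSite = False
    On Error Resume Next
    Set oSite = GetObject(adsPath)
    If oSite.Status = STARTED Then
        oSite.Stop
        WScript.Sleep 3000              ' let the state change settle
    End If
    oSite.Start
    If Err.Number = 0 Then RestartSite = (oSite.Status = STARTED)
    On Error GoTo 0
End Function

Dim oShell : Set oShell = CreateObject("WScript.Shell")
If SiteDeliversPages(TEST_URL) Then
    WScript.Echo "OK: " & TEST_URL
ElseIf RestartSite(SITE_PATH) Then
    oShell.LogEvent EVT_INFO, TEST_URL & " stopped answering; restarted " & SITE_PATH
Else
    oShell.LogEvent EVT_ERROR, TEST_URL & " stopped answering; restart of " & SITE_PATH & " failed"
End If
```

Run it every few minutes from the scheduler; the event-log entries give you the record of stops and restarts that IIS itself doesn't write.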
I'm running Windows NT with Service Pack 6a (SP6a), and I can't get my SMTP server to work on IIS 4.0. The event log shows error Event ID 7000 Source: Service Control manager. "Microsoft SMTP service. Service failed to start due to the following error: the system cannot find the file specified." I tried uninstalling and reinstalling SMTP and the service pack, but to no avail. Why won't SMTP work?
This problem occurs when you install IIS in a location other than the default location. When you install SMTP from Add/Remove Programs, SMTP doesn't realize that IIS exists in a different directory and incorrectly installs it in the default location. To fix the problem, follow the instructions in the Microsoft article "Added SMTP Service Fails After IIS 4.0 Is Installed on Non-Default Path" (http://support.microsoft.com/support/kb/articles/q245/2/08.asp).
I'm using Microsoft FrontPage 2000 Server Extensions on my IIS 5.0 server. I've been using FrontPage as a Web-development tool for several years and have many developers still using FrontPage 98. Recently, I implemented a policy that requires all developers to use FrontPage 2000 so I can standardize procedures and security administration. Can I cause the server to refuse connections from developers who aren't using FrontPage 2000?
Yes, you can. First, let me provide a little background. FrontPage 2000 Server Extensions add quite a few capabilities to your IIS server that require careful administrative management. The server extensions are well known for having a mind of their own and managing NTFS permissions for Web sites according to internal rules. This management works well, and you can use the Microsoft Management Console (MMC) Internet Information Services snap-in to enable and disable a lot of features. Unknown to most administrators, however, is that you can use a configuration file installed on FrontPage-extended webs to control many settings that you can't control in the UI. One such feature, ClientVerCutoff, is designed to do exactly what you're asking.
To enable this feature, browse to the _vti_pvt folder in the Home folder of the FrontPage-enabled web you want to affect. Use Notepad to open the services.cnf file. Go to the bottom of the file, then enter
vti_clientcutoffL:SX|4.0.1.2000:Sorry, you must use FrontPage 2000 to edit this web.
Save the file. That's all there is to it. You can't set this setting globally: You can set it only on a site-by-site basis.
Many other settings are available in the server extensions. You can enforce complex passwords; gain finer control of what executables users can upload; and control the search engine, SMTP, and other settings. You can find documentation about these settings in the appendix of the Microsoft FrontPage 2000 Server Extensions Resource Kit, which is available online at http://officeupdate.microsoft.com/frontpage/wpp/serk.