WWW and ftp Server Configuration Support



Deliver solutions since 1987.
Hosting www with IIS (Microsoft Internet Information Server) on NT:

These IIS instructions apply to NT 4.0 Server and Windows 2000 Server. Windows 2000 Server has IIS built in and has a different user interface. NT 4.0 does not ship with the newest version of IIS; it needs to be installed from the Option Pack CD. The server computer needs one static IP address. AIX and Linux have a different setup procedure, but the basic elements are the same.

Procedure:

·         Ask your ISP (eg. @work or uunet) and your domain name registrar (eg. NIC or register.com) to add an A record to their DNS zone file. They need to link your IP address (eg. 216.216.189.195) to your domain name (eg. www.digital-us.net). It may be necessary to request an MX record pointing to your email server as well, and likewise a record for the ftp server. You also need the DNS server IP addresses from your ISP, both the primary (eg. @work 24.2.68.33) and the secondary; these addresses will be used later. The information that needs to be added to your zone file on the ISP's and the registrar's DNS servers is as follows:

    ;
    ;  Database file digital-us.com.dns for com zone.
    ;      Zone version:  6
    ;

    @                       IN  SOA dcs04.digital-us.com. . (
                                6           ; serial number
                                3600        ; refresh
                                600         ; retry
                                86400       ; expire
                                3600      ) ; minimum TTL

    ;
    ;  Zone NS records
    ;

    @                       NS    dcs04.digital-us.com.

    ;
    ;  Zone records
    ;

    @                       A     216.216.189.196
    @                       MX    10   mail
    dcs04                   A     216.216.189.196
    mail                    A     216.216.189.196
    www                     A     216.216.189.196

·         This file can be found in the winnt\system32\DNS folder. It is created by DNS Manager.

·         Go to Network properties, Protocols, TCP/IP: enter the IP address and subnet mask (255.255.255.0). The gateway IP is the SDSL modem (216.216.189.193) or the ISDN router's IP address. DNS is the IP addresses obtained from the ISP; if your server also runs DNS, add that server's IP address as well. The maximum is three DNS IP addresses. The WINS server resolves internal computer names (such as DCS01, 200mmx). Ours is 216.216.189.195 (DCS01).

·         Check for valid IP addresses: from the Command Prompt, type nslookup <Enter>, set type=all <Enter>, digital-us.net <Enter> to see the IP mappings. Type exit to leave nslookup. Or simply type nslookup www.digital-us.net to see the result.

·         You may test the Internet connection by typing ping IP (eg. ping 24.2.68.33) to ping the other server.

·         Open Internet Service Manager from Programs. Rename the default www server, then open the properties dialog for the www server. Under the Web Site tab: change Description to www.digital-us.com, IP is 216.216.189.196, TCP port is 80. Connection timeout is 60 seconds. No limit on the number of connections. Home directory is the folder that contains the web pages, eg. D:\digital-us. Document: default to index.shtml, the home page for our web site.

·         Provide CGI script services: under Home Directory, click Configuration, add cscrip.exe and the extension .cgi.

    Add .pl    c:\perl\bin\perl.exe %s %s   PUT, DELETE
        .plx   c:\perl\bin\perlis.dll        PUT, DELETE
        .cgi   c:\perl\bin\Perl.exe %s %s   PUT, DELETE

    Modify the registry:

  1. Start Regedt32.exe and open the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
  2. Click Add Value from the Edit menu.
  3. The Value Name is .pl
  4. The Data type is REG_SZ.
  5. The String value is <the full path to perl.exe>\perl.exe %s %s

    NOTE: The "%s %s" is case sensitive (e.g. "%S %S" will not work).

·         ISAPI filter: if you need to provide PHP service, add PHP to the filter list. You may need to edit the registry (run regedt32) to add new keys.

·         Reboot NT.
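Before handing the zone records from the first step to the ISP and registrar, it is worth checking them for the mistakes that nslookup only reveals once the zone is live: a primary server, NS or MX target that has no A record, a non-numeric serial, or an SOA with no responsible mailbox. The following Python script is an added example, not code from the original page: it parses a zone file in the format shown above (';' comments, '@', relative and absolute names, an optional TTL/IN prefix and the parenthesised multi-line SOA) and runs those checks. The embedded zone text is a constructed copy of the one on this page; its SOA carries a bare `.` in the mailbox field, which the checker reports.

```python
"""Sanity-check a small BIND-style zone file like the one shown on this page.
Added example; it understands only the syntax that zone uses."""

# Constructed copy of the zone data shown on this page (not a live export).
ZONE_TEXT = """\
;  Database file digital-us.com.dns for com zone.
;      Zone version:  6
@                       IN  SOA dcs04.digital-us.com. . (
                                            6           ; serial number
                                            3600        ; refresh
                                            600         ; retry
                                            86400       ; expire
                                            3600      ) ; minimum TTL
;  Zone NS records
@                       NS    dcs04.digital-us.com.
;  Zone records
@                   A   216.216.189.196
@                       MX    10   mail
dcs04               A   216.216.189.196
mail                A   216.216.189.196
www                 A   216.216.189.196
"""


def qualify(name, origin):
    """Turn '@' and relative names into fully qualified, dot-terminated names."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata_tokens) records."""
    origin = origin.rstrip(".") + "."
    records, pending, depth, last_owner = [], None, 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                # drop comments
        toks = line.replace("(", " ( ").replace(")", " ) ").split()
        if depth == 0:
            if not toks:
                continue
            # A record line that starts with whitespace inherits the previous owner.
            owner = last_owner if raw[0].isspace() else qualify(toks.pop(0), origin)
            last_owner, pending = owner, (owner, [])
        for t in toks:
            if t == "(":
                depth += 1
            elif t == ")":
                depth -= 1
            else:
                pending[1].append(t)
        if depth > 0:                              # still inside ( ... )
            continue
        owner, rest = pending
        if rest and rest[0].isdigit():             # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":       # optional class
            rest = rest[1:]
        if rest:
            records.append((owner, rest[0].upper(), rest[1:]))
    return records


def check_zone(records, origin):
    """Return a list of problems; an empty list means the zone is consistent."""
    origin = origin.rstrip(".") + "."
    findings = []
    a_names = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        findings.append("zone must have exactly one SOA record")
    else:
        mname, rname, serial = soa[0][2][:3]
        if qualify(mname, origin) not in a_names:
            findings.append(f"SOA MNAME {mname} has no A record in zone")
        if rname in (".", ""):
            findings.append("SOA RNAME is '.' (no responsible mailbox)")
        if not serial.isdigit():
            findings.append(f"SOA serial {serial!r} is not numeric")
    ns = [r for r in records if r[1] == "NS"]
    if not ns:
        findings.append("no NS records")
    for _, _, rdata in ns:
        target = qualify(rdata[0], origin)
        if in_zone(target, origin) and target not in a_names:
            findings.append(f"NS {target} is in-zone but has no A record (missing glue)")
    for owner, _, rdata in (r for r in records if r[1] == "MX"):
        if len(rdata) != 2 or not rdata[0].isdigit():
            findings.append(f"MX record at {owner} is malformed: {' '.join(rdata)}")
            continue
        target = qualify(rdata[1], origin)
        if in_zone(target, origin) and target not in a_names:
            findings.append(f"MX target {target} has no A record")
    return findings


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT, "digital-us.com")
    for owner, rtype, rdata in recs:
        print(f"{owner:28} {rtype:4} {' '.join(rdata)}")
    for problem in check_zone(recs, "digital-us.com") or ["no problems found"]:
        print("check:", problem)
```

Point the script at your own zone text (or read it from the winnt\system32\DNS file mentioned above) and clear every finding before the records go to the ISP; the nslookup step then confirms the live server agrees with the file.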

Some problems and solutions:

·         Cannot log on to the web site www.digital-us.com, Error 401. Ans: Go to User Manager. Create a new user IUSR_DCS04 with a blank password and password changes disallowed. Run Internet Service Manager and open the www.digital-us.com properties. Under Directory Security, edit "Allow Anonymous Access" and enter IUSR_DCS04 as the anonymous user.

·         Security issue (from Dean Farrington):

A Null Session connection, also known as Anonymous Logon, is a way of letting an Anonymous user retrieve information such as user names and shares over the network or connect without authentication. It is used by applications such as explorer.exe to enumerate shares on remote servers.

Unfortunately it lets non-authorized users do more than that. Particularly interesting is remote registry access, where the NULL session user has the same permissions as built-in group Everyone.

To connect using a null session issue the following command:

c:\>net use \\computer\ipc$ "" /user:""

Where computer is a NetBIOS name, DNS name or IP address. The "ipc$" tagged on the end is the Inter-Process Communication default hidden share. The double quotation marks ("") are used to present a null password and a null user ID.

Why have such things as null sessions? Isn't it a big security issue?

Damn Straight, but the reason null sessions are necessary is that some of NT's internal goings on require a method whereby a machine can log on to a server and get some information. For example, if LMHOSTS is used on the network and the client's LMHOSTS file has an entry like "#include 123.123.123.123", this will cause the computer, on TCP/IP initialization, to log on to 123.123.123.123 using a null session and access the LMHOSTS file on that machine, which will be held in a null session share. A null session share is a share that can be accessed from a null session and allows (usually limited, eg. read) access to files within that share.

Null Sessions are the basis for the "Red Button" attack. Red Button would enumerate all the shares on a system if it could establish a null session.

What can I access through a null session?

  • The list of user accounts on that server
  • RAS callback numbers
  • Status of the account lockout for all users
  • Last logged on date and time for user accounts
  • Remote access to the Registry
  • Status of all NTFS file permissions on the system
  • Account policy on machine
  • User rights on the machine
  • List of services on the machine and their status

The special in-built group "Everyone" in NT includes null session users. Consequently, if the "Everyone" group has read access or greater, then a null session could access it. This behavior is found on Service Pack 1 and 2 machines but was disabled with Service Pack 3 with the introduction of a /winreg key.

How do I remotely access the Registry?

Connect to the remote computer from Regedit.exe or Regedt32.exe. Use the following format when prompted for the remote computer name: \\IP-address

The process will take a few minutes from across the Internet but will be much quicker on a LAN.

Can I stop someone from connecting to me through a null session?

If access to TCP port 139 is available, the short and sweet answer is no.

There is a tool from Somarsoft called DumpSec (formerly DumpAcl) that will show you all the information available through a null session. Get it at:
http://www.somarsoft.com

How do I "stop this insanity?!"

With SP3 or later, a system administrator can restrict the NULL session access, (see MS Q143474). With this fix, a new well-known SID is defined, named "Authenticated Users", which is Everyone except NULL session connected users. Apply SP3 or greater. Next adjust the following registry keys:

Use Regedt32.exe to open the key
HKLM\CurrentControlSet\Control\SecurePipeServers\winreg
(DWORD:1)

Highlight the winreg key, create it if it is not present.
From the pull down menu select Security > Permissions.
Replace the Everyone with Authenticated Users.

Next go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
And set Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 1
(add it if the key is not present)

Now close the registry editor and reboot for the changes to take effect.

You should also be blocking ports 135, 137, 138, and 139 at the firewall. These ports are used for Microsoft services and file sharing; they should never be allowed in to or out of your private network! As always, be sure you know what will happen before making any firewall changes.

For a production server the NTFS file permissions would also need to have "Everyone" replaced with "Authenticated Users". However, be cautious making wholesale NTFS permission changes to your systems; incorrect permissions can render a system unbootable.
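The two registry settings in the note above can be verified from a script instead of by eye in Regedt32. The following Python audit is an added example, not part of Dean Farrington's note or the original page: it checks that RestrictAnonymous under the LSA key is set to 1 or higher and that the SecurePipeServers\winreg key exists. The registry readers are injected callables, so the same logic runs against a constructed in-memory registry on any platform and against the live registry through Python's standard winreg module on Windows. It does not inspect the winreg key's ACL (the Everyone to Authenticated Users change), which needs the Win32 security APIs. The winreg key path used here includes the SYSTEM hive, which is where Windows keeps it.

```python
"""Audit the null-session hardening settings described above:
Lsa\RestrictAnonymous and the SecurePipeServers\winreg key.
Added example; the key paths are under HKEY_LOCAL_MACHINE."""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
WINREG_KEY = r"SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"


def audit_null_session(read_value, key_exists):
    """Return a list of findings; an empty list means both settings match the note.
    read_value(subkey, name) -> value or None; key_exists(subkey) -> bool."""
    findings = []
    ra = read_value(LSA_KEY, "RestrictAnonymous")
    if ra is None:
        findings.append("RestrictAnonymous is not set: anonymous (null session) "
                        "enumeration of accounts and shares is allowed")
    elif not isinstance(ra, int) or ra < 1:
        findings.append(f"RestrictAnonymous={ra!r}: expected 1 or higher")
    if not key_exists(WINREG_KEY):
        findings.append("SecurePipeServers\\winreg key is missing: remote registry "
                        "access is not gated by that key's ACL")
    return findings


def fake_registry(values, keys):
    """Constructed in-memory registry for offline use; case-insensitive like Windows.
    values maps (subkey, value_name) -> value; keys lists the subkeys that exist."""
    vals = {(k.lower(), n.lower()): v for (k, n), v in values.items()}
    present = {k.lower() for k in keys}
    return (lambda subkey, name: vals.get((subkey.lower(), name.lower())),
            lambda subkey: subkey.lower() in present)


def windows_registry():
    """Readers for the live registry; the winreg module is only available on Windows."""
    import winreg

    def read_value(subkey, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None

    def key_exists(subkey):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
                return True
        except OSError:
            return False

    return read_value, key_exists


if __name__ == "__main__":
    if sys.platform == "win32":
        readers = windows_registry()
    else:
        # Constructed "before hardening" state: value absent, winreg key absent.
        readers = fake_registry({}, [LSA_KEY])
    for finding in audit_null_session(*readers) or ["both settings present as recommended"]:
        print(finding)
```

On a hardened NT host the script prints a single confirmation line; on an unmodified one it lists each setting still at its default, which is the state that DumpSec (mentioned above) would be able to exploit for enumeration.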

Last modified: Friday December 21 2007
Email: webmaster
WWW: digital-us.net /techiis.shtml

© 1999 Digital Computing System - All Rights Reserved