
Tuesday, January 19, 2010

How to Fix Internet Explorer Cannot Download FileName from WebServer

You may find that when you create a link to a file from your web server that Internet Explorer cannot download or open the file.  When the user clicks the link, Internet Explorer returns the generic 404 error, as shown:



They also may receive an error stating, "Internet Explorer cannot download filename.ext from www.server.com.  Internet Explorer was not able to open this Internet site.  The requested site is either unavailable or cannot be found. Please try again later."

This happens when IIS doesn't understand the file extension and associated content type of the file.  Examples of such file extensions are .reg or .gadget.  To fix this problem you must add the extension and MIME type to IIS.

Here's how you do it in IIS 7.0 (Windows Server 2008) and IIS 7.5 (Windows Server 2008 R2):
  • Open Internet Information Services (IIS) Manager
  • Expand servername > Sites > Default Web Site
  • Select the website you want to configure, or select Default Web Site if you want to configure all websites on the server
  • Double-click MIME Types in the IIS section of the center pane
  • Click Add in the Actions pane
  • Enter the extension you wish to add, including the . prefix (e.g., .reg or .gadget)
  • Enter the MIME type (e.g., text/plain for .reg files or application/x-windows-gadget for .gadget files)
  • Click OK
The changes go into effect immediately - there's no need to restart IIS.
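
The same change can be scripted. The following is an added example, not part of the original post; it assumes the WebAdministration PowerShell module as included with IIS 7.5 on Windows Server 2008 R2, and the function name Add-MimeMapIfMissing is hypothetical.

```powershell
# Added example (not from the original post). Run elevated.
Import-Module WebAdministration

function Add-MimeMapIfMissing {
    param(
        [string]$Extension,                          # including the leading dot
        [string]$MimeType,
        [string]$PSPath = 'MACHINE/WEBROOT/APPHOST'  # server-wide; or 'IIS:\Sites\Default Web Site'
    )
    $section = 'system.webServer/staticContent'

    # The effective collection at $PSPath includes entries inherited from parent levels.
    $existing = Get-WebConfiguration -PSPath $PSPath `
        -Filter "$section/mimeMap[@fileExtension='$Extension']"

    if ($existing) {
        if ($existing.mimeType -ne $MimeType) {
            Write-Warning "$Extension is already mapped to '$($existing.mimeType)'; left unchanged."
        }
        return $existing.mimeType
    }

    # Append a new <mimeMap> element to the staticContent collection.
    Add-WebConfigurationProperty -PSPath $PSPath -Filter $section -Name '.' `
        -Value @{ fileExtension = $Extension; mimeType = $MimeType }
    return $MimeType
}

# The two mappings named in the post.
Add-MimeMapIfMissing -Extension '.reg'    -MimeType 'text/plain'
Add-MimeMapIfMissing -Extension '.gadget' -MimeType 'application/x-windows-gadget'
```

A second mimeMap entry for an extension that is already defined at a parent level is a configuration error, which is why the function checks the effective collection before adding.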

For a quick reference of MIME types, see MIME Type Detection in Internet Explorer.


Tuesday, January 5, 2010

How to Enable Reverse DNS Lookup in IIS



This article explains how to enable reverse Domain Name System (DNS) lookup for all versions of Internet Information Services (IIS).

When reverse DNS lookups are enabled on the web server, the IP address of each web client that connects to the IIS server is resolved to a DNS name, and the DNS name instead of the web client IP address is placed in the IIS log files.  Enabling reverse DNS also affects what CGI and ISAPI extensions see as a value of the Remote_Host variable.

Microsoft KB article 297795 gives a step-by-step demonstration of how to enable RDNS for IIS4, IIS5 and IIS6, but all you need to do is run the following in a command prompt from the ADScripts folder:

For IIS4 run:
adsutil set w3svc/EnableReverseDNS TRUE
For IIS5 and IIS6 run:
cscript adsutil.vbs set /w3svc/EnableReverseDNS "TRUE"
In IIS7, you must install the IP and Domain Restrictions role service for the Web Server (IIS) role.  You can do this in Server Manager or from the command line using the following command:
ServerManagerCMD -install Web-IP-Security
In Windows Server 2008 R2, the ServerManagerCMD.exe program is deprecated and has been replaced with the ServerManager PowerShell cmdlets.  The following two cmdlets are used to install the IP and Domain Restrictions role service:
Import-Module ServerManager
Add-WindowsFeature Web-IP-Security
Now that the role service is installed, you can configure reverse DNS lookups, as follows:
  • Open Internet Information Services (IIS) Manager.
  • Navigate to the Server Name in the Connections pane.  If you only want to enable reverse lookups on a particular website, navigate to that website.
  • Double-click IP Address and Domain Restrictions in the center pane and click Edit Feature Settings in the Actions pane.
  • Put a checkmark in Enable domain name restrictions and click OK.
You will see the following warning:
Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance. Are you sure you want to enable restrictions based on domains?
Clicking Yes will enable reverse lookups for all clients connecting to the web server.  I have not noticed any more than a 1-2% increase in CPU performance and the websites are just as performant as before.

Each of these changes goes into effect immediately.  There is no need to restart IIS.
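
The Enable domain name restrictions checkbox corresponds to the enableReverseDns attribute of the ipSecurity configuration section. The following added example (not from the original post) sets it from PowerShell and reports the effective value per site; it assumes the WebAdministration module on Windows Server 2008 R2, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Run elevated, after the
# IP and Domain Restrictions role service has been installed.
Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'
$section = 'system.webServer/security/ipSecurity'

function Set-ReverseDnsLookup {
    param([string]$SiteName, [bool]$Enabled = $true)
    # ipSecurity is locked at server level by default, so the value is written
    # to applicationHost.config (with a location for a single site) instead of
    # the site's web.config.
    if ($SiteName) {
        Set-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
            -Filter $section -Name enableReverseDns -Value $Enabled
    } else {
        Set-WebConfigurationProperty -PSPath $apphost `
            -Filter $section -Name enableReverseDns -Value $Enabled
    }
}

function Get-ReverseDnsReport {
    # Effective setting for every site, including values inherited from the server.
    Get-ChildItem IIS:\Sites | ForEach-Object {
        $attr = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($_.Name)" `
            -Filter $section -Name enableReverseDns
        New-Object PSObject -Property @{ Site = $_.Name; EnableReverseDns = $attr.Value }
    }
}

Set-ReverseDnsLookup                              # server-wide, as in the steps above
# Set-ReverseDnsLookup -SiteName 'Default Web Site'   # or one site only
Get-ReverseDnsReport | Format-Table Site, EnableReverseDns -AutoSize
```

Because the names written to the log come from PTR records, which are maintained by whoever controls the client's reverse DNS zone, keep this in mind when using logged host names for filtering or investigation.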


Thursday, March 20, 2008

Configuring Virtual Directories with Directory Browsing in IIS7

A website that uses directory browsing is a convenient way to display the files and folders in a directory using a web browser. An example of this is demonstrated here.

To configure directory browsing in IIS6, you simply enable the Directory Browsing checkbox on the Home Directory tab of the virtual directory. If you want to configure it so that users are required to authenticate to access the virtual directory, you disable anonymous access, enable Basic Authentication and configure the appropriate NTFS permissions on the target folder.

It's slightly different in IIS7 since IIS7 introduces the concept of delegated administration. This means that you can have the IIS configuration in web.config files which reside in the virtual directory. IIS has to read these config files very early in the connection attempt, i.e. when there is no authenticated user available yet. For this reason IIS has to use the process identity (usually Network Service) to read the web.config file.

To configure a virtual directory for directory browsing in IIS7:

  • Create or select the virtual directory in Internet Information Services (IIS) Manager
  • Double-click Authentication and select the appropriate authentication methods for the Vdir (default is Anonymous)
  • Select the Vdir again and double-click Directory Browsing. Click the Enable action
  • Right-click the Vdir and select Edit Permissions. Configure the NTFS permissions for the target folder and ensure that Network Service has read access to the folder

If you don't grant the Network Service account read rights on the Vdir, you'll get the following error when accessing it:

500 - Internal server error.

There is a problem with the resource you are looking for, and it cannot be displayed.
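
The IIS7 steps above, scripted for an authenticated virtual directory. This is an added example, not part of the original post; it assumes the WebAdministration module on Windows Server 2008 R2 and that the Basic Authentication role service is installed. The virtual directory name, folder path and reader group are hypothetical placeholders.

```powershell
# Added example (not from the original post). Run elevated.
Import-Module WebAdministration

$site    = 'Default Web Site'
$vdir    = 'files'                 # hypothetical virtual directory name
$folder  = 'D:\Share\files'        # hypothetical target folder
$readers = 'SERVER\FileReaders'    # hypothetical group allowed to browse
$apphost = 'MACHINE/WEBROOT/APPHOST'
$loc     = "$site/$vdir"
$auth    = 'system.webServer/security/authentication'

# 1. Create the virtual directory if it does not exist yet.
if (-not (Test-Path "IIS:\Sites\$site\$vdir")) {
    New-WebVirtualDirectory -Site $site -Name $vdir -PhysicalPath $folder | Out-Null
}

# 2. Authentication: the authentication sections are locked at server level by
#    default, so write them to applicationHost.config under a location tag.
#    Basic authentication sends credentials base64-encoded; bind the site to HTTPS.
Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
    -Filter "$auth/basicAuthentication" -Name enabled -Value $true

# 3. Enable directory browsing for this virtual directory only.
Set-WebConfigurationProperty -PSPath $apphost -Location $loc `
    -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true

# 4. NTFS: the process identity must be able to read the folder (and any
#    web.config in it) before a user is authenticated; the reader group gets
#    read access for the actual browsing.
icacls.exe $folder /grant 'NETWORK SERVICE:(OI)(CI)R'
icacls.exe $folder /grant "${readers}:(OI)(CI)R"

# 5. Verify the effective settings and the resulting ACL.
foreach ($f in "$auth/anonymousAuthentication", "$auth/basicAuthentication",
               'system.webServer/directoryBrowse') {
    $v = (Get-WebConfigurationProperty -PSPath $apphost -Location $loc `
            -Filter $f -Name enabled).Value
    '{0,-70} enabled={1}' -f $f, $v
}
icacls.exe $folder
```

Enabling directoryBrowse under a location for the one virtual directory keeps file listings off for the rest of the site.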


Monday, March 3, 2008

Automatically Reset the FTP Service in Windows Server 2008


One of the more popular tips I've posted is, "How to automatically reset the FTP service," in Windows Server 2003. This tip is useful for public FTP sites where bad guys are trying to hack in, usually using a dictionary attack.

Doing the same thing in Windows Server 2008 is slightly different and has an important caveat: it will not work with the Microsoft FTP Publishing Service for IIS 7.0 yet. It will work fine if you use the standard FTP Publishing Service, included on the Windows Server 2008 DVD.

As in my original post, create a batch file named C:\Scripts\ResetFTPService.bat, as follows:
net stop msftpsvc
ping -n 10 127.0.0.1
net start msftpsvc
The batch file stops the FTP service, pings the loopback adapter 10 times to create a 10 second pause, and starts the FTP service again. Stopping the FTP service causes the hacker's session to be dropped immediately. Since no one can connect for 10 seconds, this creates a form of "tarpitting", making it too expensive to continue the attack.

To make the script run automatically on the correct event, use the Windows Server 2008 Task Manager:

  • Right-click Task Manager (under Configuration in Server Manager) and select Create a Basic Task

  • Name the task, "Reset FTP Service" and click Next

  • Choose When a specific event is logged as the Task Trigger, click Next

  • Select Log: System, Source: IIS-FTP, and Event ID: 100. Click Next

  • Select Start a program and click Next

  • Enter C:\Scripts\ResetFTPService.bat for the Program/script and click Next

  • Click the checkbox for Open the Properties dialog for this task when I click Finish and then click Finish

  • In the Properties window select Run whether user is logged on or not and Run with highest privileges

  • Click OK

  • Enter the User name and Password for running this task

This causes the ResetFTPService.bat batch file to run whenever an event ID 100 with source IIS-FTP is logged in the System event log.
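
The same event-triggered task can be created from the command line with schtasks.exe. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later for Get-WinEvent, and the run-as account is a placeholder.

```powershell
# Added example (not from the original post). Run in an elevated session.
$script   = 'C:\Scripts\ResetFTPService.bat'    # path from the post
$taskName = 'Reset FTP Service'                 # task name from the post
$runAs    = 'SERVER\svc-ftpreset'               # placeholder account (assumption)

# XPath form of "Log: System, Source: IIS-FTP, Event ID: 100".
$xpath = "*[System[Provider[@Name='IIS-FTP'] and (EventID=100)]]"

if (-not (Test-Path $script)) {
    throw "Create $script first; its contents are given in the post."
}

# Show the most recent events that match the trigger, to confirm the filter
# matches what this server actually logs before relying on it.
Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents 5 `
    -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, ProviderName -AutoSize

# /SC ONEVENT with /EC (log) and /MO (XPath) is "When a specific event is logged".
# /RL HIGHEST is "Run with highest privileges".
# /RP is omitted so schtasks prompts for the password, keeping it out of the
# script and the shell history.
schtasks.exe /Create /TN $taskName /TR $script /SC ONEVENT /EC System `
    /MO $xpath /RU $runAs /RL HIGHEST /F
if ($LASTEXITCODE -ne 0) {
    throw "schtasks failed with exit code $LASTEXITCODE"
}

# Display the task as registered, including trigger and run-as account.
schtasks.exe /Query /TN $taskName /V /FO LIST
```

If Get-WinEvent lists nothing after known failed logons, the service in use is not writing the event this trigger depends on and the task will never fire.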

Remember, this will not work with the Microsoft FTP Publishing Service for IIS 7.0 because this service strangely does not log failed logon attempts to the event log. I've posted a request to the IIS7 team for this functionality.


Monday, January 21, 2008

EXPTA Server Upgrade

I ordered a new server this weekend to replace my existing Windows Server 2003 infrastructure. This new server will run the same roles as my existing server, but will have twice as much RAM and will be "green." It will utilize the new AMD Athlon X2 BE-2400 Brisbane 2.3GHz 45W Dual-Core CPU, less cooling (due to the low wattage CPU), and a smaller power supply. Should be fun. I haven't built my own hardware since the 90's. :)

I'll be building it with x64 Windows Server 2008 Enterprise edition and utilize Hyper-V for my virtual DC and Exchange 2007 servers, instead of VMware. The host server will function as my Exchange 2007 Edge server and host the www.expta.com blog on IIS 7.

The plan is to bring up the new W2K8 server, build new virtual DC and Exchange servers, move the mailboxes to the new Exchange server, install the Exchange Edge role, and move the blog to the new server. Once I know everything is working properly I'll decommission the old Windows 2003 and Exchange 2007 servers.

Hopefully, there will be very little downtime. I only expect brief outages as I update my router configuration. As usual I'll post my experiences with the upgrade, as well as any troubleshooting tips and gotchas I discover along the way.


Monday, November 5, 2007

Installing or switching ASP.NET versions on x64 platforms

When installing SQL 2005 on an x64 server, I came across the following warning:

32-bit ASP.Net is Registered. Required 64-bit ASP.Net to install Microsoft Reporting Services 2005(64-bit).

This article explains how to install and enable the correct version of ASP.NET for x64 platforms to fix this error.

After you install the ASP.NET redistributable packages, you can switch between the different versions of ASP.NET. To do this, follow these steps for each ASP.NET version:





ASP.NET 1.1, 32-bit version
To run the 32-bit version of ASP.NET 1.1, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to enable the 32-bit mode:


cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1
3. Type the following command to install the version of ASP.NET 1.1 and to install the script maps at the IIS root and under:


%SYSTEMROOT%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i
4. Make sure that the status of ASP.NET version 1.1.4322 is set to Allowed in the Web service extension list in Internet Information Services Manager.





ASP.NET 2.0, 32-bit version
To run the 32-bit version of ASP.NET 2.0, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to enable the 32-bit mode:


cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1
3. Type the following command to install the version of ASP.NET 2.0 (32-bit) and to install the script maps at the IIS root and under:


%SYSTEMROOT%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i
4. Make sure that the status of ASP.NET version 2.0.50727 (32-bit) is set to Allowed in the Web service extension list in Internet Information Services Manager.





ASP.NET 2.0, 64-bit version
To run the 64-bit version of ASP.NET 2.0, follow these steps:

1. Click Start, click Run, type cmd, and then click OK.
2. Type the following command to disable the 32-bit mode:


cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
3. Type the following command to install the version of ASP.NET 2.0 and to install the script maps at the IIS root and under:


%SYSTEMROOT%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i
4. Make sure that the status of ASP.NET version 2.0.50727 is set to Allowed in the Web service extension list in Internet Information Services Manager.





ASP.NET on Windows Server 2008
The bits for the correct platform of ASP.NET on Windows Server 2008 are included in the OS cache. To install ASP.NET on Windows Server 2008 (x86 or x64) follow these steps:

1. Run Server Manager
2. Select Roles and click Add Roles
3. Select Web Server (IIS). Click Add Required Features if prompted
4. Select ASP.NET in Role Services and run through the rest of the wizard to complete the installation

If the Web Server (IIS) role has already been installed on your server, do the following to add ASP.NET:

1. Run Server Manager
2. Expand Roles and select Web Server (IIS)
3. Click Add Role Services in the right-hand pane
4. Add the ASP.NET role service and run through the wizard to complete the installation
