IIS

Following some recent OpenVAS testing, which showed that some of our PHP versions were sorely out of date, I’ve set about patching and documenting all of the installations. The result is a simple guide on how to apply PHP security releases!

Please note – this guide is aimed at really simple single-server instances of PHP that are being used by Microsoft IIS. Be sure to test the upgrade outside of your production environment before deploying it.

For this guide you will also need this link – http://windows.php.net which contains the downloads for PHP on Windows.

Troubleshooting:

  • If you encounter an error message while overwriting the existing PHP install, consider stopping the IIS services first and then restarting them with the following commands from an elevated command/PowerShell prompt. Stopping WAS also stops W3SVC, which depends on it, and starting W3SVC starts WAS again.
    • net stop WAS
    • net start W3SVC

Looking for some fun ways to get more out of your Smart Card deployment? If so, have you tried…?

  1. Use Smart Cards to login to your Servers via Remote Desktop
  2. Use Smart Cards with the PowerShell Get-Credential cmdlet
  3. Use Smart Cards with your Firewall for single sign on
  4. Use Smart Cards to login to IIS Web Applications (just a box to tick and a radio option to select)
  5. Store multiple identities on your Smart Card and assign different (and perhaps more complex) PINs to the identities

Have a look at the screen shots below for some more details…

In recent testing with iOS 8 (specifically 8.0.2) we’ve discovered that any web application (in particular we’ve got a number of in-house applications that were built using Visual Studio LightSwitch 2013) that relies on Windows Authentication (on Microsoft Internet Information Services) simply does not work.

In particular, users get to the login prompt screen to enter their username and password and, on attempting to log in, are just presented with the login window again with no apparent error message.

The workaround for now is to use an alternative browser (Chrome works well for us); hopefully Apple will fix this annoyance soon.

So you now have your WebDAV server set up and it’s time to get this out to your users. To help you along, feel free to edit the guides below to your particular requirements.

  • Using Cloud - iOS (225.4 KiB)
  • Using Cloud - Windows Phone (196.8 KiB)
  • Using Cloud - Windows XP (157.4 KiB)
  • Using Cloud - OSX (193.4 KiB)
  • Using Cloud - Windows 7 (149.3 KiB)
  • Using Cloud - Windows Vista (166.2 KiB)
  • Using Cloud - Windows 8 (327.6 KiB)
  • Using Cloud with iWorks - iOS (5.1 MiB)

For further reading take a look at the links below-

In the previous article in this series we looked at the topology needed to setup a WebDAV infrastructure.

I’ll assume that

  • You have a public DNS record which points to an IP address on your firewall which is in turn port forwarding 443 (HTTPS) to your IIS server (this also works through Web Application Proxies like the ones built into Smoothwall firewalls)
  • You have an internal DNS record which points to the network adapter on your IIS server
  • Your IIS server has your paid (and signed) SSL certificate imported

You will also need a few server roles installed on your IIS server (you can do this through Server Manager). These are

  • Web Server (IIS)
  • WebDAV Publishing
  • Basic Authentication
  • Request Filtering
  • HTTP Logging and Logging Tools
  • IIS Management Console (unless you feel like doing everything remotely)
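
The same role list can be installed from PowerShell and then audited, shown here as an added example that is not part of the original guide. It assumes Windows Server 2012 or later and a WebDAV site named 'Default Web Site' (a placeholder), and it checks three settings that matter because Basic Authentication only base64-encodes the password.

```powershell
# Added example, not the author's procedure. Assumes Windows Server 2012 or later
# and a WebDAV site named 'Default Web Site' (placeholder; use your own site name).
$features = @(
    'Web-Server',          # Web Server (IIS)
    'Web-DAV-Publishing',  # WebDAV Publishing
    'Web-Basic-Auth',      # Basic Authentication
    'Web-Filtering',       # Request Filtering
    'Web-Http-Logging',    # HTTP Logging
    'Web-Log-Libraries',   # Logging Tools
    'Web-Mgmt-Console'     # IIS Management Console
)
Install-WindowsFeature -Name $features | Out-Null

# Fail loudly if any role service did not install.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) { throw "Not installed: $($missing.Name -join ', ')" }

Import-Module WebAdministration
$site = 'Default Web Site'

function Get-SiteSetting([string]$Section, [string]$Name) {
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
             -Filter "system.webServer/security/$Section" -Name $Name
    # Boolean attributes come back wrapped in an object, flag attributes as a string.
    if ($null -ne $v.Value) { $v.Value } else { $v }
}

$sslFlags  = Get-SiteSetting 'access' 'sslFlags'
$basic     = Get-SiteSetting 'authentication/basicAuthentication' 'enabled'
$anonymous = Get-SiteSetting 'authentication/anonymousAuthentication' 'enabled'

# One row per check; every row should show Pass = True before the site is published.
@(
    [pscustomobject]@{ Check = 'Site requires SSL';            Pass = ("$sslFlags" -match '\bSsl\b') }
    [pscustomobject]@{ Check = 'Basic Authentication enabled'; Pass = [bool]$basic }
    [pscustomobject]@{ Check = 'Anonymous access disabled';    Pass = -not [bool]$anonymous }
) | Format-Table -AutoSize
```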

Server setup

So now to the fun bit! Which is all in the screen shot sequence below…

Testing

So you now have your server set up with the basics… so it’s time to do some testing. The screen shot sequence below shows how to connect to the WebDAV share on a Windows 8 PC.

Things you really need to test include
  • Users only have permissions to access the folders you want them to
  • You can upload/download files up to the maximum size you defined earlier
  • That you can access the share from both inside and outside your network
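
The folder permission check in the list above can be scripted, shown here as an added example that is not part of the original post. It covers only the first item (permissions), and the host name and folder paths are placeholders for your own layout.

```powershell
# Added example. Sends a WebDAV PROPFIND as a test user and compares the
# result with what that user is supposed to be able to reach.
function Get-DavStatus {
    param([string]$Url, [pscredential]$Credential)
    # Basic Authentication must never leave the machine over plain HTTP.
    if (([uri]$Url).Scheme -ne 'https') { throw "Refusing non-HTTPS URL: $Url" }
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method        = 'PROPFIND'
    $req.ContentLength = 0                 # empty body = list all properties
    $req.Headers.Add('Depth', '0')         # the folder itself, not its children
    $req.Credentials   = $Credential.GetNetworkCredential()
    try {
        $resp = $req.GetResponse()
        $code = [int]$resp.StatusCode      # 207 Multi-Status on success
        $resp.Close()
        return $code
    } catch {
        # 4xx/5xx arrive as a WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { return [int]$ex.Response.StatusCode }
        throw
    }
}

$base  = 'https://webdav.example.org'      # placeholder host
$cred  = Get-Credential                    # the test user's account
$cases = @(                                # placeholder paths and expectations
    @{ Path = '/own-folder/';   Allowed = $true  },
    @{ Path = '/shared-drive/'; Allowed = $true  },
    @{ Path = '/other-user/';   Allowed = $false }
)

foreach ($c in $cases) {
    $code    = Get-DavStatus -Url ($base + $c.Path) -Credential $cred
    $granted = ($code -ge 200 -and $code -lt 300)
    [pscustomobject]@{
        Path     = $c.Path
        Status   = $code
        Expected = $c.Allowed
        Result   = $(if ($granted -eq $c.Allowed) { 'OK' } else { 'FAIL' })
    }
}
```

Run it once from a machine inside the network and once from outside; the results should be identical, and a denied folder typically shows 401 or 403.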

Next time

In the next part you can get some example user guides that I have made for my own implementation as well as some links to further reading.

Every once in a while a magical bit of software comes along that makes life so very good; today that software is WebDAV, and it’s been around so long that some people might have forgotten how good it is.

The premise goes
  • You have one or more internal Windows Server(s) which hosts users personal documents and shared drives
  • You would like your users to access these files on any device ranging from their home PC (running say Windows 7) to their personal mobile devices (iPad)
  • You would like your users to access these files both inside and outside the firewall
  • You would like your users to access these files natively (like a mapped drive) so they don’t have to muck around with web based applications
  • You would like your users to be able to use this service with as little configuration on their part as possible
  • All while maintaining a secure and auditable system

To accomplish this you will need a few things
  • A valid, paid-for SSL certificate (don’t ever think you can get away with a self-signed one) – personally I use a GoDaddy wildcard certificate
  • A spare Internet Information Services (IIS) Server to host the WebDAV service on
  • Depending on how things go 20 minutes

Topology

The basic topology is this: your clients point their WebDAV client at a DNS address, which is mapped to an IP address that is port forwarded through your firewall to your IIS server, which then serves requests to your file servers (clients don’t get to talk to the file servers directly). Don’t forget to set up your internal DNS to point to the internal network adapter of your IIS server as well.

Next time

In the next article I’ll run through the setup of a WebDAV server.

After recently setting up a Moodle install (hosted on IIS on Server 2008 R2) with SSO (LDAP server based (good old Microsoft AD) with NTLM looking after things) we found that any new users were getting this error message appearing.

Fatal error: $CFG->dataroot is not writable, admin has to fix directory permissions! Exiting.

The simple solution to this problem is to change the NTFS permissions on the moodledata folder to allow write/modify to any user who is using Moodle (I just set ours to domain users).