Installing Sawmill as a CGI Program Under IIS
This chapter was contributed by a customer.
This describes how to install Sawmill in CGI mode under IIS. It was done on IIS 4 (NT 4, SP6a) in this example, but the basic method should work for any IIS installation.
CGI based or Sawmill Web Server?
There are two ways to install Sawmill -- as a CGI program or as a web server.
This document deals only with CGI mode installation. See Installation for
information about web server mode, and the advantages and disadvantages of each way.
Because of the security issues involved with installing Sawmill under IIS,
web server mode may be a better solution for Windows installation -- in web server mode
none of the following configuration steps are necessary.
Initial Installation
Start following the CGI installation instructions (see Installation)
on some installations of IIS, that's all that is needed. If you're able to see
the Administrative Menu with images in your CGI installation, then you're done. If
you have problems, continue on:
URLScan
One common source of problems is URLScan.
Microsoft has a tool called "IIS Lockdown" to help block all those nasty
worms. By default, URLScan blocks are attempts
to run EXE (among many other things) files on the system. Unfortunately, this also blocks
all accesses to Sawmill, which is an EXE file. By editing the
EXE blocking, and giving all the Sawmill directories FULL permissions, you can
get it to work. This is a simple approach, but not very secure. A more secure approach is
described below.
Installation Procedures:
Sawmill Directories:
You would need the following Directories:
{BASE}\inetpub\wwwroot\ ==> your website
{BASE}\inetpub\ sawmill
{BASE}\inetpub\cgi-bin\
{BASE}\inetpub\cgi-bin\LogAnalysisInfo (sawmill creates this automatically)
Initially give both cgi-bin and sawmill FULL permission.
IIS Console setup:
Created Virtual Directories (NT4 calls them web shares as well) for CGI-BIN
& Sawmill in IIS Management Console;
Both Virtual Directories are given Execution, and write, Rights (FULL permission)
Make sure the "Index this directory" is checked OFF
(after the installation is completed we will come back and change this to a
more secure setting)
Keep in mind the \cgi-bin and and sawmill directories, are in
fact virtual directories under your website, and are not physically under your
"website" directory.
Execution and Sawmill Installation:
Once we have all the Subdirectories and Virtual directories in place, then:
- Copy "Sawmill.exe" to {BASE}\inetpub\cgi-bin\ directory.
- Execute (run) "Sawmill.exe"
- Following the Sawmill Installation procedures (see Installation)
- Establish passwords and Temp Directory {BASE}\inetpub{=PRODUCT_EXECUTABLE_DOCS=}
- Create your first "configuration", and add the Log Files, and look
at the "Statistics"
- Enjoy your hard work ;-)
Securing the Installation:
Sawmill needs access to many different subdirectories, which it automatically
creates when you execute the program, or try to view the statistics. Therefore,
it needs permissions to Write, Read, Create subdirectory, execute!!
The reason we gave FULL permission rights to all the subdirectories was
the fact that Sawmill creates many additional subdirectories during it's installation
routines. Therefore we need to give it the ability to create these subdirectories.
However, after the initial installation, we can take away permissions from {BASE}\inetpub\cgi-bin\
and {BASE}\inetpub{=PRODUCT_EXECUTABLE_DOCS=}, to run a more secure server.
{BASE}\inetpub\cgi-bin\ : (File Manager)
I took away FULL permission from the cgi-bin\ directory, and gave it
Read/Execute ONLY.
Note: When you make the change here, make sure the "Replace Permission
on Subdirectories" is checked OFF
{BASE}\inetpub\cgi-bin\LogAnalysisInfo : (File Manager)
Here, Sawmill still needs to create directories for all additional websites,
or if there is any changes to the "configuration". However, there
is no need to Execute and scripts here. So give Read/Write/Delete Permission
Note: When you make the change here, make sure the "Replace Permission
on Subdirectories" is checked ON
{BASE}\inetpub{=PRODUCT_EXECUTABLE_DOCS=} : (File Manager)
I took away FULL permission from the sawmill\ directory, and gave it
Read/Write/Delete permission, (no Execution)
Note: When you make the change here, make sure the "Replace Permission
on Subdirectories" is checked ON
\cgi-bin : (IIS Console)
I took away FULL permission from the cgi-bin\ virtual directory, and gave
it Read/Execute permission.
Note: Make sure the "Index this directory" is checked OFF
NOW, your Sawmill Installation on NT should
be complete !
Tips:
1. cgi-bin Directory:
By default there is a cgi-bin directory under the "default web site"
of the IIS. You could use this Virtual Directory under any website. However,
if you try to delete the directory and create another one (IIS keeps the "cgi-bin"
in it's meta file !), it will show up as cgi-bin2 !!
In order to fully delete the old cgi-bin, you will need to use Microsoft
Meta Editor 2.2 (mtaedt22.exe). PLEASE, do this with great care, you COULD
kill the whole IIS here!!!
2. Sawmill Instances:
During the installation / debugging, reduce to only one instance of Sawmill.
3. DNS Lookup:
I've also disabled "DNS Lookup", in my Sawmill Configurations.
4. Open Files / IIS Index Server:
In IIS, all Virtual Directories are Indexed by default. However, I think there
may be a conflict between Sawmill, and the Index Server, due to Open Files.
My updates routinely crashed, and sometimes they even crashed the Server !
After I disabled the Indexing on both sawmill\ and cgi-bin\ directories, I've
have very few issues with open files and Sawmill.
5. NT Server Scheduler:
By default NT 4 does not have a Scheduler (Windows 200 server does). We used
the Schedule Wizard by www.authord.com
for periodical scheduling of events. You could even get a version which runs
as a service on NT.
6. URLScan.ini:
I have blocked access to the following in the urlscan.ini file:
cmd.exe
root.exe
shell.exe
shtml.exe
.bat
.cmd
.com
.dll
.pl
.cgi
.ini
.dat
.log
Reference: Microsoft URLScan Security Tool
Reference: IISFAQ - URLScan Setup