Installing Sawmill as a CGI Program Under IIS

This chapter was contributed by a customer.

This describes how to install Sawmill in CGI mode under IIS. It was done on IIS 4 (NT 4, SP6a) in this example, but the basic method should work for any IIS installation.

CGI based or Sawmill Web Server?
There are two ways to install Sawmill -- as a CGI program or as a web server. This document deals only with CGI mode installation. See Installation for information about web server mode, and the advantages and disadvantages of each way. Because of the security issues involved with installing Sawmill under IIS, web server mode may be a better solution for Windows installation -- in web server mode none of the following configuration steps are necessary.

Initial Installation
Start following the CGI installation instructions (see Installation) on some installations of IIS, that's all that is needed. If you're able to see the Administrative Menu with images in your CGI installation, then you're done. If you have problems, continue on:

One common source of problems is URLScan. Microsoft has a tool called "IIS Lockdown" to help block all those nasty worms. By default, URLScan blocks are attempts to run EXE (among many other things) files on the system. Unfortunately, this also blocks all accesses to Sawmill, which is an EXE file. By editing the EXE blocking, and giving all the Sawmill directories FULL permissions, you can get it to work. This is a simple approach, but not very secure. A more secure approach is described below.


Installation Procedures:

Sawmill Directories:

You would need the following Directories:

{BASE}\inetpub\wwwroot\ ==> your website
{BASE}\inetpub\ sawmill
{BASE}\inetpub\cgi-bin\LogAnalysisInfo (sawmill creates this automatically)

Initially give both cgi-bin and sawmill FULL permission.

IIS Console setup:

Created Virtual Directories (NT4 calls them web shares as well) for CGI-BIN & Sawmill in IIS Management Console;

Both Virtual Directories are given Execution, and write, Rights (FULL permission)
Make sure the "Index this directory" is checked OFF
(after the installation is completed we will come back and change this to a more secure setting)
Keep in mind the \cgi-bin and and sawmill directories, are in fact virtual directories under your website, and are not physically under your "website" directory.

Execution and Sawmill Installation:
Once we have all the Subdirectories and Virtual directories in place, then:

- Copy "Sawmill.exe" to {BASE}\inetpub\cgi-bin\ directory.
- Execute (run) "Sawmill.exe"
- Following the Sawmill Installation procedures (see Installation)
- Establish passwords and Temp Directory {BASE}\inetpub{=PRODUCT_EXECUTABLE_DOCS=}
- Create your first "configuration", and add the Log Files, and look at the "Statistics"
- Enjoy your hard work ;-)


Securing the Installation:
Sawmill needs access to many different subdirectories, which it automatically creates when you execute the program, or try to view the statistics. Therefore, it needs permissions to Write, Read, Create subdirectory, execute!!
The reason we gave FULL permission rights to all the subdirectories was the fact that Sawmill creates many additional subdirectories during it's installation routines. Therefore we need to give it the ability to create these subdirectories. However, after the initial installation, we can take away permissions from {BASE}\inetpub\cgi-bin\ and {BASE}\inetpub{=PRODUCT_EXECUTABLE_DOCS=}, to run a more secure server.

{BASE}\inetpub\cgi-bin\ : (File Manager)

I took away FULL permission from the cgi-bin\ directory, and gave it Read/Execute ONLY.
Note: When you make the change here, make sure the "Replace Permission on Subdirectories" is checked OFF

{BASE}\inetpub\cgi-bin\LogAnalysisInfo : (File Manager)
Here, Sawmill still needs to create directories for all additional websites, or if there is any changes to the "configuration". However, there is no need to Execute and scripts here. So give Read/Write/Delete Permission
Note: When you make the change here, make sure the "Replace Permission on Subdirectories" is checked ON

{BASE}\inetpub{=PRODUCT_EXECUTABLE_DOCS=} : (File Manager)

I took away FULL permission from the sawmill\ directory, and gave it Read/Write/Delete permission, (no Execution)
Note: When you make the change here, make sure the "Replace Permission on Subdirectories" is checked ON


\cgi-bin : (IIS Console)

I took away FULL permission from the cgi-bin\ virtual directory, and gave it Read/Execute permission.
Note: Make sure the "Index this directory" is checked OFF

NOW, your Sawmill Installation on NT should be complete !


1. cgi-bin Directory:
By default there is a cgi-bin directory under the "default web site" of the IIS. You could use this Virtual Directory under any website. However, if you try to delete the directory and create another one (IIS keeps the "cgi-bin" in it's meta file !), it will show up as cgi-bin2 !!
In order to fully delete the old cgi-bin, you will need to use Microsoft Meta Editor 2.2 (mtaedt22.exe). PLEASE, do this with great care, you COULD kill the whole IIS here!!!

2. Sawmill Instances:
During the installation / debugging, reduce to only one instance of Sawmill.

3. DNS Lookup:
I've also disabled "DNS Lookup", in my Sawmill Configurations.

4. Open Files / IIS Index Server:
In IIS, all Virtual Directories are Indexed by default. However, I think there may be a conflict between Sawmill, and the Index Server, due to Open Files. My updates routinely crashed, and sometimes they even crashed the Server !
After I disabled the Indexing on both sawmill\ and cgi-bin\ directories, I've have very few issues with open files and Sawmill.

5. NT Server Scheduler:
By default NT 4 does not have a Scheduler (Windows 200 server does). We used the Schedule Wizard by for periodical scheduling of events. You could even get a version which runs as a service on NT.

6. URLScan.ini:
I have blocked access to the following in the urlscan.ini file:


Reference: Microsoft URLScan Security Tool
Reference: IISFAQ - URLScan Setup