{= include("docs.util"); start_docs_page(docs.technical_manual.page_titles.iiscgi); =}
This chapter was contributed by a customer.
This describes how to install $PRODUCT_NAME in CGI mode under IIS. It was done on IIS 4 (NT 4, SP6a) in this example, but the basic method should work for any IIS installation.
CGI based or $PRODUCT_NAME Web Server?
There are two ways to install $PRODUCT_NAME -- as a CGI program or as a web server.
This document deals only with CGI mode installation. See [docs-installation] for
information about web server mode, and the advantages and disadvantages of each way.
Because of the security issues involved with installing $PRODUCT_NAME under IIS,
web server mode may be a better solution for Windows installation -- in web server mode
none of the following configuration steps are necessary.
Initial Installation
Start following the CGI installation instructions ([docs-installation]).
On some installations of IIS, that's all that is needed. If you're able to see
the Administrative Menu with images in your CGI installation, then you're done. If
you have problems, continue on:
URLScan
One common source of problems is URLScan.
Microsoft has a tool called "IIS Lockdown" to help block all those nasty
worms. By default, URLScan blocks all attempts
to run EXE files (among many other things) on the system. Unfortunately, this also blocks
all accesses to $PRODUCT_NAME, which is an EXE file. By editing the
EXE blocking, and giving all the $PRODUCT_NAME directories FULL permissions, you can get
it to work. This is a simple approach, but not very secure. A more secure approach is
described below.
Installation Procedures:
$PRODUCT_NAME Directories:
You would need the following Directories:
{BASE}\inetpub\wwwroot\ ==> your website
{BASE}\inetpub\ $PRODUCT_EXECUTABLE_DOCS
{BASE}\inetpub\cgi-bin\
{BASE}\inetpub\cgi-bin\LogAnalysisInfo ($PRODUCT_EXECUTABLE_DOCS creates this automatically)
Initially give both cgi-bin and $PRODUCT_EXECUTABLE_DOCS FULL permissions.
IIS Console setup:
Create Virtual Directories (NT4 calls them web shares as well) for CGI-BIN
& $PRODUCT_NAME in IIS Management Console.
Give both Virtual Directories Execution and Write rights (FULL permission).
Make sure "Index this directory" is checked OFF.
After the installation is completed we will come back and change this to a
more secure setting.
Keep in mind that the \cgi-bin and $PRODUCT_EXECUTABLE_DOCS directories are in
fact virtual directories under your website, and are not physically under your
"website" directory.
Execution and $PRODUCT_NAME Installation:
Once we have all the Subdirectories and Virtual directories in place then:
- Copy "$PRODUCT_EXECUTABLE_DOCS_WIN32" to {BASE}\inetpub\cgi-bin\ directory.
- Execute (run) "$PRODUCT_EXECUTABLE_DOCS_WIN32".
- Follow the $PRODUCT_NAME Installation procedures from the manual. <link
to the $PRODUCT_NAME documentation>
- Establish passwords and Temp Directory. {BASE}\inetpub\{=PRODUCT_EXECUTABLE_DOCS=}
- Create your first "configuration", and add the Log Files, and look
at the "Statistics".
- Enjoy your hard work ;-)
Securing the Installation:
$PRODUCT_NAME needs access to many different subdirectories, which it automatically
creates when you execute the program, or try to view the statistics. Therefore,
it needs permissions to Write, Read, Create Subdirectory, and Execute!!
The reason we gave FULL permission rights to all the subdirectories was
the fact that $PRODUCT_NAME creates many additional subdirectories during its installation
routines. Therefore we need to give it the ability to create these subdirectories.
However, after the initial installation, we can take away permissions from {BASE}\inetpub\cgi-bin\
and {BASE}\inetpub\{=PRODUCT_EXECUTABLE_DOCS=}, to run a more secure server.
{BASE}\inetpub\cgi-bin\ : (File Manager)
This takes away FULL permission from the cgi-bin\ directory, and gives it
Read/Execute ONLY.
Note: When you make the change here, make sure the "Replace Permission
on Subdirectories" is checked OFF.
{BASE}\inetpub\cgi-bin\LogAnalysisInfo : (File Manager)
Here, $PRODUCT_NAME still needs to create directories for all additional websites,
or if there are any changes to the "configuration". However, there
is no need to Execute any scripts here. So give Read/Write/Delete Permission.
Note: When you make the change here, make sure the "Replace Permission
on Subdirectories" is checked ON.
{BASE}\inetpub\{=PRODUCT_EXECUTABLE_DOCS=} : (File Manager)
This takes away FULL permission from the $PRODUCT_EXECUTABLE_DOCS\ directory, and gives it
Read/Write/Delete permission (no Execution).
Note: When you make the change here, make sure the "Replace Permission
on Subdirectories" is checked ON.
\cgi-bin : (IIS Console)
This takes away FULL permission from the cgi-bin\ virtual directory, and gives
it Read/Execute permission.
Note: Make sure the "Index this directory" is checked OFF.
\{=PRODUCT_EXECUTABLE_DOCS=} : (IIS Console)
{=fileref("/picts/docs/docs_sawmill_VD.gif")=}
This takes away FULL permission from the $PRODUCT_EXECUTABLE_DOCS\ virtual directory, and gives it
Read/Write permission. (No Execution)
Note: Make sure the "Index this directory" is checked OFF.
NOW, your $PRODUCT_NAME Installation on NT should be complete!
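
The end state of the steps above can be checked mechanically. The following is an added Python example (not part of the original chapter or the product) that flags any directory where a file can be both written and then executed through IIS. "C:\inetpub" stands in for {BASE}\inetpub, "product_docs" for the docs directory, and the rights model is a simplification.

```python
# Added example: audits the permission layout from "Securing the Installation".
# C:\inetpub stands in for {BASE}\inetpub and "product_docs" for the docs
# directory; both are placeholders, as is the simplified rights model.
from pathlib import PureWindowsPath

FULL = {"read", "write", "delete", "execute"}
RWD = {"read", "write", "delete"}
CGI = r"C:\inetpub\cgi-bin"
INFO = r"C:\inetpub\cgi-bin\LogAnalysisInfo"
DOCS = r"C:\inetpub\product_docs"

# State during initial installation: FULL on everything.
INSTALL_NTFS = {CGI: FULL, INFO: FULL, DOCS: FULL}
INSTALL_IIS = {CGI: FULL, DOCS: FULL}

# State after the hardening steps on the page.
HARDENED_NTFS = {CGI: {"read", "execute"}, INFO: RWD, DOCS: RWD}
HARDENED_IIS = {CGI: {"read", "execute"}, DOCS: {"read", "write"}}

def rights(table, path):
    """Rights of the path itself or, failing that, its closest listed ancestor."""
    p = PureWindowsPath(path)
    for candidate in (p, *p.parents):
        if str(candidate) in table:
            return table[str(candidate)]
    return set()

def write_and_execute(ntfs, iis):
    """Directories where a file can be written and then launched through IIS."""
    flagged = []
    for path in sorted(ntfs):
        fs, web = rights(ntfs, path), rights(iis, path)
        writable = "write" in fs
        # IIS runs a file only if the virtual directory AND the NTFS ACL allow it.
        runnable = "execute" in web and "execute" in fs
        if writable and runnable:
            flagged.append(path)
    return flagged

def unwritable_data_dirs(ntfs):
    """Directories the product must write to that lost Write in the lockdown."""
    return [p for p in (INFO, DOCS) if "write" not in rights(ntfs, p)]

if __name__ == "__main__":
    print("install :", write_and_execute(INSTALL_NTFS, INSTALL_IIS))
    print("hardened:", write_and_execute(HARDENED_NTFS, HARDENED_IIS))
```

LogAnalysisInfo sits under the executable cgi-bin virtual directory, so only its NTFS permission (no Execute) keeps it from being both writable and runnable; the second function catches the opposite mistake of replacing permissions on subdirectories of cgi-bin.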
Tips:
1. cgi-bin Directory:
By default there is a cgi-bin directory under the "default web site"
of the IIS. You could use this Virtual Directory under any web site. However,
if you try to delete the directory and create another one (IIS keeps the "cgi-bin"
in its metafile!), it will show up as cgi-bin2!!
In order to fully delete the old cgi-bin, you will need to use Microsoft
Meta Editor 2.2 (mtaedt22.exe). PLEASE, do this with great care, you COULD
kill the whole IIS here!!!
2. $PRODUCT_NAME Instances:
During the installation/debugging, reduce to only one instance of $PRODUCT_NAME.
3. DNS Lookup:
I've also disabled "DNS Lookup", in my $PRODUCT_NAME Configurations.
4. Open Files / IIS Index Server:
In IIS, all Virtual Directories are indexed by default. However, I think there
may be a conflict between $PRODUCT_NAME, and the Index Server, due to Open Files.
My updates routinely crashed, and sometimes they even crashed the Server!
After I disabled the Indexing on both $PRODUCT_EXECUTABLE_DOCS\ and cgi-bin\ directories, I've
had very few issues with open files and $PRODUCT_NAME.
5. NT Server Scheduler:
By default NT 4 does not have a Scheduler (Windows 2000 server does). We used
the Schedule Wizard by www.authord.com
for periodical scheduling of events. You could even get a version which runs
as a service on NT.
6. URLScan.ini:
I have blocked access to the following in the urlscan.ini file:
cmd.exe
root.exe
shell.exe
shtml.exe
.bat
.cmd
.com
.dll
.pl
.cgi
.ini
.dat
.log
Reference: Microsoft URLScan Security Tool
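
The URLScan section and tip 6 describe a deny list that must block dangerous requests while still letting the product's EXE through. The following is an added Python example (not part of the original chapter, and not URLScan's own code) that models the two deny-list checks. It assumes UseAllowExtensions=0, that file names are listed under [DenyUrlSequences] and extensions under [DenyExtensions], and uses "product.exe" as a placeholder for the CGI executable.

```python
# Added example: simplified model of URLScan deny-list checks, not URLScan's code.
# Assumes UseAllowExtensions=0 and file names listed under [DenyUrlSequences];
# "product.exe" is a placeholder for the product's CGI executable.
# The ini text is a constructed sample built from the list in tip 6.
import configparser
import posixpath

URLSCAN_INI = """
[options]
UseAllowExtensions=0
[DenyExtensions]
.bat
.cmd
.com
.dll
.pl
.cgi
.ini
.dat
.log
[DenyUrlSequences]
cmd.exe
root.exe
shell.exe
shtml.exe
"""

def load_rules(text):
    """Parse the two deny lists; entries are bare lines, so allow_no_value."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    return list(cp["DenyExtensions"]), list(cp["DenyUrlSequences"])

def verdict(url, deny_ext, deny_seq):
    """Return 'allow' or the reason the request would be rejected."""
    path = url.split("?", 1)[0].lower()  # this model matches case-insensitively
    for seq in deny_seq:
        if seq in path:
            return "denied sequence " + seq
    ext = posixpath.splitext(path)[1]
    if ext in deny_ext:
        return "denied extension " + ext
    return "allow"

if __name__ == "__main__":
    ext, seq = load_rules(URLSCAN_INI)
    for u in ("/cgi-bin/product.exe", "/scripts/root.exe"):
        print(u, "->", verdict(u, ext, seq))
```

Adding ".exe" back to the extension list reproduces the default behaviour described in the URLScan section, where every request to the product is rejected.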