Adding banned IPs on the fly...
GaryK
2004-12-20, 08:47 AM
I've finally figured out all the coding and permissions necessary to let me add banned IP Addresses to IIS via VB6 using ADSI.
This means I can stop badly behaved bots in their tracks in real time automatically via several levels of spider traps.
I do have some concerns about how secure this is.
First, I had to modify the ACL for the anonymous IIS account (IUSR_x) so it had read/write access to the IIS metabase system itself.
Second, I had to give IUSR_x Modify permissions on metabase.xml.
The script that does all this is located in a password protected folder so IUSR_x can't really get to the .asp file that's needed to tinker with the metabase. But if someone somehow gets past my firewall, IDS, IPS, application hardening and other stuff they will have RW access to the IIS metabase. This would be very undesirable!
Here's my question for anyone who is knowledgeable about such things:
With all the above in mind am I right to be concerned about the permissions required to accomplish this real time banning of IP Addresses?
Thanks in advance,
~gary.
To me it sounds like you're opening up the Anonymous user permissions to allow modification to the IIS Metabase, and I would say that's a huge concern, as if there are any more exploits in Windows (which I'm sure there are) someone could crap out your IIS Metabase.
Here is what you need to do. All that code that requires special permission to make changes to the metabase: take that and make a VB6 DLL that can run in Component Services.
In Component Services, when you register the DLL you can assign it permission to a user that has permission to change the metabase, rather than changing the anonymous user so it can.
Once this is done, from ASP you can call your DLL to make your changes to the metabase. This way the anonymous user cannot directly change the metabase and can only call your DLL methods that make the changes you want, not the changes a hacker would want.
Hopefully this is enough information to get you what you need. If you need help making a Component Services DLL, or what I call an MTS or MTX DLL (from the old days when it was called Microsoft Transaction Server), let me know. I have over 10 years software development experience in this area and it would only take me a few minutes to create the type of DLL you need. Or, if you like, if you give me the code I could translate it into .NET and create a C# .NET DLL to do the same, but that would take longer as my .NET experience is limited to only a year.
GaryK
2004-12-20, 09:49 AM
Hi Chris,
Thanks for your time and your advice.
According to an MS TechNet chat transcript I read, the IIS lead developers stated it's not possible to do this with IIS6 because ADSI doesn't support alternate logins, but it will be included in IIS7. Nobody mentioned the possibility of using Component Services though, so I'll give it a try and let you know how it goes.
Thanks again,
~gary.
Yeah, Microsoft always seems to leave out something important just to get something to market faster.
Making it a component in Component Services should give you exactly what you need, though, since you can specify exactly what user the component runs as (impersonation).
Let me know if you need any help.
GaryK
2004-12-20, 11:58 AM
Chris,
I think the guys from MS were right.
I created a new DLL with just the code for modifying the metabase, registered it, and gave myself permissions to it.
Then I created a new COM+ Application and added my component to it, making sure that it uses my logon to run. Finally, I added myself as a user under CreatorOwner.
Next came modifying the IIS ACL so that I had RW access. And finally I gave myself Modify permissions to the metabase xml file.
When I instantiate the object I get a permission denied error.
To me that suggests it can't handle the alternate login. What do you think?
If you want to see the code I'll be happy to post it.
I might need to see the code.
But you should be able to create your own object from ASP or wherever.
I would test to make sure you can create your own object and then call some test method or something, so you know that is working in COM+ and ASP, and then call the method that does the work for you.
Are you trying to do your work in the Initialization of your COM+ object?
GaryK
2004-12-20, 13:11 PM
Chris,
I'm not sure what you mean by creating my own object in ASP. I do create an object in ASP and that object in turn is what calls the COM+ object. Is that what you mean? As you can tell I don't have a lot of experience creating my own COM+ applications even though I've been a software developer since 1973.
The only thing I'm doing in the class initialization event is setting the default value of the path to a file the class uses to get a list of IP Addresses to ban. All the heavy lifting is done in a separate method.
~gary.
You should only have one object (DLL).
That DLL will have your ADSI code that you need to modify IIS.
It needs to be a COM+ MTS DLL, be registered in Component Services, and be given the identity of the person who has permission to modify IIS.
From ASP you do a CreateObject on that COM+ MTS object that is in Component Services.
Does this clear things up?
If you want you can email me the code you're using at cward (at) dynamicbydesign.com
Include your ASP page that is calling it too, and your VB6 files that you used to make your DLL (or DLLs). I'll see what you've got going there and see if I can guide you in the right direction, because I really think what you're trying to do should work.
GaryK
2004-12-20, 14:06 PM
I understand what you're stating, but I am calling the .dll that has the ADSI code in it from a class in another DLL, not directly from an ASP page. Also please remember this did work when I used the anonymous account, so on some level I know the code itself works. It's just not working as a COM+ app using alternate credentials, because it's crapping out at the exact same place it did before I gave the anonymous account RW access to the metabase.
This is the code that's compiled into a DLL and registered in COM+:
Option Explicit
' Requires a project reference to "Microsoft Scripting Runtime"
' (FileSystemObject, TextStream and the ForReading constant).
Public PathToFile As String

' Returns True when the line is non-empty and consists only of digits and dots.
' Note: this does not check for four octets or for 0-255 octet ranges.
Private Function LineIsAnIP(Line As String) As Boolean
    Dim Pos As Integer
    Dim Ch As String
    LineIsAnIP = False
    If Len(Line) = 0 Then Exit Function
    For Pos = 1 To Len(Line)
        Ch = Mid(Line, Pos, 1)
        If Not (((Ch >= "0") And (Ch <= "9")) Or (Ch = ".")) Then
            Exit Function
        End If
    Next
    LineIsAnIP = True
End Function

Public Sub RefreshIISBannedIPAddresses()
    Dim IPCount As Long
    Dim DomainCount As Long
    Dim FSO As FileSystemObject
    Dim TextFile As TextStream
    Dim Line As String
    Dim IISOBJECT As Object
    Dim IPSecurity As Object
    Dim IPList As Variant
    Dim DomainList As Variant
    Const IISPath As String = "IIS://localhost/w3svc"
    Const MaxEntries As Long = 10000

    ' Pre-size both lists; DomainList stays empty because only IPs are banned here.
    ReDim IPList(MaxEntries)
    ReDim DomainList(MaxEntries)
    IPCount = 0
    DomainCount = 0

    ' Read the ban file, one address per line; skip anything that is not digits and dots.
    ' The MaxEntries guard prevents a "Subscript out of range" error on an oversized file.
    Set FSO = New FileSystemObject
    Set TextFile = FSO.OpenTextFile(PathToFile, ForReading)
    Do Until TextFile.AtEndOfStream
        Line = Trim(TextFile.ReadLine)
        If LineIsAnIP(Line) And IPCount < MaxEntries Then
            IPList(IPCount) = Line
            IPCount = IPCount + 1
        End If
    Loop
    TextFile.Close
    Set TextFile = Nothing
    Set FSO = Nothing

    ' Shrink the arrays to what was actually read.
    ReDim Preserve IPList(IPCount)
    ReDim Preserve DomainList(DomainCount)

    ' Replace the service-wide IPSecurity deny lists in the metabase and commit them.
    Set IISOBJECT = GetObject(IISPath)
    Set IPSecurity = IISOBJECT.Get("IPSecurity")
    IPSecurity.GrantByDefault = True
    IPSecurity.IPDeny = IPList
    IPSecurity.DomainDeny = DomainList
    IISOBJECT.IPSecurity = IPSecurity
    IISOBJECT.SetInfo
    Set IPSecurity = Nothing
    Set IISOBJECT = Nothing
End Sub
Next, from within a class of another DLL I use the following code snippet:
Dim IIS As Object
Set IIS = CreateObject("IIS_Metabase.AddBannedIPs")
IIS.PathToFile = ASP.Application.value("PhysicalPathToRoot") & "\application\data\banned_ip.txt"
IIS.RefreshIISBannedIPAddresses
Set IIS = Nothing
The "permission denied" error happens on the first line, where I try to instantiate the DLL that's a COM+ application, IIS_Metabase.
I hope I've made sense. Thanks again for trying to help me out.
~gary.
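Whichever identity the component ends up running as, it is the trust boundary between the world-readable ban file and the metabase, so the check on each line matters more than the digits-and-dots test in the VB6 code above (that test accepts "999.1.1.1", "1.2.3" and even "...."). The following is an added example in Python, not code from the thread, showing a strict validator for the ban file: it accepts only well-formed dotted-quad IPv4 addresses, ignores blank and "#" comment lines (a constructed convention), drops duplicates, caps the list at the same 10000 entries the VB6 code pre-sizes, and reports what it rejected so the rejects can be logged. Function names and the sample file contents are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple


def line_is_an_ip_loose(line: str) -> bool:
    """The thread's original test, kept to show what it lets through:
    True whenever every character is a digit or a dot (including the empty string)."""
    return all(ch.isdigit() or ch == "." for ch in line)


def parse_ban_line(line: str) -> Optional[str]:
    """Return the normalized IPv4 address on this line, or None if the line
    must be ignored or rejected. Blank lines and '#' comments are ignored
    (constructed convention for the ban file)."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    # IPv4Address insists on exactly four decimal octets, each 0..255;
    # anything else (short forms, out-of-range octets, trailing text) raises ValueError.
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return None
    return str(addr)


def load_ban_list(lines: Iterable[str], max_entries: int = 10000) -> Tuple[List[str], List[str]]:
    """Split the ban file into (accepted, rejected).

    accepted: unique, validated addresses in file order, at most max_entries.
    rejected: non-blank, non-comment lines that failed validation, plus any
              valid addresses that did not fit under the cap."""
    accepted: List[str] = []
    rejected: List[str] = []
    seen: Set[str] = set()
    for raw in lines:
        text = raw.strip()
        addr = parse_ban_line(raw)
        if addr is None:
            if text and not text.startswith("#"):
                rejected.append(text)
            continue
        if addr in seen:
            continue  # duplicate: already in the deny list
        if len(accepted) >= max_entries:
            rejected.append(addr)  # over the cap; report rather than silently drop
            continue
        seen.add(addr)
        accepted.append(addr)
    return accepted, rejected


# Constructed sample of a banned_ip.txt, mixing good lines with the kinds of
# malformed lines the digits-and-dots test would have passed through.
SAMPLE_BAN_FILE = """\
# constructed sample ban file
203.0.113.7
198.51.100.42
203.0.113.7
999.1.1.1
1.2.3
....
203.0.113.9 extra
 192.0.2.200
"""


if __name__ == "__main__":
    ok, bad = load_ban_list(SAMPLE_BAN_FILE.splitlines())
    print("accepted:", ok)
    print("rejected:", bad)
    for sample in ("999.1.1.1", "1.2.3", "...."):
        print(sample, "loose check:", line_is_an_ip_loose(sample),
              "strict check:", parse_ban_line(sample) is not None)
```

The accepted list is what a privileged component would hand to IPDeny; the rejected list is what it should write to a log, since a malformed line in a file the anonymous account can influence is exactly the input the privileged side must refuse.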
OK, of these two which do you have in Component Services?
I'm going to assume the first one.
When you put it into Component Services, had you already run regsvr32 on it? If so, when you added it to your package did you say existing and pick from the list, or new and pick the DLL?
This can sometimes confuse it, I've found. Normally what I do is either never register the DLL or unregister it (regsvr32 /u myobject.dll) before I add it to Component Services, and then when I add it to a package I pick NEW and select the DLL.
On the package you should have your identity set to the user that has permission to make those changes to IIS.
From there, anything that component does, including creating your class that actually creates the ADSI object, should be created under the identity of the package.
GaryK
2004-12-20, 14:38 PM
Your assumption about the first code snippet being the one that's in Component Services is correct.
The above DLL was already registered and I selected new. I'll undo everything and start over again and let you know how it goes.
~gary.
Yeah, sometimes that can hokie up the registry, because regsvr32 registers it in a different way than when you put it in Component Services. I've never bothered figuring out why or what the difference is; I just know it does and it's gotten me in the past. I would suspect it was not really creating it in Component Services when you tried, and re-doing it will get you better results (I hope; I have my fingers crossed).
GaryK
2004-12-20, 15:39 PM
No luck. Now I am totally convinced this is a limitation of IIS, like I saw in that chat transcript. It was fun trying to make it work though, because I learned a few things in the process. Again, I really appreciate your assistance.
Now I have to consider whether I want this feature enough to take the risks associated with giving the anonymous user permissions that could do my server real harm if someone makes it past my firewall.
As I see it the worst case scenario is someone mucking-up the metabase.
I have that backed-up so a simple restore would put things right again.
Also, if someone makes it past the firewall I'm pretty much screwed anyway, right?
Sorry it's not working; seems odd to me that it doesn't, though.
It should work in theory. If you grant permission to the anonymous user it works because the object is created AS the anonymous user. So if you put the object in Component Services and make a user and grant it the same permissions, it should work fine. That just blows me away that it doesn't, unless it's something else that I'm missing.
I'll muck with it some and see if I have a breakthrough.
I only have XP at home and the office, so not sure if I can replicate the issue here, and am still waiting on Microsoft to send me my dang media CDs for Windows 2003 Server so that I can install them in a Virtual PC for testing purposes.
GaryK
2004-12-20, 16:13 PM
I agree with you completely except the IIS developers did state that ADSI doesn't support alternate credentials. I wish you luck if you experiment with it. If I can help at all please let me know.
Right now I have to turn my attention to getting an ISAPI_Rewrite ruleset working. I've used it for years as an exceptionally flexible hot link blocker and a badly behaved bots blocker. This will be my first attempt at doing URL rewriting.