How to use Notification Server with IIS lockdown and URLScan

Article ID: 179717

Products

Management Platform (Formerly known as Notification Server)

Resolution

Question

How do I use Notification Server with IIS lockdown and URLScan?

Answer

Integrating IIS Lockdown and URLScan

This section describes the requirements for integrating NS with the Microsoft IIS Lockdown Utility and URLScan. The core NS features require that the Web service (HTTP) be enabled and that Active Server Pages (.ASP) remain supported; any lockdown configuration that removes either of these will break the NS console and client communication.

Integrating IIS Lockdown

When the IIS Lockdown utility is launched, you are prompted to select the "Server Template" that best matches the server's role. Dynamic Web Server (ASP enabled) best describes the role of the NS.

Note: If a different template is selected, a different set of services and script maps is modified, and additional configuration may be required to restore NS functionality.

The Internet services associated with the Dynamic Web Server template are:

  • Web service (HTTP)—must be enabled to respond to Web client requests
  • File Transfer Service (FTP)—not used by NS
  • E-mail service (SMTP)—If the NS server is also to be an SMTP server then this option must be enabled
  • News Service (NNTP)—not used by NS

The utility can also disable individual script maps. Active Server Pages (.ASP) is the only script map that must not be disabled; the others (for example .IDQ, .HTR, .PRINTER, .SHTML) are not used by NS and can be disabled as the wizard proposes.

The IIS Lockdown Wizard offers additional security settings (removing sample virtual directories, restricting anonymous write access, and so on). NS does not require any of these settings to be enabled or disabled, so they can be applied according to the server's own security policy.

Integrating URLScan

The IIS Lockdown Wizard can install the Microsoft URLScan utility, or URLScan can be installed manually. When URLScan installs it creates the file WINNT\SYSTEM32\INETSRV\URLSCAN\URLSCAN.INI, which can be tuned to meet specific needs. Installing URLScan as part of the IIS Lockdown Wizard with the Dynamic Web Server (ASP enabled) template populates URLSCAN.INI with that template's default settings.

The following extensions must be added to allow for core NS functionality:

  • .VBE (used in the creation of the various web pages within the console. Data is pulled from a SQL database to create Dynamic web pages)
  • .JSE (used in the creation of the various web pages within the console. Data is pulled from a SQL database to create Dynamic web pages)
  • .ASPX
  • .XSL
  • .BMP
  • .XML
  • .EXE (only needed to install the NS client on the server or to push the client to remote machines. This extension must also be removed from the [DenyExtensions] section.)
  • .LPK
  • .CSS
  • .CAB (needed for the loading of cab files during the initial load of the web console and installing of additional solutions through the Solution Center. Remote Administrator Consoles and Web Reports will also install cab files during the initial opening of the console)
  • .ICO

If other NS processes fail to function, refer to the WINNT\SYSTEM32\INETSRV\URLSCAN\URLSCAN.LOG file. Each rejected request is logged together with the extension that was not specifically allowed.

Add those extensions to the list as well. The World Wide Web Publishing Service must be restarted for the changes to take effect.
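The two steps above (reading URLSCAN.LOG for rejected extensions, then editing the [AllowExtensions] and [DenyExtensions] sections of URLSCAN.INI) can be scripted so that the change is repeatable and reviewable. The following is an added example written for this article; it is not code from the article, from Altiris, or from Microsoft. The log lines and the INI excerpt are constructed samples in the format URLScan uses, the AeXNS paths in the log are illustrative only, and the required-extension list is the one given above. Note that which list URLScan actually enforces depends on UseAllowExtensions in [options]; the script reports that setting so you know whether the [AllowExtensions] additions or the [DenyExtensions] removal is the one taking effect.

```python
import re
from collections import Counter

# Extensions this article lists as required for core NS functionality.
NS_EXTENSIONS = [".vbe", ".jse", ".aspx", ".xsl", ".bmp", ".xml",
                 ".exe", ".lpk", ".css", ".cab", ".ico"]

# Constructed lines in the style of URLScan's URLSCAN.LOG (not a real capture;
# the AeXNS paths are illustrative only).
SAMPLE_LOG = """\
[06-18-2003 - 09:12:44] Client at 10.1.2.3: URL contains extension '.cab', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/AeXNS/Console.cab'
[06-18-2003 - 09:12:45] Client at 10.1.2.3: URL contains extension '.xsl', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/AeXNS/Report.xsl'
[06-18-2003 - 09:13:01] Client at 10.1.2.9: URL contains extension '.cab', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/AeXNS/Console.cab'
[06-18-2003 - 09:14:10] Client at 10.1.2.9: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/AeXNS/../winnt/'
[06-18-2003 - 09:15:30] Client at 10.1.2.3: URL contains extension '.exe', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/AeXNS/Client.exe'
"""

# Constructed excerpt of a URLSCAN.INI in URLScan's own format.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1
UseAllowExtensions=1
EnableLogging=1

[AllowExtensions]
.asp
.htm
.gif

[DenyExtensions]
.exe
.bat
.cmd
"""

EXT_REJECT = re.compile(r"URL contains extension '(\.[^']+)', which is disallowed")

def denied_extensions(log_text):
    """Count requests URLScan rejected per not-allowed extension. Other
    rejections ('..', verbs, headers) are not fixed by the extension lists,
    so they are ignored here."""
    counts = Counter()
    for line in log_text.splitlines():
        m = EXT_REJECT.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts

def _sections(ini_text):
    """(lowercased name, original header line, body lines) per INI section.
    URLScan's list sections hold bare values, which configparser rejects."""
    sections, current = [], ("", None, [])
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            sections.append(current)
            current = (s[1:-1].lower(), line, [])
        else:
            current[2].append(line)
    sections.append(current)
    return sections

def section_entries(ini_text, section):
    """Non-blank, non-comment entries of a section, lowercased."""
    for name, _, lines in _sections(ini_text):
        if name == section.lower():
            return [l.strip().lower() for l in lines
                    if l.strip() and not l.lstrip().startswith(";")]
    return []

def uses_allow_list(ini_text):
    """True if UseAllowExtensions=1 (only [AllowExtensions] is served); with 0
    everything outside [DenyExtensions] is served. A missing key is treated
    as 0 here (assumption; confirm against the TechNet reference)."""
    for entry in section_entries(ini_text, "options"):
        key, _, value = entry.partition("=")
        if key.strip() == "useallowextensions":
            return value.strip() == "1"
    return False

def allow_extensions(ini_text, extensions):
    """Rewrite INI text so every extension is in [AllowExtensions] and not in
    [DenyExtensions]. Existing lines keep their order, so re-running is a no-op."""
    wanted = {e.lower() for e in extensions}
    out, found = [], False
    for name, header, lines in _sections(ini_text):
        body = list(lines)
        while body and not body[-1].strip():
            body.pop()                  # trailing blank re-added as spacing
        if name == "allowextensions":
            found = True
            present = {l.strip().lower() for l in body}
            body.extend(sorted(e for e in wanted if e not in present))
        elif name == "denyextensions":
            body = [l for l in body if l.strip().lower() not in wanted]
        if header is None and not body:
            continue                    # nothing before the first header
        if header is not None:
            out.append(header)
        out.extend(body)
        out.append("")
    if not found:
        out.extend(["[AllowExtensions]", *sorted(wanted), ""])
    return "\n".join(out)
```

Typical use is `allow_extensions(open(ini_path).read(), NS_EXTENSIONS + list(denied_extensions(open(log_path).read())))`, written back to URLSCAN.INI after review, followed by a restart of the World Wide Web Publishing Service. Only extension rejections are turned into allow-list entries; a '..' or verb rejection in the log is evidence of a probe or a broken client, not a reason to loosen URLScan.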

Note: Refer to Microsoft TechNet for the full description of the URLScan.ini file and its sections.

When the Internet Information Services Lockdown Wizard runs, the modifications it makes are written to the C:\WINNT\System32\Oblt-log.log file. Keep this log: it records what the wizard changed and is the reference for undoing a change that breaks NS.

Other security settings

For the NS client to communicate with the server, the client must have Read and Execute rights on the AeXNS virtual directory. Anonymous access is left enabled on this directory by default. If anonymous access is removed, every account that clients authenticate with must be granted rights to the Notification Server directory.

The Anonymous Access account must have Full Control of the following directories:

  • install path\Altiris\eXpress\Notification Server\NSCap\EvtInbox
  • install path\Altiris\eXpress\Notification Server\NSCap\EvtQFast
  • install path\Altiris\eXpress\Notification Server\NSCap\EvtQueue
  • install path\Altiris\eXpress\Notification Server\NSCap\EvtQSlow
  • install path\Altiris\eXpress\Notification Server\NSCap\EvtQLarge
  • install path\Altiris\eXpress\Notification Server\NSCap\Temp

In addition, the Anonymous Access account must always have Read and Execute permission on the Postevent.asp, GetClientPolicies.asp, and CreateResource.asp files.