How do I use Notification Server with IIS lockdown and URLScan?
Answer
Integrating IIS Lockdown and URLScan
This section describes the requirements for integrating NS with the Microsoft IIS Lockdown Utility and URLScan. The core NS features require that the Web Service (HTTP) be enabled and that Active Server Pages (.ASP) be supported.
Integrating IIS Lockdown
When the IIS Lockdown utility is launched, you are prompted to select the "Server Template" that best matches the server's role. Dynamic Web Server (ASP enabled) best describes the role of the NS.
Note: If another template is selected, the services that are modified will differ and additional configuration may be required.
The Internet Services that are associated with the Dynamic Web server templates are
The utility provides the ability to disable script maps; Active Server Pages (.ASP) is the only entry that must not be disabled.
The IIS Lockdown Wizard offers additional security settings, but the NS does not require any of them to be enabled.
The IIS Lockdown Wizard can install the Microsoft URLScan utility, or it can be installed manually. When URLScan installs, it creates the WINNT\SYSTEM32\INETSRV\URLSCAN\URLSCAN.INI file. This file can be tuned to meet specific needs. Installing the URLScan utility as part of the IIS Lockdown wizard with the Dynamic Web server (ASP enabled) template configures the URLSCAN.INI file with these settings.
The following extensions must be added to allow for core NS functionality:
If other NS processes fail to function, refer to the WINNT\SYSTEM32\INETSRV\URLSCAN\URLSCAN.LOG file. It records which requests were rejected because their file extensions are not explicitly allowed.
These extensions can then be added to the allowed list. The World Wide Web Publishing Service must be restarted for the changes to take effect.
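The check-then-tune loop described above (confirm .asp is still accepted, read URLSCAN.LOG for rejected extensions, add them under [AllowExtensions]) can be scripted. The following is an added example, not code from the article or from the Notification Server product. It assumes the URLScan 2.x INI layout (an [Options] key UseAllowExtensions selecting between the [AllowExtensions] and [DenyExtensions] lists) and the URLScan log phrasing "URL contains extension '.xxx', which is disallowed"; the INI contents, log lines, extensions and URLs below are constructed samples, not NS's actual required list.

```python
# Added example (not from the original article or the NS product).
# Assumes the URLScan 2.x URLSCAN.INI layout and URLSCAN.LOG phrasing;
# the sample INI and log below are constructed, and the extensions in
# them are placeholders, not Notification Server's real required list.
import re
from configparser import ConfigParser

SAMPLE_INI = """[Options]
UseAllowVerbs=1
UseAllowExtensions=1
[AllowVerbs]
GET
HEAD
POST
[AllowExtensions]
.asp
.htm
.html
.txt
.
[DenyExtensions]
.exe
.bat
"""

# Constructed URLSCAN.LOG excerpt: two extension rejections (one repeated
# with different case) and one verb rejection that must be ignored.
SAMPLE_LOG = """[05-14-2003 - 10:21:07] Client at 10.1.2.3: URL contains extension '.xml', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/sample.xml'
[05-14-2003 - 10:21:09] Client at 10.1.2.3: URL contains extension '.dat', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/sample.dat'
[05-14-2003 - 10:21:12] Client at 10.1.2.4: URL contains extension '.XML', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/other.XML'
[05-14-2003 - 10:22:00] Client at 10.1.2.5: URL contains verb 'TRACE', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/AeXNS/'
"""

REJECT_RE = re.compile(r"URL contains extension '(\.[^']*)', which is disallowed")


def _load_ini(ini_text):
    # URLSCAN.INI lists bare extensions (".asp") with no "=value", so the
    # parser must accept value-less keys; interpolation is off because
    # nothing in the file uses %-substitution.
    cfg = ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cfg.read_string(ini_text)
    return cfg


def _section_entries(cfg, name):
    """Lower-cased set of the bare entries in a list section such as [AllowExtensions]."""
    if not cfg.has_section(name):
        return set()
    return {k.strip().lower() for k in cfg.options(name)}


def asp_allowed(ini_text):
    """True if URLScan, as configured, would still pass .asp requests."""
    cfg = _load_ini(ini_text)
    use_allow = cfg.get("Options", "UseAllowExtensions", fallback="0").strip() == "1"
    if use_allow:
        # Allow-list mode: anything not listed is rejected, so .asp must appear.
        return ".asp" in _section_entries(cfg, "AllowExtensions")
    # Deny-list mode: only the listed extensions are rejected.
    return ".asp" not in _section_entries(cfg, "DenyExtensions")


def rejected_extensions(log_text):
    """Distinct extensions URLScan rejected, lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in REJECT_RE.finditer(log_text)})


def missing_allow_entries(ini_text, log_text):
    """Rejected extensions that are not yet listed under [AllowExtensions]."""
    allowed = _section_entries(_load_ini(ini_text), "AllowExtensions")
    return [ext for ext in rejected_extensions(log_text) if ext not in allowed]


if __name__ == "__main__":
    print("ASP allowed:", asp_allowed(SAMPLE_INI))
    print("Add under [AllowExtensions]:", missing_allow_entries(SAMPLE_INI, SAMPLE_LOG))
```

Run against the real files, the output of missing_allow_entries is the set of lines to append under [AllowExtensions]; review each one before adding it, since the log shows every rejected request, not only those from NS, and restart the World Wide Web Publishing Service afterwards as the article notes.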
Note: Refer to Technet for specifics on the URLScan.ini file.
When the Internet Information Services Lockdown wizard runs, modifications are written to the C:\WINNT\System32\Obit-log.log file.
For the NS Client to communicate with the server, the client must have rights to read and execute from the AeXNS virtual directory. Anonymous access to this directory is left enabled by default; if anonymous access is removed, you must make sure that all users have rights to the Notification Server directory.
The Anonymous Access account must have full control of the following file directories:
In addition to the above, read and execute permissions must always be permitted on the Postevent.asp, GetClientPolicies.asp, and the CreateResource.asp files for the Anonymous Access account.