Hand hold through IIS set up to run on localhost

Offering money for services is against the terms and conditions of the site, however there are lots of people here that will be willing to help for free. Please remove your email address from your original post

First thing is what OS is it

Window2000 professonal with IIS and Personal Web setup too but I am confused about how to get it all to work correctly.

Sorry, I didn't know about the no$$ policy. How do I edit my original question to take out my email address?

hmmm... can't edit the original question any more since they did an interface upgrade, post a 0 point question in community support aslking to remove the last paragraph.

The policy basically includes things saying no advertising for goods and services
https://www.experts-exchange.com/memberAgreement.jsp

Right Windows 2000 Pro. Straight off the bat, you do realise that Pro will only support 1 web site at any one time. You need a server edition if you want multiple. Also teh pro version will not support more than 10 concurrent users. Provided this is not an issue read on

Logged in as the local or domain adminstrator. You need to:
1. go into Settings > control panel > Add / Remove programs
2. click Add/Remove Windows Components
3. (after a while) a screen will appear sayign what components, highlight (not check) the Internet Information Manager and click details
4. Check Common Files, Internet Information Server Snap In and World Wide Web Server

Click OK a few times and make sure you put the 2000 disk in when asked

Once done:

Go into Settings > control panel > Administrative Tools > Services and find World Wide Web Service. Double click and choose to stop it at this time (if started) and say start up manualy

The reason we do this is so that it is not on while we patch and secure the machine

Do that for starters

I'll assume that you have rebooted the machine, if not it would be a good idea. Next you need to do two things

1. Install IISLockdown toolkit. This will install URLScan which will protect you from a number of possible elemntary hacks. It is available at :
http://www.microsoft.com/downloads/details.aspx?familyid=dde9efc0-bb30-47eb-9a61-fd755d23cdec&displaylang=en
All you  need to know is that you should choose "Dynamic Web Server (ASP Enabled)" from the list. Choose to install URLScan (this is default anyway) and click next a few times - I have assumed here that you want to make an site using asp,

2. Patch your Server to SP4 and ideally run the Microsoft Baseline security analyser
SP4: http://www.microsoft.com/downloads/details.aspx?familyid=dc27b8c6-2a5a-4399-ad3d-4a97a25f41d9&displaylang=en
MBSA: http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=9a88e63b-92e3-4f97-80e7-8bc9ff836742

Run both - the security anaylser, we are really looking to check first of all that we have all teh patches installed that we should do for both the OS & IIS

Next go to Settings > Control Panel > Adminstrative Tools and click Internet Information Server. This will open an MMC, expand the nodes until you  see a "Default Web Site" - this is your web server instance. At this point we have a number of options on how to proceed, depending on what you eventually want to do with this machine

I already sent general question for them to edit question. Thanks.

Ok, trying to do what you are telling me to do. I will be right back.

At this stage you can now go back into Settings > Control Panel > Administrative tools > Services, find WWW Service that we earlier stopped, change the startup to automtic and start it

You should now be able to browsse to http://localhost. I suspect that unless you already have SP4 or some dazzling link to the web this will be it for today, however safe to say that you now have a server that is pretty well secured, all that is left is to tweak a few things within the webserver setup and give you a quick walk around

I think that I may have already installed all of the above mentioned components. When I go into control panel/services, I already see the World Wide Web Publishing services., as well as IIS Admin services and both are set to Started Automatic. I went to WWW publishing and stopped it like you said to.

Since it was already installed, I guess I do not have to shut down and I can go to the next you said about the URL scan?

Yes, the idea in not having it running is that in its default state following install there are a number of things that have since been proven to have vulnerabilities, so it is best to turn it off as soon as you can so it can be patched.

OK, I am in the middle of installing the iislock and in the beginning, it shows me a bunch of select server template... so I choose Dynamic Web Service ASP enable like you tell me to do.... then I hit next and the URLscan box is checked so I hit next again and now it shows me all of this stuff that it is going to disable. This is correct, right?  I just need to hit 'Next', Right?

Also, I upgraded to SP4 months ago. So I should be OK in this area, right?

I will run the analyzer after I finish the iislockdown

Given that you had IIS on there before you installed SP4 then yes you should be OK. Typically if you install or reinstall IIS after installation then some of the files will be from the original media

"OK, I am in the middle of installing the iislock and in the beginning, it shows me a bunch of select server template... so I choose Dynamic Web Service ASP enable like you tell me to do.... then I hit next and the URLscan box is checked so I hit next again and now it shows me all of this stuff that it is going to disable. This is correct, right?  I just need to hit 'Next', Right? "

Yes

Oh, the iislock down is finished. I am currently downloading the analyzer now. I see that it requires sql 7. (2000)   do I have this or how can I tell?

OK, so after I am sure about the SQL 7 (2000) that MS says I need before running the analyzer and after the analyzer is completed.

Can I then go into my explorer and say for instance doubleclick  on 'exampleprogram.csproj' and be able to run the project and switch views to see what my webpage looks like to others before actually putting it on a live server?

That last post doesn't read well, however the analyser does exactly that it just loks at all the software and tells you if you are adequatley patched I wasn't aware that it needed SQL installed, but will check the software if it is up to date.

Provided there are no big red crosses on the analyser report, then you should be able to goto http://localhost on the machine, and you are now browsing your web site.

What site so you intend to run, technologies etc ?

URGENT.... I started to load the analyzer and it told me to get out of all programs so I got off the web and closed all of my windows axcept for the install.  I have a Norton AntiVirus alert saying "Alert: Malicious script detect"   Object Windows Script Host Shell Object   Activity Run  File is MsiExec.exe   What to do gives options to Stop, Run Once, Authorize it, Quarantine it.  

I am assuming that this is the analyzer file and that I should 'Authorize' since I will use it more than once?    Or do I just say run just once?    I am awaiting your response. Thanks.

Yes, the virus detection has spotted that somethign is about to install, this is expected in this instance you want to authorise it - only in this instance mind, the "MicroSoft Installer EXECutaable" will install teh program, and will not be called again after installation

I have some programs that are written in C# and ASP.net on VS.NET 2002 and VS.NET 2003.  I have tried to open the projects to run them and that is when I kept getting the error that '404 not found' when I try to compile the project in .NET and then look at it on my localhost.  

As well, I also tried to create a couple of projects using CodeCharge and even though I followed their every step I still had an error Not Found type page in the browser window. They 'CodeCharge' support told me to make sure that my IIS was setup correctly and that was probably my problem.   I am learning web development and so I have different languages I can use... J#, C#, C++, ASP.NET etc.    Did this answer your question on my technologies?

That last line did yes :)

You need to go to http://windowsupdate.microsoft.com and see if .NET Framework is listed. I suspect that you may not yet have it installed. This is a big download, and once done you need to go back and install the service pack (if it is not bundled)

When that is complete we can look at why certain code samples are not working

OK, I am trying to run the analyzer and it says:

"The following services must be enabled: Workstation service and Server service. "

Does this mean I that I should go back into control/admin/services and start something?
I am awaiting your response.

And yes, I have all my .NET Profeesional 2002 and 2003 already installed and both 1.0 and 1.1 Frameworks already installed.

You will need the server service running for IIS to work - do you get any errors at start up ?

These services can be started from the services applet, and are called supriseingly enough Server and Worksation

OK, I checked and they (server and workstation) are started so I will continue on. No I haven't gotten any errors yet.  I will be right back after I try this. Thanks.

OK, this is what my system kicked back and now I do not know what to do so I am just waiting for your response. I think I missed a step. Should I have done WindowUpdate before running this? Thanks.

Computer name: Workgroup\Karla
IP address: 207.69.82.251
Security report name: Workgroup - Karla (07-23-2003 12-09 PM)
Scan date: 7/23/2003 12:09 PM
Scanned with MBSA version: 1.1.1
Security update database version: Could not access the security update XML file.
Security assessment: Incomplete Scan (Could not complete one or more requested checks.)


Security Update Scan Results

Score Issue Result
 Windows Security Updates
 Could not perform the security update scan.
   
 
 
 IIS Security Updates
 Could not perform the security update scan.
   
 
 
 Windows Media Player Security Updates
 Could not perform the security update scan.
   
 
 
 Exchange Server Security Updates
 Could not perform the security update scan.
   
 
 
 SQL Server Security Updates
 SQL Server is not installed on this computer.
   
 
 


Windows Scan Results


Vulnerabilities

Score Issue Result
 Local Account Password Test
 Some user accounts (3 of 7) have blank or simple passwords, or could not be analyzed.
What was scanned Result details How to correct this
 
 
 Restrict Anonymous
 Computer is running with RestrictAnonymous = 0. This level prevents basic enumeration of user accounts, account policies, and system information. Set RestrictAnonymous = 2 to ensure maximum security.
What was scanned  How to correct this
 
 
 Password Expiration
 Some unspecified user accounts (5 of 7) have non-expiring passwords.  
What was scanned Result details How to correct this
 
 
 File System
 All hard drives (2) are using the NTFS file system.
What was scanned Result details  
 
 
 Autologon
 Autologon is not configured on this computer.
What was scanned  
 
 
 Guest Account
 The Guest account is disabled on this computer.
What was scanned  
 
 
 Administrators
 No more than 2 Administrators were found on this computer.  
What was scanned Result details  
 
 


Additional System Information

Score Issue Result
 Auditing
 Enable auditing for specific events like logon/logoff. Be sure to monitor your event log to watch for unauthorized access.
What was scanned  How to correct this
 
 
 Services
 Some potentially unnecessary services are installed.
What was scanned Result details How to correct this
 
 
 Shares
 4 share(s) are present on your computer.  
What was scanned Result details How to correct this
 
 
 Windows Version
 Computer is running Windows 2000 or greater.
What was scanned  
 
 


Internet Information Services (IIS) Scan Results


Vulnerabilities

Score Issue Result
 Parent Paths
 Parent paths are enabled in some web sites and/or virtual directories.
What was scanned Result details How to correct this
 
 
 IIS Lockdown Tool
 The IIS Lockdown tool has been run on the machine.
What was scanned  
 
 
 Sample Applications
 IIS sample applications are not installed.
What was scanned  
 
 
 IIS Admin Virtual Directory
 IISADMPWD virtual directory is not present.
What was scanned  
 
 
 Msadc and Scripts Virtual Directories
 The MSADC and Scripts virtual directories are not present under the default web site.
What was scanned  
 
 


Additional System Information

Score Issue Result
 IIS Logging Enabled
 Some web or FTP sites are not using the recommended logging options.
What was scanned Result details How to correct this
 
 


SQL Server Scan Results

Score Issue Result
 SQL Server Status
 SQL Server is not installed on this computer.
   
 
 


Desktop Application Scan Results


Vulnerabilities

Score Issue Result
 IE Zones
 Internet Explorer zones do not have secure settings for some users.
What was scanned Result details How to correct this
 
 
 Macro Security
 4 Microsoft Office product(s) are installed. Some issues were found.
What was scanned Result details How to correct this
 
 
 Outlook Zones
 Microsoft Outlook 2000: Some security issues were found.
 

I am off home in 15 mins, but will be online again tomorrow morning

Hmmm.. it looks like it failed to get the XML file - is it connected to the web ?

I did get booted off the web and had to reconnect. So should I try the anlysis over from the beginning?

OK, I understand you have to go for now. I will accept this question.... you have been the best! I will repost another question so that maybe someone else can start where you left off.  

As for the last question, do I just run windowsupdate for the analyzer to complete all of the scans successfully and then try to address each of the warnings individually and then run alalyzer again until I get a OK for each item?    

I promise, I will not ask any more questions of you today.   Thanks.

I just finished the WindowsUpdate and it said 'There are no new updates available for your system' so I guess I am OK on all of my software installed, with patches in place.

Windows Update: Should be a link at teh top of the start menu, otherwisr just click on the following:
http://windowsupdate.microsoft.com

Security anaylser downloads a small file to check what the latest patches are, this was interupted so it didn't then complete the check correctly hence the first four importnat items on teh liest all said failed!

Before you give me the points lets double check that you can get to teh site. If you type in http://localhost into the web browser on that machine what do you get ?

I get 'The Page Cannot Be Displayed'

Okay, not good news.

Is the "World Wide Web Service" started ?

WWW Service is now started.  Sorry about that. Now I get a 'Enter Network password"
User name, password and Domain but I don't know what to enter here.

*Phew* had me worried there. Make sure that service is set to start automatically.

Now the pop up you are getting is because we have some small issues with the authentication. Frst of all go into the Internet Services Manager Settings> Control Panel > Admin Tools

find teh default website

right click > properties

go to

1. The Home directory tab - note down teh path to teh root of the web site
2.  Directory security tab, click the button at teh top, turn on Annoymous user and uncheck all others

In windows explorer, go to the root of the web site in 1 right click on the directry and choose properties, choose security and add in ISUR_<MachineName> if not there and give it Read permissions

For future reference, if you have errors, check that the server is running in teh service applet, and that the site is started in the Internet Services Manager, then :

1. Turn off "Friendly HTTP Errors" in your web browser, they are only 'friendly' becuase they mask a potentially ugly but more informative error from teh server
2. Check the following places for information on the error
a) Event Viewer
b) IIS Logs - typically by default in c:\WINDOWS\system32\Logfiles\W3SVC1 format is exYYMMDD.log (that is YearYearMonthMonthDayDay)
c) URLScan Logs -  c:\WINDOWS\system32\inetsrv\urlscan same format is urlscan.YYMMDD.log

I am trying to do this now.  Home is c:\inetpub\wwwroot and I unchecked everything but the annoymous

Now I am in brower and right clicked on wwwroot and am looking at it now.

What is my machine name?   Is it Karla?

I do not know what you machien name is  - the thing is that there should be an account on your PC called IUSR_<Machine Name> i.e. if you machine is called Karla then the account is IUSR_Karla

When I went into and hit ADD if gave me a bunch to choose from I saw ISUR_Karla so I hit that and said OK.... now it says in wwwroot properteries  under security 'Internet Guest Account KARLA/ISUR_KARLA ?    Is this right?

Now when I http:localhost it says "you are not authorized to view this page''

Yep :) Choose Read & Execute, List Contents and Read permissions (you might want to change that to jsut read later on)

I checked those three items.

Ok what that could mean is that there is no default page defined. What to do here is to go into c:\inetpub\wwwroot  and create a page called default.htm in it pout the following:

<HTML>
<BODY>
Hello World
</BODY>
</HTML>

next try http://localhost/default.htm

For some reason you may have lost the defautl docuemnts - these are the pages that the web server servers if you do not specify a particular page. Go into Internet Services Manger and get the properties and go to the defautl document tab check that it is enabled and that there is somethign in there i.e. default.htm default.asp etc

I know you said that you had to go and I feel bad that I am taking all your time. I tried http://localhost/  again and it still says 'you are not authorized to view this page' ??

It *may*be calling the locastart.asp at start up this may spawn a new browser window - which subsequantly will give a 404 not found error as the pages that were meant to be in there have been removed by the installation if the IIS Lockdown toolkit

Don't worry I have other things to do, and I feel bad that it doesn't work properly

Please open command prompt window and type HOSTNAME for me - hopefully it will say Karla

did you try the default.htm page like I said ?

Yes, something like that when I set up the ISUR_Karla was in the window that said locastart  should I have deleted that?

localstart.asp is fine, I just went off there on a random thought process. Please set up teh default.htm and then try the link I sent before and tell me what you get

I am sorry but I do not know how to set up the default.htm?

OK I see the msg you sent and I am doing it now ... default.htm

No problem

Open notepad, copy cand paste that little bit of html then say file save as

navigate to C:\inetpub\wwwroot
filename : default.htm
file type : *.* All types

I am sorry but I had a major problem and had to reboot, etc.
lower left of browser said downloading from sit: res://c:\winnt\system32\shdoclc.dll\dnserror.htm   I will try the other thing now.

res://c:\winnt\system32\shdoclc.dll\dnserror.htm   - that suggests that it can't reach teh site, check that the service has started and that the website has started & my comments in previsou posts

If it is any consoluation ( and I doubt it is) we are very, very close to having this work

I have done everything you said to do this point and tried http://localhost  just now and it says again 'you are not auth.....'

It is a consoluation.... I am hopeful and I trust you. I really am doing everything that you are telling me to do.  I feel pretty comfortable with computers and have had many programming classes but just not website development.

fz2hqs:    Thank you so much for all of your help.  I am printing our discussion and am going to go over it one by one again and try to figure this out. I hope that if you see a question from me again and can help me that you will.

I closed this question with a AAAA  I wish they let us give more than A. Thanks for all your time and help.

I have edited the orginal question and deleted the email and offer of money.  hinkleyk knows this is wrong.

YensidMod
EE Moderator