Solved

Locking Down IIS files and sites

Posted on 2009-06-30
Last Modified: 2012-05-07
We need assistance in building a VB Script that can set IP/Subnet restrictions on multiple folders and/or files in IIS for our web-based application. It will need to accept a list of addresses and/or subnets. It needs to work under IIS 7, 6, 5.

The current script on hand does not work in IIS7 without the IIS6 compatibility layer. Even then, running it twice will cause problems. Running the script below multiple times on IIS 4/5/6 causes no problems.

on error resume next
 
 

'SiteIndex will typically be 1, but may change where Windows SBS, Sharepoint, or Intranets are pre-existing

  'Running against wrong site will typically be benign as the script is looking for very specific names

  'If they are not there, not too much happens! 

  'You should also see that the "The following IP addresses are now Allowed:" will show nothing, indicating failure.

  'The 'ListSiteIndex' subroutine will show the current setup and will help if '1' is not working for you

    
 

'ToFiles array is for individual files and is geared towards locking individual files to local/admin access only

'ToFolders array is suited to locking the whole virtual folder to just the CU subnet(s)

'Any IP/Subnet not specified will be DENIED

  'For just an IP use ("nnn.nnn.nnn.nnn") 

  'For Subnet, ("nnn.nnn.nnn.nnn,nnn.nnn.nnn.nnn")

  'Adding Multiple entries is ok, and you can mix IP and Subnets together like ("127.0.0.1","192.168.5.0,255.255.255.0")
 
 

'Start - Edit Name/Index/IPs as required. *************************************************************************************************

'Calling from command line will override these values if specified.
 

  strServerName = "localhost" 

  strSiteIndex = "1"

   

  arrGrantTheseIPs_ToFiles = Array("127.0.0.1")

  arrGrantTheseIPs_ToFolders = Array("127.0.0.1","192.168.5.0,255.255.255.0")

  

'End - Edit Name/Index/IPs ****************************************************************************************************************
 
 
 

'Do not edit! *****************************************************************************************************************************
 

  strSiteRoot = "IIS://" & strServerName & "/W3SVC" & "/" & strSiteIndex & "/ROOT"

  ListSiteIndex

  wscript.echo vbTab & "Current Site Index: " & strSiteIndex

  

'/Do not edit! ****************************************************************************************************************************
 
 

'Grab arguments from the command line and override the settings embedded in this file
 
 

IF WScript.Arguments.Named("grantFiles") <> "" THEN

                   tgf=WScript.Arguments.Named("grantFiles")

                   wscript.echo vbCRLF & "Granting IP/Networks " & tgf & " to config files"

                   arrGrantTheseIPs_ToFiles = Array(tgf)

END IF
 

IF WScript.Arguments.Named("grantFolders") <> "" THEN

                   tgfl=WScript.Arguments.Named("grantFolders")

                   wscript.echo vbCRLF & "Granting IP/Networks " & tgfl & " to user facing folders"

                   arrGrantTheseIPs_ToFolders = Array(tgfl)

END IF
 
 
 

      'Create a config block for *each* config file/folder that needs ip restrictions

      'Use the examples below for guidance - then copy/paste and adapt the block to the desired configuration

      'When using the examples, ensure you uncomment the lines between Start and End!

      'The only value(s) to edit/replace are indicated with *xxxxxx*
 
 
 

      'Start Folder IP Restrict Definition Block EXAMPLE----------------------------------------------------------

        'strFolderPath = strSiteRoot & "/*theFoldername*"

        'strConfigFilePath = strFolderPath & "/" & strConfigFileName

        'wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath

        '    SetFolderIPSec

      'End Folder IP Restrict Definition Block EXAMPLE------------------------------------------------------------
 
 

          'Start File IP Restrict Definition Block EXAMPLE------------------------------------------------------------

            'strConfigFileName = "*thefile.extension*"

            'strFolderPath = strSiteRoot & "/*theFoldername*"

            'strConfigFilePath = strFolderPath & "/" & strConfigFileName

            'wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath

            '    CreateFile

            '    SetFileIPSec

          'End File IP Restrict Definition Block EXAMPLE--------------------------------------------------------------
 
 
 
 

'Edit below here! *************************************************************************************************************************
 

      'Start Folder IP Restrict Definition Block------------------------------------------------------------------

        strFolderPath = strSiteRoot & "/CDPManageWebService"

        strConfigFilePath = strFolderPath & "/" & strConfigFileName

        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath

            SetFolderIPSec

      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 

      'Start Folder IP Restrict Definition Block------------------------------------------------------------------

        strFolderPath = strSiteRoot & "/CDPManageWebServiceMega"

        strConfigFilePath = strFolderPath & "/" & strConfigFileName

        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath

            SetFolderIPSec

      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 

          'Start File IP Restrict Definition Block -------------------------------------------------------------------

            strConfigFileName = "configuration.aspx"

            strFolderPath = strSiteRoot & "/CDPManageWebServiceMega"

            strConfigFilePath = strFolderPath & "/" & strConfigFileName

            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath

                CreateFile

                SetFileIPSec

          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 

      'Start Folder IP Restrict Definition Block------------------------------------------------------------------

        strFolderPath = strSiteRoot & "/CDPManageDocumentSearch"

        strConfigFilePath = strFolderPath & "/" & strConfigFileName

        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath

            SetFolderIPSec

      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 

      'Start Folder IP Restrict Definition Block------------------------------------------------------------------

        strFolderPath = strSiteRoot & "/CDPCentralWebService"

        strConfigFilePath = strFolderPath & "/" & strConfigFileName

        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath

            SetFolderIPSec

      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 

          'Start File IP Restrict Definition Block -------------------------------------------------------------------

            strConfigFileName = "configuration.aspx"

            strFolderPath = strSiteRoot & "/CDPCentralWebService"

            strConfigFilePath = strFolderPath & "/" & strConfigFileName

            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath

                CreateFile

                SetFileIPSec

          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 

      'Start Folder IP Restrict Definition Block------------------------------------------------------------------

        strFolderPath = strSiteRoot & "/CDPCentralWebServiceMega"

        strConfigFilePath = strFolderPath & "/" & strConfigFileName

        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath

            SetFolderIPSec

      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 

          'Start File IP Restrict Definition Block -------------------------------------------------------------------

            strConfigFileName = "configuration.aspx"

            strFolderPath = strSiteRoot & "/CDPCentralWebServiceMega"

            strConfigFilePath = strFolderPath & "/" & strConfigFileName

            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath

                CreateFile

                SetFileIPSec

          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 

      'Start Folder IP Restrict Definition Block------------------------------------------------------------------

        strFolderPath = strSiteRoot & "/CDPTellerWebInquiry"

        strConfigFilePath = strFolderPath & "/" & strConfigFileName

        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath

            SetFolderIPSec

      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 

          'Start File IP Restrict Definition Block -------------------------------------------------------------------

            strConfigFileName = "configuration.aspx"

            strFolderPath = strSiteRoot & "/CDPTellerWebInquiry"

            strConfigFilePath = strFolderPath & "/" & strConfigFileName

            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath

                CreateFile

                SetFileIPSec

          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 

      'Start Folder IP Restrict Definition Block------------------------------------------------------------------

        strFolderPath = strSiteRoot & "/CDPCentralWebService3_98"

        strConfigFilePath = strFolderPath & "/" & strConfigFileName

        wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strFolderPath

            SetFolderIPSec

      'End Folder IP Restrict Definition Block--------------------------------------------------------------------
 
 

          'Start File IP Restrict Definition Block -------------------------------------------------------------------

            strConfigFileName = "configuration.aspx"

            strFolderPath = strSiteRoot & "/CDPCentralWebService3_98"

            strConfigFilePath = strFolderPath & "/" & strConfigFileName

            wscript.echo vbCRLF & "Setting permissions on: " & vbCRLF & strConfigFilePath

                CreateFile

                SetFileIPSec

          'End File IP Restrict Definition Block ---------------------------------------------------------------------
 
 
 

'No Edits below here! *********************************************************************************************************************
 
 
 

Sub CreateFile
 

  Set objFolder = GetObject(strFolderPath)

  set objCreateConfigFile = objFolder.Create("IISWebFile",strConfigFileName)

      objCreateConfigFile.SetInfo
 

      Set objFolder = Nothing

      set objCreateConfigFile = Nothing

    

End Sub
 
 
 

Sub SetFileIPSec
 

  Set nub_object = GetObject(strConfigFilePath)

  Set objIPRestrict = nub_object.IPSecurity

  objIPRestrict.GrantByDefault = False

  'Leaving these in for flexibility - reverses things to allow all EXCEPT the addresses indicated

  'objIPRestrict.GrantByDefault = True

  'objIPRestrict.IPDeny = arrDenyTheseIPs_ToFiles

  objIPRestrict.IPGrant = arrGrantTheseIPs_ToFiles

  nub_object.IPSecurity = objIPRestrict

  nub_object.SetInfo
 

  WScript.Echo vbTab & "The following IP addresses are now Allowed:"

  arrGrantedIPs = objIPRestrict.IPGrant

  for i = 0 to Ubound(arrGrantedIPs)

    WScript.Echo vbTab & arrGrantedIPs(i)

  next

  

  WScript.Echo vbTab & "ALL OTHER ADDRESSES ARE DENIED!!!"

  

    Set nub_object = Nothing

    Set objIPRestrict = Nothing

    'Reset the path variables (they hold strings, so Nothing cannot be assigned to them)

    strConfigFileName = ""

    strFolderPath = ""

    strConfigFilePath = ""

  

End Sub
 
 
 

Sub SetFolderIPSec
 

  Set nub_object = GetObject(strFolderPath)

  Set objIPRestrict = nub_object.IPSecurity

  objIPRestrict.GrantByDefault = False

  'Leaving these in for flexibility - reverses things to allow all EXCEPT the addresses indicated

  'objIPRestrict.GrantByDefault = True

  'objIPRestrict.IPDeny = arrDenyTheseIPs_ToFolders

  objIPRestrict.IPGrant = arrGrantTheseIPs_ToFolders

  nub_object.IPSecurity = objIPRestrict

  nub_object.SetInfo
 

  WScript.Echo vbTab & "The following IP addresses are now Allowed:"

  arrGrantedIPs = objIPRestrict.IPGrant

  for i = 0 to Ubound(arrGrantedIPs)

    WScript.Echo vbTab & arrGrantedIPs(i)

  next

  

    WScript.Echo vbTab & "ALL OTHER ADDRESSES ARE DENIED!!!"

  

    Set nub_object = Nothing

    Set objIPRestrict = Nothing

    'Reset the path variables (they hold strings, so Nothing cannot be assigned to them)

    strConfigFileName = ""

    strFolderPath = ""

    strConfigFilePath = ""

  

End Sub
 
 
 

Sub ListSiteIndex
 

  Dim parent_object 

  Dim child_object 

  Dim allsites 
 

  IISPath = "IIS://" & strServerName & "/W3SVC"

  Set parent_object = GetObject(IISPath)

  For each child_object in parent_object 

      If IsNumeric(child_object.Name) then

        Wscript.echo "Site Index ID: " & child_object.Name & vbTab & "ServerComment: " & child_object.ServerComment

      End If

  Next

  

    'Release object references with Set; IISPath is a string and is simply emptied

    IISPath = ""

    Set parent_object = Nothing

    Set child_object = Nothing

    Set allsites = Nothing

  

End Sub


0
Question by:carswelldp
2 Comments
 

Assisted Solution

by:meverest
meverest earned 500 total points
ID: 24755696
Hi,

Although WMI is supposed to be supported on IIS7, it tends to be problematic in some cases - as you have apparently discovered.

For IIS7 config, it is a better idea to use appCmd.exe to apply configuration changes, or to use httpmodule support using C# or other managed code.

For appcmd.exe, see: http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe/

For httpmodules, see: http://learn.iis.net/page.aspx/241/configuration-extensibility/

cheers.
0
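The appcmd.exe route suggested in the answer above, sketched as an added example that is not part of the original thread: it applies the same deny-by-default grants as the question's script to IIS 7 and can be run repeatedly. The site name `Default Web Site`, the helper function names and the shortened target list are assumptions; it also assumes the "IP and Domain Restrictions" role service is installed and the prompt is elevated.

```powershell
# Added example (not from the thread): deny-by-default IP restrictions via appcmd.exe.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'   # assumed site name
$section = 'system.webServer/security/ipSecurity'

# Same entry format as the question's script: "ip" or "ip,mask"
$folderGrants = @('127.0.0.1', '192.168.5.0,255.255.255.0')
$fileGrants   = @('127.0.0.1')
$targets = @(
    @{ Path = 'CDPManageWebService';                        Grants = $folderGrants },
    @{ Path = 'CDPManageWebServiceMega';                    Grants = $folderGrants },
    @{ Path = 'CDPManageWebServiceMega/configuration.aspx'; Grants = $fileGrants }
)

function ConvertTo-IpSecurityElement([string]$Entry) {
    $ip, $mask = $Entry.Split(',') | ForEach-Object { $_.Trim() }
    $parsed = $null
    foreach ($value in @(@($ip, $mask) | Where-Object { $_ })) {
        # Accept only canonical address text, so nothing unexpected reaches appcmd
        if (-not ([System.Net.IPAddress]::TryParse($value, [ref]$parsed) -and
                  $parsed.ToString() -eq $value)) {
            throw "Not a valid address or mask: '$value'"
        }
    }
    if ($mask) { "[ipAddress='$ip',subnetMask='$mask',allowed='true']" }
    else       { "[ipAddress='$ip',allowed='true']" }
}

function Invoke-AppCmd {
    & $appcmd @args
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed: $args" }
}

foreach ($t in $targets) {
    $configPath = "$site/$($t.Path)"
    # Validate every entry before touching the configuration
    $elements = @($t.Grants | ForEach-Object { ConvertTo-IpSecurityElement $_ })
    # Drop ipSecurity settings already stored for this path, so a second run
    # neither fails on duplicate entries nor keeps grants removed from the list.
    # ipSecurity is locked at server level by default, hence /commit:apphost.
    & $appcmd clear config $configPath "-section:$section" /commit:apphost | Out-Null
    Invoke-AppCmd set config $configPath "-section:$section" /allowUnlisted:false /commit:apphost
    foreach ($element in $elements) {
        Invoke-AppCmd set config $configPath "-section:$section" "/+$element" /commit:apphost
    }
    Invoke-AppCmd list config $configPath "-section:$section"   # show the result
}
```

If a run stops partway through a target, that path is left with `allowUnlisted="false"` and only the grants added so far, so the failure mode is closed rather than open.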
 

Accepted Solution

by:
carswelldp earned 0 total points
ID: 24798325
This has led us in the proper direction, we believe. This is something that we are going to explore in greater detail.

cheers!
0
