You can set the various IIS processes(web/ftp) to serve content only on
specific
iterfaces(ie. localhost only, only one of IPs on a machine), is there a
way to apply this type of setting to the IISAdmin service? Can I run
IIS(publish
content) without running the IISAdmin Service(or providing access to
it from other hosts by binding IISAdmin to localhost)?
Don't quite get you.
But you need iis admin service as web/ftp/inetinfo depends on this service.
and there's no interface for you to restrict access to it. it is just a
local service that belong to the entire IIS suite.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/
"Matt Woodyard"
news:1144344011.107674.87970@v46g2000cwv.googlegroups.com...
> You can set the various IIS processes(web/ftp) to serve content only on
> specific
> iterfaces(ie. localhost only, only one of IPs on a machine), is there a
> way to apply this type of setting to the IISAdmin service? Can I run
> IIS(publish
> content) without running the IISAdmin Service(or providing access to
> it from other hosts by binding IISAdmin to localhost)?
>
If it is just a local service then why does a port scan reveal a 5
ports for a server that should only be publishing content on port
80/443/admin site port? The host responds (and netstat -anp reveals the
responding service is inetinfo.exe) on a tcp port and a udp port that
are randomly assigned. This is not at all local, or at least not in my
config.
Well, there's other port involved of coz
INFO: Inetinfo Services Use Additional Ports Beyond Well-Known Ports
http://support.microsoft.com/?id=327859
but those port do not need for website access
just 80/443 will do. if you have admin site that not binding standard port
80, then open that incoming port as well.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/
"Matt Woodyard"
news:1144900776.628692.179360@i40g2000cwc.googlegroups.com.. .
> If it is just a local service then why does a port scan reveal a 5
> ports for a server that should only be publishing content on port
> 80/443/admin site port? The host responds (and netstat -anp reveals the
> responding service is inetinfo.exe) on a tcp port and a udp port that
> are randomly assigned. This is not at all local, or at least not in my
> config.
>
This is correct. Since those ports are not needed for website content
services, I would like to make them 'go away'(not be available on any
host other than localhost). In unix land this would be trivially
accomplished by editting the apache config and setting Listen
127.0.0.1:80 (or whatever, since apache doesn't use RPC the analogy
doesnt really hold completely). So it sounds as if I'm going to run an
IIS server I'm just going to have accept that a webserver running
content on 1 port(80) will require 2 ports that simply increase our
internal exposure?
Well that's Apache land, this is IIS, I can't comment on behalf of MS.
Typically, firewall control access is how I deal with this.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/
"Matt Woodyard"
news:1144957362.732026.116840@t31g2000cwb.googlegroups.com.. .
> This is correct. Since those ports are not needed for website content
> services, I would like to make them 'go away'(not be available on any
> host other than localhost). In unix land this would be trivially
> accomplished by editting the apache config and setting Listen
> 127.0.0.1:80 (or whatever, since apache doesn't use RPC the analogy
> doesnt really hold completely). So it sounds as if I'm going to run an
> IIS server I'm just going to have accept that a webserver running
> content on 1 port(80) will require 2 ports that simply increase our
> internal exposure?
>
Yeah, I understand that its a different software, just trying to draw a
parallel, and it sounds like there is none, and the we'll just have to
accept this exposure on our network. Thanks for the help.
Matt
Sure, I will help relay the message to MS.
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/
"Matt Woodyard"
news:1145045854.310374.215320@v46g2000cwv.googlegroups.com.. .
> Yeah, I understand that its a different software, just trying to draw a
> parallel, and it sounds like there is none, and the we'll just have to
> accept this exposure on our network. Thanks for the help.
>
> Matt
>