IIS-Script to validate and apply security settings
on 05.11.2007 01:41:01 by EdSimpson
I am looking for script that will validate IIS settings such as,
• Log file location
• Log file type
• Client IP Address
• User Name
• Method
• URI Stem
• HTTP Status
• Win32 Status
• User Agent
• Server IP Address
• Server Port
Determine if "Everyone" failed access on key and all subkeys of
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\" and
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" is being
logged.
To enumerate path to all Webroot directory, and sub-directories.
Determine if all failed access to metabase, %SystemRoot%\System32\Inetsrv,
each Webroot directory and sub-directories, Web Scripts and Web Executables
is being logged.
--
Appreciate all responses.
Re: IIS-Script to validate and apply security settings
on 05.11.2007 11:51:03 by Ken Schaefer
"Ed Simpson" wrote in message
news:42CA7FA6-299F-4007-92ED-D45869D8EB2E@microsoft.com...
>I am looking for script that will validate IIS settings such as,
> • Log file location
> • Log file type
These are stored in the metabase - use
adsutil.vbs/WMI/system.directoryservices to get their values
> • Client IP Address
> • User Name
> • Method
> • URI Stem
> • HTTP Status
> • Win32 Status
> • User Agent
> • Server IP Address
> • Server Port
This is per-request. Look in the IIS logfiles
> Determine if "Everyone" failed access on key and all subkeys of
> "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\" and
> "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC" is being
> logged.
You need to enable Object Access Auditing, and then turn on auditing in the
SACL for these reg keys
> To enumerate path to all Webroot directory, and sub-directories.
adsutil.vbs
> Determine if all failed access to metabase, %SystemRoot%\System32\Inetsrv,
> each Webroot directory and sub-directories, Web Scripts and Web
> Executables
> is being logged.
Object Access Auditing
>
> --
> Appreciate all responses.
Sounds like you are a consultant or similar engaged to deliver a piece of
work, and think that a script can do all of this for you.
You need to read up on what these requirements are, and what they involve,
first.
Putting "appreciated all responses" in your sig is just a laugh.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
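An added example, not part of either post: one way to check the per-request items from the question against the IIS log files themselves. It assumes the site logs in W3C Extended Log File Format and reads the `#Fields:` directive; the function name and the sample log lines are constructed for illustration.

```python
# W3C Extended field names for the nine per-request items in the question.
REQUIRED_FIELDS = {
    "Client IP Address": "c-ip",
    "User Name": "cs-username",
    "Method": "cs-method",
    "URI Stem": "cs-uri-stem",
    "HTTP Status": "sc-status",
    "Win32 Status": "sc-win32-status",
    "User Agent": "cs(User-Agent)",
    "Server IP Address": "s-ip",
    "Server Port": "s-port",
}


def audit_log_fields(lines):
    """Return one (line_no, missing_labels, entry_count) per #Fields: directive.

    IIS writes a fresh header whenever the service restarts or the logging
    configuration changes, so a single file can hold several field layouts.
    """
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            present = set(line[len("#Fields:"):].split())
            missing = [label for label, name in REQUIRED_FIELDS.items()
                       if name not in present]
            findings.append([line_no, missing, 0])
        elif line and not line.startswith("#") and findings:
            findings[-1][2] += 1  # entry logged under the latest layout
    return [tuple(f) for f in findings]


# Constructed sample: the second header drops user name, Win32 status, user agent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-11-05 01:41:01
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip cs(User-Agent) sc-status sc-win32-status
2007-11-05 01:41:01 192.0.2.10 GET /default.htm 80 - 198.51.100.7 Mozilla/4.0 200 0
2007-11-05 01:41:09 192.0.2.10 GET /admin/ 80 - 198.51.100.7 Mozilla/4.0 401 5
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status
2007-11-05 02:10:44 192.0.2.10 GET /default.htm 80 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    for line_no, missing, count in audit_log_fields(SAMPLE_LOG):
        status = "OK" if not missing else "MISSING: " + ", ".join(missing)
        print(f"#Fields at line {line_no} ({count} entries): {status}")
```

Checking every `#Fields:` directive rather than only the first catches a period where logging was reconfigured with fewer fields, and the entry count shows how many requests were recorded under that reduced layout.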