IIS-Script to validate and apply security settings

on 05.11.2007 01:41:01 by EdSimpson

I am looking for a script that will validate IIS settings such as,
• Log file location
• Log file type
• Client IP Address
• User Name
• Method
• URI Stem
• HTTP Status
• Win32 Status
• User Agent
• Server IP Address
• Server Port
Determine if “Everyone” failed access on key and all subkeys of
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\” and
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC” is being
logged.

To enumerate path to all Webroot directory, and sub-directories.
Determine if all failed access to metabase, %SystemRoot%\System32\Inetsrv,
each Webroot directory and sub-directories, Web Scripts and Web Executables
is being logged.

--
Appreciate all responses.

Re: IIS-Script to validate and apply security settings

on 05.11.2007 11:51:03 by Ken Schaefer

"Ed Simpson" wrote in message
news:42CA7FA6-299F-4007-92ED-D45869D8EB2E@microsoft.com...
> I am looking for a script that will validate IIS settings such as,
> • Log file location
> • Log file type

These are stored in the metabase - use
adsutil.vbs/WMI/system.directoryservices to get their values

> • Client IP Address
> • User Name
> • Method
> • URI Stem
> • HTTP Status
> • Win32 Status
> • User Agent
> • Server IP Address
> • Server Port

This is per-request. Look in the IIS logfiles

> Determine if “Everyone” failed access on key and all subkeys of
> “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\” and
> “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC” is being
> logged.

You need to enable Object Access Auditing, and then turn on auditing in the
SACL for these reg keys


> To enumerate path to all Webroot directory, and sub-directories.

adsutil.vbs

> Determine if all failed access to metabase, %SystemRoot%\System32\Inetsrv,
> each Webroot directory and sub-directories, Web Scripts and Web Executables
> is being logged.

Object Access Auditing

>
> --
> Appreciate all responses.

Sounds like you are a consultant or similar engaged to deliver a piece of
work, and think that a script can do all of this for you.

You need to read up on what these requirements are, and what they involve,
first.

Putting "appreciated all responses" in your sig is just a laugh.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken