
IIS Lockdown - unable to edit script map


Jeremy Tyler

Jul 5, 2002, 3:30:33 PM
Whenever I run IIS Lockdown it always fails saying "unable
to edit script map". It does this on NT4 and 2000. Yes,
I have administrative privileges when I am running it.
Thanks for any help.

jer

Karl Westerholm [MS]

Jul 5, 2002, 7:58:17 PM
Greetings,

That error behavior has been seen to occur in cases where the
'scriptmaps' metabase property was already set to nothing/null before the
IIS Lockdown tool was run. Are the NT4/IIS4 & W2K/IIS5 servers already in
use, or are they completely fresh installations?

If these IIS servers have already been in use for some time, you could
use the following command to examine the scriptmaps entries for the first
(default) website...as well as any additional websites you may have
configured by issuing an identical command but changing the '1' to match
the instance #s of your additional websites.

(Note: issue from command-prompt, after first CD'ing into the directory
containing your copy of the 'adsutil.vbs' script - generally this will be
'<drive>:\inetpub\adminscripts' for a W2K/IIS5 server)


adsutil get w3svc/1/root/scriptmaps


If these are completely fresh installations, the behavior has also been
seen in association with 3rd-party IIS add-in products, such as SiteMinder.

Regards,
-->Karl

“Please do not send email directly to this alias. This is our online
account name for newsgroup participation only.”

This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.

--------------------
| Newsgroups: microsoft.public.inetserver.iis.security

David Wang [MS]

Jul 6, 2002, 2:59:25 AM
And you realize that without scriptmaps, all dynamic content (like ASP pages)
is served as static files, meaning its contents are *not* executed?

--
//David

"Jeremy Tyler" <jty...@utah.gov> wrote in message
news:1336e01c2245a$6e2f10b0$a5e62ecf@tkmsftngxa07...

Jeremy Tyler

Jul 6, 2002, 8:43:50 PM
NT4/IIS4 installation is old, W2K/IIS5 installation is
new. However, since you noted it, both have Siteminder
clients installed. I could uninstall the Siteminder
client on the W2K machine and then run IIS Lockdown and
reinstall the Siteminder client, but I cannot do this on
the NT4 machine. Is there a good way to work around
this? Thanks.

jer


David Wang [MS]

Jul 7, 2002, 4:11:42 PM
Try:

CSCRIPT %SYSTEMDRIVE%\Inetpub\adminscripts\adsutil.vbs get w3svc/scriptmaps
// this gets the global scriptmaps

CSCRIPT %SYSTEMDRIVE%\Inetpub\adminscripts\adsutil.vbs get w3svc/1/scriptmaps
// this gets the site scriptmaps

CSCRIPT %SYSTEMDRIVE%\Inetpub\adminscripts\adsutil.vbs get w3svc/1/root/scriptmaps
// this gets the root vdir's scriptmap

And see whether any exist. There *should* be a global scriptmap, and if you've
edited the website's scriptmaps, one should also exist at the root vdir level.
The way the scriptmaps node works, it's by masking. The more general one
(global) is completely masked by the more specific (root vdir). You can also
have scriptmaps on a vdir level, which overrides all others for that vdir.

SiteMinder probably removed the global scriptmaps entry. Go into the IIS UI,
Master Properties for WWW Service, choose the "Home Directory" Tab and select
"Configuration". Make sure it is not empty - you can add a scriptmap, hit apply,
remove the scriptmap, hit apply -- this will create a ScriptMap node with
nothing on it (I'm guessing that SiteMinder deletes the Node).

Be aware of the fact that having no scriptmaps means that dynamic content will
not be executed. In particular, ASP source files will be returned instead of
executed without an ASP scriptmap.
--
//David

"Jeremy Tyler" <jty...@utah.gov> wrote in message

news:1388401c2254f$5cb7aae0$37ef2ecf@TKMSFTNGXA13...

Jeremy Tyler

Jul 8, 2002, 12:09:44 PM
Thanks. I'm just trying to remove .htr, .idc, and other
scriptmaps that I don't use that don't need to be there
for security reasons.

The global scriptmap exists on both machines. When I try
to disable a mapping through the IIS WWW Master Properties
menu it disables these mappings on W2K but my NT4 mappings
just keep reappearing after I delete them and close the
menu and reopen it. Siteminder adds some of it's own
scripmaps but I don't see how that would cause problems in
editing the scriptmaps later on.


David Wang [MS]

Jul 8, 2002, 11:29:14 PM
Did you try to delete all the mappings or just a subset? If you try to delete
all the mappings at a non-global node, it'd probably revert to inheriting, which
would re-inherit values from the parent node.

Of course, this is all a function of the UI; one can conclusively edit
ScriptMaps with adsutil.vbs (ADSI), ABO, or WMI.

--
//David


This posting is provided "AS IS" with no warranties, and confers no rights.

//


"Jeremy Tyler" <jty...@utah.gov> wrote in message

news:13b6701c22699$df6e1320$9ee62ecf@tkmsftngxa05...
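
The masking and revert-to-inheriting behaviour described in the last two replies, as an added example that is not part of the original thread: it parses saved `adsutil.vbs get .../scriptmaps` output for the global, site and root vdir nodes, resolves which node's scriptmaps are actually in effect, and reports whether `.htr` or `.idc` is still mapped. The output layout, the "not set" message, the sample text and all function names are assumptions constructed for illustration.

```python
import re

# Constructed samples of `adsutil.vbs get <path>/scriptmaps` output (assumed layout).
GLOBAL = r'''ScriptMaps                      : (LIST) (3 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
  ".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST"
  ".idc,C:\WINNT\System32\inetsrv\httpodbc.dll,1,GET,POST"
'''
ASP_ONLY = r'''ScriptMaps                      : (LIST) (1 Items)
  ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
'''
EMPTY = "ScriptMaps                      : (LIST) (0 Items)\n"
NOT_SET = 'The parameter "scriptmaps" is not set at this node.\n'

UNWANTED = {".htr", ".idc"}  # the mappings the poster wants removed

def parse_adsutil(output):
    """None if the node has no ScriptMaps of its own (it inherits),
    else {extension: handler path}, which may be empty."""
    if "(LIST)" not in output:
        return None
    maps = {}
    for line in output.splitlines():
        m = re.match(r'\s*"(\.[^,"]+|\*),([^,"]+)', line)
        if m:
            maps[m.group(1).lower()] = m.group(2)
    return maps

def effective(levels):
    """levels: [(metabase path, raw output)] ordered general -> specific.
    The most specific node that sets ScriptMaps masks every parent."""
    for path, raw in reversed(levels):
        parsed = parse_adsutil(raw)
        if parsed is not None:
            return path, parsed
    return None, {}

def audit(levels):
    """Return (node whose scriptmaps apply, list of findings)."""
    source, maps = effective(levels)
    findings = []
    if not maps:
        findings.append("no scriptmaps in effect: dynamic content is served as static files")
    for ext in sorted(UNWANTED & set(maps)):
        findings.append(f"{ext} still mapped at {source}: {maps[ext]}")
    return source, findings

def levels(root_output):
    """Global and site nodes fixed; only the root vdir output varies."""
    return [("w3svc", GLOBAL), ("w3svc/1", NOT_SET), ("w3svc/1/root", root_output)]
```

Calling `audit(levels(NOT_SET))` models a root vdir whose mappings were all deleted in the UI: the node falls back to the global list, so `.htr` and `.idc` are reported again.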

