31 January 2011 • by Bob • FrontPage, IIS, WebDAV
In this latest installment on my series about configuring your server for hosting without the FrontPage Server Extensions (FPSE), I'd like to discuss a couple of WebDAV best practices that I like to use.
In my How to Migrate FPSE Sites to WebDAV walkthrough, I discuss the following FPSE-related folders:
Folder | Notes
--- | ---
_fpclass | Should contain publicly-available FrontPage code - but should be secured.
_private | The FrontPage Server Extensions often keep sensitive data files in this folder, so it should be secured to prevent browsing.
_vti_bin | This is the virtual directory for the FrontPage Server Extensions executables. This path is configured to allow executables to function, and since we are migrating sites to WebDAV it should be secured to prevent browsing.
_vti_cnf | The FrontPage Server Extensions keep sensitive metadata files in this folder, so it should be deleted or secured to prevent browsing.
_vti_log | The FrontPage Server Extensions keep author logs in this folder, so it should be deleted or secured to prevent browsing.
_vti_pvt | This folder holds several files that contain various metadata for your website, and should be secured.
_vti_txt | This folder contains the text indices and catalogs for the older FrontPage WAIS search. Since later versions of FrontPage only used Index Server, it is safe to delete this folder, but at the very least it should be secured to prevent browsing.
fpdb | FrontPage keeps databases in this folder, so it should be secured to prevent browsing.
One of the actions that I usually take on my servers is to lock down all of these folders for my entire server using Request Filtering. To do so, open a command prompt and enter the following commands:
cd %WinDir%\System32\inetsrv
appcmd.exe set config -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='_vti_cnf']" /commit:apphost
appcmd.exe set config -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='_fpclass']" /commit:apphost
appcmd.exe set config -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='_private']" /commit:apphost
appcmd.exe set config -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='_vti_log']" /commit:apphost
appcmd.exe set config -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='_vti_pvt']" /commit:apphost
appcmd.exe set config -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='_vti_txt']" /commit:apphost
appcmd.exe set config -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='fpdb']" /commit:apphost
Note: You should only enter the following commands if you are sure that you will not be using FPSE anywhere on your server!
cd %WinDir%\System32\inetsrv
appcmd.exe set config -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='_vti_bin']" /commit:apphost
These settings will prevent any of the FPSE-related paths from being viewed over HTTP from a web browser; web clients will receive an HTTP Error 404.8 - Not Found message when they attempt to access those paths. But that being said - when you enable WebDAV for a website by using the Internet Information Services (IIS) Manager, it will configure the Request Filtering settings that enable WebDAV clients to access those paths through WebDAV requests, even though access from a web browser is still blocked. (All of this is made possible through the built-in integration between WebDAV and Request Filtering.)
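As an added check that is not part of the original post, the following Python script parses a constructed applicationHost.config fragment, reports which of the FPSE folders from the table above are not yet listed under hiddenSegments, and models how the hidden-segment rule compares each path segment case-insensitively so that a request such as /_vti_cnf/index.htm gets the 404.8 response. The config fragment, the request paths and the percent-decoding step are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# FPSE folders from the table above; _vti_bin is kept separate because the
# post only hides it when FPSE is not used anywhere on the server.
FPSE_SEGMENTS = {"_fpclass", "_private", "_vti_cnf", "_vti_log",
                 "_vti_pvt", "_vti_txt", "fpdb"}
FPSE_BIN_SEGMENT = "_vti_bin"

# Constructed applicationHost.config fragment: a few IIS defaults plus three
# of the seven FPSE folders, as if only some of the appcmd commands had run.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="web.config" />
          <add segment="bin" />
          <add segment="App_Data" />
          <add segment="_vti_cnf" />
          <add segment="_private" />
          <add segment="fpdb" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

def hidden_segments(config_xml):
    """Hidden segments declared in the fragment, lower-cased because IIS
    compares segments without regard to case."""
    root = ET.fromstring(config_xml)
    node = root.find(".//requestFiltering/hiddenSegments")
    if node is None:
        return set()
    return {add.get("segment", "").lower() for add in node.findall("add")}

def missing_fpse_segments(config_xml, include_vti_bin=False):
    """FPSE folders the server does not hide yet, sorted for stable output."""
    required = set(FPSE_SEGMENTS)
    if include_vti_bin:
        required.add(FPSE_BIN_SEGMENT)
    return sorted(required - hidden_segments(config_xml))

def is_blocked(url_path, segments):
    """Model of the hidden-segment rule: the request is rejected (404.8) when
    any path segment equals a hidden segment, regardless of case. Decoding
    percent-escapes first is a simplification of IIS's URL normalization."""
    path = unquote(urlsplit(url_path).path)
    return any(part.lower() in segments for part in path.split("/") if part)

if __name__ == "__main__":
    hidden = hidden_segments(SAMPLE_CONFIG)
    print("Still exposed:", missing_fpse_segments(SAMPLE_CONFIG, include_vti_bin=True))
    for url in ("/_vti_cnf/index.htm", "/docs/_PRIVATE/", "/_vti_pvt/info.txt", "/_vti_cnfx/a"):
        print(f"{url:24} -> {'404.8' if is_blocked(url, hidden) else 'served'}")
```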
In part 4 of this blog series I discussed why I like to set up two websites when using WebDAV; as a quick review, here is the general idea for that environment:
There is a list of several reasons in that blog post why using two sites that point to the same content can be beneficial, and I won't bother quoting that list in this blog post - you can view that information by looking at that post.
But that being said, one of the items that I mentioned in that list was using separate application pools for each website. For example:
This configuration helps alleviate problems caused by uploading invalid Web.config files that might otherwise prevent HTTP access to your website. By way of explanation, the WebDAV module attempts to validate Web.config files when they are uploaded over WebDAV; this is done to try to prevent crashing the HTTP functionality for a website and being unable to fix it. Here's what I mean by that: IIS 7 allows configuration settings to be delegated to Web.config files, but if there is a mistake in a Web.config file, IIS 7 will return an HTTP Error 500.19 - Internal Server Error message for all HTTP requests. Since WebDAV is HTTP-based, that means that you won't be able to fix the problem over WebDAV. (If the WebDAV module didn't perform any validation, your website would become unusable and unrepairable if you had uploaded the bad Web.config file over WebDAV.) To help alleviate this, the WebDAV module performs a simple validation check to prevent uploading invalid Web.config files. But if you save an invalid Web.config file through some other means, like the local file system or over FTP, then you will have no way to repair the situation through WebDAV.
This leads us back to the idea that you can implement when you are using two websites - you can configure the application pool for the WebDAV-enabled website to ignore delegated configuration settings; so it doesn't matter if you have an invalid Web.config file - you will always be able to fix the problem over WebDAV. To configure an application pool to ignore delegated configuration settings, open a command prompt and enter the following commands:
cd %WinDir%\System32\inetsrv
appcmd.exe set config -section:system.applicationHost/applicationPools /[name='authoring.example.com'].enableConfigurationOverride:"False" /commit:apphost
Note: you need to replace the authoring.example.com value in that example with the name for your website, such as "Default Web Site," etc.
When you have two websites configured in this example and you have an invalid Web.config file that is causing the HTTP 500 error for the www.example.com website, you can still connect to authoring.example.com via WebDAV and fix the problem.
For additional information on the concepts that were discussed in this blog, see the following topics:
I hope this helps.
Note: This blog was originally posted at http://blogs.msdn.com/robert_mcmurray/
31 January 2011 • by Bob • IIS
Many years ago I wrote a series of instructions that used dozens of screenshots in order to show my coworkers how to set up and enable Secure Sockets Layer (SSL) communications in IIS 5, which I eventually turned into a blog series on one of my personal blog sites. A few years later I wrote a sequel to that series of instructions for my coworkers, and I wanted to turn that into a series of walkthroughs on the IIS.net website. Some time ago I proposed the idea to Pete Harris, who was in charge of IIS.net at the time, but then I changed jobs and we scrapped the idea. We followed up on the idea a short time ago, but we just couldn't find a place where it made sense to host it on IIS.net, so Pete suggested that I turn it into another blog series. With that in mind, over a series of several blog entries I will show how to configure SSL on IIS 6.
Note: This first post will leverage a lot of the content from the overview that I wrote for my IIS 5 blog series, but subsequent posts will reflect the changes in IIS 6.
Much like IIS 5, setting up SSL on IIS 6 is pretty simple. SSL is a Public Key/Private Key technology, and setting up SSL is essentially obtaining a Public Key from a trusted organization. The basic process for working with SSL is reduced to the following actions:
While not necessary, installing certificate services on your computer is helpful when troubleshooting SSL issues, and I'll discuss that later in this blog series.
This is a series of steps that need to be performed on the web server, and they differ widely depending on the server and version. A web administrator is required to enter information about their organization, their locality, etc. This information will be used to validate the requester.
This is when a web administrator submits their request for a certificate to a Certificate Authority (CA), which is a trusted organization like VeriSign or Thawte. For a list of trusted organizations, see the following section in Internet Explorer.
You can choose to trust a new CA by obtaining the Root Certificate from the CA. (I'll post an Obtaining a Root Certificate blog with more information later.)
After a request has been processed by a CA, the web administrator needs to install the certificate on the web server. Once again, this series of steps needs to be performed on the web server, and the steps differ depending on the web server and version.
In future blogs I'll go through the steps for creating certificate requests, obtaining certificates from a CA, and installing certificates. Following that, I'll discuss setting up a CA for testing SSL in your environment.
Note: This blog was originally posted at http://blogs.msdn.com/robert_mcmurray/
30 January 2011 • by Bob • Military
Today's contribution marks the 7th installment in my series about the 511th MI Company's misadventures, which I collected during my tenure there from 1988 through 1991. This list was composed by the EW2 platoon during the ARTEP of 1991 - I believe it was in April - which we dubbed "Operation Pogo Stick." This name seemed apropos because of the considerable frequency that the EW platoons were required to jump sites, for no apparent reason other than the sheer fun of watching the level of aggravation that it caused. I think that this was the last deployment that I went on with the 511th; shortly after the ARTEP had ended, DeGrood and I got our orders to PCS back to the states, and everyone else got orders to Kuwait.
Things we learned during ARTEP '91
In another strange turn of events, after I PCS'd to Fort Huachuca, I met the guy that made those 2-minute intercept to 2-hour static tapes that we mentioned in item #38 of the list, and I wound up working with him. (And just to satisfy anyone's curiosity - yes, he made those on purpose. He was a nice guy, but he had a wicked sense of humor.) Later on, I was asked to create intercept tapes for the MI officer school at Fort Huachuca, and I followed his lead by creating tapes that sounded like HF traffic - with hours and hours of radio printers, static, and Morse code transmissions stomping on top of the voice messages. (FYI - The officers hated these tapes - mission accomplished.) But here's a quick behind-the-scenes trivia fact: I didn't actually record any actual radio printer or Morse code transmissions from HF frequencies - I created them on my computer. Most radio printer traffic is simple Frequency Shift Key transmissions, so I wrote some algorithms that would allow me to enter a text string into my computer, which would be converted to binary, and then encoded into an audio stream based on a baud rate and space/mark frequencies that I picked. When I was done - they sounded identical to the real thing. So what did all of those ear-splitting radio printer messages actually say if you plugged them into a computer? Things like, "I hate the Army," "I can't wait to ETS," etc. Yes - even then I was a geek.
IHateTheArmy.mp3 (76.73 kb) "I Hate The Army" Frequency Shift Key (FSK) Sample
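The text-to-FSK-audio idea described above, as an added example that is not the code behind the original tapes: a small Python modulator and non-coherent demodulator with constructed parameters (8 kHz sample rate, 50 baud, 2100/2300 Hz mark/space tones, 8 bits per character with no start/stop bits), plus a noise step that stands in for the static layered over the voice messages.

```python
import math
import random

# Constructed parameters: the post says only that a baud rate and mark/space
# frequencies were picked, so these values are assumptions for the example.
SAMPLE_RATE = 8000               # audio samples per second
BAUD = 50                        # bits per second
MARK_HZ, SPACE_HZ = 2100, 2300   # tone for a 1 bit, tone for a 0 bit
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 160 samples per bit

def text_to_bits(text):
    """8 bits per ASCII character, most significant bit first."""
    return [(byte >> i) & 1 for byte in text.encode("ascii") for i in range(7, -1, -1)]

def bits_to_text(bits):
    chars = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        chars.append(chr(value))
    return "".join(chars)

def fsk_modulate(bits):
    """Continuous-phase FSK: the phase carries across bit boundaries so the
    tone switches without clicks, as a real teleprinter modulator does."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples

def tone_energy(window, freq):
    """Energy of one tone in a window: squared magnitude of the correlation
    with a complex sinusoid, which does not depend on the tone's phase."""
    re = im = 0.0
    for n, s in enumerate(window):
        angle = 2 * math.pi * freq * n / SAMPLE_RATE
        re += s * math.cos(angle)
        im += s * math.sin(angle)
    return re * re + im * im

def fsk_demodulate(samples):
    """Non-coherent detector: per bit period, the tone with more energy wins
    (the decoder is assumed to already know where each bit starts)."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if tone_energy(window, MARK_HZ) > tone_energy(window, SPACE_HZ) else 0)
    return bits

def round_trip(text, noise_amplitude=0.0, seed=1):
    """Modulate, optionally bury the tones in Gaussian 'static', demodulate."""
    rng = random.Random(seed)
    audio = fsk_modulate(text_to_bits(text))
    noisy = [s + rng.gauss(0.0, noise_amplitude) for s in audio]
    return bits_to_text(fsk_demodulate(noisy))

if __name__ == "__main__":
    print(round_trip("I hate the Army"))
    print(round_trip("I can't wait to ETS", noise_amplitude=1.0))
```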
29 January 2011 • by Bob • Military
In the 6th part of my series on the 511th MI Company, I have a short list of quotes that the ESM guys collected at Hohenfels, 1990.
Ah, CPT Quinn - everyone tried to explain to him that "break" was the proper proword to use when you had more to send over the radio, but he steadfastly refused to use anything other than "more follows." Obviously CPT Quinn was trained incorrectly when he went through MI Officer Basic. In one of those weird full circle coincidences, when I transferred to Fort Huachuca the following year, I wound up being the NCO that was in charge of training and grading the officers that were going through MI Officer Basic. I had no qualms whatsoever about telling any officer that they were a "NOGO" at my station, because I knew that these officers were going to wind up in charge of some poor MI platoon, and I couldn't put my fellow MI brethren through the embarrassment of having an officer that didn't know how to use the darn radio correctly.
1LT Innocenti and I did not get along on this field problem - although I don't think that he got along with anyone else in the EW platoons. Since 1LT Innocenti moved to GSR immediately after we returned to garrison, we only had him as a platoon leader for the combined duration of Hohenfels and Grafenwoehr, or about six weeks total, making that one of the shortest durations for a platoon leader that I saw in my eight years of military service. D.A. Morris saved my career while we were out in the field at Hohenfels when I stepped towards 1LT Innocenti with the full intention of decking him after he refused to let D.A. and me take everyone's guard duty and radio watch shifts to make up for all their hard work over the past several weeks. 1LT Innocenti claimed that he had done more work than anyone else, while in reality the only duty that he performed was running chow for us when he wasn't sleeping. What was even worse, his poor choice of words accused all of my subordinates of being lazy, while in reality they had been working nearly round-the-clock for several days. This was too much for me to take, so my right arm clenched into a fist and it would have been travelling in the direction of 1LT Innocenti's face when D.A. caught my arm and pulled me aside. I found out later that 1LT Innocenti had a black belt in karate - so I probably wouldn't have been able to land a single punch before being hauled away to prison for assaulting an officer. (Thanks D.A. for saving my life!)
I bumped into CPT Innocenti several years later when he was going through the MI Officer Advanced Course in Ft. Huachuca, where I was helping to teach MI Operations. By that time we were able to have a few laughs about our shared history with no hard feelings. (CPT Innocenti - if you ever read this, my apologies once again; I was pretty young at the time.)
Another funny story about Hohenfels in 1990 was that I was one of only a handful of people that were chosen from the 11th ACR to brief LTG Joulwan, (who was the commanding general for all of the US Army forces in Europe), about regimental operations in Hohenfels. When the general arrived, I gave him a tour of the ESM gear, showed him how it worked, explained how we conducted operations, etc. After fifteen minutes or so, LTG Joulwan asked me what I thought of his field problem. I looked him right in the eye and said, "Frankly sir, I think it sucks." At that moment, 1LT Innocenti was standing behind the general, and I watched as he put his face in his hands - probably feeling that his career had just ended. The general was momentarily taken aback, and then he asked, "Why?" So I took the next five to ten minutes or so explaining how his deployment of US forces didn't match actual enemy tactics, how their radio communications were completely dissimilar, how we were able to wreak havoc simply by ICD'ing everyone on the planet, etc. The general and I had a pretty good conversation that lasted for several minutes, and eventually we agreed to disagree on several points. Before his departure, LTG Joulwan gave me one of his custom-made USAREUR coins "in recognition of my outstanding achievements," then he got in his Humvee and drove off. CPT Quinn dropped by later and informed me that out of the hundreds of people that LTG Joulwan had met that day, I was one of only two people to whom the general had given a coin. (CPT Quinn also asked me never to do that again.) So I like to remember that I received a medal (more or less) for being one of the few people who was willing to tell a three-star general to his face that I thought his training sucked.
27 January 2011 • by Bob • Military
My 5th installment of this series about the 511th MI Company is pretty much a sequel to the 4th installment. I'm fairly certain that I had two lists in my notes because they were more than likely created during different field problems a year or so apart.
It was also a great day for the 511th when...
I should like to point out that the mistake that I made on the TRQ-32 was not opening the ventilation flap on the side of the generator. I pointed that out myself, but that didn't stop the rest of the squad from holding me down and giving me a pink belly. I believe D.A. was the overall ringleader for my punishment, but I'm sure that I had it coming. ;-]
26 January 2011 • by Bob • Military
In the 4th installment of this series about the 511th MI Company, I have a list of what we thought were great moments in 511th history. I don't know if anyone else recalls, but whenever morale was hitting a low point during a field problem - I'd pull out a pad of paper and have everyone make an obnoxious list of some sort. These lists were usually laced with a great deal of cynicism - and more often than not a great deal of profanity. So I'll have to clean these up a little before posting. ;-]
It was a great day for the 511th when...
Bryant - I'd like to apologize on behalf of Smith, Martin, and myself for stealing your clothes at Mt. Meissner. :-S
I'd also like to state - both emphatically and for the record - that I was a member of EW2 when EW1 was thrown out of the Turkish brothel. :-O
And it would be a great disservice if I didn't point out that there's no way that Cyr would have been lost in Turkey if it had not been for 2LT Gibson - the age old adage that the only thing more dangerous than a 2LT with a gun is a 2LT with a map certainly applies to that situation.
24 January 2011 • by Bob • Military
In part 3 of this series about the 511th MI Company, we'll take a look at some common quotes that were said by several members of the 511th, although this list is obviously not exhaustive. These particular phrases were compiled by members of the EW platoons during one of our field problems, although it's been so many years I don't recall which one. ;-]
For the future, I have some great lists of famous moments in 511th history, and famous quotations from Hohenfels 1990.
23 January 2011 • by Bob • Military
In part 2 of my series on the 511th MI Company, we'll take a look at some of the nicknames from the 511th that I managed to write down; although I need to stick to my disclaimer that I did not come up with these nicknames - I just took the time to write them down. ;-]
And my personal favorite:
There is one nickname that I wrote down that I didn't post here, and that was for Bill McCollum. I didn't add his nickname to this list because it might not be fit for the public. If you remember his nickname, you can smile about it now. If you don't, that'll remain a secret between the rest of us.
Who did I miss?
10/21/2014 Update - Bullseye Babbs was a 1LT who took over one of the EW platoons. He earned his nickname on one of the M-60 ranges when he failed to understand how his weapon's scopes worked, so instead of throwing rounds 1km downrange like everyone else, he was thoroughly pulverizing the ground about 5-10 feet in front of us; huge amounts of debris were being thrown into the air as everyone was screaming at him to cease fire. (It probably would have been funny if it hadn't been so dangerous.)
03/14/2018 Update - Terry Knaul dropped me a line to let me know that I had his name listed incorrectly; my apologies, and that has been fixed.
22 January 2011 • by Bob • Military
Over the 3.5 years that I spent in the Fulda Gap with the 511th MI Company, I collected and saved a lot of the stories and lists that the EW and TCAE teams put together. All of this nostalgic trivia is twenty years old now, but it still makes me laugh when I think about the people and times that it represents. Of course, this is mostly a collection of inside jokes with the people that were there.
So this will be part one of a series, and I should point out that I did not create this information - I just took the time to write it down. ;-]
UPDATE: While these were not entirely unique, we often used the following color-coded generic callsigns when we were on recon assignments where only one radio entity was present from each of the different platoons:
07 January 2011 • by Bob • Humor
For those of you who thought that the killer rabbit in Monty Python's "Holy Grail" was a work of fiction, I suggest that you see the top center pane in this stained glass detail from the West Rose Window of Notre Dame in Paris. Apparently brutal bunnies must have been an issue when the French built this cathedral, or perhaps the French will run away from anything.
(Note: Giving credit where it is due, this image is originally from the web page at La Cathédrale Notre Dame de Paris.)