Internet Information Server 7.x

Prerequisites

Prerequisite: Control Panel Server
The server component of the control panel must be deployed on the web server. If multiple web servers are available, an additional server component can be deployed and specified as the redundant server within the server configuration. Both server deployments should preferably use the same AD account for their application pools and must have the same password defined for the communication with the enterprise server component. The AD account used must be a member of Domain Admins, since it will create users as well.

Prerequisite: Webserver
The web servers store their content within the hosting spaces. It is therefore important that the web servers themselves have write access within the hosting space in order to store their log files. The domain WSP_IUSRS group is to be added to the local IIS_IUSRS group on each web hosting server after the first site has been created.

Prerequisite: Add-ons
The web hosting component is rich in functionality but relies on various add-ons such as web deployment, IIS database administration, etc. These add-ons must be installed on the web server in order to use them:

IIS Management Services
IIS Modules
Web Deploy v3
IIS Database Manager

Service Configuration

Active Directory Settings

  Security Mode: Create Active Directory Accounts
  Root Domain: Specify here the fully qualified domain name of the domain where the user objects will reside, e.g. hosting.local

Internet Information Services Settings

Select the following provider: “Internet Information Services 7.0” from the “Web Sites” group.

Server Settings

  Web Service Settings
    Web Sites, Shared IP Addresses: Either choose "All Unassigned" or register an IP address within the address collection. In the case of a web farm with a shared configuration, register the virtual address.
    Web Users Group Name: WSP_IUSRS. This is a local group created on the web servers.
    Automatically allocate "dedicated" IP addresses on space creation

  Web Publishing Settings
    Publishing via Web Deploy: Web publishing enables your customers to publish content to their web sites through the Web Deploy publishing protocol, which is supported in modern web development tools such as WebMatrix and Visual Studio .NET 2010.
    Repair publishing settings

  ASP.NET
    ASP.NET 1.1:
    ASP.NET 2.0 32-bit:
    ASP.NET 2.0 64-bit:
    ASP.NET 4.0:
    ASP.NET 4.0 64-bit:

  Application Pools
    ASP.NET 1.1: ASP.NET 1.1
    ASP.NET 2.0 Classic: ASP.NET 2.0 (Classic)
    ASP.NET 2.0 Integrated: ASP.NET 2.0 (Integrated)
    ASP.NET 4.0 Classic: ASP.NET 4.0 (Classic)
    ASP.NET 4.0 Integrated: ASP.NET 4.0 (Integrated)
    ASP.NET Mode (2.0/4.0): 32 or 64

  Microsoft Web Application Gallery
    Gallery feed URL: You can override the default Web App Gallery ATOM feed hosted on the Microsoft web site with your own, to provide your own applications to your customers. Leave this field blank to use the default feed.
    Gallery feed filter:

  Web Extensions
    ASP Library Path: %windir%\system32\inetsrv\asp.dll
    PHP 4.x Executable Path: %PROGRAMFILES%\PHP\php.exe
    PHP 5.x Executable Path: %PROGRAMFILES%\PHP\php-cgi.exe
    Perl Executable Path: %SYSTEMDRIVE%\Perl\bin\PerlEx30.dll

  Web Management Service
    Service URL: e.g. webmgt.hosting.com
    Service Port: 8172 (default)
    Credentials Mode: Windows Credentials
    NETBIOS Domain name: e.g. HOSTING

  ColdFusion
    ColdFusion Path: C:\ColdFusion9\runtime\lib\wsconfig\jrun_iis6.dll
    Scripts Directory: C:\Inetpub\wwwroot\CFIDE
    Flash Remoting Directory: C:\ColdFusion9\runtime\lib\wsconfig\1

  Secure Folders
    Module Assembly: WebsitePanel.IIsModules.SecureFolders, WebsitePanel.IIsModules, Version=1.0.0.0, Culture=Neutral, PublicKeyToken=37f9c58a0aa32ff0
    AuthUserFile Name: .htpasswd
    AuthGroupFile Name: .htgroup

  .htaccess
    The Helicon Ape product provides .htaccess and .htpasswd file support on IIS 7+ and includes all major Apache modules.

  Other Settings
    Shared SSL Web Sites:

  Active Directory Integration
    Users OU (Optional): WebHostingUsers
    Groups OU (Optional): WebHostingGroups


Setting your Global DNS Records Properly for WebsitePanel

Please follow the instructions at this page to understand the required Global DNS Settings for the IIS Service

Making the required changes to your IIS Service Global DNS Records to Support WebsitePanel 2.0

IIS Hardening and Configuration

Set the default .NET trust level to a reduced medium trust, with EnvironmentPermission and PrintingPermission removed and OleDbPermission added, as follows.

Within the following directories:

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config
  1. Copy web_mediumtrust.config to cust_web_mediumtrust.config
  2. For .NET 2.0 ONLY
    Edit cust_web_mediumtrust.config and add the line:

    <SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  3. For .NET 4.0 ONLY
    Edit cust_web_mediumtrust.config and add the line:

    <SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  4. For both .NET 2.0 and .NET 4.0
    1. Comment out:
      EnvironmentPermission
      and
      PrintingPermission
    2. Add the following to the PermissionSet element:
      <IPermission class="OleDbPermission" version="1" Unrestricted="true"/>
    3. Edit the WebPermission so that the ConnectAccess element is removed and Unrestricted is set to true, as shown in the following example:
      Before:
      <IPermission class="WebPermission" version="1">
       <ConnectAccess>
         <URI uri="$OriginHost$"/>
       </ConnectAccess>
      </IPermission>

      After:
      <IPermission class="WebPermission" version="1" Unrestricted="true"/>
  5. For both .NET 2.0 and .NET 4.0, modify your web.config files
    1. Add the following element to <system.web><securityPolicy>:
      <trustLevel name="Custom" policyFile="cust_web_mediumtrust.config" />
    2. Set allowOverride to false:
      <location allowOverride="false">
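As an added example, not code from the original page or from the WebsitePanel project, the following PowerShell script carries out steps 1 to 4 above for one framework CONFIG directory and then reads the result back to confirm that every edit is present, so that a wrong trust file is caught before it is referenced from web.config. It assumes the stock layout of web_mediumtrust.config (SecurityClass entries under a SecurityClasses element, and the ASP.NET permission set being the one that carries AspNetHostingPermission); the $ConfigDir default and the $Framework parameter are illustrative choices, and step 5 (the web.config edit) is still done by hand as described above.

```powershell
# Added example: builds cust_web_mediumtrust.config from the stock
# web_mediumtrust.config in one CONFIG directory and applies the edits from
# steps 1 to 4. $ConfigDir / $Framework are illustrative parameters.
param(
    [string]$ConfigDir = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config",
    [ValidateSet("2.0", "4.0")][string]$Framework = "4.0"
)

function Test-CustomTrustPolicy {
    # Reads a policy file back and reports whether each required edit is present.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $set = $doc.SelectSingleNode("//PermissionSet[IPermission/@class='AspNetHostingPermission']")
    $classes = @($set.SelectNodes("IPermission") | ForEach-Object { $_.GetAttribute("class") })
    $web = $set.SelectSingleNode("IPermission[@class='WebPermission']")
    [pscustomobject]@{
        Path               = $Path
        OleDbClassDeclared = [bool]$doc.SelectSingleNode("//SecurityClasses/SecurityClass[@Name='OleDbPermission']")
        EnvironmentRemoved = ($classes -notcontains "EnvironmentPermission")
        PrintingRemoved    = ($classes -notcontains "PrintingPermission")
        OleDbGranted       = ($classes -contains "OleDbPermission")
        WebUnrestricted    = [bool]($web -and $web.GetAttribute("Unrestricted") -eq "true" -and -not $web.HasChildNodes)
    }
}

$src = Join-Path $ConfigDir "web_mediumtrust.config"
$dst = Join-Path $ConfigDir "cust_web_mediumtrust.config"
Copy-Item -Path $src -Destination $dst -Force                      # step 1

[xml]$xml = Get-Content -Path $dst -Raw

# Steps 2/3: declare the OleDbPermission security class for the matching System.Data version.
$dataVersion = if ($Framework -eq "2.0") { "2.0.0.0" } else { "4.0.0.0" }
$classes = $xml.SelectSingleNode("//SecurityClasses")
if (-not $classes.SelectSingleNode("SecurityClass[@Name='OleDbPermission']")) {
    $sc = $xml.CreateElement("SecurityClass")
    $sc.SetAttribute("Name", "OleDbPermission")
    $sc.SetAttribute("Description", "System.Data.OleDb.OleDbPermission, System.Data, Version=$dataVersion, Culture=neutral, PublicKeyToken=b77a5c561934e089")
    [void]$classes.AppendChild($sc)
}

# Step 4 works on the permission set that ASP.NET grants to medium-trust applications.
$aspNet = $xml.SelectSingleNode("//PermissionSet[IPermission/@class='AspNetHostingPermission']")

# 4.1: comment out EnvironmentPermission and PrintingPermission (kept visible for later review).
foreach ($name in "EnvironmentPermission", "PrintingPermission") {
    $perm = $aspNet.SelectSingleNode("IPermission[@class='$name']")
    if ($perm) {
        [void]$aspNet.ReplaceChild($xml.CreateComment(" " + $perm.OuterXml + " "), $perm)
    }
}

# 4.2: grant OleDbPermission.
if (-not $aspNet.SelectSingleNode("IPermission[@class='OleDbPermission']")) {
    $ole = $xml.CreateElement("IPermission")
    $ole.SetAttribute("class", "OleDbPermission")
    $ole.SetAttribute("version", "1")
    $ole.SetAttribute("Unrestricted", "true")
    [void]$aspNet.AppendChild($ole)
}

# 4.3: replace the ConnectAccess-limited WebPermission with an unrestricted one.
$web = $aspNet.SelectSingleNode("IPermission[@class='WebPermission']")
if ($web) {
    $web.RemoveAll()                       # drops the ConnectAccess child and the attributes
    $web.SetAttribute("class", "WebPermission")
    $web.SetAttribute("version", "1")
    $web.SetAttribute("Unrestricted", "true")
}

$xml.Save($dst)
Test-CustomTrustPolicy -Path $dst          # every flag should read True before step 5
```

Run it once per CONFIG directory listed above, passing -Framework "2.0" for the two v2.0.50727 directories. The removed permissions are left behind as XML comments rather than deleted, so a later reviewer can still see what the stock file granted and what this hardening took away.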

Set the remote file location to full trust on each web server as necessary.

Issue the following commands on each web server:

  • %windir%\Microsoft.NET\Framework\v2.0.50727\caspol -m -ag 1. -url "file://\\<filesrv>\HostingSpaces\*" FullTrust
  • %windir%\Microsoft.NET\Framework\v4.0.30319\caspol -m -ag 1. -url "file://\\<filesrv>\HostingSpaces\*" FullTrust

Hide drives through group policy on the webservers:

Use the group policy editor to create a new group policy that is applied to all servers running the WebHosting IIS services:

User Configuration -> Administrative Templates -> Windows Components ->
Windows Explorer -> Hide these specific drives in My Computer ->
Restrict All Drives

Deny access to all unused local volumes

Modify the file permissions to deny the domain WSP_IUSRS group access to all volumes that are not used by the WebHosting IIS services.

Deny access to executables on operating system partition

You need to adjust permissions and deny access to IIS_IUSRS on the following files:

  • C:\Windows\System32\*.exe
  • C:\Windows\Syswow64\*.exe

From the command line, type the following:

takeown /F c:\windows\system32\*.exe
takeown /F c:\windows\syswow64\*.exe
cacls c:\windows\system32\*.exe /E /D IIS_IUSRS
cacls c:\windows\syswow64\*.exe /E /D IIS_IUSRS
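As an added example that is not part of the original page or of WebsitePanel, the following PowerShell script applies both of the deny steps above (the unused-volume deny for WSP_IUSRS and the system executable deny for IIS_IUSRS) with takeown and icacls, the supported successor of cacls, and then audits the resulting ACLs with Get-Acl so the change is verified rather than assumed. The unused-volume list (D:\, E:\) and the HOSTING NETBIOS domain name are constructed assumptions; Get-PathsWithoutDeny is a helper written for this example.

```powershell
# Added example: applies the deny rules from the two hardening steps above with
# takeown/icacls and then audits the ACLs with Get-Acl. The volume list and the
# HOSTING domain name are constructed assumptions for this example.
#Requires -RunAsAdministrator

$DomainNetbios  = "HOSTING"                 # assumption: NETBIOS domain name from the provider settings
$UnusedVolumes  = @("D:\", "E:\")           # assumption: volumes not used by the hosting services
$SystemExeGlobs = @("C:\Windows\System32\*.exe", "C:\Windows\SysWOW64\*.exe")

# Audit helper: returns every path that still lacks a Deny ACE for the given group.
# An empty result means the deny has been applied everywhere it was expected.
function Get-PathsWithoutDeny {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$Identity   # group name without domain prefix, e.g. IIS_IUSRS
    )
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        $hasDeny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value.Split('\')[-1] -eq $Identity
        }
        if (-not $hasDeny) { $p }
    }
}

# 1. Deny the domain WSP_IUSRS group all access on volumes the hosting service does not use.
#    (OI)(CI) make the deny inherit to files and folders created later.
foreach ($vol in $UnusedVolumes) {
    & icacls.exe $vol /deny "$DomainNetbios\WSP_IUSRS:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $vol (exit $LASTEXITCODE)" }
}

# 2. System executables are owned by TrustedInstaller, so take ownership first
#    (as the takeown commands above do), then deny IIS_IUSRS.
foreach ($glob in $SystemExeGlobs) {
    & takeown.exe /F $glob | Out-Null
    & icacls.exe $glob /deny "IIS_IUSRS:F" | Out-Null
}

# 3. Verify instead of assuming: list anything the deny did not reach.
$exes = Get-ChildItem -Path "C:\Windows\System32", "C:\Windows\SysWOW64" -Filter "*.exe" -File |
        Select-Object -ExpandProperty FullName
$missingExe = @(Get-PathsWithoutDeny -Path $exes -Identity "IIS_IUSRS")
$missingVol = @(Get-PathsWithoutDeny -Path $UnusedVolumes -Identity "WSP_IUSRS")

"{0} executables checked, {1} still without a deny ACE for IIS_IUSRS" -f $exes.Count, $missingExe.Count
$missingExe | Select-Object -First 10
"{0} of {1} volumes still without a deny ACE for WSP_IUSRS" -f $missingVol.Count, $UnusedVolumes.Count
```

Windows updates that replace system binaries restore their default ACLs, so the audit part of the script (step 3) is worth re-running after patching; a non-zero count there means the deny has silently disappeared from new copies of the executables.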