Using Caspol.exe to grant .NET applications rights to a remote network share


When you host a .NET application on a remote network share, you may receive a System.SecurityException exception error message or a security warning message.

The Code Access Security Policy tool (CASPOL) enables administrators to modify security policy for the machine policy level, the user policy level, and the enterprise policy level.

Caspol is used to fully trust a remote share, since by default network shares only get LocalIntranet permissions.

The solution for the System.SecurityException exception error message is to use caspol to grant a .NET application the FullTrust right to a network share. To do this:

1. Launch a command prompt with administrative credentials

2. Change to the C:\Windows\Microsoft.NET\Framework\v2.0.50727 directory.

3. Run the following command:

caspol -m -ag 1 -url "file://\\server\share\*" FullTrust -exclusive on

Replace \\server\share\ with the path to your .NET application located on the remote network share.
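As an added example (not from the original post), this PowerShell script grants FullTrust to just the application's folder rather than the whole share, verifies the resulting code group, and shows how to roll the change back; `\\server\share\MyApp` is a placeholder. Granting FullTrust with -exclusive on to an entire share means any code anyone with write access drops onto that share runs fully trusted, so the narrower URL is preferable.

```powershell
# Added example, not the original post's command: scope the FullTrust grant to
# one application folder, verify it, and keep a rollback command handy.
# Run from an elevated prompt. Paths and URLs below are placeholders.
$caspol = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\caspol.exe'
$AppUrl = 'file://\\server\share\MyApp\*'   # narrower than file://\\server\share\*

# 1. List the machine-level code groups before the change. -lg lists groups;
#    group 1 is the root All_Code group the new group is added under.
& $caspol -m -lg

# 2. Add the code group. -q suppresses the interactive confirmation so the
#    command is scriptable; -exclusive on makes FullTrust the only permission
#    set considered for code matching this URL.
& $caspol -q -m -ag 1 -url $AppUrl FullTrust -exclusive on
if ($LASTEXITCODE -ne 0) { throw "caspol failed with exit code $LASTEXITCODE" }

# 3. Verify the group now appears, then resolve what an assembly under that
#    folder would actually be granted (placeholder path).
& $caspol -m -lg
& $caspol -m -resolveperm '\\server\share\MyApp\MyApp.exe'

# Rollback: take the new group's label from the -lg output (for example 1.2.)
# and remove it with -rg.
# & $caspol -q -m -rg 1.2.
```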

Running the above command allowed me to resolve the following IIS 7.0 error:

SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed

By the way, .NET Framework 3.5 SP1 allows managed code to be launched from a network share.


Fix: The World Wide Web Publishing Service (WWW Service) did not register the URL prefix http://x.x.x.x:80/ for site 1. The site has been disabled. The data field contains the error number


System log event 1004 (Source: IIS-W3SVC). Error received when trying to start the stopped web site:

The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
 
To verify nothing else is using the x.x.x.x:80 IP address and port (which would be a different issue), launch an administrative command prompt and type:
 
netstat -ano |findstr 80
 
Verify no other process is listening on the x.x.x.x IP and port 80 (or whatever port the web site is running on). If you are running the affected web site on a port other than 80, substitute that port number in the netstat command listed above. Note that findstr 80 matches any line containing the digits 80 (port 8080, foreign addresses, PIDs), so read the Local Address column for the exact IP:port rather than trusting the filter alone. If something is listening on that IP and port when the web site is stopped, this is probably not going to fix your problem.
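As an added example (not from the original post), this PowerShell function parses netstat -ano output and reports exactly which process holds a given IP:port, so the check above does not depend on eyeballing a findstr match; it runs on Windows PowerShell 2.0 (Server 2008), and the IP address at the bottom is a placeholder.

```powershell
# Added example, not from the original post: find the process listening on a
# given IP:port from "netstat -ano" output. $Ip and $Port are placeholders.
function Find-PortListener {
    param(
        [string[]]$NetstatLines,      # raw lines from: netstat -ano
        [string]$Ip,                  # the IP address the web site is bound to
        [int]$Port = 80
    )
    $wildcards = @('0.0.0.0', '[::]')  # all-interface listeners also cover $Ip
    foreach ($line in $NetstatLines) {
        # netstat -ano TCP rows: Proto  Local Address  Foreign Address  State  PID
        if ($line -notmatch '^\s*TCP\s') { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[3] -ne 'LISTENING') { continue }
        $local = $f[1]
        $idx   = $local.LastIndexOf(':')          # IPv6 addresses contain ':' too
        $lAddr = $local.Substring(0, $idx)
        $lPort = [int]$local.Substring($idx + 1)
        if ($lPort -ne $Port) { continue }        # exact port, so 8080 is not 80
        if ($lAddr -ne $Ip -and $wildcards -notcontains $lAddr) { continue }
        $procId = [int]$f[4]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        # PID 4 is the System process; on an IIS box that is http.sys holding the
        # port on behalf of W3SVC (or WMS), which is expected while they run.
        $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
        New-Object PSObject -Property @{
            LocalAddress = $local
            PID          = $procId
            Process      = $name
        }
    }
}

# Usage: stop the affected site first, then check whether the port is still held.
Find-PortListener -NetstatLines (netstat -ano) -Ip '10.0.0.5' -Port 80 | Format-Table -AutoSize
```

An empty result with the site stopped means nothing else owns the port and the ListenOnlyList fix below is the likely answer.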
 
FIX:
 
From administrative command prompt type:
 
net stop http
 
In regedit browse to
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ListenOnlyList
 
If an IP address is listed in ListenOnlyList, change it to 0.0.0.0.
 
From administrative command prompt type:
 
net start http
 
From the Services applet, restart the World Wide Web Publishing Service.
 
Restart the affected web site by opening Server Manager > Roles > Web Server (IIS) > Internet Information Services (IIS) Manager > Your Server Name > Sites. Highlight the affected site and select Restart.
 
My issue was caused by an old, invalid IP address being specified at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ListenOnlyList. This happened because I had previously run the web site on a different IP address on this server.
 
See KB 890015 for details on the solution.

Howto: Export IIS 7.0 web server configuration


To export a backup copy of your IIS 7.0 configuration on a Windows 2008 Server:

Open Server Manager

Expand Roles – Web Server (IIS) – Internet Information Services (IIS) Manager

Highlight the web server name

From the Management category, double click Shared Configuration

Under Actions, select Export Configuration. Accept or change the default export path of C:\Windows\system32\inetsrv\config\export

Click the Connect As button, and enter administrative credentials. If the server is a domain member, you may need to enter your credentials in the format domain\username or username@domain.com

Enter the encryption key password twice and press OK.

You should now have three files in the C:\Windows\system32\inetsrv\config\export directory: administration.config, applicationHost.config, and configEncKey.key. Save the files in a safe place.

Howto: Backup IIS 7.0 web server configuration


To back up your IIS 7.0 configuration on a Windows 2008 Server, you just need to make a copy of the \windows\system32\inetsrv\config directory (and subdirectories) and save it in a safe location.

You can also use the appcmd.exe utility to create the backup via the command line. The syntax to create a backup is:

%windir%\system32\inetsrv\appcmd.exe add backup "Backup Name"

To restore the backup, the syntax is:

%windir%\system32\inetsrv\appcmd.exe restore backup "Backup Name"

To remove a backup, the syntax is:

%windir%\system32\inetsrv\appcmd.exe delete backup "Backup Name"

For additional details on appcmd.exe see Bill’s IIS blog, or check out Mike’s IIS 7.0 Server-side blog for information on backing up and restoring IIS 7.0 shared configuration.

Running Windows Media Services and IIS on the same server in Windows Server 2008


MS KB328728 describes how to run Windows Media Services and IIS on the same server in Windows 2003, but the WMSHttpSysCfg utility the KB article references does not exist on Windows 2008.

Here’s how to run both WMS and IIS on Windows 2008.

1. Install both WMS and IIS

2. Add a second IP address to the server by either configuring a second NIC or by binding a second IP address to the existing network card.

3. From a command prompt type
net stop wmserver
net stop iisadmin
net stop http

4. From a command prompt run netsh.exe. It will open a netsh> command prompt.

5. Type http and press enter. You will now have a netsh http> command prompt.

6. Type show iplisten and press enter. It should not show any IP addresses under “IP Listen” if this procedure has not been done before.

7. What you want to do now is to add the IP address that IIS websites will EXCLUSIVELY use. Type add iplisten 99.99.99.99 and press enter (where 99.99.99.99 is the IP address that IIS websites will use).

You can confirm this by repeating step #6 above.

8. From a command prompt type
net start wmserver
net start iisadmin
net start http

9. Create websites (or configure the default website) using only the IP address that was used in step #7 above.

To configure IIS, open Server Manager > Roles > Web Server (IIS) > Internet Information Services (IIS) Manager > ServerName > Sites.

Right click Default Web Site and select Edit Bindings.

Highlight the binding, press edit, and enter the IP address > OK > Close.

10. Restart the web server by typing iisreset from a command prompt.

11. Configure WMS HTTP Server Control Protocol to use the IP address THAT WAS NOT USED in step #7 above.

To configure WMS HTTP Server Control Protocol, open Server Manager > Roles > Streaming Media Services > Windows Media Services > ServerName.

Select the Properties tab, then click Control Protocol.

Right click WMS HTTP Server Control Protocol and click Disable.

Right click WMS HTTP Server Control Protocol and select Properties.

Click Allow selected IP Addresses to use this Protocol. Specify the IP address you DID NOT assign to IIS in step #7 above. Click Apply > OK.

Right-click WMS HTTP Server Control Protocol, and then click Enable.

Instructions are based on a solution posted by Wayne Coleman.

Script to securely backup and export IIS 6.0 Configuration


Last week I posted a basic script that took advantage of file encryption to securely back up the IIS metabase. Today's script builds upon it by backing up the IIS configuration and exporting it using iiscnfg.vbs.

REM delete mapping for H: if it exists
net use h: /del

REM map H: to remote server share
net use h: \\RemoteServer\backup /user:RemoteServer\user password

REM replace YouriisServerName with the name of your IIS web server
SET SERVER=YouriisServerName

REM yymmdd will be the current date, assuming the US date format "Wed 06/18/2008".
REM For example June 18 2008 will be in the format 080618
SET yymmdd=%date:~12,2%%date:~4,2%%date:~7,2%

REM replace YouriiSserverPassword with the password of an
REM administrative user on the IIS box
SET PASSWORD=YouriiSserverPassword

REM replace Administrator with an administrative user on the IIS server
SET USER=Administrator

REM replace pwd with the password that protects the exported configuration (/d);
REM the same password is required to import the export later
SET DECRYPTPWD=pwd

REM Saves configuration to C:\WINDOWS\system32\inetsrv\metabase.xml
REM iiscnfg.vbs must run under cscript.exe; wscript.exe would show dialog boxes
cscript //nologo %windir%\system32\iiscnfg.vbs /save /s %SERVER% /u %USER% /p %PASSWORD%

REM create the per-server folder on the share if it does not exist yet
if not exist H:\%SERVER% mkdir H:\%SERVER%

REM export IIS Configuration to date.metabase.xml file
REM The following command should be on one line
cscript //nologo %windir%\system32\iiscnfg.vbs /export /s %SERVER% /u %USER% /p %PASSWORD% /d %DECRYPTPWD% /f H:\%SERVER%\%yymmdd%.metabase.xml /sp / /children

REM drop the mapping so the backup share is not left connected
net use h: /del

Now, for the secure part. We need to encrypt the bkupmeta.bat file so that not just anyone can read its contents. That would be a bad thing, since we have our passwords saved in the script.

To encrypt the bkupmeta.bat file:

In Windows Explorer right click on the bkupmeta.bat file
Select Properties
Select Advanced
Check the Encrypt Contents to Secure Data check box, then click OK and Apply
Select Encrypt the File Only

While you're at it, double check the bkupmeta.bat file's NTFS permissions to make sure only the appropriate administrative user has access to the file. You should also verify the %windir%\system32\inetsrv\metaback\ directory has the appropriate permissions, even though it's secured by default.

Finally, create a scheduled task that runs bkupmeta.bat whenever you'd like. Verify the backups are occurring by checking for the MD* and SC* files on the remote server.

This script was modified from one found in Chapter 9 of "IIS 6.0 Administration Scripts, Tips, and Tricks".