How to set permissions on MS IIS 6.0 (Windows Server 2003) to allow ISAPI extension execution


This applies to A-Forum and to all other ISAPI extensions developed by APD-Soft.

Unlike earlier versions, IIS 6.0 on Windows Server 2003 prohibits all dynamic content (ISAPI extensions, CGI, ASP and the like) by default on a clean installation, through the Web Service Extensions list; a server upgraded from an earlier IIS version may have kept its previous, more permissive settings. The server administrator therefore needs to set the proper permissions in the IIS settings before the extension will run.

Note: A-Forum is an ISAPI script application, which is native for MS IIS. It has nothing to do with ASP.NET or any other type of application/extension support on the server, and does not require any such support to be enabled or installed. A bare MS IIS is quite enough, provided that permissions are set properly as described below.

If the permissions are not set properly on IIS 6.0, the server responds with an HTTP 404 ("Page not found") error regardless of the actual cause, so the browser gives no hint that the file exists but is blocked. The distinguishing detail is the substatus code: a request refused by the Web Service Extensions lockdown is logged as 404.2, whereas a genuinely missing file is 404.0. The substatus is written to the IIS log (the sc-substatus field) even though the browser only sees 404.

To set permissions:

  1. Open Internet Information Services Manager locally on the server - by typing "inetmgr" in Start/Run, or by any other known method.
  2. In Internet Information Services Manager, expand the local computer, and click on "Web Service Extensions".
  3. Right-click on "Web Service Extensions" and select "Add a new Web service extension..." in the context menu (screenshot).
  4. Enter "Aforum" (or any other name) as the extension name, and click the Add button to add the file. Click Browse and choose the physical path of the file aforum.isa, located in the cgi-bin directory on the server (see screenshot). Note: the second file, aforum26.dll, must not be added as an extension and should not appear anywhere in the settings.

    Check "Set extension status to allowed" checkbox and click OK (screenshot).

    You should now have "Aforum" extension appearing in the list of allowed extensions (screenshot).
  5. OR, as an alternative, you may allow all ISAPI extensions on the server:

    In the right pane, select "All Unknown ISAPI Extensions" and click "Allow".

    Note. This alternative is broader than step 4 and is the less secure choice: it lets any ISAPI DLL run, not only aforum.isa. An ISAPI extension is native code loaded into the IIS worker process (w3wp.exe); it is not sandboxed. It runs with the application pool's identity (Network Service by default) and, while serving a request, impersonates the authenticated or anonymous user, and within those accounts' rights it can read and write files, create threads and processes, and change the registry, exactly as asp.dll, which is itself an ISAPI extension, can. What actually limits the risk is that an extension must first be placed on the server in a directory that has execute access (as described below), so "All Unknown ISAPI Extensions" only matters once an attacker can already write a DLL into such a directory.

    In that respect it is comparable to allowing other active and scripting components. Clearing all access rights on the script directory (see below) ensures that its contents cannot be fetched, uploaded or replaced over HTTP (including WebDAV uploads); it does not restrict file shares or local logons, which NTFS permissions govern. Prefer the explicit entry from step 4 and keep "All Unknown ISAPI Extensions" prohibited unless the file cannot be registered individually.

    ISAPI extensions need no ASP.NET or other managed runtime layer, so none of those has to be installed or enabled for A-Forum. The trade-off is that a native extension gets no runtime isolation: its security rests on the correctness of its own code, in particular of its request parsing, not on the hosting layer.
  6. After aforum.isa has been allowed as an ISAPI extension on the server, the properties of the directory in which the extension file is located must also be set correctly.

    In the left pane, expand "Web Sites" to the directory where aforum.isa is located on the server, right-click on the directory, and click on Properties. See screenshot.
  7. Set the following settings in the Directory tab in the Properties (screenshot):
     
    1. "The content for this resource should come from" - select "The designated directory".
    2. Access rights:
       
      • Script source access - unchecked
      • Read - unchecked
      • Write - unchecked
      • Directory browsing - unchecked
      That is, NONE OF THOSE ACCESS RIGHTS are needed, and none are recommended for the ISAPI scripts directory.
    3. Application name: Default Application (grayed out). Do not click the "Create" button; the "Configuration" button should be disabled. If a "Remove" button appears in place of "Create", the directory has been made an application: click "Remove". There should be no application mappings of any kind set for this directory.
    4. Execute permissions: select "Scripts and Executables".
    5. Application pool: usually - DefaultAppPool (if pool settings were not customized).

  8. Open a web browser on the same or on another computer, and type:

    http://<server address>/<virtual directory path>/aforum.isa?req=1101

    If you have only one web site on the server, you may type:

    http://127.0.0.1/<virtual directory>/aforum.isa?req=1101 (on the server itself); in that case the computer does not even need to be connected to a network.

    You should see the web page generated by A-Forum application (screenshot). This would mean that aforum.isa has started successfully and settings are now OK.

  9. If the web content is on an NTFS volume (the normal case on Windows Server 2003), you may also need to correct the local access permissions for the directory where aforum.isa and aforum26.dll are located.

    Those permissions govern the creation, updating and deletion of A-Forum-specific data files on the server by the A-Forum ISAPI extension itself. Data files are created in a "data" directory under the directory where aforum.isa is located. They are created and updated under the identity of the anonymous (Internet guest) account of the web site in which this aforum.isa resides, because IIS impersonates the requesting user while an ISAPI extension handles a request. Note that IIS may run more than one web site, and each site can be configured with its own anonymous account; by default all sites share IUSR_<computer name>.

    Note that these local access permissions are not the same as the web access rights discussed above. Web access rights control what a client can do with aforum.isa over HTTP. Local access permissions control access to the local data files on the server by aforum.isa itself.

    On NTFS you need to make sure that the anonymous account associated with your web site has sufficient create/read/write/delete rights for the directory where aforum.isa is located and for all subdirectories created under it; the steps below grant them on the parent directory so that the "data" directory inherits them. For least privilege, create the "data" directory yourself, grant the write and delete entries on "data" only, and leave the directory holding aforum.isa and aforum26.dll at Read & Execute; otherwise the anonymous account can overwrite the extension binaries themselves, and a writable extension binary is a direct code execution path for anyone who obtains file-write access as that account.

    If the local file access rights are insufficient, you will get a corresponding error message generated by aforum.isa itself, shown in the user's browser in response to the request that involves creating, updating or deleting data on the server.

    To ensure sufficient local access rights, right-click on the directory where aforum.isa is located and select Permissions (screenshot).

    In the Permissions window, under the Security tab, select the Internet Guest Account used by your web site (IUSR_<computer name> by default, or the account set under the site's Directory Security / Anonymous access settings) and allow Write for this account (screenshot).

    After that, it is also necessary to add some special permissions - like deleting files. To do that, click on Advanced button, and select the following permission entry in the list:

    Internet Guest Account -- Special (screenshot)

    Click on Edit button and make sure that the following specific permissions are checked (screenshot):

    • Create Files / Write Data
    • Create Folders / Append Data
    • Write Attributes
    • Write Extended Attributes
    • Delete Subfolders and Files
    • Delete
    Also make sure that these entries are inherited by the nested directories and files under this directory: in the Advanced settings, each entry's "Apply to" column should read "This folder, subfolders and files" (the default for entries added from the Security tab). The checkbox "Allow inheritable permissions from the parent to propagate to this object and all child objects" controls what this directory inherits from its parent and should normally stay checked; to push the entries onto subdirectories and files that already exist, also check "Replace permission entries on all child objects with entries shown here that apply to child objects" (screenshot).

    Click OK in Advanced Security Settings window (screenshot) and click OK in Permissions window (screenshot).
NOTE. aforum.isa, aforum26.dll and the file name extensions .isa and .dll must NOT be registered, mapped, set or even mentioned anywhere in the settings except as described above. In particular, .isa must NOT be added as an application extension mapping (Configuration / Mappings): the file is requested directly by name, and IIS runs it as an ISAPI extension because the directory has "Scripts and Executables" permission and the file is on the allowed list.
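
The same procedure done from the command line with the administration scripts that ship with IIS 6.0, followed by the checks a practitioner would run. This is an added example and not part of APD-Soft's instructions. The site ID (1), the cgi-bin path, the IUSR_<computer name> account and the script locations are assumptions for a default installation; the "data" directory is created in advance so that write and delete rights can be granted there only, which assumes, as the instructions state, that A-Forum writes only under "data".

```batch
@echo off
setlocal
rem Assumed values for this example: one web site (metabase ID 1), the
rem extension in the "cgi-bin" virtual directory under the default web root,
rem and the default anonymous account IUSR_<computer name>. Adjust to suit.
set SITE_ID=1
set VDIR=cgi-bin
set EXT_DIR=C:\Inetpub\wwwroot\cgi-bin
set EXT_FILE=%EXT_DIR%\aforum.isa
set ANON_USER=IUSR_%COMPUTERNAME%
set IISEXT=%SystemRoot%\system32\iisext.vbs
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem Step 4: register the single file as an allowed web service extension.
rem Arguments: path, access (1 = allowed), group ID, deletable, description.
rem Only aforum.isa is listed; aforum26.dll is not registered anywhere.
cscript //nologo "%IISEXT%" /AddFile "%EXT_FILE%" 1 Aforum 1 "A-Forum"

rem Check: aforum.isa must show as Allowed, while the "All Unknown ISAPI
rem Extensions" entry (the *.dll wildcard) can stay Prohibited.
cscript //nologo "%IISEXT%" /ListFile
cscript //nologo "%ADSUTIL%" GET W3SVC/WebSvcExtRestrictionList

rem Step 7: access rights and execute permission on the directory.
rem AccessFlags is a bit mask: AccessRead=1, AccessWrite=2, AccessExecute=4,
rem AccessSource=16, AccessScript=512. "Scripts and Executables" with Read,
rem Write and Script source access all cleared is 4 + 512 = 516.
cscript //nologo "%ADSUTIL%" SET W3SVC/%SITE_ID%/ROOT/%VDIR%/AccessFlags 516
cscript //nologo "%ADSUTIL%" SET W3SVC/%SITE_ID%/ROOT/%VDIR%/EnableDirBrowsing FALSE
cscript //nologo "%ADSUTIL%" GET W3SVC/%SITE_ID%/ROOT/%VDIR%/AccessFlags

rem Step 9: NTFS permissions. The anonymous account needs only read access
rem to the extension files and modify rights where A-Forum writes its data.
rem Pre-creating "data" keeps the write/delete entries off the directory that
rem holds aforum.isa and aforum26.dll. cacls "C" (Change) equals Modify:
rem create, write, write attributes and Delete, inherited by new files and
rem subfolders, which is what the extension needs to update and remove them.
cacls "%EXT_DIR%" /E /G %ANON_USER%:R
if not exist "%EXT_DIR%\data" md "%EXT_DIR%\data"
cacls "%EXT_DIR%\data" /T /E /G %ANON_USER%:C
cacls "%EXT_DIR%\data"

rem Step 8 / troubleshooting: a 404 caused by the lockdown policy is logged
rem with substatus 2 (sc-substatus is among the IIS 6 default W3C log fields),
rem so searching for "404 2" separates it from a genuinely missing file (404 0).
findstr /C:" 404 2 " "%SystemRoot%\system32\LogFiles\W3SVC%SITE_ID%\ex*.log"
endlocal
```

Run it from an administrative command prompt on the server, then repeat the browser test from step 8; a hit from the findstr line after that test means the extension is still being refused by the Web Service Extensions list, not that the path is wrong.
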
