How to configure the IIS Lockdown Tool and the URLScan security tool on a computer that is running Microsoft Project Server or Microsoft Project Central (316398)


The information in this article applies to:

  • Microsoft Office Project Server 2003
  • Microsoft Project Server 2002
  • Microsoft Project 2000
This article was previously published under Q316398
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SUMMARY

This article contains information about how to configure the Microsoft Internet Information Services (IIS) Lockdown Tool and how to configure the URLScan security tool on a computer that is running Microsoft Project Server or Microsoft Project Central. This article describes how to configure the tool so that Microsoft Project Server features and Microsoft Project Central features are not disabled when you configure the Web server.

INTRODUCTION

This article describes how to configure the Microsoft Internet Information Services (IIS) Lockdown Tool and the URLScan security tool on a computer that is running Microsoft Project Server or Microsoft Project Central. This article contains information about how to configure the IIS Lockdown Tool or the URLSCAN Security Tool so that features of Microsoft Project Server and Microsoft Project Central are not disabled when you use the tools to configure the Web server.

If the IISLockdown Tool or the URLScan security tool is not configured correctly on the server, you may experience issues when you try to connect to Microsoft Project Server or to Microsoft Project Central. For example, when you try to connect to Microsoft Office Project Server 2003 after the URLScan Security tool is installed on the server, you may receive the following error message:
The page cannot be displayed

HTTP 404 - File not found
Internet Explorer


Important The IIS Lockdown Tool can significantly affect how your Web server and Web sites work. Before you deploy the IIS Lockdown Tool in a production environment, make sure that you test your configuration in a secure test environment.

MORE INFORMATION

Configure the IIS Lockdown Tool for Microsoft Project Server and for Microsoft Project Central

You can use the IIS Lockdown Tool to create and apply security templates that restrict access to IIS. Use the IIS Lockdown Tool on a computer that is running IIS 5.0 or IIS 4.0. You cannot use the IIS Lockdown Tool on a computer that is running IIS 6.0.

For more information about how to obtain the IIS Lockdown Tool, click the following article number to view the article in the Microsoft Knowledge Base:

325864 How to install and use the IIS Lockdown Wizard

Use the IIS Lockdown Tool to help secure IIS on a computer that is running Microsoft Project Central

To use the IIS Lockdown Tool to help secure IIS on a computer that is running Microsoft Project Central. To do this, follow these steps:
  1. Double-click the IISlockd.exe file to start the IIS Lockdown Tool.
  2. Click Next on the Welcome to Internet Information Services Lockdown Wizard page.
  3. Read the End User License Agreement (EULA), and if you agree, click I Agree, and then click Next.
  4. On the Select Server Template page, click Dynamic Web server (ASP enabled), click to select the View template settings check box, and then click Next.
  5. On the Internet Services page, verify that the Web service (HTTP) check box is selected, and then click Next.
  6. On the Script Maps page, verify that the Active Server Pages (.asp) check box is cleared, click to select the Internet Printing (.printer) check box, and then click Next.
  7. On the Additional Security page, click to clear the MSADC check box, and then click Next.
  8. On the URLScan page, verify that the Install URLScan filter on the server check box is selected, and then click Next.
  9. In the Ready to Apply Settings dialog box, review the settings that are displayed under Selected Changes, and then click Next.

    The changes that you specify are applied.
  10. On the Applying Security Settings page, click View Report if you want to view or save the report, and then click Next.
  11. Click Finish.

Use the IIS Lockdown Tool to help secure IIS on a computer that is running Microsoft Project Server 2002

To use the IIS Lockdown Tool to help secure IIS on a computer that is running Microsoft Project Server 2002, configure the IIS Lockdown Tool. To do this, follow these steps:
  1. Double-click the IISlockd.exe to start the IIS Lockdown Tool.
  2. Click Next on the Welcome to Internet Information Services Lockdown Wizard page.
  3. Read the End User License Agreement (EULA), and if you agree, click I Agree, and then click Next.
  4. On the Select Server Template page, click Dynamic Web server (ASP enabled), and then click to select the View template settings check box.
  5. On the Internet Services page, verify that the Web service (HTTP) check box and that the E-mail service (SMTP) check box are selected, and then click Next.
  6. On the Script Maps page, verify that the Active Server Pages (.asp)check box and the Index Server Web Interface (.idq, .htw, .ida) check boxes are cleared, click to select the Internet Printing (.printer) check box, and then click Next.
  7. On the Additional Security page, click to clear the MSADC check box and the Writing to content directories check box, and then click Next.
  8. On the URLScan page, verify that the Install URLScan filter on the server check box is selected, and then click Next.
  9. On the Ready to Apply Settings page, review the settings that are displayed under Selected Changes, and then click Next.

    The IIS Lockdown Tool applies the changes that you specify.
  10. On the Applying Security Settings page, click View Report if you want to view or save the report, and then click Next.
  11. Click Finish.

Use the IIS Lockdown Tool to help secure IIS on a computer that is running Project Server 2003

To use the IIS Lockdown Tool to help secure IIS on a Microsoft Windows 2000 Server-based computer that is running Microsoft Office Project Server 2003, configure the IIS Lockdown Tool. To do this, follow these steps:
  1. Double-click the IISlockd.exe to start the IIS Lockdown Tool.
  2. Click Next on the Welcome to Internet Information Services Lockdown Wizard page.
  3. Read the End User License Agreement (EULA). If you agree, click I Agree, and then click Next.
  4. On the Select Server Template page, click Dynamic Web server (ASP enabled), and then click to select the View template settings check box.
  5. On the Internet Services page, verify that the Web service (HTTP) check box and that the E-mail service (SMTP) check box are selected. Then, click Next.
  6. On the Script Maps page, verify that the Active Server Pages (.asp) check box and the Index Server Web Interface (.idq, .htw, .ida) check boxes are cleared. Click to select the Internet printing (.printer) check box, and then click Next.
  7. On the Additional Security page, click to clear the MSADC check box and the Writing to content directories check box. Then, click Next.
  8. On the URLScan page, verify that the Install URLScan filter on the server check box is selected, and then click Next.
  9. On the Ready to Apply Settings page, review the settings that are displayed under Selected changes, and then click Next.

    The IIS Lockdown Tool applies the changes that you specify.
  10. On the Applying Security Settings page, click View Report if you want to view or save the report, and then click Next.
You are no longer required to enable the ASPEnableParentPaths attribute in Project Server 2003. To enhance the security for the Microsoft Project Central virtual directory, disable the Enable parent paths option for the Microsoft Project Central virtual directory. To do this, follow these steps:
  1. Locate the Microsoft Project Central folder in the Microsoft Internet Information Services (IIS) Management Console.
  2. Right-click the Microsoft Project Central folder, and then click Properties.
  3. On the Directory tab, click Configuration, and then click the App Options tab.
  4. Click to clear the Enable parent paths check box.

Configure the URLScan.ini file for on a computer that is running Microsoft Project Server 2002 or Microsoft Project Central

Administrators can use the URLScan security tool to help secure their Web servers. The URLScan security tool is an Internet Server API (ISAPI) filter that is installed in IIS and screens all incoming requests to the server. The URLScan security tool filters these requests based on rules that the administrator sets in the URLScan.ini file.

Note We recommend that only experienced Web server administrators use this tool. You can configure the filters in a way that can interfere with typical Web site operation.

For more information about how to obtain and use URLScan security tool, click the following article number to view the article in the Microsoft Knowledge Base:

307608 Using URLScan on IIS

To prevent the risk of restricting access to the Microsoft Project Server Web site or to the Microsoft Project Central Web site, configure URLScan.ini file. To do this:
  1. Configure the URLScan ISAPI filter to allow for dots (".") in the URL path. To do this:
    1. Start Notepad, and then open the URLScan.ini file. The URLScan.ini file is located in the following folder:

      Drive:\%windir%\System32\Inetsrv\Urlscan\URLScan.ini

    2. On the Edit menu, click Find.
    3. In the Find What box, type AllowDotInPath, and then click Find Next.
    4. Locate the following line:

      AllowDotInPath=0

    5. Modify the line so that it reads as follows:

      AllowDotInPath=1

    6. On the File menu, click Save, and then quit Notepad.
  2. Restart IIS. To do this, click Start, click Run, type iisreset in the Open box, and then click OK.

Configure the URLScan security tool on a computer that is running Project Server 2003

  1. Configure the URLScan ISAPI filter to allow for dots (".") in the URL path. To do this:
    1. Start Notepad, and then open the URLScan.ini file. The URLScan.ini file is located in the following folder:

      Drive:\%windir%\System32\Inetsrv\Urlscan\URLScan.ini

    2. On the Edit menu, click Find.
    3. In the Find What box, type AllowDotInPath, and then click Find Next.
    4. Locate the following line:

      AllowDotInPath=0

    5. Modify the line so that it reads as follows:

      AllowDotInPath=1

    6. On the File menu, click Save.
  2. Configure the URLScan ISAPI filter to recognize ASP requests. To do this:
    1. On the Edit menu in Notepad, click Find.
    2. In the Find What box, type Deny ASP requests, and then click Find Next.
    3. In the list of extensions that appears under Deny ASP requests. locate, and then delete the .asp extension.
    4. On the File menu, click Save, and then quit Notepad.
  3. Restart IIS. To do this, click Start, click Run, type iisreset in the Open box, and then click OK.
For more information about the IIS Lockdown Tool, click the following article number to view the article in the Microsoft Knowledge Base:

325864 How to install and use the IIS Lockdown Wizard

For more information about the URLScan security tool, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/urlscan.mspx?#g

Modification Type:MajorLast Reviewed:6/27/2006
Keywords:kbhowto kbConfig kbinfo KB316398 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.