
This file records some operational scripts and some API code for dealing with IIS.

 

1, Create the certificate

Here we use the open-source tool OpenSSL. It will guide you through making a new certificate.

Method 1:

1.1    Make the key file.

openssl genrsa -des3 -out server.key 1024

1.2    Make the certificate signing request

openssl req -new -key server.key -out server.csr -config openssl.cnf

1.3    Make a new CA

openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

1.4    Sign the server.csr (and client.csr) with the CA.

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

 

Method 2:

1.1   openssl req -nodes -days 3650 -subj /C="countryName"/ST="provinceName"/L="localityName"/O="organizationName"/OU="organizationUnit"/CN="commonName"/emailAddress="emailAddress"/challengePassword="keyPasswd" -passout pass:"caPasswd" -newkey rsa:1024 -keyout "keyFilePath.key" -out "crtFilePath.crt"

 

1.2 openssl x509 -signkey "keyFilePath.key" -out "crtFilePath.crt" -req -in "csrFilePath.csr"

 

2, Get the IIS port

"C:\\Inetpub\\AdminScripts\\adsutil.vbs ENUM W3SVC/1"

This command shows both the HTTP port and the HTTPS port.

Check whether the HTTP port is 0 by running:

"iisipsecurity.vbs http"

3, Change the http port

"c:\\adsutil.vbs set w3svc/1/serverbindings ":80:""

If the HTTP port is set to 0, web access is forced to use HTTPS; in that case you should call iisipsecurity.vbs:

"iisipsecurity.vbs http true"

 

If the HTTP port is changed back from 0 to a normal value, you should run:

"iisipsecurity.vbs http false"

 

4, Change the https port

"c:\\adsutil.vbs set w3svc/1/SecureBindings":443:""

If the HTTPS port is set to 0, you should run:

"c:\\adsutil.vbs set w3svc/1/SecureBindings"""

If the HTTPS port is changed back from 0 to a normal value, you should call the API to set the HTTPS port and bind the certificate to that port.

The code is in the PA RENEW PRO.

5, Change the remote access

This must be handled in two different ways, depending on the IIS version.

IIS5 / IIS6:

Call this script command to get the remote access:

"iisipsecurity.vbs get"

Call these scripts to change remote access:

"iisipsecurity.vbs set true"

"iisipsecurity.vbs set false"

IIS7

First unlock the IIS configuration section so that it can be changed, by running:

"c:\\Windows\\System32\\inetsrv\\appcmd.exe unlock config -section:system.webServer/security/ipSecurity"

Set the remote access to true:

"c:\\Windows\\System32\\inetsrv\\appcmd.exe set config /section:ipSecurity /allowUnlisted:true"

Set the remote access to false:

"c:\\Windows\\System32\\inetsrv\\appcmd.exe set config /section:ipsecurity /-\"[ipaddress='127.0.0.1',allowed='true']\""

"c:\\Windows\\System32\\inetsrv\\appcmd.exe set config /section:ipSecurity /allowUnlisted:false"

"c:\\Windows\\System32\\inetsrv\\appcmd.exe set config /section:ipsecurity /+\"[ipaddress='127.0.0.1',allowed='true']\""

 

6, Stop the IIS service

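// Stops the default web site ("/1" below /LM/W3SVC) through the IIS Admin
// Base Object by writing MD_SERVER_COMMAND_STOP into the metabase.
//
// Returns TRUE on success, FALSE when the admin object cannot be created,
// the /LM/W3SVC key cannot be opened for writing, or the command cannot be
// written. The caller needs write access to the metabase for this to work.
//
// NOTE: the listing had `int :StopIisService()`, which does not compile; the
// sibling StartIisService is a CIisConfig member, so the same class is used.
int CIisConfig::StopIisService()
{
    // Milliseconds OpenKey may wait for the key, as in the original call.
    const DWORD kOpenKeyTimeoutMs = 20;

    // CoInitialize's result is deliberately not checked (unchanged from the
    // original): a result such as RPC_E_CHANGED_MODE still leaves COM usable.
    CoInitialize(NULL);

    // Get a pointer to the IIS Admin Base Object.
    IMSAdminBase *pIMeta = NULL;
    HRESULT hres = CoCreateInstance(CLSID_MSAdminBase, NULL, CLSCTX_ALL,
                                    IID_IMSAdminBase,
                                    reinterpret_cast<void **>(&pIMeta));
    if (FAILED(hres))
    {
        CoUninitialize();
        return FALSE;
    }

    METADATA_HANDLE hKey = 0;
    hres = pIMeta->OpenKey(METADATA_MASTER_ROOT_HANDLE, L"/LM/W3SVC",
                           METADATA_PERMISSION_READ | METADATA_PERMISSION_WRITE,
                           kOpenKeyTimeoutMs, &hKey);
    if (FAILED(hres))
    {
        // The key was never opened, so there is nothing to close or save.
        // (The original called CloseKey on an uninitialized handle here.)
        pIMeta->Release();
        CoUninitialize();
        return FALSE;
    }

    // Build the metabase record carrying the stop command; the record only
    // points at dwCommand, so it must outlive the SetData call.
    DWORD dwCommand = MD_SERVER_COMMAND_STOP;
    METADATA_RECORD metaRecord;
    ZeroMemory(&metaRecord, sizeof(metaRecord));
    metaRecord.dwMDIdentifier = MD_SERVER_COMMAND;
    metaRecord.dwMDAttributes = METADATA_INHERIT;
    metaRecord.dwMDUserType   = IIS_MD_UT_SERVER;
    metaRecord.dwMDDataType   = DWORD_METADATA;
    metaRecord.dwMDDataLen    = sizeof(DWORD);
    metaRecord.pbMDData       = reinterpret_cast<unsigned char *>(&dwCommand);

    // "/1" is the default web site, relative to the opened /LM/W3SVC key.
    hres = pIMeta->SetData(hKey, CComBSTR("/1"), &metaRecord);

    // The original closed, saved, released and uninitialized on both the
    // success and the SetData-failure path, so one cleanup sequence serves.
    pIMeta->CloseKey(hKey);
    pIMeta->SaveData();
    pIMeta->Release();
    CoUninitialize();

    return FAILED(hres) ? FALSE : TRUE;
}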

7, Start the IIS service

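// Starts the default web site ("/1" below /LM/W3SVC) through the IIS Admin
// Base Object by writing MD_SERVER_COMMAND_START into the metabase.
//
// Opening /LM/W3SVC for writing is retried a small number of times with a
// short pause, because the key can be briefly unavailable right after a stop.
//
// Returns TRUE on success, FALSE when the admin object cannot be created,
// the key cannot be opened within the retry budget, or the command cannot be
// written. The caller needs write access to the metabase.
int CIisConfig::StartIisService()
{
    const int   kMaxAttempts      = 2;    // OpenKey attempts before giving up
    const DWORD kRetryDelayMs     = 500;  // pause between attempts
    const DWORD kOpenKeyTimeoutMs = 20;   // OpenKey wait, as in the original

    IMSAdminBase   *pIMeta = NULL;
    METADATA_HANDLE hKey   = 0;
    HRESULT         hres   = E_FAIL;
    bool            opened = false;

    for (int attempt = 0; attempt < kMaxAttempts && !opened; ++attempt)
    {
        // CoInitialize's result is not checked (unchanged from the original).
        CoInitialize(NULL);

        // Get a pointer to the IIS Admin Base Object.
        hres = CoCreateInstance(CLSID_MSAdminBase, NULL, CLSCTX_ALL,
                                IID_IMSAdminBase,
                                reinterpret_cast<void **>(&pIMeta));
        if (FAILED(hres))
        {
            // Not retried, as in the original: this is not a transient
            // metabase-busy condition.
            CoUninitialize();
            return FALSE;
        }

        hres = pIMeta->OpenKey(METADATA_MASTER_ROOT_HANDLE, L"/LM/W3SVC",
                               METADATA_PERMISSION_READ | METADATA_PERMISSION_WRITE,
                               kOpenKeyTimeoutMs, &hKey);
        if (FAILED(hres))
        {
            // Nothing was opened, so only release what this attempt created.
            // (The original called CloseKey on an uninitialized handle here.)
            pIMeta->Release();
            pIMeta = NULL;
            CoUninitialize();
            Sleep(kRetryDelayMs);
            continue;
        }
        opened = true;
    }

    if (!opened)
    {
        return FALSE;
    }

    // Build the metabase record carrying the start command; the record only
    // points at dwCommand, so it must outlive the SetData call.
    DWORD dwCommand = MD_SERVER_COMMAND_START;
    METADATA_RECORD metaRecord;
    ZeroMemory(&metaRecord, sizeof(metaRecord));
    metaRecord.dwMDIdentifier = MD_SERVER_COMMAND;
    metaRecord.dwMDAttributes = METADATA_INHERIT;
    metaRecord.dwMDUserType   = IIS_MD_UT_SERVER;
    metaRecord.dwMDDataType   = DWORD_METADATA;
    metaRecord.dwMDDataLen    = sizeof(DWORD);
    metaRecord.pbMDData       = reinterpret_cast<unsigned char *>(&dwCommand);

    // "/1" is the default web site, relative to the opened /LM/W3SVC key.
    hres = pIMeta->SetData(hKey, CComBSTR("/1"), &metaRecord);

    // The original closed, saved, released and uninitialized on both the
    // success and the SetData-failure path, so one cleanup sequence serves.
    pIMeta->CloseKey(hKey);
    pIMeta->SaveData();
    pIMeta->Release();
    CoUninitialize();

    return FAILED(hres) ? FALSE : TRUE;
}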

 

 

ATTACH: (iisipsecurity.vbs)

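' iisipsecurity.vbs -- query or change the IP-security and SSL-only settings
' of the default web site (IIS://LocalHost/W3SVC/1/Root) through ADSI.
'
' Usage:
'   get         report whether unlisted addresses are granted access
'   set true    grant access to every address (GrantByDefault = TRUE)
'   set false   deny unlisted addresses; 127.0.0.1 is kept on the grant list
'   http        report whether the site requires SSL
'   http true   require SSL (AccessSSL = True)
'   http false  allow plain HTTP as well
'
' Exit code is 0 when a command was carried out and 1 when the usage text
' was printed instead.
'
' Remember to enable Integrated Windows Authentication and
' disable Anonymous Access or you will get a Server 500 error.
Option Explicit

' The original quit with GENERAL_FAILURE, a name the script never defined;
' every path now quits with an explicit code.
Const EXIT_OK    = 0
Const EXIT_USAGE = 1

' Address that must stay granted when unlisted access is denied, so local
' administration keeps working.
Const LOOPBACK_ADDRESS = "127.0.0.1"

Dim ArgObj 'Object which contains the command line argument
Dim SecObj
Dim MyIPSec

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Set ArgObj = WScript.Arguments
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Get the IIS object that holds the info for the default site.
' This could be any site root/vdir, or IIS://LocalHost/W3SVC for global
' properties.
Set SecObj = GetObject("IIS://LocalHost/W3SVC/1/Root")
' Get the IIsIPSecurity object
Set MyIPSec = SecObj.IPSecurity

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
If (ArgObj.Count = 1) Then
    If (ArgObj.Item(0) = "get") Then
        If (TRUE = MyIPSec.GrantByDefault) Then
            WScript.Echo "GrantByDefault now set to TRUE."
        Else 'If (FALSE = MyIPSec.GrantByDefault) Then
            WScript.Echo "GrantByDefault now set to FALSE."
        End If
        WScript.Quit (EXIT_OK)
    ElseIf (ArgObj.Item(0) = "http") Then
        If (TRUE = SecObj.AccessSSL) Then
            WScript.Echo "only support https."
        Else 'If (FALSE = SecObj.AccessSSL) Then
            WScript.Echo "support http also."
        End If
        WScript.Quit (EXIT_OK)
    End If
ElseIf (ArgObj.Count = 2) Then
    If (ArgObj.Item(0) = "set" And IsBoolArg(ArgObj.Item(1))) Then
        If (ArgObj.Item(1) = "true") Then
            WScript.Echo "GrantByDefault now set to TRUE."
            MyIPSec.GrantByDefault = TRUE
        Else
            WScript.Echo "GrantByDefault now set to FALSE."
            MyIPSec.GrantByDefault = FALSE
            GrantLoopback MyIPSec
        End If
        'Set the info in the database
        SecObj.IPSecurity = MyIPSec
        SecObj.Setinfo
        WScript.Quit (EXIT_OK)
    ElseIf (ArgObj.Item(0) = "http" And IsBoolArg(ArgObj.Item(1))) Then
        If (ArgObj.Item(1) = "true") Then
            SecObj.AccessSSL = True
            WScript.Echo "only support https."
        Else 'If (FALSE = SecObj.AccessSSL) Then
            WScript.Echo "support http also."
            SecObj.AccessSSL = False
        End If
        'Set the info in the database
        SecObj.Setinfo
        WScript.Quit (EXIT_OK)
    End If
End If

PrintUsage
WScript.Quit (EXIT_USAGE)

' True when the argument is one of the two accepted boolean spellings.
Function IsBoolArg(arg)
    IsBoolArg = (arg = "true" Or arg = "false")
End Function

' Adds the loopback address to ipSec.IPGrant unless an identical entry is
' already present, so repeated "set false" runs do not grow the list.
' NOTE(review): IPGrant is assumed to be a variant array of strings; entries
' with a subnet mask appended are not recognised as duplicates -- confirm.
Sub GrantLoopback(ipSec)
    Dim IPList, i, found
    IPList = ipSec.IPGrant
    If Not IsArray(IPList) Then
        IPList = Array()
    End If
    found = False
    For i = LBound(IPList) To UBound(IPList)
        If (IPList(i) = LOOPBACK_ADDRESS) Then
            found = True
        End If
    Next
    If Not found Then
        i = UBound(IPList) + 1
        ReDim Preserve IPList(i)
        IPList(i) = LOOPBACK_ADDRESS
        ipSec.IPGrant = IPList
    End If
End Sub

' Prints the command summary; reached when no known command matched.
Sub PrintUsage
    WScript.Echo "get         : get the remote access;"
    WScript.Echo "set true    : the remote access is true;"
    WScript.Echo "set false   : the remote access is false;"
    WScript.Echo "http        : the status must using https or not;"
    WScript.Echo "http true   : only support https;"
    WScript.Echo "http false  : support http also."
End Sub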
