Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Mar 29, 2024 10:23 am

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 14 posts ] 
Author Message
PostPosted: Wed Jul 25, 2007 9:20 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
System.php (IIS settings) shows only the default web site.
Also no IP bindings, nor host headers are listed.
OA is SVN rev. 748. Thanks


Top
 Profile  
Reply with quote  
PostPosted: Thu Jul 26, 2007 9:37 am 
Have you tried running the audit directly on the machine? I believe there to be some security in regards to what data you can get remotely. If that's not the case, write back.


Top
  
Reply with quote  
PostPosted: Thu Jul 26, 2007 4:57 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Yes, the audit runs directly on the machine from a network share (where audit.vbs and audit.config reside) and it's reported back to the OA server.
Thank you


Top
 Profile  
Reply with quote  
PostPosted: Tue Jul 31, 2007 7:59 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Hi mykeyrb,
do you confirm having the same issue?


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 01, 2007 8:35 am 
I don't have IIS :)


Top
  
Reply with quote  
PostPosted: Wed Aug 01, 2007 9:30 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Sorry, I didn't want to bother you, you were the first to answer, so I thought you were interested...


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 02, 2007 8:12 am 
Nope, I just hated to leave your question completely unanswered. :D

If I had more time I'd research it, but that's just not the case. That's why it's good to have people like you finding the issues :)


Top
  
Reply with quote  
PostPosted: Mon Aug 06, 2007 10:16 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
The problem is caused by the LOC 2855 in audit.vbs:

for WebSiteID = 1 to 255

Site index is a longer number than 255 (up to 10 digits, I think), so only the default web site (index=1) is audited...


Top
 Profile  
Reply with quote  
PostPosted: Tue Aug 07, 2007 7:53 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
I slightly modified IIS info section in audit.vbs to show all sites, not only the default one:

[code]

if iis = "True" then
'''''''''''''''''''''''''''
' IIS Information '
'''''''''''''''''''''''''''

comment = "IIS Info"
if verbose = "y" then
wscript.echo comment
end if

WinDir = right(WinDir,len(WinDir)-2)
full_path = "\\" & system_name & "\c$" & WinDir & "\system32\inetsrv\inetinfo.exe"
if verbose = "y" then
Wscript.Echo "IIS Version: " & objFSO.GetFileVersion(full_path)
end if

On Error Resume Next

Dim objWWW
Set objWWW = GetObject("IIS://" & system_name & "/w3svc")
For Each WebSiteID in objWWW
If IsNumeric(WebSiteID.Name) Then

s = WebSiteID.Name
p = system_name

' Initialize error checking
On Error Resume Next

' Initialize variables
Dim ArgPhysicalServer, ArgSiteIndex, ArgFilter, ArgVirtualDirectory
Dim ArgsCounter, ArgNum
Dim objWebServer, objWebRootDir, objWebLog, objWebFilter, objWebVirtualDir
Dim BindingArray, strServerBinding, strSecureBinding
Dim SecurityDescriptor, DiscretionaryAcl, IPSecurity
Dim strPath, Item, Member, VirDirCounter, Counter

' Default values
ArgNum = 0

ArgPhysicalServer = system_name
ArgSiteIndex = WebSiteID.Name

' Specify and bind to the administrative objects
Set objWebServer = GetObject("IIS://" & ArgPhysicalServer & "/w3svc/" & ArgSiteIndex)
Set objWebRootDir = GetObject("IIS://" & ArgPhysicalServer & "/w3svc/" & ArgSiteIndex & "/Root")

' Verify that the specified website exists
If Err <> 0 Then
'
else
' do enumerate for this websiteID - will end if at end of function
' ----- Web Site Tab -------
' ---------------
iis_desc = objWebServer.ServerComment
For Each Item in objWebServer.ServerBindings
strServerBinding = Item
BindingArray = Split(strServerBinding, ":", -1, 1)
if BindingArray(0) = "" Then
iis_ip = "<All Unassigned>"
else
iis_ip = BindingArray(0)
end if
iis_port = BindingArray(1)
If BindingArray(2) = "" Then
iis_host = "<None>"
Else
iis_host = BindingArray(2)
End If
form_input = "iis_3^^^" & ArgSiteIndex & "^^^" _
& iis_ip & "^^^" _
& iis_port & "^^^" _
& iis_host & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
Next
For Each Item in objWebServer.SecureBindings
strSecureBinding = Item
BindingArray = Split(strSecureBinding, ":", -1, 1)
if BindingArray(0) = "" Then
iis_sec_ip = "<All Unassigned>"
else
iis_sec_ip = BindingArray(0)
end if
iis_sec_port = BindingArray(1)
Next
If strSecureBinding = "" Then
iis_sec_port = "No Secure Bindings"
End If
If objWebServer.LogType = 0 Then
iis_log_en = "Disabled"
Else
iis_log_en = "Enabled"
Set objWebLog = GetObject("IIS://" & ArgPhysicalServer & "/logging")
For Each Item in objWebLog
If objWebServer.LogPluginCLSID = Item.LogModuleID Then
iis_log_format = Item.Name
objWebLog = Item.Name
End If
Next
If objWebServer.LogFilePeriod = 0 Then
If objWebServer.LogFileTruncateSize = -1 Then
iis_log_per = "Unlimited file size"
Else
iis_log_per = "When file size reaches " & (objWebServer.LogfileTruncateSize/1048576) & " MB"
End If
End If
If objWebServer.LogFilePeriod = 1 Then
iis_log_per = "Daily"
Else
If objWebServer.LogFilePeriod = 2 Then
iis_log_per = "Weekly"
Else
If objWebServer.LogFilePeriod =3 Then
iis_log_per = "Monthly"
End If
End If
End If
iis_log_dir = objWebServer.LogFileDirectory
End If
' ----- Home Directory Tab -------
' ----------------
If objWebRootDir.HttpRedirect <> "" Then
'
Else
strPath = objWebRootDir.Path
strPath = Left(strPath, 2)
iis_path = objWebRootDir.Path
iis_dir_browsing = objWebRootDir.EnableDirBrowsing
End If
' ----- Documents Tab -------
' -----------------
If objWebRootDir.EnableDefaultDoc = False Then
iis_def_doc = "False"
Else
iis_def_doc = objWebRootDir.DefaultDoc
End If
form_input = "iis_1^^^" & WebSiteID.Name & "^^^" _
& clean(iis_desc) & "^^^" _
& iis_log_en & "^^^" _
& clean(iis_log_dir) & "^^^" _
& iis_log_format & "^^^" _
& iis_log_per & "^^^" _
& clean(iis_path) & "^^^" _
& iis_dir_browsing & "^^^" _
& clean(iis_def_doc) & "^^^" _
& iis_sec_ip & "^^^" _
& iis_sec_port & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
' ------------------
' --- Enumerating Virtual Directories ----
' ------------------
VirDirCounter = 0
For Each Item in objWebRootDir
If Item.Class = "IIsWebVirtualDir" Then
ArgVirtualDirectory = Item.Name
Set objWebVirtualDir = GetObject("IIS://" & ArgPhysicalServer & "/w3svc/" & ArgSiteIndex & "/Root/" & ArgVirtualDirectory)
iis_vd_name = Item.Name
iis_vd_path = objWebVirtualDir.Path
form_input = "iis_2^^^" & ArgSiteIndex & "^^^" _
& clean(iis_vd_name) & "^^^" _
& clean(iis_vd_path) & "^^^"
entry form_input,comment,objTextFile,oAdd,oComment
form_input = ""
VirDirCounter = VirDirCounter + 1
End If
Next
end if
end if
' next Site
next

else
' End of IIS = True
end if

[/code]

Could please developers check if it's OK and upload it to SVN? Thank you


Top
 Profile  
Reply with quote  
PostPosted: Tue Aug 07, 2007 9:06 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Little corrections to make "All unassigned" and "None" values showed:
1.
[code]
iis_ip = "All Unassigned"
[/code]
instead of
[code]
iis_ip = "<All Unassigned>"
[/code]
2.
[code]
iis_host = "None"
[/code]
instead of
[code]
iis_host = "<None>"
[/code]
3.
[code]
iis_sec_ip = "All Unassigned"
[/code]
instead of
[code]
iis_sec_ip = "<All Unassigned>"
[/code]


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 22, 2007 8:55 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
IIS ADSI provider needs to be installed to audit IIS, so actually you can audit it locally or from another IIS server only.
Have anyone a workaround to remotely audit IISx from a workstation? If I remember, the "root\MicrosoftIISv2” WMI namespace works for IIS6+ only. Thanks


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 23, 2007 12:44 am 
Offline
Moderator
User avatar

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Added to SVN at 778. Thanks.
:D

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 23, 2007 6:51 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Sorry Andrew, as I wrote in my Aug 07 post, I found that (at least in my case) the following lines need to be replaced (with <>, values are not shown in OA "IIS settings"):

iis_ip = "All Unassigned"
iis_host = "None"
iis_sec_ip = "All Unassigned"


Top
 Profile  
Reply with quote  
PostPosted: Sat Aug 25, 2007 4:35 pm 
Offline
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Thank you for the SVN update, Andrew.
If someone has a solution to also remotely audit IISx info from a machine with no IIS installed, it would be very useful.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 14 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group