jorkeo - hosting geek : Windows Server 2008

Old New Series – Cannon PI

jorkeo — Thu, 07 May 2009 07:39:57 GMT

Keep watching as Cannon makes life easier for today's web developers using the Microsoft Web Platform Installer.

- jorke

Windows 7 RC download

jorkeo — Tue, 05 May 2009 14:37:20 GMT

get it now, now now, while it lasts - http://www.microsoft.com.au/windows7 its HOT HOT HOT!

Don’t for get to grab Windows Server 2008 R2 Release Candidate

- jorke

FastCGI timeout on IIS7

jorkeo — Tue, 28 Apr 2009 06:50:00 GMT

Had a couple of question this week around some issues that people were experiencing from long running PHP scripts that appear to timeout/hang and eventually stop/crash and is this problem with FastCGI or the application pool settings.

Let’s take a look at the FastCGI settings in the ApplicationHost.config

You’ll the highlighted entries, the one that causes the PHP scripts to hang and stop running is activityTimeout – simply put this value defines for FastCGI to timeout when the cgi process doesn’t talk to IIS for that amount of time specified. So if you have a script that will run longer than this, make sure you adjust it appropriately. Of course, use this sensibly.

Couple other things highlighted are environment variables for PHP with FastCGI. PHP_FCGI_MAX_REQUESTS governs how many requests will be processed by PHP before the PHP recycling process happens. PHPRC tells PHP where the PHP runtime configuration (php.ini) configuration file is located for this fastcgi process.

- jorke

“The subsystem needed to support the image type is not present"

jorkeo — Mon, 20 Apr 2009 03:49:00 GMT

You might be getting this error on server 2008 R2 or in fact any x64 system. I’ve had a bunch of people getting this particularly on running 2008 server core R2 x64.

The problem occurs when the executable you are running has not been compiled for x64 AND you haven’t installed WOW64 – yeah that’s right WOW64 is now an optional component in Windows Server 2008 R2 Core – cool eh?

so to fix this just run:

start /w ocsetup.exe ServerCore-WOW64

you will need to reboot to get your WOW64 goodness..

-jorke

Technorati Tags: wow64,server core r2

Cat Power - Tomcat on Server 2008 Core with IIS7

jorkeo — Wed, 17 Sep 2008 13:51:54 GMT

EPIC START

So this turned out to be much longer than I thought - the basic goal is to utilise two of the coolest features of Window Server 2008 - Core and IIS7. The idea is to create an ultimately low footprint web server on Microsoft Windows Web Server 2008 Core and show how that can easily support the Apache Software Foundation's Open Source Java Server - Tomcat. Ideally I don't want to logon to the console or via Remote Desktop of the server at any point - and I'll use our remote management tools to configure and install in a true 'headless' environment. My Starting point is a clean install of Windows Web Server 2008 Core on Hyper-V, not on a domain and just having had the computer name set to "servercore". Let see how I go!

Set for Remote Management

So this the one thing I must do on the console (or I can script it as part of install). I need to configure our remote management tools WinRM to allow connections from my workstation to the server. (note that you should NOT leave WinRM with Basic auth set to true in a production environment - I need to do this because the machine is not in a domain)

WinRM quickconfig
WinRM set winrm/config/service/auth @{Basic="true"}
WinRM set winrm/config/client @{TrustedHosts="jorkeo-hp"}

WinRM set winrm/config/service/auth @{Basic="true"}
WinRM set winrm/config/client @{TrustedHosts="servercore"}

Now I connect to the server from the command prompt on my workstation ("jorkeo-hp") using WinRS, and I'm going to instantiate a remote command prompt:

WinRS -r:servercore -u:Administrator -p:****** cmd.exe

Now we have our remote shell - all commands from this point forward are run here.

Install Basic IIS requirements

Normally I would use ocsetup to install everything with dependencies, but since I'm attempting a low footprint web server I want pick the exact packages I need to install without installing everything - to do this I use package manager - pkgmgr - and select the roles/modules to install.

start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-Security;IIS-BasicAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;WAS-WindowsActivationService;WAS-ProcessModel;

Installation dependencies can be found here:http://learn.iis.net/page.aspx/130/understanding-setup-in-iis-7/

Then you need to create the site under IIS7 to host your servlets.

mkdir c:\inetpub\mytomcat

C:\windows\system32\inetsrv\appcmd.exe add site /name:"mytomcat.com" /bindings:http://mytomcat.com:80
/physicalPath:"c:\inetpub\mytomcat"
SITE object "mytomcat.com" added
APP object "mytomcat.com/" added
VDIR object "mytomcat.com/" added

c:\windows\system32\inetsrv\appcmd.exe add apppool /name:mytomcat

APPPOOL object "tomcat" added

c:\windows\system32\inetsrv\appcmd.exe set site "mytomcat.com"
/applicationDefaults.applicationPool:"mytomcat"

SITE object "mytomcat.com" changed

Install JRE + Tomcat

Now we need to install the Java Runtime Environment - I just download the latest one from http://java.sun.com and install with defaults, the version I ended up with was JRE6 update 7 - the offline installation - I then ran the installer like so:

jre-6u7-windows-i586-p.exe /passive

Verified that was in place, by looking for the java directories under \Program Files

Then just downloaded the latest version of Apache Tomcat from my buddies at AussieHQ. There are a couple of ways you can deploy this, by running the installer service/downloading the file - I like to run the installer on a reference machine then copy the contents of the tomcat directory to the server - it seems to clear out all the unnecessary stuff at installation time. I've copied my contents of a reference install to c:\tomcat on servercore.

Run Tomcat as a service

Now this took aaaggess as the installation syntax is overly sensitive, case sensitive etc. So to save you the time here is my installation script line to install with all options pointing to my new installation of JRE:

tomcat6.exe //IS//Tomcat6 --Install="c:\tomcat\bin\tomcat6.exe" --StartClass=org.apache.catalina.startup.Bootstrap --StopClass=org.apache.catalina.startup.Bootstrap --StartParams=start --StopParams=stop --JvmOptions "-Dcatalina.home=c:\tomcat;-Dcatalina.base=c:\tomcat;-Djava.endorsed.dirs=c:\tomcat\common\endorsed;-Djava.io.tmpdir=c:\tomcat\temp;-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;-Djava.util.logging.config.file=c:\tomcat\conf\logging.properties;" --Jvm="C:\Program Files\Java\jre1.6.0_07\bin\client\jvm.dll" --JavaHome="C:\Program Files\Java\jre1.6.0_07" --Classpath="c:\tomcat\bin\bootstrap.jar" --LogPath=c:\tomcat\logs --StdError=auto --StdOutput=auto --StartPath=c:\tomcat --StopPath=c:\tomcat --StartMode=jvm --StopMode=jvm

At this point I found that tomcat would fail to start

C:\tomcat\bin>net start tomcat6
The Tomcat6 service is starting.
The Tomcat6 service could not be started.

A service specific error occurred: 0.

More help is available by typing NET HELPMSG 3547.

C:\tomcat\bin>C:\tomcat\bin>tomcat6 //TS//Tomcat6
C:\tomcat\bin>

hmmm nothing... looking in tomcat\logs folder the "jakarta_service.log" file seemed to be the latest timestamp, opening that in notepad and its full of this:

2008-09-16 12:39:50] [info] Procrun (2.0.3.0) started
[2008-09-16 12:39:50] [info] Debugging Service...
[2008-09-16 12:39:50] [info] Starting service...
[2008-09-16 12:39:50] [174 javajni.c] [error] The specified module could not be found.
[2008-09-16 12:39:50] [986 prunsrv.c] [error] Failed creating java C:\Program Files\Java\jre1.6.0_07\bin\client\jvm.dll
[2008-09-16 12:39:50] [1260 prunsrv.c] [error] ServiceStart returned 1
[2008-09-16 12:39:50] [info] Debug service finished.
[2008-09-16 12:39:50] [info] Procrun finished.

which appears to be a problem finding an api to connect to, but the error is pretty vague as to what its actually trying to do..

GROAN - this is the FIRST time i have to logon to the server via RDP/Console.. remember everything else so far has been via a remote winrs console...

Log On... Fire up sysinternals Process Monitor (thank you Mr Russinovich) to see what this tomcat process is trying to talk to (after some thought, I reckon I could probably spawn this remotely with a backing file to disk and load that on another machine... but too much stuffing around..). After attaching to the tomcat process, aha - there it is:

When the tomcat process fires up it pokes around the OS looking for MSVCR71.dll - which is the a bunch of C libraries generally shipped with the Microsoft C runtime library. So all I needed to do is find that file and put it in path - hang- on.. I remembered back to my Java development days in University - pretty sure that the JRE ships with the libraries in tow... ah... looking into the JRE\bin directory of my Java Runtime Environment install, there it is, I'll copy that to my tomcat\bin folder and try again.

Ok - lets log off that server real quick - and back to our remote shell.

So I kicked off starting tomcat from the command line again.. success!

You'll see its started with the default of http listening on port 8080 - so browsing to this (hoping no random proxy in the way) - Yee ha!

Awesome, now I just have to CTRL-BREAK out of that and start the service:

C:\tomcat\bin>net start tomcat6
The Tomcat6 service is starting.
The Tomcat6 service was started successfully.

And test again - also a Screen shot to prove it:

But this is only the first step - Now I need to serve Tomcat through IIS7.

Setting up the IIS ISAPI Redirector

Download the IIS Tomcat connector - http://tomcat.apache.org/download-connectors.cgi

The connector acts as a broker between IIS and Tomcat and as far as IIS is concerned just an ISAPI filter.

For this example I've grabbed isapi_redirect-1.2.26.dll - and renamed it to isapi_redirect.dll just to make it easy.

Now this is where your configuration choice can get interesting. Depending on how you're supporting tomcat you have the choice of using the registry for storing configuration information for the ISAPI filter OR using a file. This of course depends on how you intend to host it as well. If you intend host this in a multi-tenant environment with several java sites on the same server and possibly different customers as well I would recommend using a file based approach as you can set a configuration file per site. If you are just looking after one site on the server, registry configuration is fine. One thing to remember though, is when you need to replicate the configuration to another server then you will have to make sure the registry entries follow the site.

For the purposes of this example, I'm going to attempt a multi-tenant configuration to allow the most flexibility, plus prevents me from having to play in the registry. When you need to create another site on the same server, create a new folder for the site under tomcat\conf and tomcat\logs and simply follow these steps for each new site :) (or script it)

1. Create a folder under the website root called jakarta
2. Copy the isapi_redirect.dll into the jakarta folder.
3. Create a file in the jakarta folder called isapi_redirect.properties (note that the name before the extension MUST match the dll filename)
4. Edit the isapi_redirect.properties file in notepad (server core IDE) - paste in the following:

# Configuration file for the Jakarta ISAPI Redirector

# The path to the ISAPI Redirector Extension, relative to the website
# This must be in a virtual directory with execute privileges
extension_uri=/jakarta/isapi_redirect.dll

# Full path to the log file for the ISAPI Redirector
log_file=c:\tomcat\logs\mytomcat\isapi_redirect.log

# Log level (debug, info, warn, error or trace)
log_level=INFO

# Full path to the workers.properties file
worker_file=c:\tomcat\conf\mytomcat\workers.properties

# Full path to the uriworkermap.properties file
worker_mount_file=c:\tomcat\conf\mytomcat\uriworkermap.properties

5. You can see that the log_file directive is going to a folder that doesn't exist so we need to create the folder tomcat\logs\mytomcat\ - and also the configuration folder tomcat\conf\mytomcat\ - by creating a separate folder for each site you allow the separation of site logging and configuration.
6. Now we need to create the workers.properties and uriworkermap.properties files under the tomcat\conf\tomcatsite1\ folder. Create the worker.properties file first - This controls the configuration of tomcat worker processes allows control of resources to the site - something best left to the server administrators (more info on tomcat workers) - lets create the file notepad.exe tomcat\conf\mytomcat\workers.properties - and populate with the following:

# list of workers

worker.list=mytomcat,ajp13
worker.mytomcat.type=ajp13
worker.ajp13.type=ajp13

# worker mytomcat
worker.mytomcat.host=localhost
worker.mytomcat.port=8009
worker.mytomcat.lbfactor=1

# worker ajp13
worker.ajp13.host=localhost
worker.ajp13.port=8009
worker.ajp13.lbfactor=1

# time out
worker.mytomcat.connection_pool_timeout=600
worker.mytomcat.socket_timeout=60

You can see here we are trying to make sure we keep the naming specific to the site. Save the worker.properties file, then create the uriworkermap.properties file - notepad.exe tomcat\conf\mytomcat\uriworkermap.properties - this is where we map the request to the tomcat worker process. There is a whole level of URI re-mapping you can do here, but for the moment we are just going to take everything that comes to the site is fed to tomcat - just make sure we match up with the worker specified in the workers.properties file.

# Use www.foo.org as virtual host
# /www.foo.org/myapp/*=myworker
# Normal mapping

/mytomcat.com/*=mytomcat
/mytomcat.com/=mytomcat

Save that file.

7. The last bit of hacking around in tomcat is that we need to tell it that we've setup a site for it to to be aware of. To kick this I opened the file tomcat\conf\server.xml in notepad.

Between the <Service> xml tags another <Engine> tag that describes our site needs to put into place - this is the syntax I entered:

( Note the Valves in place to dump engine logs - http access etc )

You will need to restart the tomcat service to pick up these changes - if any weirdness happens just run the service from the console to pick up any issues.

8. Now we need to tell IIS that we're using an ISAPI filter to serve the content - we just need to add the ISAPI filter via APPCMD. First allow the ISAPI filter into the CGI/ISAPI restriction policy - then we unlock the handlers config in applicationhost.config then actually add the ISAPI filter.

appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction
/+"[path='c:\inetpub\mytomcat\jakarta\isapi_redirect.dll',allowed='True',description='tomcat']" /commit:apphost

c:\windows\system32\inetsrv\appcmd.exe unlock config /section:system.webserver/handlers

Unlocked section "system.webServer/handlers" at configuration path "MACHINE/WEBROOT/APPHOST".

c:\windows\system32\inetsrv\appcmd.exe set config "mytomcat.com"
-section:system.webServer/handlers
/+"[name='tomcat',path='*',verb='*',
scriptProcessor='c:\inetpub\mytomcat\jakarta\isapi_redirect.dll']"

Applied configuration changes to section "system.webServer/handlers" for "MACHIN
E/WEBROOT/APPHOST/mytomcat.com" at configuration commit path "MACHINE/WEBROOT/APPHOST/mytomcat.com"

9. One thing I almost forgot is that we need make sure that the context our site is running on has the ability to read the tomcat configuration and files. Because our application pool runs as the built in account - "Network Service" I have to ensure it can read and write in the appropriate locations around tomcat. Now I'm being a little lazy here - if I really wanted to lock it down I would create a user account, remove it from all groups and then sit with Process Monitor and find the exact settings required. But this is enough to get me over the hump. Allowing read to all of tomcat, and allowing write to tomcat\logs

cacls c:\tomcat /T /E /C /G "NETWORK SERVICE":R

cacls c:\tomcat\logs /T /E /C /G "NETWORK SERVICE":C

10. Finally we need to drop some content to serve, I'm just going to drop in the examples that ship with the default tomcat build, normally found in the tomcat\webapps\examples folder. I've just copied all the files into the root of my site and now lets browse to my site http://mytomcat.com/servlets/servlet/HelloWorldExample (local demo site) ... and:

Its working - HOORAY!

Just to verify, looking at my IIS logs you can see the requests coming through to the server:

008-09-17 00:50:32 192.168.0.2 GET /servlets/servlet/HelloWorldExample - 80 - 127.0.0.1 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-GB;+rv:1.9)+Gecko/2008052906+Firefox/3.0+(.NET+CLR+3.5.30729) JSESSIONID=A86ABA6C645C8FC922551765899D09A0 - mytomcat.com 200 0 0 511 513 194
2008-09-17 00:50:32 192.168.0.2 GET /servlets/images/code.gif - 80 - 127.0.0.1 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-GB;+rv:1.9)+Gecko/2008052906+Firefox/3.0+(.NET+CLR+3.5.30729) JSESSIONID=A86ABA6C645C8FC922551765899D09A0 http://mytomcat.com/servlets/servlet/HelloWorldExample mytomcat.com 200 0 0 519 538 17
2008-09-17 00:50:32 192.168.0.2 GET /servlets/images/return.gif - 80 - 127.0.0.1 HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+6.0;+en-GB;+rv:1.9)+Gecko/2008052906+Firefox/3.0+(.NET+CLR+3.5.30729) JSESSIONID=A86ABA6C645C8FC922551765899D09A0 http://mytomcat.com/servlets/servlet/HelloWorldExample mytomcat.com 200 0 0 1460 540 21

The request loads through the ISAPI filters, so looking at the tomcat access logs:

127.0.0.1 - - [17/Sep/2008:10:44:33 +1000] "GET /servlets/servlet/HelloWorldExample HTTP/1.1" 200 359
127.0.0.1 - - [17/Sep/2008:10:44:38 +1000] "GET /servlets/servlet/HelloWorldExample HTTP/1.1" 200 359
127.0.0.1 - - [17/Sep/2008:10:44:55 +1000] "GET /servlets/servlet/HelloWorldExample HTTP/1.1" 200 359
127.0.0.1 - - [17/Sep/2008:10:45:12 +1000] "GET /servlets/servlet/HelloWorldExample HTTP/1.1" 200 359
127.0.0.1 - - [17/Sep/2008:10:45:57 +1000] "GET /servlets/servlet/HelloWorldExample HTTP/1.1" 200 359

Further Security Lock Downs

One very important you should to for your site is to ensure that the jakarta folder is blocked from http reading, i.e. just being able to browse to it - this can be controlled by the request filtering feature that is built into IIS7. To protect the folder, very simply appcmd directive:

appcmd.exe set config "mytomcat.com/jakarta" -section:system.webServer/security/requestFiltering /+"hiddenSegments.[segment='jakarta']"

Then remember to rollback the WinRM configuration when going into production:

WinRM set winrm/config/service/auth @{Basic="false"}

EPIC DONE!

And we are done - so this is my no means an exhaustive configuration guide - merely a glimpse of how you can configure some competitive technologies with Windows Server 2008 Core and IIS7.

- jorke

p.s. (Fineprint) this whole post is totally without warranty, if you try this and it works or doesn't work its not my fault. If you girlfriend/wife/cat leaves you because of this - believe me it wasn't this - you have something else to worry about..

Technorati Tags: Server Core,Tomcat,Apache Tomcat,IIS7,Windows,Java,JSP,Servlets

Configuring NFS on Windows Server 2008 core

jorkeo — Wed, 10 Sep 2008 10:07:47 GMT

Hasn't really changed since 2003 R2, but its all over the command line. From the start:

Installation of the NFS components:

start /w ocsetup ServerForNFS-Base

Make a directory to store your content and ACL it appropriately for NFS - I don't recommend this as best practice, but I'm assuming we're in safe environment, i.e. a management / storage network. Oh and wack a file in to test with:

mkdir content
echo hello! > hello.txt
cacls content /t /e /g:"anonymous logon":C
cacls content /t /e /g:everyone:C

Now I just need to start the NFS server

nfsadmin server localhost start

Then just create the NFS share - I'm using the anonymous userid and groupid to 0 which is the root user and group:

nfsshare nfscontent=c:\content -o root rw anon=yes anonuid=0 anongid=0

And then over to our *nix machine to mount the share, first I'll just make sure I can see them, then mount and test to read the file.

[root@localhost /]# showmount -e servercore
Export list for servercore:
/nfscontent (everyone)
[root@localhost /]# mount -t nfs servercore:/nfscontent /mnt/content
[root@localhost /]# cat /mnt/content/hello.txt
Hello!
[root@localhost /]#

easy!

-jorke

Technorati Tags: NFS,SFU,nfsadmin,nfsshare

DST changes for Australia in 2008!

jorkeo — Fri, 05 Sep 2008 05:17:29 GMT

Does that mean Queensland will have daylight savings time? NOOOO - fades the curtains apparently...

Anyway the REST of Australia is making some changes in October - that's 1 month away! - so we all need to update our servers/machines/robots to cope with the time differences.

Key Action: Download the Australia 2008 Daylight Saving Planning Document

Here is the rest of the communication - Make sure you're ready:

Daylight Savings Changes – October 2008

In October this year, we will again be experiencing Daylight Savings changes in Australia. These changes can have a significant impact on business performance if not dealt with proactively. These effects can range from the incorrect time display on the clock, to calendaring problems, to financial and reputation loss if business critical services fail.

Daylight saving now commences on the first Sunday in October and ends on the first Sunday in April in Australia Eastern (New South Wales, Victoria, Australian Capital Territory and Tasmania) and Central (South Australia). This change affects Microsoft Windows, Microsoft Office Outlook and other Microsoft, third party and custom applications. Please find below some of the key things you need to know.

What is the impact of Daylight Savings changes?

Effects can range from the incorrect time display on the clock, to calendaring problems, to financial and reputation loss if business critical services fail.

The 5^th of October commences the second window of time zone harmonisation for this year, however, we expect a greater impact in October as the change is 21 days difference, whereas the adjustment earlier in the year was only 7 days.

What is affected?

- All Microsoft Windows PC, server and mobile devices in the affected time zones must be updated to ensure accuracy of internal time zone tables and correct operation of the system clock.

- Microsoft Office Outlook calendars may need to be adjusted. Client and Server-based tools are available to automate this service.

- Microsoft, third party and custom applications which schedule events at future dates should be reviewed to ensure they will operate correctly during the extended daylight saving period. Previously scheduled events may also need to be adjusted.

- Microsoft recommends that all PC and server systems are updated regardless of location to ensure consistency of operation.

What do I need to do?

Thorough planning and testing for these changes is critical to ensure the change results in minimal user impact, so to help customers prepare Microsoft has developed the Australia 2008 Daylight Saving Planning document which details the nature and impact of the DST changes, along with planning guidance to avoid user impact.

What if the systems have been previously patched?

Where servers, workstations and mobile devices have been added to the infrastructure, organisations will need to audit their environment to ensure all systems are patched according to the organisation’s Daylight Savings Plan.

Where the environment does not have a consistent Daylight Savings Time (DST) patch level, appointments may have been created with a mix of correct and incorrect DST transition dates. Furthermore, Microsoft recommends customers update all systems to ensure consistency of operation, even if none of your systems are in the affected time zones.

- jorke

Technorati Tags: DST,Daylight Savings,Australia,Timezone

SQL 2005 PHP Driver RTM'd

jorkeo — Fri, 01 Aug 2008 21:49:29 GMT

We've just shipped the released version for the SQL Server 2005 Driver extensions for PHP 5 - if you're running the CTP version make sure you update to this version.

Get the bits here: http://www.microsoft.com/downloads/details.aspx?FamilyId=61BF87E0-D031-466B-B09A-6597C21A2E2A&displaylang=en

I think the coolest thing that comes with this download is the Help file (.chm) that is part of the package and has an insane amount of detail on how to use it and how it actually works.

to get it working just drop your files into your PHP extension directory - and is based on your chosen distribution of php - make sure you add it into your php.ini as well.v

php_sqlsrv_ts.dll
php_sqlsrv.dll <-- non thread safe

go get it, and tell me how it worked for you!

-jorke

Technorati Tags: SQL 2005,PHP,SQL driver

Microsoft contributing to Open Source

jorkeo — Sat, 26 Jul 2008 02:21:22 GMT

This is why I love working for Microsoft - as Nick Hodge often says "This is not your fathers Microsoft";

Sam Ramji Keynoted at Oscon about 3 very cool things:

In short we've submitted code to the ADOdb DAL library to add support for our PHP SQL driver - AND under a Free Software Foundation license. Of course this helps people deploy onto our platform and but most of all helps those developers using PHP applications with DAL to easily have choice between which platform they wish to deploy on.

On top of that we're now part of the Apache Software Foundation and we're part of the Communications Protocol Program under the Open Specification Promise (OSP)

- jorke

Technorati Tags: ADOdb,PHP,Microsoft,Open Source,Windows Server 2008

PHP on IIS7 for Shared Hosting- AWESOME article!

jorkeo — Wed, 25 Jun 2008 08:17:32 GMT

check it out on IIS.NET - http://learn.iis.net/page.aspx/208/fastcgi-with-php/

here are a couple of excerpts from the article that I strongly recommend:

-----------

PHP Security Recommendations

The following recommendations describe how to tighten security of PHP in shared hosting environment. To make the recommended changes locate and open php.ini file and edit it as described below:

Disable remote URL's for file handling functions:
- Set allow_url_fopen=Off
- Set allow_url_include=Off
Disable register_globals:
- register_globals=Off
Restrict where PHP can read and write on a file system, e.g.:
- open_basedir="c:\inetpub\"
Disable safe mode:
- safe_mode=Off
- safe_mode_gid=Off
Limit script execution time:
- max_execution_time=30
- max_input_time=60
Limit memory usage and file sizes:
- memory_limit=16M
- upload_max_filesize=2M
- post_max_size=8M
- max_input_nesting_levels=64
Configure error messages and logging:
- display_errors=Off
- log_errors=On
- error_log="C:\path\of\your\choice"
Hide presence of PHP:
- expose_php=Off

-----------
and how to ensure you can configure your own PHP.INI for each site:
-----------

Specifying php.ini location

When PHP process starts it determines the location of configuration php.ini file by using various settings. The PHP documentation provides detailed description of the PHP start up process. Note that one of the places where PHP process searches for php.ini location is the PHPRC environment variable. If PHP process finds a php.ini file in the path specified in this environment variable then it will use it, otherwise it will revert to default location of php.ini. This environment variable can be used to allow hosting customers to use their own versions of php.ini files.

For example if there are two websites: website1 and website2; located at the following file paths: C:\WebSites\website1 and C:\WebSites\website2 then the php-cgi.exe process pools in <fastCgi> section of applicationHost.config can be configured as below:

This way owner of website1 can place their own version of php.ini into the C:\WebSites\website1, while the owner of website2 can use their own version of php.ini located in C:\WebSites\website2. This configuration also ensures that if there is no php.ini found in location specified by PHPRC environment variable then PHP will fall back to using the default php.ini file located in the same folder where php-cgi.exe is located.
-----------

Check it out in more detail

- jorke

Technorati Tags: PHP on Windows,PHP,IIS 7,FastCGI,IIS7

Installing FTP with IIS7 on 2008 Server Core

jorkeo — Thu, 05 Jun 2008 10:36:51 GMT

I had a few questions from an old colleague, Virgil, who had just built a 2008 server core machine and was having issues configuring FTP. Without asking I knew Virgil would be chasing an FTP server that would have some method of secure transport such as FTPS and pluggable authentication methods, I know this because he's an interoperable kind of guy :)

He'd already been trying to configure this with the default install of FTP that comes with Server 2008, but I recommended that he use the downloadable version from the iis.net website. Only issue here is that you have to uninstall the old FTP server before that will install, then configure the service all over again... so after about 30 minutes of furious IM conversations this is how we did it..

First we uninstalled the FTP Service that comes with 2008 :

start /w pkgmgr /uu:IIS-FTPPublishingService;IIS-FTPServer

Then downloaded the FTP publishing service for IIS 7, with the friendly name of FTP7;
- x86 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619
- x64 - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1620

and installed it:

msiexec /i ftp7_x86_rtw.msi

Once that was in we simply had add the appropriate bindings to the site, like so (Make sure you close your quotes properly or it goes NUTS!) :

c:\windows\system32\inetsrv\appcmd.exe set site /site.name:"Default Web Site" /+bindings.[protocol='ftp',bindingInformation="*:21:"]

then we simply had to set an authorised user to the server:

c:\windows\system32\inetsrv\appcmd.exe set config "Default Web Site" /sectionystem.ftpserver/security/authorization /+[accessType='Allow',permissions='Read,Write',roles='',users='ftpuser'] /commit:apphost

And we were done! (or so we thought!).... On attempting to connect to the FTP server we ended up with the error :

534-Policy requires SSL.
Win32 error: Access is denied.
Error details: SSL policy requires SSL for control channel.
534 End
Login failed.

ahh that's right - by default the FTP install is set to run as FTPS thus requiring a secure connection... to turn off this feature (it was a lab environment and didn't require secure transfer) resulted in a LOT of head scratching, eventually to save time we popped open the applicationhost.config file and and added theses lines in the <site /> tag..:

Not very elegant but served the purpose - a bit more investigation I eventually fell upon the answer using the IIS7 Administration Pack, which allowed me to generate the correct script:

c:\windows\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites /[name='Default Web Site'].ftpServer.security.ssl.controlChannelPolicy:"SslAllow" /[name='Default Web Site'].ftpServer.security.ssl.dataChannelPolicy:"SslRequire" /commit:apphost

And there we go, FTP7 configured on Windows Server 2008 Core - couldn't be easier to script...

- jorke

Technorati Tags: Windows Server 2008,IIS,FTP,FTP7,Server Core

reMIX 08 Australia

jorkeo — Wed, 30 Apr 2008 03:10:03 GMT

reMIX is back this year bigger and faster than ever. I know this is old news but I'm running a little behind at the moment.

Check out the website and Register now for a bargain price of $199 (Inc GST) - we are doing 1 day in 2 cities:

Sydney

    May 20
   Powerhouse Museum
   Harris Street, Ultimo

Melbourne

   May 22
   Melbourne Town Hall
   Cnr Swanston & Collins
   Street, Melbourne

Shanemo and delicategenius are the content head honchos and have done an awesome job of pulling together great speakers and content - checkout the session list.

I've managed to land a speaking gig right before drinks!;

"Bringing Hosters and Developers together with IIS7"* - Come learn about all the great new features in Microsoft Internet Information Services 7 for hosters and web farm managers including creating a highly customizable environment for building scalable and reliable media applications.*

* subject to change!

Many exciting things happening leading up to this, check out your chance to win free tickets, a zune or a silverlight skateboard.

- jorke

Technorati Tags: reMIX,reMIX08,Microsoft,Silverlight,IIS7,Windows Server 2008

Hosting Days Australia - Coming to a City Near you!

jorkeo — Wed, 30 Apr 2008 02:36:24 GMT

via Christian

This years Hosting Days is "Fast Tracking Your Success with FastLane" in a city somewhere close to you, unless you are in Darwin or Alice Springs or Cameron's Corner....

Phil and I have the first track, which is the fun track all about the HOW of hosting.

Go to https://partner.microsoft.com/australia/40048707 to see the agenda and register

see you there!

- jorke

Technorati Tags: Hosting Days,partners,events

Hacked Web Applications causing storm - rattling Windows...

jorkeo — Mon, 28 Apr 2008 16:01:35 GMT

For the past few days a "Cyber attack" has been taking place and according to internetnews.com :

"number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry, putting the infestation at over 500,000"

and f-secure :

"Performing a Google search results in over 510,000 modified pages."

Without pointing out the reporting inconsistencies between servers and pages .... what is actually happening here..

First of all its not at all related to the security advisory that was released last week. Nor is it in fact related to any other security issue with IIS, ASP, ASP.NET or Windows. It's really important to understand that, its all to do with dodgy and insecure development practices.

Well very simply put its an age old SQL injection attack on a web site that modifies the return code adding a hidden link to a site that downloads malware to client viewing the web page. Nothing new technology wise here, just a new method of delivery - which really should not affect those who have kept their machines up-to-date.

In this case the attackers have chosen to target ASP/ASPX based web sites that have poorly written validation methods and deliver their code via a database content management system. The result being that pages on the site will return a hidden script tag that directs to one of the sites listed in the earlier articles - which picks on particular vulnerabilities available on the client machine, not just those related to software developed by Microsoft either.

Well that's all very nice you say - but "How do I protect myself against these kind of attacks?".

The way I see it, there are three areas of responsibility where lies the ability to protect the world against those few malicious people.

1. The Developer - FIX YOUR BROKEN CODE! Seriously - check your code for possible attack vectors and test, test test. I've seen heaps of web sites and web servers compromised due to poorly written or no validation checking. Incorrect security settings deploying to high risk environments. Don't always assume you know who is going to access your app. Don't assume that app will exist with everything local to it. Catch those errors - I could go on. There is heaps of guidance around this - here is a few to start you off:

2.The Client - Keep your machine up-to-date - as Coatsy says "go to update.microsoft.com and Download the golden padlock of goodness" from Microsoft Update.

3. The System Admin / Hoster / Guy who has to run the web server - Hey I sympathise with you most (of course I would!) You have to get a site with poorly written code up and running, and now what? you have to check the thing isn't going to compromise your server? but of course the code supplied doesn't work in your standard low security settings to you need to bend the rules to allow that code to work.. Be Strong!

But you may have been too late, and you have to clean this mess up on your server - how are you going to prevent this malicious code being delivered to and from your server, while keeping everything up and running?

Stop the attack coming in

If you are using IIS7 or URLScan on IIS6.0/5.1 you can filter the request to prevent the incoming attacks. In IIS7 This is what the configuration string looks like in your server wide applicationhost.config file (based on the info in articles):

Stop it going out

This is a little trickier, but due to the awesome modularity of IIS7 (only going to look at this) you can very easily write a module that can look in all the requests scan for the URL sequence in the response and send it to null. More information on doing this is at the IIS.NET website. Hey, if I get enough comments I'll write one and post it up here!

Done and Dusted

What we all need to remember about these kind of attacks is that vulnerability in the web sites being targeted are not limited to just a particular operating system platform. SQL Injection attacks is rampant in many platform agnostic applications and its such a simple thing to prevent.

As you have probably guessed I'm pretty passionate about this subject, and when I see such misguided reports and irrational reactions to incorrect or misunderstood information, it inspires me to ensure that the truth of the issue is available. Speaking personally; In my short time at Microsoft, I have never seen such commitment behind ensuring that the Windows Operating System is the most versatile and secure operating system on earth.

- jorke

Note: Graphics "borrowed" from Microsoft Japan Security Bulletins

Technorati Tags: SQL Injection,Security Vunerability,IIS,Windows,Microsoft

Potential Security Vulnerability for NetworkService / potential new IIS exploit

jorkeo — Fri, 18 Apr 2008 11:25:39 GMT

Important heads up with regards to a potential privilege escalation issue when running under NetworkService – which we all know is the IIS default.... But also note that it requires native code or full trust .NET.

Hosting Providers with Shared Hosting configurations should pay careful attention to this and ensure that they are running a customised version of medium trust at the very least - http://msdn2.microsoft.com/en-us/library/ms998341.aspx. Also be wary of any custom ISAPI extensions - i.e do a code review.

High level summary:

Processes running under Network Service identity can elevate to Local System on XP, Win2k3, Vista and Win2k8. Additionally, on Win2k3 any process running with an identity that has SeImpersonatePrivilege can elevate to Local System, and this privilege is required by IIS worker process identity. The Elevation of Privilege requires running native user code or full-trust managed code.

Our guidance is of course to move your app move WPI away from NetworkService to a windows account. Additionally on Win2k3, our guidance includes disabling Distributed Transaction Coordinator service (to close the hole where any identity with SeImpersonatePrivilege can elevate).

More information here: http://www.microsoft.com/technet/security/advisory/951306.mspx

Let me know if you have any further questions or require advice.

- jorke

UPDATE (6:23pm 18/4/08):

Check out Ken Schaefer's Blog for the origin of this potential issue.

Technorati Tags: Security Vunerability,NetworkService,IIS,exploit