[THIN] Re: STA and the IISLOCKD tool

  • From: Drazen Vidakovic <drazen@xxxxxxxxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 14 Aug 2002 10:54:31 +1200

Yes, I just did it 10 min ago and it works.
There is an article about that on Citrix user group from Edward R. Chu.
I followed what he wrote and I have it working.

After much experimentation, I found the answer to my own question. Here it 
is for any readers.

Assuming that you have a dedicated STA server and don't want to use the IIS 
for any other purpose, you need to run IISLockD and choose the following items:
1) Choose the "Other" template. This basically means custom.
2) Allow only the base web service.
3) Check ALL the script maps. STA doesn't appear to use ANY scripts at all.
4) In "Additional security" check everything except the Scripts virtual 
directory (STA puts a config file and a .DLL in this folder) and "writing 
to content directories" (I'm guessing STA needs to write its tickets to a 
folder).
5) You can install URLScan with all default settings. Like I said, STA 
doesn't use any scripts so you can lock this down severely if you want.

Drazen


At 14:06 13/08/2002 -0700, you wrote:

>
>Anyone?
>
>Thanks,
>
>CHRIS LYNCH -  MCSE, CCNA, CCA
>NETWORK ENGINEER - INFORMATION TECHNOLOGY
>NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
>Chris.lynch@xxxxxxxxxx  Tel 949.367.3406
>
>
>-----Original Message-----
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
>Behalf Of Chris Lynch
>Sent: Monday, August 12, 2002 4:57 PM
>To: TheThin. net
>Subject: [THIN] STA and the IISLOCKD tool
>
>
>
>
>Has anyone used the IISLOCKD tool on the Secure Ticket Authority?  I
>know that the STA is internal with no outside world access, but I
>just wanted to know if anyone has gotten this to work.  I have been
>asked by our Information Protection department about this, since the
>server is an IIS server, they don't want any exploited services on
>the internal network.
>
>Yeah, I know.  Then don't run IIS.
>
>Thanks for any and all input,
>
>CHRIS LYNCH -  MCSE, CCNA, CCA
>NETWORK ENGINEER - INFORMATION TECHNOLOGY
>NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
>Chris.lynch@xxxxxxxxxx  Tel 949.367.3406
>
>
>
>
>===================================
>This weeks Sponsor:
>ThinPrint
>- High resolution, DRIVER FREE PRINTING with no loss of quality in color.
>- Removes print spooling and rendering tasks from your terminal server.
>http://www.thinprint.com
>===================================
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link.
>
>http://thethin.net/citrixlist.cfm
>

Drazen Vidakovic
Technical System Architect
LegislationDirect, Blue Start Print Group
Drazen.Vidakovic@xxxxxxxxxxxxxxxxxxxxxxx
Drazen.Vidakovic@xxxxxxxxxxxxxxxx
+64 4 495 2802
+64 274 530 876


