Many WordPress uses prefer to host their web sites on a Linux server so that they can get rid of the index.php that get’s in to the URL by using mod_rewrite module on Linux. This is not supported on Windows Server’s IIS.

The main idea is to make the URL more simple and SEO friendly. Normally, when you setup PermaLinks in IIS, we get something like this:

http://www.yourwordpresssite.com/index.php/2009/08/02/your-blog-post/

This means that each link to the post carries index.php in the URL which is not good. Outlined below are steps that can help to achieve the same results for a WordPress site on a Windows Server running IIS.

STEP: 1

Get the URL rewriting component on the Windows Server hosting your WordPress site. If you are not in control of the server or are not the server administrator, you can request the setup of the component from them. Click here to download the component from the vendor’s site. The component is absolutely free and distributed under GNU General Public License.

STEP: 2

Once the component is downloaded, copy the wp-url-rewriting.dll file to the Windows Server’s SYSTEM32 directory. Register the component so that it is available to IIS by using the REGSVR32 WP-URL-REWRITING.DLL command from the command prompt.

Note: You may get an error that the DLL entry point was not found, but let that not bother you.

STEP: 3

Once the DLL is registered, login to your WordPress admin area and navigate to PermaLinks and change the common setting to use Custom Structure. Add /%category%/%postname%/ as the choice and Save Changes.

That’s it! We are done. WordPress should now show the URL’s without the index.php in it.

I invite everyone to share their experience or any other methods that they might have used.

ActivePerl is a complete, ready-to-install Perl distribution for Windows and includes Perl Core, Perl Package Manager, Installers, Online Documentation, Windows Version Extras, Perl for ISAPI, PerlEx, PerlScript and PerlEz.

It is recommended to have 90MB hard disk space for a typical install. To get started, download the latest version of Perl from ActiveState (http://www.activestate.com)

Once the download process has completed, double click on the program to begin the installation process.

Choose Next to continue. You will be presented with the standard license agreement.

Accept the End-User License Agreement and choose Next to continue.

You can change the installation path to match your setup from here. For this example, we have used F:\Perl. You can even choose not to install the Examples files if you want. Once the selections have been done, click Next to continue.

On the next screen in the setup wizard, verify that the following choices are selected:

·  Add Perl to the PATH environment variable

·  Create Perl file extension association

·  Create IIS script mapping for Perl

Click Next to continue to the review screen in the setup wizard.

Click Install to begin the installation process. The installation will take a few minutes and once the installation is done click Finish to complete the installation process. That’s it, Perl has been installed and integrated with IIS.

To verify that the Perl path is set correctly and available to IIS, Right Click on My Computer and select Properties.

Select the Environment Variables from the Advanced tab and verify the path listed under System Variables.

Choose OK to close the current window. We have successfully installed Perl.

Start by creating a directory into which you will extract the downloaded PHP files. In this example I’m going to use C:\PHP as my installation directory. Then extract the files from the zip into C:\PHP. Please check the PHP website for latest PHP release.

If you need to use the additional PECL modules then extract the files from the PECL Zip into the C:\PHP\ext directory.

Next locate the file ‘php.ini-recommended’ in C:\PHP and rename it to ‘php.ini’ (without the quotes of course)
 
Open the ‘php.ini’ file and find the line which reads extension_dir = “./” and change it to extension_dir = “C:\PHP\ext”. This tells PHP where the various extensions are located. If you open the default PHP.INI file which ships with the ZIP file you can see that the default path in the ‘php.ini-recommended’ file points to the wrong location, so you need to change it.

You also need to add the location of your PHP directory to the server’s PATH environment variable so that Windows knows where to look for any PHP related executables (such as the PHP extension DLL‘s). To do this Right-click on My Computer, click Properties and on the Advanced tab click Environment Variables. In the Environment Variables dialog box, under System Variables highlight the Path variable and click Edit.

Add ‘;C:\PHP’ (be sure to include the semi-colon separator) as shown here and click OK. You will need to re-boot the server for this change to take effect as system variables are loaded when the server starts up.

If you browse through the ‘php.ini’ file you will see an entry describing the ‘cgi.force_redirect’ property. You will also see a statement telling you that if you are using IIS you ‘MUST’ turn this off. However, this only applies if you are using the CGI version of PHP (i.e. php-cgi.exe) Since we are using the ISAPI version of PHP we can safely ignore this.

Configuring IIS (Only if required)

There are a few simple steps you need to take in order to get PHP working under IIS 6.0

First we need to create and then enable an appropriate Web Service Extension so that IIS will both recognize and allow PHP files to be processed by the appropriate script engine.

You can use the Internet Information Services (IIS) Manager GUI method to perform this task but there is a much quicker way of doing this; namely using the ‘iisext.vbs’ Command-Line Administration Script, which you will find in C:\Windows\system32 by default.

Assuming you are using the same directory structure as I am in this walkthrough you can simply copy and paste the following line of text and execute it at a command prompt from C:\Windows\system32 :

cscript iisext.vbs /AddFile c:\PHP\php5isapi.dll 1 PHPISAPI 1 “PHP ISAPI”

As you can see, this script creates a new Web Service Extension named “PHP ISAPI” with a status of Allowed.
 

The IIS 6.0 Command-Line Administration Scripts are very powerful and flexible tools and I would recommend using them wherever possible.

OK, now we are ready to test our PHP installation. Start by creating a simple PHP test file. Open Notepad on the server and copy the following line into a new text file: <?php phpinfo(); ?>

Save the file as index.php in the root of the test web site. Next create a new default document type of index.php on the test web site (this step is optional but it just makes browsing a bit easier)

Browse the site and you should see the standard PHP configuration details page

However, if you look carefully at the above page you will notice it is indicating that my ‘php.ini’ file is actually located in ‘C:\WINDOWS’ even though there is no such file in my C:\WINDOWS directory. This is because the ‘php5isapi.dll’ file is actually compiled with this location as its default value. A number of existing PHP and IIS tutorials suggest that you should copy the ‘php.ini’ file to the C:\WINDOWS directory – but what if you don’t want to do that?

Well, you don’t have to because PHP allows you to actually configure a custom value for the ‘php.ini’ file location. There are a number of ways to do this but perhaps the simplest is to configure the PHPRC environment variable.

To demonstrate how this works I am going to create a new folder called ‘C:\inifile’ and instruct PHP to read its configuration data from the ‘php.ini’ file in this location (in practice you may prefer to leave your ‘php.ini’ file in the C:\PHP directory)

In order to do this I need to create a new System environment variable named ‘PHPRC’ and provide the appropriate values. Right-click on My Computer, click Properties and on the Advanced tab click Environment Variables.

In the Environment Variables dialog box, under System Variables click New. In the New System Variable dialog box type PHPRC for the variable name and then enter the desired path to your ‘php.ini’ file’s location.

Then click OK and you will see that a new System environment variable has been created. In order for this to take effect you need to re-boot the server at this stage.

#Note
As an alternative, you can edit the registry and specify the location of your configuration file. The main benefit of the registry edit method is that it doesn’t require a re-boot – in testing this method I found that any changes made would take effect once the application pool serving the web site was recycled. However, choose whichever method you feel most comfortable with and which fits your requirements.

Now if we browse the site we can see that PHP is indeed looking for its ‘php.ini’ file in the ‘C:\inifile’ location which I specified previously.

And that’s it. You should now have a working installation of PHP running on IIS 6.0.

This article focuses on how some simple steps can help server administrators block hack attacks on an IIS 6.0 Web Server running on Windows 2003.

Hacking a Web Server
With the advent of Windows 2003 and IIS 6.0 there was a sharp turn in the way hosting services were being provided on Windows platform few years back. Today, web servers running on Internet Information Services 6.0 (IIS 6.0) are highly popular worldwide – thanks to the .NET and AJAX revolution for designing web applications. Unfortunately, this also makes IIS web servers a popular target amongst hacking groups and almost every day we read about the new exploits being traced out and patched. That does not mean that Windows is not as secured as Linux. In fact, it’s good that we see so many patches being released for Windows platform as it clearly shows that the vulnerabilities have been identified and blocked.

Many server administrators have a hard time coping up with patch management on multiple servers thus making it easy for hackers to find a vulnerable web server on the Internet. One good way I have found to ensure servers are patched is to use Nagios to run an external script on a remote host, in turn alerting on the big screen which servers need patches and a reboot after the patch has been applied. In other words, it is not a difficult task for an intruder to gain access to a vulnerable server if the web server is not secured and then compromise it further to an extent that there is no option left for the administrator but to do a fresh OS install and restore from backups.
Many tools are available on the Internet which allows an experienced or a beginner hacker to identify an exploit and gain access to a web server. The most common of them are:

IPP (Internet Printing Protocol) – which makes use of the IPP buffer overflow. The hacking application sends out an actual string that overflows the stack and opens up a window to execute custom shell code. It connects the CMD.EXE file to a specified port on the attacker’s side and the hacker is provided with a command shell and system access.

UNICODE and CGI-Decode – where the hacker uses the browser on his or her computer to run malicious scripts on the targeted server. The script is executed using the IUSR_<computername> account also called the “anonymous account” in IIS. Using this type of scripts a directory transversal attack can be performed to gain further access to the system.

Over these years, I’ve seen that most of the time, attacks on a IIS web server result due to poor administration, lack of patch management, bad configuration of security, etc. It is not the OS or the application to blame but the basic configuration of the server is the main culprit. I’ve outlined below a checklist with an explanation to each item. These if followed correctly would help prevent lot of web attacks on an IIS web server.

Secure the Operating System
The first step is to secure the operating system which runs the web server. Ensure that the Windows 2003 Server is running the latest service pack which includes a number of key security enhancements.

Always use NTFS File System
NTFS file system provides granular control over user permissions and lets you give users only access to what they absolutely need on a file or inside a folder.

Remove Unwanted Applications and Services
The more applications and services that you run on a server, the larger the attack surface for a potential intruder. For example, if you do not need File and Printer sharing capabilities on your shared hosting platform, disable that service.

Use Least Privileged Accounts for Service
Always use the local system account for starting services. By default Windows Server 2003 has reduced the need for service accounts in many instances, but they are still necessary for some third-party applications. Use local system accounts in this case rather than using a domain account. Using a local system account means you are containing a breach to a single server.

Rename Administrator and Disable Guest
Ensure that the default account called Guest is disabled even though this is a less privileged account. Moreover, the Administrator account is the favorite targets for hackers and most of the malicious scripts out there use this to exploit and vulnerable server. Rename the administrator account to something else so that the scripts or programs that have a check for these accounts hard-coded fail.

Disable NetBIOS over TCP/IP and SMB
NetBIOS is a broadcast-based, non-routable and insecure protocol, and it scales poorly mostly because it was designed with a flat namespace.  Web servers and Domain Name System (DNS) servers do not require NetBIOS and Server Message Block (SMB). This protocol should be disabled to reduce the threat of user enumeration.
To disable NetBIOS over TCP/IP, right click the network connection facing the Internet and select Properties. Open the Advanced TCP/IP settings and go to the WINS tab. The option for disabling NetBIOS TCP/IP should be visible now. To disable SMB, simply uncheck the File and Print Sharing for Microsoft Networks and Client for Microsoft Networks. A word of caution though – if you are using network shares to store content skip this. Only perform this if you are sure that your Web Server is a stand-alone server.

Schedule Patch Management
Make a plan for patch management and stick to it. Subscribe to Microsoft Security Notification Service (http://www.microsoft.com/technet/security/bulletin/notify.asp)  to stay updated on the latest release of patches and updates from Microsoft. Configure your server’s Automatic Update to notify you on availability of new patches if you would like to review them before installation.

Run MBSA Scan
This is one of the best way to identify security issues on your servers. Download the Microsoft Base Line Security tool and run it on the server. It will give you details of security issues with user accounts, permissions, missing patches and updates and much more.

That’s it to the basic of securing the operating system. There are more fixes which can be performed for further securing the server but they are beyond the scope of this article. Let’s now move on to securing the IIS web server.
IIS 6.0 when setup is secured by default. When we say this, it means that when a fresh installation of IIS is done, it prevents scripts from running on the web server unless specified. When IIS is first installed, it serves only HTML pages and all dynamic content is blocked by default. This means that the web server will not serve or parse dynamic pages like ASP, ASP.NET, etc. Since that is not what a web server is meant to do, the default configuration is changed to allow these extensions.

Listed below are some basic points that guide you to securing the web server further:

• Latest Patches and Updates
  Ensure that the latest patches, updates and service packs have been installed for .NET Framework. These patches and updates fix lot of issues which enhances the security of the web server.
• Isolate Operating System
  Do not run your web server from the default InetPub folder. If you have the option to partition your hard disks then use the C: drive for Operating System files and store all your client web sites on another partition. Relocate web root directories and virtual directories to a non-system partition to help protect against directory traversal attacks.
• IISLockDown Tool
  There are some benefits to this tool and there are some drawbacks, however, so use it cautiously. If your web server interacts with other servers, test the lockdown tool to make sure it is configured so that connectivity to backend services is not lost.
• Permissions for Web Content
  Ensure that Script Source Access is never enabled under a web site’s property. If this option is enabled, users can access source files. If Read is selected, source can be read; if Write is selected, source can be written to. To ensure that it is disabled, open IIS, right click the Websites folder and select Properties. Clear the check box if it is enabled and propagate it to all child websites.
• Enable Only Required Web Server Extensions
  IIS 6.0 by default does not allow any dynamic content to be parsed. To allow a dynamic page to be executed, you need to enable the relevant extension from the Web Service Extensions property page. Always ensure that “All Unknown CGI Extensions” and “All Unknown ISAPI Extensions” are disabled all the time. If WebDAV and Internet Data Connector are not required, disable that too.
• Disable Parent Paths
  This is the worst of all and thanks to Microsoft, it is disabled in IIS 6.0 by default. The Parent Paths option permits programmers to use “..” in calls to functions by allowing paths that are relative to the current directory using the ..\notation. Setting this property to True may constitute a security risk because an include path can access critical or confidential files outside the root directory of the application. Since most of the programmers and third-party readymade applications use this notation, I leave it up to you to decide if this needs to be enabled or disabled. The workaround to Parent Paths is to use the Server.MapPath option in your dynamic scripts.
• Disable Default Web Site
  If not required, stop the Default Web Site which is created when IIS 6.0 is installed or change the property of Default Web Site to run on a specific IP address along with a Host Header. Never keep it running on All Unassigned as most of the ready-made hacking packages identify a vulnerable web server from IP address rather than a domain name. If your Default Web Site is running on All Unassigned, it means that it can serve content over an IP address in the URL rather than the domain name.
• Use Application Isolation
  I like this feature in IIS 6.0 which allows you to isolate applications in application pools. By creating new application pools and assigning web sites and applications to them, you can make your server more efficient and reliable as it ensures that other applications or sites do not get affected due to a faulty application running under that pool.

Summary
All of the aforementioned IIS tips and tools are natively available in Windows. Don’t forget to try just one at a time before you test your Web accessibility. It could be disastrous if all of these were implemented at the same time making you wonder what is causing a problem in case you start having issues.

One final tip: Go to your Web server and Run “netstat –an” (without quotes) at the command line. Observe how many different IP addresses are trying to gain connectivity to your machine, mostly via port 80. If you see that you have IP addresses established at a number of higher ports, then you’ve already got a bit of investigating to do.