Scenario:

Simple file upload application using ColdFusion 8 on IIS 6 and Windows 2003 server. The application allows for large files to be uploaded to the server for backend processing. File sizes range from 10MB - 300 MB.

Problem:

File upload fails for files greater than 30MB.

Analysis:

Several options were investigated including the following:

• Maximum upload file size in ColdFusion (located in the CF administrator)
• IIS time out settings 
• IIS minbytespersec settings in the Metabase.xml file

None of these worked. We also spoke with the ISP regarding throttling on the firewall, which was not the issue.

Resolution:

The server was locked down as part of our security policy with UrlScan installed to mask certain server information. One of the settings in options in urlscan.ini is MaxAllowedContentLength which is set to 30MB by defualt. Here is an excerpt from the Technet article:

MaxAllowedContentLength=30000000
The MaxAllowedContentLength enforces a maximum value, in bytes, on the content length. It does not actually prevent the server from reading more data than what this value is set to. For example, if a client makes a chunk transfer encoded POST, this option does not track the size of the entity in the request. The default value is 30000000

Increasing this value to 300MB allowed the uploads to work correctly. The full article can be found at http://technet.microsoft.com/en-us/library/cc751376.aspx

Thanks goes to Rackspace UK technical support, even thought they didn't identify the exact problem, their input helped tremendously in finding a solution. Rackspace UK is the best dedicated hosting solution ever!

Happy Coding!

Scenario:

The web application has two components, a private upload area and a public download area. To upload a file you must be logged in via HTTP Authentication in IIS (v6 on Windows 2003). The file is uploaded to a non-web accessible uploads folder. Downloads are public and are allowed for anyone who has the unique file key that identifies a specific uploaded file. The IIS web user (the account that PHP uses) has full access to the uploads directory.

Problem:

Files that are uploaded by authorised users cannot be downloaded in the public area.

Analysis:

After close examination, it was noticed that the IIS user has no access to the uploaded files even though the user has full access to the uploads directory.

Resolution:

By default PHP uploads all files to a directory identified by the upload_tmp_dir entry in php.ini, which on Windows systems defaults to C:\Windows\Temp, when the upload is completed the file is then moved to the target directory as specified by the upload script. The problem is actually with the way Windows handles security, the uploaded file gets the permissions of the Temp directory, when copied to the final directory, it keeps the permissions of the Temp directory and not the permissions of the final directory. That is, if the file is uploaded to Temp and the IIS web user does not have permissions on the Temp folder, when the file is copied to the uploads directory the IIS web user will still NOT have permissions on the file. The solution to the problem is actually quite simple, give the IIS web user the required permissions on the directory specified by upload_tmp_dir.

I cannot take credit for this solution, however, I can't find the post that had this solution again. I will keep looking and post the link to the original post when I find it again.

Happy Coding!

I am guilty of an unforgiveable crime. I deployed an unsecured webserver and in IT that is THE ULTIMATE IN STUPIDITY! I am sorry and will not let it happen again. As a result the server was infected and became a zombie covertly attacking other servers. 

The machine was infected with the Downandup/Conficker trojan. This attacks unpatched Windows servers deploys software that prevents the machine from visiting security related websites and running security software. The software also disabled automatic updates on the server, which is a big deal! It was very difficult to remove. In the end tools from McAfee, Norton, Microsoft got rid of the infection. See a list of software that was used to clean the machine below.

So here is a little information on securing a webserver on the cheap. Even though this is not the idea solution it will prevent all but the most determined attacks. All of these solutions are software based. I would recommend a hardware firewall but again, this is the el cheapo solution.

• Ensure that automatic updates are enabled and that the machine is currently updated with the latest OS patches.
• Install a firewall. I've reviewed a few options but chose the Outpost Pro Firewall (http://www.agnitum.com/products/outpost/) which was easy to set up, extremely intuitive, had a very good learning mode and was very affordable. It also includes an antispy and web protect component. The web component is used for web surfing, since this is for a web server, no one should be browsing the net from this machine! One configuration setting that is important is to set the firewall to run in stealth mode so it makes it look like the computer simply isn't there.
• Install an antivirus program. This is optional in my opinion, if you are starting with a clean machine and have sufficiently protected it. However, it is a good idea to periodically run virus scans on the machine.

A list of the software used to remove the infection:

• http://download.microsoft.com/download/4/A/A/4AA524C6-239D-47FF-860B-5B397199CBF8/windows-kb890830-v2.6.exe (Microsoft Malicious Software Removal Tool)
• http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
• CSI Prevx - This is a paid for tool, however, it detects an EXE file that is related to the infection that the above tools did not detect. In the free mode you can detect the file and manually delete it once you have run the products listed above.

I was having a problem viewing the event logs on my windows 2003 domain controller. The specific error message was ""Unable to complete the operation on 'Application'. Access is denied"". This was very strange because I logged in as Administrator and should be able to access everything. The solution to this was quite simple, although I don't know how this happened in the first place. The Administrator cannot be part of either Domain Guests or Guest accounts. The security policies are applied in a very peculiar order and diminish the privileges of the Administrator.