This blog contains reflections and thoughts on my work as a software engineer

søndag den 25. januar 2009

ASP.Classic on IIS7 - the story

So - my encounter with Classic ASP on IIS7  goes like this:

I got a new server set up at home. I installed Windows 2008 Standard Server and mingled with it a bit to get used to it's new user interface etc.

It didn't take long for me to install Internet Information Server. I think it went quite well but I also knew that ASP.Classic websites appearently could cause a few headaches because of security and - well - because it's ASP Classic. Need I say more?

After that I just spent three hours of doing this: Making a simple "Hello world" ASP.Classic page work - like this one:

<%Response.Write("Hello world")%>


How hard could it be? I installed IIS, winged off the right checkboxes (ASP.Classic for one) and Next'ed my way through to "You've succesfully installed blablabla". I rebooted just to be sure that everything was running OK, opened Firefox, hit my webpage and got



403: Forbidden. Access denied



"Sure enough", I thought - "security stuff on ASP.Classic in an IIS7 world". I researched a bit and found numerous examples of people having trouble. So I set up an alternative AppPool - no luck, still 403 error. I checked ISAPI extensions - everything looked good. I tried enabling everything under Authentication - no luck. Actually I was starting to be a little worried until I discovered in Windows Explorer that my default.asp document was being recognized as a Text document. "That's a bit weird" I thought and a cold chill started to build up from the back of my neck and all of a sudden it became painfully clear to me that I just made the brainfart of the Millenium:



When I created default.asp I rightclicked in my webpage folder in Windows Explorer and created a new textfile called "default.asp". However - on my old Win2000 server (and every other machine I operate on) I always uncheck the "Hide extension for known file types"



Untitled 



Thit little, bleeding checkbox is enabled per default in every Windows installation there is - I know because I always turn it off whenever I get a chance to. This time I actually created a file called "default.asp.txt" and guess what? There isn't (and never will be) any default handler for .txt files in IIS7  so it threw 403 errors at me just like it was supposed to do - I just didn't have the brain to breathe for a while and brainstorm on the errormessage thrown at me. I even tried hitting the website with /default.asp because I thought there was something awry with the default extension handler and got this odd message telling me that "default.asp" didn't exist - but even that didn't make me think twice about my "This security IIS7 hell won't get me down" bruteforce problemsolving strategy.



It took me about 2 seconds to rename default.asp.txt to default.asp and a mere 6 to 8 seconds to uncheck the "Hide extension for known filetypes" checkbox. After that everything worked like a charm. Consider this a late New Years Eve Resolution: I promise I'll never mention this to anybody paying my monthly payroll.



Regards Kristian.