Friday, May 29, 2015

Friday, May 22, 2015

Convert .htaccess deny rules to web.config

Recently I was looking for an easy way to convert a large list of spammer and hacker IP addresses from Apache .htaccess allow/deny rules into a format I could use on our IIS server. I found that there is really no good way to do this, but after some work and a bit of coding, here is a solution.

This solution lets you take a large list of access rules and apply them to an IIS website. Because the rules go into the site's web.config as a file, there is no need to add each address by hand in IIS Manager.

Collect your List of Rules

I used the following as a general blacklist of malicious and spammer clients to block. There are other sources, or you may have your own list. Compile all the lists into one file and don't worry about duplicates; the script later on will resolve those.

Convert the Rules to Web.config Equivalents

I have created a simple JavaScript tool to convert the above lists into web.config rules. To do this, go here and enter all your rules into the first text box. Make sure you supply all rules at once so that they can be de-duplicated. If duplicates remain, the site will not load: IIS keys each ipSecurity entry on its ipAddress/subnetMask pair and rejects the web.config with a 500.19 "duplicate collection entry" configuration error.

Ensure you have the Features Installed

Next, log on to your server and make sure the Web Server (IIS) > Web Server > Security > IP and Domain Restrictions role service is installed. You may need to add it, as it is not selected by default.

Apply your new Rules

Finally, open the web.config for each of your main sites and add the generated entries inside the system.webServer/security/ipSecurity section. Note that IIS locks this section at the server level by default, so a site-level web.config can only carry it once it has been unlocked (IIS Manager > Feature Delegation > IP Address and Domain Restrictions > Read/Write, or appcmd unlock config -section:system.webServer/security/ipSecurity); otherwise the site fails with a 500.19 error saying the section cannot be used at this path. Save, then check the result: a request from a listed address should get HTTP 403.6 (IP address rejected) and a request from your own address should still succeed, so make sure your own management addresses are not in the list before you apply it.

Example Web.config File
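As an added example for the conversion step and for this section (my code, not the author's JavaScript tool), the following converter turns Apache "allow/deny from" and 2.4-style "Require [not] ip" rules into IIS ipSecurity entries and prints a complete web.config fragment. It normalises every rule to network address plus dotted mask and de-duplicates on the ipAddress/subnetMask pair that IIS uses as the entry key, maps "deny from all" to allowUnlisted="false", and reports hostnames and IPv6 tokens as skipped. The function names convertHtaccess, parseApacheAddress and toWebConfig are mine, and the sample rules are constructed from documentation ranges, not a real blacklist.

```javascript
// Added example: a converter in the spirit of the post's tool (not the
// author's code). Apache "allow/deny from" and 2.4-style "Require [not] ip"
// rules become IIS <add> entries, normalised to network address + dotted
// mask and de-duplicated, since IIS rejects a web.config with two entries
// sharing the same ipAddress/subnetMask pair. IPv4 only; hostnames and IPv6
// tokens are reported as skipped so they can be handled by hand.

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function intToIpv4(n) {
  return [24, 16, 8, 0].map(s => (n >>> s) & 255).join('.');
}

function prefixToMask(bits) {
  return bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
}

// One Apache address token -> { ipAddress, subnetMask } in network form, or
// null. Accepts a.b.c.d, a.b.c.d/nn, a.b.c.d/m.m.m.m and partials ("10.1").
function parseApacheAddress(token) {
  const [addr, maskPart] = token.split('/');
  const isOctet = o => /^\d{1,3}$/.test(o) && Number(o) <= 255;
  const octets = addr.split('.');
  if (octets.length > 4 || !octets.every(isOctet)) return null;

  let bits;
  if (maskPart === undefined) {
    bits = octets.length * 8;                      // "10.1" means 10.1.0.0/16
  } else if (/^\d{1,2}$/.test(maskPart) && Number(maskPart) <= 32) {
    bits = Number(maskPart);                       // CIDR prefix length
  } else if (maskPart.split('.').length === 4 && maskPart.split('.').every(isOctet)) {
    const inv = (~ipv4ToInt(maskPart)) >>> 0;      // dotted mask: ones must be contiguous
    if ((inv & (inv + 1)) !== 0) return null;
    bits = 32 - Math.round(Math.log2(inv + 1));
  } else {
    return null;
  }
  while (octets.length < 4) octets.push('0');
  const mask = prefixToMask(bits);
  const network = (ipv4ToInt(octets.join('.')) & mask) >>> 0;
  return { ipAddress: intToIpv4(network), subnetMask: intToIpv4(mask) };
}

// Parse a whole .htaccess text into unique entries. "deny from all" maps to
// allowUnlisted="false"; the first rule seen for a network wins.
function convertHtaccess(text) {
  const seen = new Set();
  const entries = [];
  const skipped = [];
  let allowUnlisted = true;                        // Apache default without "deny from all"

  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    let m, allowed, targets;
    if ((m = line.match(/^(allow|deny)\s+from\s+(.+)$/i))) {
      allowed = m[1].toLowerCase() === 'allow';
      targets = m[2];
    } else if ((m = line.match(/^require\s+(not\s+)?ip\s+(.+)$/i))) {
      allowed = !m[1];
      targets = m[2];
    } else {
      continue;                                    // "order", RewriteRule etc. are not address rules
    }
    for (const token of targets.trim().split(/\s+/)) {
      if (/^all$/i.test(token)) { allowUnlisted = allowed; continue; }
      const parsed = parseApacheAddress(token);
      if (!parsed) { skipped.push(token); continue; }
      const key = `${parsed.ipAddress}/${parsed.subnetMask}`;
      if (seen.has(key)) continue;
      seen.add(key);
      entries.push({ ...parsed, allowed });
    }
  }
  return { entries, skipped, allowUnlisted };
}

// Wrap the entries in the web.config path the post names:
// system.webServer/security/ipSecurity.
function toWebConfig({ entries, allowUnlisted }) {
  const adds = entries.map(e =>
    `        <add ipAddress="${e.ipAddress}" subnetMask="${e.subnetMask}" allowed="${e.allowed}" />`);
  return ['<configuration>', '  <system.webServer>', '    <security>',
    `      <ipSecurity allowUnlisted="${allowUnlisted}">`, ...adds, '      </ipSecurity>',
    '    </security>', '  </system.webServer>', '</configuration>'].join('\n');
}

// Constructed sample input using documentation ranges; not a real blacklist.
const sampleHtaccess = `
# constructed sample
order allow,deny
deny from 192.0.2.10
Deny from 192.0.2.10
deny from 198.51.100.0/24 198.51.100.77/24
deny from 203.0.113
deny from 203.0.113.0/255.255.255.0
deny from spammer.example 2001:db8::/32
allow from all
`;

const result = convertHtaccess(sampleHtaccess);
console.log(toWebConfig(result));                   // 3 unique <add> entries
console.log('skipped:', result.skipped.join(', ')); // spammer.example, 2001:db8::/32
```

The output for the sample is one `<add>` each for 192.0.2.10/255.255.255.255, 198.51.100.0/255.255.255.0 and 203.0.113.0/255.255.255.0; the repeated host, the host inside an already-listed /24 and the dotted-mask duplicate all collapse, which is exactly the de-duplication the post warns you need before IIS will accept the file. Because an address can only appear once per mask in IIS, the converter keeps the first rule it sees for a network; if your lists mix allow and deny for the same address, reorder them so the rule you want comes first.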

Tuesday, May 5, 2015

Manually replace an SSL Certificate in IIS 7

Recently I was trying to update SSL certificates on our Windows Server running IIS 7, and when trying to complete the Certificate Request I was getting a cryptic error.

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met.

In short, I wasn't able to find much help on this, but after much fiddling I found an alternate procedure to import SSL certificates in PKCS#7 or X.509 format.

The error means the Complete Certificate Request dialog could not parse the file it was given as ASN.1, usually because the file is not in the encoding it expects. Instead of importing the certificate through IIS, add it to the certificate store manually as follows, then refresh the Server Certificates view in IIS Manager and it will show up as expected.

  1. Save the certificate file and make sure it is accessible on the server.
  2. On the server open up MMC.
    1. Start > Run > MMC
  3. Add the Certificates snap-in twice, once for each store.
    1. File > Add/Remove Snap-in
    2. Select Certificates > Add > My user account > Finish
    3. Select Certificates > Add > Computer account > Next > Local computer > Finish
    4. Click OK
  4. Check both Current User and Local Computer for old certificates to remove.
    1. Look under Personal > Certificates.
    2. Remove the old certificate you are replacing by selecting it and pressing Delete. If you want a rollback path, do this only after the new certificate is bound and working.
  5. Import the new certificate by either method.
    1. Double-click it in the file browser and choose Install Certificate.
    2. Under Local Computer > Personal, right-click and select All Tasks > Import.
  6. Move the new certificate to the proper store.
    1. The double-click wizard usually places the certificate under Current User, so expand Current User > Personal > Certificates or Current User > Other People > Certificates to find it. If you used the Import wizard under Local Computer it is already in the right place.
    2. Verify the expiration date to ensure you have found the new certificate and not the old one.
    3. Drag the certificate into the Local Computer > Personal > Certificates store.
  7. Look up the certificate thumbprint.
    1. Now that the certificate is in the proper store, double-click it to view the details.
    2. On the Details tab click Edit Properties and set the Friendly name to the domain name; this is the name IIS Manager shows in its Server Certificates list. The Common Name is part of the signed certificate and cannot be edited.
    3. Click OK, then scroll the Details list to Thumbprint and copy the value to your clipboard.
  8. Attach the private key.
    1. Open an elevated Command Prompt.
      1. Start > type cmd > right-click > Run as administrator
    2. Enter the following command, replacing the sample thumbprint with the value you copied. Keep the quotation marks, and type them and the hyphen yourself rather than pasting them from a web page, since curly quotes or a dash will make certutil fail to parse the command.
    3. certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
    4. Go back to the certificate in the Local Computer Personal store and refresh (F5). A small key icon now appears on it, and the General tab states that you have a private key that corresponds to this certificate. Without the private key IIS cannot use the certificate for an HTTPS binding.
    5. This only works if the certificate request (CSR) was generated on this server, because that is where the private key lives. If the request was made on another machine, complete it there, export the certificate with its private key as a .pfx, and import the .pfx on this server instead.
  9. Go back to IIS Manager and the certificate will appear under Server Certificates.
    1. If you don't see the new certificate, it either wasn't moved to the proper store or doesn't have the private key required to function.