It’s been a busy few weeks here in the mattrudge.net tower. Firstly a break-in at the house left me bereft of laptop, digital camera, and other devices. Secondly, while in Italy, our rental car was broken into, which relieved me of my remaining gadgets, and finally a high-level hacking decision was evidently taken to bring down the menace of my NTP server, since I was knocked off the Internet by a Denial of Service attack! For one issue I had to edit the Ubuntu Weekly Newsletter from 3G Internet on my phone!

Anyway, that’s just a moan, and nothing to do with the title of this blog post. Synchronicity is wonderful – I was just actually looking at how to change the tty resolution on a console-only Ubuntu Server, when the same question popped up on the Ubuntu Forums. Read more…

Just in case anyone was wondering, I haven’t been abducted by Linux-loving aliens. Nor have I inexplicably dropped off the face of the planet. The reasons behind my lack of recent posts are firstly – a lack of time; secondly – and happily – my Ubuntu 12.04 installation has been so unbelievably stable that it hasn’t required much tinkering or tweaking at all!

Anyway, this isn’t a technical problem, nor is it specifically Ubuntu-related, but I think it comes under the category of ubuntu with a small “u”; the philosophy of community, mutual support, and giving back when you can. That’s what I thought when I read the June 21st 2012 news release on www.pool.ntp.org. The full release can be read here. The chances are that you’re already using servers of the NTP project – even if you don’t realise it. So I decided to give a bit back and join the pool with my Ubuntu server and static IP. If you want to help out too, then it’s fairly easy to set up. Read more…

Every so often, as most system administrators know, a problem arises on a server, which is interesting, frustrating, time consuming and, ultimately, extremely satisfying to solve. I had this kind of problem recently on one of my Windows Server 2003 boxes. I installed Microsoft Data Protection Manager 2007 to provide snapshots of my other Windows servers, and also wanted this machine to serve some internal web pages. [Note: yes, I know that Microsoft's guidelines state that a DPM server should be single use, and not an application server, but we're only talking about serving 4 or 5 pages generated from a PHP script on my internal network - not exactly taxing!!]

IIS appeared to be set up correctly.  I copied in the web pages,  tried to access them from my workstation and received “Error 403.2 Forbidden – Read Access Forbidden”. I checked all the things you usually check – user permissions, file and directory permissions, IIS permissions through the MMC snap-in.  Everything seemed to be correct.

I checked forums, newsgroups and the Microsoft Knowledge Base, all of which said to check the same things. Oddly, I could view the pages if I opened Internet Explorer on the IIS machine itself, which led me on another wild goose chase of checking firewall settings.

Finally, a newsgroup post led me into the murky world of the IIS Metabase – an XML file of IIS metadata. Much of the data contained here cannot be modified from the IIS user interface snap-in. To view or modify these settings, install the Metabase Explorer from the IIS Resource Kit.

In Metabase Explorer, I expanded the LM/W3SVC/1/ROOT key and checked the AccessFlags property. This was set to 30209, which means that AccessNoRemoteRead and AccessNoRemoteScript bits were set. Resetting them to the normal value of 513 (AccessScript and AccessRead bits set true) for each virtual directory listed in Metabase Explorer, and restarting IIS solved the problem.

IIS 6 Metabase Explorer

The question is…how did these flags, which are not accessible through the standard UI, get set in the first place? Although I haven’t seen it written anywhere, I suspect it’s an undocumented feature of the DPM set-up. Given the warnings about not using the DPM server as an application server, it would appear that DPM modifies the metabase directly and hardens IIS by preventing remote reads.

After that initial few hours of frustration, my slightly expanded use of the DPM server seems to be working fine.

Reference: Microsoft IIS AccessFlags property