Patch for Dynamic IP Restrictions for IIS 7 - Beta

Dynamic IP Restrictions (DIPR) was created to give users a tool to help mitigate the effects of DOS attacks and certain brute-force password breaking attempts. The Out-Of-Band (OOB) feature description is (perhaps more elegantly) outlined on this page: http://www.iis.net/extensions/DynamicIPRestrictions. In short, it is a handy tool that is easy to configure to protect a site/server from certain attacks.

A bug was discovered in the Beta for Microsoft Dynamic IP Restrictions for IIS 7 for which a patch has been released. The bug affects users with site names longer than 22 characters. Installing the feature with a long site name and browsing to that site would result in a distinctive error in the Windows Application logs.

clip_image001

To check whether your version of DIPR beta contains this update, check the Registry. If the value for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS Extensions\DynIpRst\Version is 7.1.0394.0, then the installed DIPR is not updated. This value should be 7.1.0487.0 for the updated version. The fix for the DIPR beta is being distributed in 2 ways: an updated installer (.msi) for a new install and a patch (.msp) for existing installs. These are available through WebPI (the Web Platform Installer) and are also posted on Microsoft Download Center (DLC) and IIS.net (see links included below for where to get the update).

If you do not already have WebPI, I highly recommend trying it out – you can get it here: http://www.microsoft.com/web/downloads/platform.aspx. WebPI is a tool that makes it easy to see available new products or even Web applications and streamlines their installation (including any product dependencies). When you launch WebPI, it will start on the “What’s New?” page. You will either see the update patch in the “Updates” section of WebPI:

clip_image003

Or the full product install will be shown in the “Web Platform Beta Extensions” section:

clip_image005

To manually get the patch or update an existing DIPR beta install, the appropriate .msi or .msp file may be downloaded directly from the Download Center (see section, below, for links to Download Center pages). Run the file, and the installer will guide you through the installation steps. For the full install you may be required to stop WMSvc and WAS (from a command line do a net stop wmsvc and net stop was) prior to installing, such as if you have IP Security installed. Note that the patch install may require you to restart your computer. This may be post-poned to a time of your choosing, but the update may not be effective until after a restart.

Where can I download the updated Dynamic IP Restrictions for IIS 7 – Beta or the patch?

Use WebPI

http://www.microsoft.com/web/downloads/platform.aspx

Go to Microsoft Download Center

x86 full install: http://download.microsoft.com/download/E/6/A/E6AAC86C-847F-408A-8FEE-12818F607D53/dynamiciprestrictions__beta_x86.msi

x64 full install: http://download.microsoft.com/download/A/3/F/A3F92B5E-609F-49C5-82EB-6D09005DD354/dynamiciprestrictions_beta_x64.msi

x86 patch: http://download.microsoft.com/download/A/D/7/AD7DC1B4-C740-4F05-8019-F1EB72326FB2/dyniprestrictions_beta_x86.msp

x64 patch: http://download.microsoft.com/download/7/C/0/7C0EC032-7FFF-4D6B-A846-F72EDC3CE952/dyniprestrictions_beta_x64.msp

Go to IIS.net

x86 full install (patch link in page): http://www.iis.net/downloads/default.aspx?tabid=34&i=1825&g=6

x64 full install (patch link in page): http://www.iis.net/downloads/default.aspx?tabid=34&i=1826&g=6

Tips for a better experience

  • Make sure you have the download for the correct architecture and type (x86 or x64, full install or patch)
  • Back-up your configuration
    • Such as by saving a copy of applicationHost.config and administrationHost.config prior to install
  • Stop WAS and WMSvc before starting the installation (you will have to restart these services after product is installed)
    • net stop was
    • net stop wmsvc

Why does the install wizard ask to uninstall IP Security?

Installing DIPR beta using the (.msi) wizard will require you to uninstall the IP Security feature if it is installed. It is possible for both features to be installed at the same time, but this does have a performance impact, and it is recommended that only one of the 2 features be installed for this reason. WebPI will not uninstall IP Security when installing DIPR beta because it cannot verify the action with the user, and DIPR beta will not remove an installed feature without the user “OK”. IP Security may be removed after installing DIPR beta, but the IP restriction configuration and settings will be lost, so be conscious of this action.

Do I have to restart my computer?

The patch install may require you to restart your computer whether using WebPI or the .msp directly. If this is inconvenient, the restart may be postponed, but the update may not be effective until after a restart. Recycling WAS or doing an iisreset /restart may have a similar effect. Even if the patch is “actively working,” WebPI will not continue to install other features until after the restart has been completed.

No Comments