May 2001

The W3who.dll ISAPI Filter


The Windows 2000 Resource Kit

The Microsoft Windows 2000 Resource Kit's W3who tool is an Internet Server API (ISAPI) filter for testing a Web site from a browser. You can call w3who.dll from an .html or Active Server Pages (ASP) file, and the tool returns an HTML stream to the browser with information about the server configuration and the browser's connection.

When you configure a server or set up security on a Web site, you need to understand how those parameters affect users who connect to the Web site. Often, making sure that you have configured the server correctly is difficult. For instance, if your site uses Basic or Integrated Windows authentication, how can you determine the security context of your users? How can you determine what privileges users have? This tool comes in handy in such situations.

You can use w3who.dll with different user logons to see the security context of each user. The tool's output displays information about the server and site as well as related information about the reference to the page. W3who.dll pulls this information from the HTTP variables that IIS sends with the HTML stream.

Setting Up the Tool
To use w3who.dll, you must set up the file in the Web site in which you want to use it, then create an .htm or .asp page to access the DLL. To set up the file in a Web site, copy w3who.dll from the Resource Kit directory (the default is C:\program files\resource kit) to the Web site or virtual directory folder you're going to test. You must place the DLL in the Web site or virtual directory you're testing because the tool reports results for the directory in which it resides.

Next, you need to configure the Web site or virtual directory. Here's an easy way to install the filter:

  1. Open the Microsoft Management Console (MMC) Internet Information Services snap-in.
  2. Right-click the Web site or virtual directory that you're testing, then select Properties.
  3. Click the Home Directory tab for a Web site or the Directory tab for a virtual directory.
  4. For the DLL to function, you must select Scripts and Executables from the Execute Permissions drop-down list, as Figure 1 shows. Click OK.

Using the Tool
To use w3who.dll, you must create a Web page to access it. The documentation shows two HTML versions to call the DLL. To set up this Web page, open Notepad or Microsoft FrontPage, and create a new file in the Web site or virtual directory you're testing. Name the file w3whotester.htm. Add the text

<a href="w3who.dll">Who are you</a>

to the file, and save it. Now, you can use the DLL.

To see the results of the test, view the test page in a browser, and click the Who are you URL. For instance, to run the test on my test system, I used the URL http://myserver/my%20stuff/w3whotester.htm. The first test I ran was on the My Stuff virtual directory with authentication set to Anonymous and Integrated Windows. This test displayed in the browser the results that Figure 2 shows.

The Access Token section at the beginning of the data shows the logon name (i.e., IUSR_MYSERVER) and the groups the user is a member of. The second section shows the environment variables that IIS sent. The Environment variables section shows information about the server (e.g., port, protocol), the user's browser, and so forth.

Next, I changed the authentication settings for the test virtual directory by removing Anonymous access. To change this setting, from the Internet Information Services snap-in, I opened the properties for the virtual directory; on the Directory Security tab, I clicked Edit to access the Authentication Methods dialog box. In this dialog box, I cleared the Anonymous check box and clicked OK to apply the change.

To test again, I clicked Back on the browser, then clicked the Who are you URL again. The browser displayed a new set of results, which Figure 3 shows. The Access Token section looks entirely different now. The user has changed from the Anonymous account to my username (i.e., ken). The SID following the name also changed, and the user groups that I belong to are different from those of the Anonymous account. For instance, you can see that in addition to the groups of which the Anonymous account is a member, I'm a member of the Debugger Users, NorthWindReaders, and Administrators groups.

The information following the groups is even more useful. This information shows the security privileges the account has. For instance, now the user can back up and restore files, as callout A in Figure 3 shows, and shut down the system, as callout B in Figure 3 shows. The only change in the Environment variables section is the AUTH_TYPE variable, which now shows a value of Negotiate. This value indicates that I've used Integrated Windows authentication instead of Anonymous access. (For Anonymous access, this setting is blank, as Figure 2 shows.) Using this tool with different accounts can show you a wealth of information about what your Web users can do.

Security and Groups
As these simple examples illustrate, w3who.dll can provide you with a lot of information about a site. For instance, let's say that you set up a new site. You're going to let users access that site through their Active Directory (AD) accounts, but you're going to restrict access to users of a certain AD group. You can easily test this setup by creating a couple of new accounts, placing them in this group, then using w3who.dll while you're logged on as one of these accounts. The security token will reveal what the users can do.

Note that a user who is a member of several groups has the permissions of all of those groups. For instance, although I might be part of the new group, I also have Administrator privileges because I'm part of the Administrators group on that server. In addition, if you changed your execute permissions during the test, remember to reset them when your testing is finished.
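A cleanup check to run once testing is finished, added here as an example (it is not part of the original article or the Resource Kit): it walks a web root and reports any remaining copies of w3who.dll, the pages that still link to it, and the directories whose Execute Permissions setting should be reviewed. The function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Matches a link such as the article's <a href="w3who.dll">Who are you</a>.
LINK_RE = re.compile(r'''(?:href|src|action)\s*=\s*["']?[^"'>\s]*w3who\.dll''', re.I)
PAGE_EXTS = {".htm", ".html", ".asp"}


def find_w3who_leftovers(web_root):
    """Scan web_root; return findings as paths relative to web_root."""
    dlls, callers = [], []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root)
            if name.lower() == "w3who.dll":
                dlls.append(rel)  # the test DLL is still being served
            elif os.path.splitext(name)[1].lower() in PAGE_EXTS:
                # latin-1 decodes any byte sequence, so old pages never fail
                with open(path, "r", encoding="latin-1") as fh:
                    if LINK_RE.search(fh.read()):
                        callers.append(rel)  # page that still calls the DLL
    # Directories holding the DLL needed "Scripts and Executables";
    # they are the ones whose execute permissions should be reset.
    review = sorted({os.path.dirname(p) or "." for p in dlls})
    return {"dlls": sorted(dlls), "callers": sorted(callers), "review_dirs": review}


def build_sample_tree(root):
    """Constructed sample: one tested virtual directory, one clean one."""
    tested = os.path.join(root, "my stuff")
    clean = os.path.join(root, "docs")
    os.makedirs(tested)
    os.makedirs(clean)
    files = {
        os.path.join(tested, "W3WHO.DLL"): "placeholder, not a real DLL",
        os.path.join(tested, "w3whotester.htm"): '<a href="w3who.dll">Who are you</a>',
        os.path.join(clean, "index.htm"): '<a href="about.htm">About</a>',
    }
    for path, text in files.items():
        with open(path, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for kind, paths in find_w3who_leftovers(root).items():
            print(kind, paths)
```

Point `find_w3who_leftovers` at the real web root (for example, the folder that backs the tested virtual directory) instead of the constructed tree.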

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing