5 Replies Latest reply on May 22, 2020 2:37 PM by Bob Anderson

    IIS web.config scan fails

    Samir Budhdeo

      Hi folks,

       

      I have a bunch of IIS websites, most of which are under virtual directories or virtual websites.  My issue is with the dependency mapping and not being able to link DBs.  I've updated all TKUs to the latest (May 2020)...

       

      • Latest TKU: TKU-2020-05-1-ADDM-11.3+1366 active
      • Latest EDP: EDP-2020-05-1-ADDM-11.3+12 active
      • Latest Storage: TKU-Storage-2020-04-2-ADDM-12.0+54 active

       

      In my tw_svc_eca_patterns.log file I can see the following:

       

      E01-139761074493184: 2020-05-20 10:41:58,560: engine.pattern.Microsoft.IIS_Extended.IISWebserver_WebApp_SC_RDBMS_Link: INFO: Microsoft IIS Web Application / on SecretServerOld - C:\inetpub\wwwroot\SecretServer\web.config file is invalid. Stopping...

      E01-139761074493184: 2020-05-20 10:41:58,572: engine.pattern.Microsoft.IIS_Extended.IISWebserver_WebApp_SC_RDBMS_Link: INFO: Microsoft IIS Web Application /SecretServer on Secret Server - C:\inetpub\wwwroot\SecretServer\web.config file is invalid. Stopping...

      E01-139761074493184: 2020-05-20 10:41:58,581: engine.pattern.Microsoft.IIS_Extended.IISWebserver_WebApp_SC_RDBMS_Link: INFO: Microsoft IIS Web Application / on Secret Server - C:\inetpub\wwwroot\SecretServer\web.config file is invalid. Stopping...

       

      I do see a successful getFileInfo via the scan  C:\inetpub\wwwroot\SecretServer\web.config and that is also referenced in the error. This is just one example of many websites.  Is there anything that can be done to correct it?

       

      The particular server in question is Windows Server 2019, and BMC Discovery v11.3

       

      Thank you!

      Sam

        • 1. Re: IIS web.config scan fails
          Bob Anderson

          Do you have passwords embedded in the web.config file?

           

          If so, my guess is that you are falling victim to the SensitiveData filters corrupting the web.config file.

          Administration -> Discovery -> SensitiveDataFilters (files tab)

           

          Some of the SensitiveData filters, when replacing the password value with some hash value, also replace the 'end-tag' of the xml, rendering the xml invalid for parsing with the xpath.openDocument() and xpath.evaluate() functions.

           

          You may need to modify your sensitive data filters to account for this, or remove the passwords from the file.

          • 2. Re: IIS web.config scan fails
            Samir Budhdeo

            Hi Bob, yes most web.config's have a password in the string.  As a test I deleted the filters from the "Sensitive Data Filters" section, re-ran the scan and received this message.

             

            E02-140664801916672: 2020-05-20 14:58:59,791: engine.pattern.Microsoft.IIS_Extended.IISWebserver_WebApp_SC_RDBMS_Link: INFO: Microsoft IIS Web Application /SecretServer on Secret Server - Could not obtain connection names. Stopping...

            E02-140664801916672: 2020-05-20 14:58:59,838: engine.pattern.Microsoft.IIS_Extended.IISWebserver_WebApp_SC_RDBMS_Link: INFO: Microsoft IIS Web Application / on Secret Server - Could not obtain connection names. Stopping...

            E02-140664801916672: 2020-05-20 14:58:59,882: engine.pattern.Microsoft.IIS_Extended.IISWebserver_WebApp_SC_RDBMS_Link: INFO: Microsoft IIS Web Application / on SecretServerOld - Could not obtain connection names. Stopping...

             

            Any thoughts on that one?

             

            Thank you

            • 3. Re: IIS web.config scan fails
              Bob Anderson

              I don't think this is an error.  Discovery cannot find what it is looking for in the config file.

               

              What is happening is a SoftwareComponent of type 'Microsoft IIS Web Application' was created with a _create_database_links flag set to true, but it could not find any appropriate 'connectionStrings' or 'appSettings' tags in the xml file.

               

              hth

               

              Bob

              • 4. Re: IIS web.config scan fails
                Samir Budhdeo

                Thank you Bob, disabling the sensitive filters did greatly improve some scans.

                • 5. Re: IIS web.config scan fails
                  Bob Anderson

                  Generally, I do not recommend disabling the Sensitive Data Filters.

                   

                  I would work on adding another filter at the top of the list that properly matches your password data without matching the xml end tag.

                   

                  Use the RegexCoach (The Regex Coach - interactive regular expressions), or some other online regular expression tester like https://regex101.com/, to help work out the expression actually needed.

                   

                  With Discovery 11.x, the regular expression 'File' filters are these:

                  (?i)password[ \t]*=[ \t]*"([^"\n]*)"

                  (?i)password[ \t]*=[ \t]*([^"\n]\S*)    <----- this one tends to be too greedy, consuming the end-tag as well

                  (?i)password[ \t]*:[ \t]*(\S+)

                  (?i)<password>(.*)</password>

                   

                  With Discovery 12.0, these filters have been adjusted and may work better in your case. The regular expression 'File' filters are these:

                  (?i)password[ \t]*=[ \t]*"([^"\n]*)"

                  (?i)password[ \t]*=[ \t]*'([^'\n]*)'

                  (?i)(?<=[;"'])[ \t]*password[ \t]*=[ \t]*([^"'\n\t ][^\s;"']*)[ \t]*(?=[;"'])

                  (?i)(?<!;)[ \t]*password[ \t]*=[ \t]*(?!SensitiveValue)([^"'\n\t ]\S*)

                  (?i)password[ \t]*:[ \t]*(\S+)

                  (?i)<password>(.*)</password>

                   

                   

                  1 of 1 people found this helpful
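
The filter behaviour discussed in this thread can be checked offline before changing the appliance. The following is an added example, not part of the original posts and not BMC code: it runs the two filter lists quoted above over a constructed web.config fragment and reports whether the password is gone and whether the XML still parses. The sample file, the `MASKED` token, and the "replace capture group 1, in list order" behaviour are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# 'File' filters exactly as quoted in the thread.
FILTERS_11X = [
    r'(?i)password[ \t]*=[ \t]*"([^"\n]*)"',
    r'(?i)password[ \t]*=[ \t]*([^"\n]\S*)',
    r'(?i)password[ \t]*:[ \t]*(\S+)',
    r'(?i)<password>(.*)</password>',
]
FILTERS_12 = [
    r'(?i)password[ \t]*=[ \t]*"([^"\n]*)"',
    r"(?i)password[ \t]*=[ \t]*'([^'\n]*)'",
    r'''(?i)(?<=[;"'])[ \t]*password[ \t]*=[ \t]*([^"'\n\t ][^\s;"']*)[ \t]*(?=[;"'])''',
    r'''(?i)(?<!;)[ \t]*password[ \t]*=[ \t]*(?!SensitiveValue)([^"'\n\t ]\S*)''',
    r'(?i)password[ \t]*:[ \t]*(\S+)',
    r'(?i)<password>(.*)</password>',
]

# Constructed sample: the password is the last item before the closing "/>".
SAMPLE = '''<configuration>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;Database=app;User Id=svc;Password=Example123"/>
  </connectionStrings>
</configuration>
'''
SECRET = "Example123"

def mask(text, filters, token="MASKED"):
    """Replace capture group 1 of each filter, in list order (assumed behaviour)."""
    def repl(m):
        whole, off = m.group(0), m.start()
        return whole[:m.start(1) - off] + token + whole[m.end(1) - off:]
    for pattern in filters:
        text = re.sub(pattern, repl, text)
    return text

def well_formed(text):
    """True if the masked text is still parseable XML."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False

def check(filters, text=SAMPLE, secret=SECRET):
    """Return (secret_removed, still_well_formed) for a filter list."""
    out = mask(text, filters)
    return secret not in out, well_formed(out)

if __name__ == "__main__":
    print("11.x:", check(FILTERS_11X))
    print("12.0:", check(FILTERS_12))
```

A custom filter placed at the top of the list can be tested the same way by prepending it to the list passed to `check()`; it is suitable only if both returned values are true.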