<![CDATA[ Where is the documentation for running MODX on Windows Server, with IIS? - My Forums]]> https://forums.modx.com/thread/?thread=103040 <![CDATA[Where is the documentation for running MODX on Windows Server, with IIS?]]> https://forums.modx.com/thread/103040/where-is-the-documentation-for-running-modx-on-windows-server-with-iis#dis-post-554733 mysql 5.0.95 on a separate server accessed remotely, no known issues
New web server: (The DESTINATION)
php 7.1.7, no known issues
Windows Server 2016 IIS 8.5
old server (THE SOURCE):
centos 6; php 5.3 modx 2.5.1.

BUT, I am currently focused on an installation on DESTINATION and done as a fresh install of 2.5.8.

1. What to put in web.config for "friendly URLs"? I got something out of IIS's URL rewrite and Import.
2. What is the right mitigation for the configuration check... if it matters, the site is using running using a Active Directory domain user and its own application pool with this user set on it.

1. Your site is vulnerable to hackers who could do a lot of damage to the site. Please make your config file read only! It is located at D:\<site directory>\www/core/config/config.inc.php

MITIGATION: Added "Deny" on Write to core/config/config.inc.php. Windows would not let me deny modify without also including the read&execute and list.
This satisfied the MODX check.

Installer still present but led to this:
1b: Core folder is accessible by web
MODX detected that your core folder is (partially) accessible to the public. This is not recommended and a security risk. If your MODX installation is running on a Apache webserver you should at least set up the .htaccess file inside the core folder D:\<site directory>\www/core/. This can be easily done by renaming the existing ht.access example file there to .htaccess.
MITIGATION: Want to get a 403 error for this: https://<site directory>/core/docs/changelog.txt
MITIGATION: I tried to deny read access to core via deny read permissions. Stopped the entire manager from working. Thus I removed it.
MITIGATION: I still have to drill through the hardening guide, but am having difficulty understanding it.

If you setup everything correctly, browsing e.g. to the Changelog should give you a 403 (permission denied) or better a 404 (not found). If you can see the changelog there in the browser, something is still wrong and you need to reconfigure or call an expert to solve this.
]]> jpetersdt Oct 23, 2017, 07:38 PM https://forums.modx.com/thread/103040/where-is-the-documentation-for-running-modx-on-windows-server-with-iis#dis-post-554733