IIS / Tools / Security

Enabling SSL on IIS 7.0 Using Self-Signed Certificates

Scott Guthrie has an article on using Self Signed Certificates with IIS and how to enable it in under 30 seconds.

Here is a primer...

SSL enables browsers to communicate with a web-server over a secure channel that prevents eavesdropping, tampering and message forgery.  You should always use SSL for login pages where users are entering usernames/passwords, as well as for all other sensitive pages on sites (for example: account pages that show financial or personal information). 

Configuring SSL on Windows with previous versions of IIS has been a pain.  Figuring out how to install and manage a certificate, and then associate it with a web-site, is something I bet most web developers don't know how to enable.

The good news is that IIS 7.0 makes it radically easier to configure and enable SSL.  IIS 7.0 also now has built-in support for creating "Self Signed Certificates" that enable you to easily create test/personal certificates that you can use to quickly SSL enable a site for development or test purposes. 

Using IIS 7.0 you can SSL enable an existing web site in under 30 seconds.  The below tutorial demonstrates how to do this.

For the rest of the article see his article at http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx



Microsoft releases a new download center for IIS (everything in one place)

DownloadCENTER for IIS.net has been released! 

The DownloadCENTER at IIS.net is a community hotspot for discovering, sharing, reviewing and promoting IIS-related solutions in a single place.  Dozens of existing downloads, for all versions of IIS – both from Microsoft and the community – are already available in DownloadCENTER today. 

This new feature of IIS.net is particularly relevant with the release of IIS7 in Windows Vista.  The latest release of Microsoft’s Web server has a completely modular architecture which features over forty pluggable components that can be easily added, removed or even replaced with custom implementations. 

This powerful extensibility support is available to both .NET and C/C++ developers.  In the future, DownloadCENTER is expected to house a large number of IIS7 extensions submitted by not only the IIS team but the developers and partner ISVs of the IIS community as well.

To learn more about the DownloadCenter, read IIS Product Unit Manager, Bill Staples’ blog post about it or check it out yourself today!



IIS Applications - don't remove it from the Root of your web site....

IIS Applications

An IIS application is any file that is executed within a defined set of directories in your Web site. When you create an application, you use the Internet Information Services snap-in to designate the application's starting-point directory (also called an application root) in your Web site. Every file and directory under the starting-point directory in your Web site is considered part of the application until another starting-point directory is found. You thus use directory boundaries to define the scope of an application.

If you remove the IIS Application from the web site properties dialog you will find that you cannot connect to your web site at all, you get no errors, and identifying the problem can be quite difficult.

Using a packet sniffer I received the following information when I made a request to my web site:


If you open IE 6 and enter the URL the following will be displayed.


If you then click Refresh, IE just sits there in an endless loop....

Errors

  • Nothing is logged in the Web Site Log file
  • Nothing is logged in the Event Log
  • Nothing is logged in the HTTPERR log file

Obviously the fix is to recreate the IIS Application by simply clicking on the Create button on the Home Directory tab. 

As soon as you do this your web site works again, but this is something that could easily catch someone out.

An interesting side effect: if you then create a virtual directory (making sure the IIS Application is created for the virtual directory, but not for the root), you can access the virtual directory but not the root of the site. Is this security by obscurity?


Trying to administer Front Page Server Extensions results in you being prompted to Log on

When you use the fully qualified domain name (FQDN) to administer a web site that is configured to use Host Headers on a computer that is running Windows XP SP2 or Windows 2003 Server SP1, you may receive an authentication dialog that will not accept any credentials that you enter.

You can see this by right-clicking a web site and trying to configure the Front Page Server Extensions: the logon prompt opens.

This is caused by Windows XP SP2 and Windows Server 2003 SP1, which include a loopback check security feature designed to help prevent reflection attacks on your computer. Authentication therefore fails if the FQDN you use does not match the local computer name, which, when you are using host headers, it probably does not.

To work around this you could disable the loopback check.

Follow these steps:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart your computer.
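The registry change from the steps above, scripted in PowerShell as an added example that is not part of the original post. It also shows the narrower per-host exemption (the BackConnectionHostNames multi-string under the MSV1_0 subkey), which keeps the loopback check on for every name except the host header names you list. Assumes an elevated session; 'www.example.com' is a placeholder for your site's host header name.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# session; as in the steps above, the change takes effect after a restart.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Add-LoopbackHostName {
    # Narrower alternative to step 6: list only the host header names this
    # server must reach itself by; the loopback check stays on for all others.
    param([Parameter(Mandatory)][string[]]$HostName)
    $existing = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
    $merged = @($existing) + $HostName | Where-Object { $_ } | Sort-Object -Unique
    New-ItemProperty -Path $msv -Name BackConnectionHostNames -PropertyType MultiString -Value ([string[]]$merged) -Force | Out-Null
    return [string[]]$merged
}

function Disable-LoopbackCheck {
    # Steps 3 to 6 of the post: a DWORD of 1 turns the check off for every name.
    New-ItemProperty -Path $lsa -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-LoopbackCheckState {
    # Audit helper: report what this machine currently has configured.
    [pscustomobject]@{
        DisableLoopbackCheck    = (Get-ItemProperty -Path $lsa -Name DisableLoopbackCheck -ErrorAction SilentlyContinue).DisableLoopbackCheck
        BackConnectionHostNames = (Get-ItemProperty -Path $msv -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
    }
}

Add-LoopbackHostName -HostName 'www.example.com'   # placeholder host header name
Get-LoopbackCheckState
```

Call Disable-LoopbackCheck instead only when the per-host list is not an option, since it turns the protection off for every name on the machine.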

Do you want to stay up to date on the security vulnerabilities in a large number of products - more than 5500 products!

Secunia monitors vulnerabilities in more than 5500 products

The following are the IIS 6 vulnerabilities since 2003 as of September 22, 2005

Below is the list of vulnerabilities for Apache 2 since 2003 as of September 22, 2005 (just a bit more than IIS 6)

For more details see : http://secunia.com/


IIS Security Planning Tool

The IIS Security Planning Tool helps administrators deploy IIS with security that's appropriate for the server's role. It uses a simple HTML interface to determine what services the server will provide, and recommends the deployment and installation options that will allow it to provide them securely.

For more details see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=166d3102-f5a8-49a2-b779-153b7f59bcd3&DisplayLang=en


IIS - [Commercial] RADIUS authentication for IIS 6 in native mode

RADIUS is one of the most widely used distributed security/authentication protocols in use today. It originally gained popularity with ISPs, where it got its name (Remote Authentication Dial In User Service). Because of its inherent architectural advantages, it has become widely used in other network environments, including wireless and the general corporate intranet. The RADIUS client-server architecture provides an open and scalable solution that is broadly supported by a large vendor base. RADIUS provides a widely accepted standard protocol anywhere network access servers (NAS) must authenticate users prior to granting access to a protected network.

For more details see http://www.tcpdata.com/radiis_overview.shtml


Preventing Log Evasion in IIS

One of the most important functions a Web site has is the ability to track who is visiting it, where they are coming from, and what they are doing. While logs themselves may not always be the most accurate measurement of what's going on, they do provide a high-level overview useful for tracking common user functions and tasks. There are instances when certain types of data aren't logged, such as referrers, cookies, user agents, and POST data. Logging can also be used to track abnormal behavior, including malicious requests sent by a potential attacker trying to break into your site. These logs can be extremely valuable in identifying whether an attack was successful, as well as some of the exact commands that an attacker may have executed.

For more details see the full article at http://www.webappsec.org/projects/articles/082905.shtml


IIS - URL Scan Security Tool 2.5

UrlScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator.

Filtering requests helps secure the server by ensuring that only valid requests are processed.

UrlScan helps protect Web servers because most malicious attacks share a common characteristic: they involve a request that is unusual in some way.

For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests.

By filtering unusual requests, UrlScan helps prevent such requests from reaching the server and potentially causing damage.

Note: only version 2.5 and later is compatible with IIS 6.

For more details see - http://www.microsoft.com/technet/security/tools/urlscan.mspx

To analyze the log files that are produced by UrlScan you can use Log Parser; for more details see - http://blog.crowe.co.nz/archive/2005/08/08/169.aspx
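The four kinds of "unusual request" listed above (overlong, unusual verb, alternate encoding, rare character sequences), applied as detection rules to IIS W3C log lines, as an added PowerShell example that is not part of the original post or of UrlScan itself. The thresholds, allowed verbs and denied sequences are choices made for this example in the spirit of UrlScan's rule sections, and the log lines are constructed, not real traffic; the same pass can be pointed at the site logs discussed in the log-evasion post above.

```powershell
# Added example, not from the original post. Constructed W3C lines (not real
# traffic); the last one carries a 300-character path built with -f.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2005-08-08 10:00:01 10.0.0.5 GET /default.htm - 80 192.0.2.10 200
2005-08-08 10:00:02 10.0.0.5 GET /docs/../private/report.txt - 80 192.0.2.11 404
2005-08-08 10:00:03 10.0.0.5 TRACE / - 80 192.0.2.12 501
2005-08-08 10:00:04 10.0.0.5 GET /scripts/%u0041.asp - 80 192.0.2.13 404
2005-08-08 10:00:05 10.0.0.5 GET /{0} - 80 192.0.2.14 404
'@ -f ('a' * 300)

# Rule values chosen for this example, modelled on UrlScan's rule sections.
$rules = @{
    MaxUrlLength    = 260                      # cf. [RequestLimits] MaxUrl
    AllowedVerbs    = @('GET', 'HEAD', 'POST')  # cf. [AllowVerbs]
    DeniedSequences = @('..', '\', ':', '%')    # cf. [DenyUrlSequences]
}

function Test-UrlScanLogLine {
    # Returns one object per request line with the rules it tripped, or $null
    # for directive/blank lines. Field positions follow the #Fields line above.
    param([string]$Line)
    if ([string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { return $null }
    $f = $Line -split ' '
    $verb = $f[3]; $stem = $f[4]
    $reasons = @()
    if ($stem.Length -gt $rules.MaxUrlLength)   { $reasons += 'url too long' }
    if ($rules.AllowedVerbs -notcontains $verb) { $reasons += "unusual verb $verb" }
    if ($stem -match '%u[0-9a-fA-F]{4}')        { $reasons += 'alternate (%u) encoding' }
    foreach ($seq in $rules.DeniedSequences) {
        if ($stem.Contains($seq)) { $reasons += "denied sequence '$seq'"; break }
    }
    [pscustomobject]@{ Client = $f[7]; Verb = $verb; Url = $stem; Flags = $reasons }
}

# Only the lines that tripped at least one rule are shown.
$sampleLog -split "`r?`n" |
    ForEach-Object { Test-UrlScanLogLine $_ } |
    Where-Object { $_ -and $_.Flags.Count -gt 0 } |
    Format-Table -AutoSize
```

Replace $sampleLog with Get-Content over a real log file and extend the #Fields handling if your site logs additional columns, since the field positions above assume that header line.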