IIS / Tools / Security

Enabling SSL on IIS 7.0 Using Self-Signed Certificates

Chris Crowe — Mon, 16 Apr 2007 02:08:49 GMT

Scott Guthrie has an article on using Self Signed Certificates with IIS and how to enable it in under 30 seconds.

Here is a primer...

SSL enables browsers to communicate with a web-server over a secure channel that prevents eavesdropping, tampering and message forgery. You should always use SSL for login pages where users are entering usernames/passwords, as well as for all other sensitive pages on sites (for example: account pages that show financial or personal information).

Configuring SSL on Windows with previous versions of IIS has been a pain. Figuring out how to install and manage a certificate, and then associate it with a web-site, is something I bet most web developers don't know how to enable.

The good news is that IIS 7.0 makes it radically easier to configure and enable SSL. IIS 7.0 also now has built-in support for creating "Self Signed Certificates" that enable you to easily create test/personal certificates that you can use to quickly SSL enable a site for development or test purposes.

Using IIS 7.0 you can SSL enable an existing web site in under 30 seconds. The below tutorial demonstrates how to-do this.

For the rest of the article see his article at http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx

Microsoft releases a new download center for IIS (everything in one place)

Chris Crowe — Wed, 31 Jan 2007 23:36:00 GMT

DownloadCENTER for IIS.net has been released!

The DownloadCENTER at IIS.net, is a community hotspot for discovering, sharing, reviewing and promoting IIS-related solutions in a single place. Dozens of existing downloads, for all versions of IIS – both from Microsoft and the community – are already available in DownloadCENTER today.

This new feature of IIS.net is particularly relevant with the release of IIS7 in Windows Vista. The latest release of Microsoft’s Web server has a completely modular architecture which features over forty pluggable components that can be easily added, removed or even replaced with custom implementations.

This powerful extensibility support is available to both .NET and C/C++ developers. In the future, DownloadCENTER is expected to house a large number of IIS7 extensions submitted by not only the IIS team but the developers and partner ISVs of the IIS community as well.

To learn more about the DownloadCenter, read IIS Product Unit Manager, Bill Staples’ blog post about it or check it out yourself today!

IIS Applications - don't remove it from the Root of your web site....

Chris Crowe — Thu, 09 Mar 2006 15:15:00 GMT

IIS Applications

An IIS application is any file that is executed within a defined set of directories in your Web site. When you create an application, you use the Internet Information Services snap-in to designate the application's starting-point directory (also called an application root) in your Web site. Every file and directory under the starting-point directory in your Web site is considered part of the application until another starting-point directory is found. You thus use directory boundaries to define the scope of an application.

If you remove the IIS Application from the web site properties dialog you will find that you can not connect to your web site at all and you will not get any errors and trying to identify the problem could be quite difficult.

Using a packet sniffer I received the following information when I made a request to my web site:

If you open IE 6 and enter the URL the following will be displayed.

If you then click refresh IE just sits there in an endless loop....

Errors

Nothing is logged in the Web Site Log file
Nothing is logged in the Event Log
Nothing is logged in the HTTPERR log file

Obviously the fix is to recreate the IIS Application by simply clicking on the Create button on the Home Directory tab.

As soon as you do this your web site will work again, but this could be something that could catch someone out.

An interesting side affect of this is if you then create a virtual directory (make sure the IIS Application is created for the Virtual Directory, but not the root) you can access the virtual directory but not the root of the site. Is this security by obsecurity?

Trying to administer Front Page Server Extensions results in you being prompted to Log on

Chris Crowe — Tue, 08 Nov 2005 23:51:00 GMT

When you use the fully qualified domain name (FQDN) to administer a web site that is configured to use Host Headers on a computer that is running Windows XP SP2 or Windows 2003 Server SP1, you may receive an authentication dialog that will not accept any credentials that you enter.

This can be seen by right clicking a web site and try to configure the Front Page Server Extensions which will open.

This can be cuased by Windows XP SP2 and Windows Server 2003 SP1 which include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN that you use does not match the local computer name which if using host headers probably does not.

To work around this you could disable the loopback check

Follow these steps:

1.	Click Start, click Run, type regedit, and then click OK.
2.	In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3.	Right-click Lsa, point to New, and then click DWORD Value.
4.	Type DisableLoopbackCheck, and then press ENTER.
5.	Right-click DisableLoopbackCheck, and then click Modify.
6.	In the Value data box, type 1, and then click OK.
7.	Quit Registry Editor, and then restart your computer.

Do you want to stay up on the security vulnerabilities in a number of different products - More than 5500 products!

Chris Crowe [IIS MVP] — Wed, 21 Sep 2005 15:38:00 GMT

Secunia monitors vulnerabilities in more than 5500 products

The following are the IIS 6 vulnerabilities since 2003 as of September 22, 2005

Below is the list of vulnerabilities for Apache 2 since 2003 as of September 22, 2005 (just a bit more than IIS 6)

For more details see : http://secunia.com/

IIS Security Planning Tool

Chris Crowe [IIS MVP] — Mon, 12 Sep 2005 18:20:00 GMT

The IIS Security Planning Tool helps administrators deploy IIS with security that's appropriate for the server's role. It uses a simple HTML interface to determine what services the server will provide, and recommends the deployment and installation options that will allow it to provide them securely.

For more details see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=166d3102-f5a8-49a2-b779-153b7f59bcd3&DisplayLang=en

IIS - [Commercial] RADIUS authentication for IIS 6 in native mode

Chris Crowe [IIS MVP] — Mon, 29 Aug 2005 02:22:00 GMT

RADIUS is one of the most widely used distributed security/authentication protocols in use today. It originally gained popularity with ISP's, where it got its name (Remote Authentication Dial In User Service). Because of its inherent architectural advantages, it has become widely used in other network environments, including wireless and the general corporate intranet. The RADIUS client-server architecture provides an open and scalable solution that is broadly supported by a large vendor base. RADIUS provides a widely accepted standard protocol anywhere network access servers (NAS) must authenticate users prior to granting access to a protected network.

For more details see http://www.tcpdata.com/radiis_overview.shtml

Preventing Log Evasion in IIS

Chris Crowe [IIS MVP] — Sun, 28 Aug 2005 13:24:00 GMT

One of the most important functions a Web site has is the ability to track who is visiting it, where they are coming from, and what they are doing. While logs themselves may not always be the most accurate measurement of what's going on, they do provide a high level overview useful for tracking common user functions and tasks. There are instances when certain types of data aren't logged such as referrers, cookies, user agents, and POST data. Logging can also be used to track abnormal behavior including malicious requests sent by a potential attacker trying to break into your site. These logs can be extremely valuable in identifying if an attack was successful or not, as well as some of the exact commands that an attacker may have executed.

For more details see the full article at http://www.webappsec.org/projects/articles/082905.shtml

IIS - URL Scan Security Tool 2.5

Chris Crowe [IIS MVP] — Sun, 07 Aug 2005 06:37:00 GMT

UrlScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator.

Filtering requests helps secure the server by ensuring that only valid requests are processed.

UrlScan helps protect Web servers because most malicious attacks share a common characteristic they involve the use of a request that is unusual in some way.

For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests.

By filtering unusual requests, UrlScan helps prevent such requests from reaching the server and potentially causing damage.

Note : Only version 2.5 and later are compatible with IIS 6

For more details see - http://www.microsoft.com/technet/security/tools/urlscan.mspx

To analyze the log files that are produced by UrlScan you can use Log Parse; for more details see - http://blog.crowe.co.nz/archive/2005/08/08/169.aspx