Adios!! I am done.

It's been a looooooooooooong time! In fact, it has been a decade since I was awarded as an MVP.
Life is short; how many ten-year stretches do you think you will have in your life?
Just in case... the profile got taken down!!


Let's see, I started... way back with IIS 4, if you recall, and went all the way up to 7.5. What's the latest version now? Haha!
Getting old/tired/lazy/blur/etc.... It's been a pretty good experience in this MVP program, at least the first 5 years :). The remaining years!! No comment; it has changed so much that I don't see much value in it. Two things I appreciated the most: direct PG interaction and the MSDN subscription.... the rest are... you know, not much. Of course, good program leads and peers too.

Anyway, it is time to retire from the program.
Yet there is still a long way to go before I can actually retire and enjoy life!

Ciao

Security Alerts - June 2010

It is Patch Tuesday :) and this month we've got 3 bulletins (Severity: Important) related to IIS.

MS10-039: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
http://www.microsoft.com/technet/security/bulletin/ms10-039.mspx

MS10-040: Vulnerability in Internet Information Services Could Allow Remote Code Execution (982666)
http://www.microsoft.com/technet/security/bulletin/ms10-040.mspx

MS10-041: Vulnerability in Microsoft .NET Framework Could Allow Tampering (981343)
http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx

MS10-024 resets SMTP configuration

If you have applied MS10-024 recently, you may find the SMTP configuration options reset to their defaults after the patch. Hence, please back up the IIS metabase before patching the node; for more info, read this KB article.

Heads up - Microsoft IIS File Extension Processing Security Bypass Vulnerability

Update - 30th Dec
MSRC's response to the vulnerability claim:

http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
The IIS team is working on a patch for this so-called inconsistency feature :)

>>
Well, this was reported on Christmas Eve :) regarding a file extension bypass on IIS 5.x/6.x.
Read the vulnerability details here. I have yet to test it myself, but after reading the doc, this is not as bad as I expected.

I mean, if you #1 allow uploads, #2 allow execution on the upload path, and #3 run the worker process hosting the app with high privileges, then with or without this bypass there is IMHO not much difference :)

Of course, you may argue that validation is done on the upload page, say by checking the file extension, etc. In that case, yes, it will 'slip' through the validation, yet you can also put in more validation: scan the content before writing the file? Scan for <%? Check the file type and header? Bla bla.... ha! I'm not a coder, but this can be done, right?
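The developer-side checks sketched above, as an added example that is not part of the original post: a small Python validator (the applications on this page are classic ASP; Python is used here only to show the checks) that accepts an image upload only when the name is exactly one base name plus one allowed extension, the leading bytes match that type, and no server-side script markers appear in the body. The allowed types, the magic bytes, the marker list and the sample uploads are constructed for the example; `storage_name` is my own helper for writing the file under a server-chosen name.

```python
import re
import secrets

# Allowed extensions and the leading bytes each must start with. Constructed for this
# example; extend it to the types your upload page really needs.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that have no business inside an image (ASP/ASP.NET and a couple of others).
SCRIPT_MARKERS = (b"<%", b"<script", b"<?php")
# Exactly one base name and one extension: no second dot, no ';', ':', NUL or path
# separators, so there is no 'other' extension for the server to interpret differently.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|png|gif)$", re.IGNORECASE)


def validate_upload(filename: str, content: bytes):
    """Return (ok, reason). Decides on the bytes, not on the name the client chose."""
    if "\x00" in filename or not SAFE_NAME.fullmatch(filename):
        return False, "filename must be <name>.<jpg|png|gif> with no other separators"
    ext = filename.rsplit(".", 1)[1].lower()
    if not any(content.startswith(magic) for magic in ALLOWED_MAGIC[ext]):
        return False, f"content does not start like a {ext} file"
    body = content.lower()
    if any(marker in body for marker in SCRIPT_MARKERS):
        return False, "server-side script markers found inside the file"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never reuse the client's name on disk: a random name with the validated extension.
    Write it to a folder with the Scripts and Executables web permission turned off."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + bytes(32)          # constructed JPEG-looking upload
    for name, data in [("photo.jpg", jpeg),
                       ("shell.asp.jpg", jpeg),
                       ("photo.jpg", jpeg + b"<% eval(request(1)) %>")]:
        print(name, validate_upload(name, data))
```

The name check runs before anything is written, and the content check runs on the bytes rather than on what the client claims; the two together are what stops a script from arriving disguised as an image.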

Anyway, from the sysadmin side, what you can do is make sure logging is on, so even if something really happens you can trace the culprit; disable the Scripts and Executables web permission on the upload path; grant write access only to trusted users; and so on. If you allow anonymous write access, you are waiting to get p@wned sooner or later :)

Lastly, the moral of the story: good defense in depth does not depend solely on the product itself (i.e. no bug, no exploit, etc.). You need to assess your business requirements, budget, etc., have a good sense of the overall setup, understand best practices, and lock down as much as you can :) say ports, services, access levels, etc. Give the user as much pain as you can :) while not causing any loss of business productivity.

Cya and have a happy holiday.

Security Alerts - December 2009

Recently, Microsoft released the December security bulletins, and one of the patches is related to IIS. I meant to blog about this earlier but Nazim from the IIS team beat me to it :) I've been seeing a lot of discussion online and on patch-management-related mailing lists. So in short, if you are seeing issues on a W2k3 IIS 6 box after applying the fix via KB973919, you need to re-apply SP2 as described in KB2009746.

Update 17th Dec 2009
More details about the fix @ iis.net
http://forums.iis.net/t/1163341.aspx
And it's been confirmed that MS has repackaged the fix; read more here.

More updates 22nd Dec 2009
The MS Support team released a simple VBS script to check if you have a 'broken' SP2 IIS box; get it here.
Also, if you are getting the fix via Windows Update, the logic now doesn't install the patch if you have a broken SP2 machine.

Warning: Authorization - Cannot verify access to path (C:\inetpub\wwwroot\).

I'm sure you have seen the warning message below many times with IIS 7+:

The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again.

Now, you get this message when you click the 'Test Connection' button while adding a new site or virtual directory. I have seen quite a few posts about this misleading message :)

First of all, this is not an error but a warning, and the message is pretty self-explanatory, so there is no need to be extra alarmed by it. In short: the default application pool identity is the NetworkService account, which is a built-in account, and the default authentication mode is pass-through, hence IIS Manager cannot impersonate that identity to verify the access when you click the button. Hmm... ha! Well, that's exactly what's written in the warning message :) haha! If you put in a custom account, IIS Manager will take those credentials and test access as that account; for a built-in account, the real access check only happens at run time. Next, if the resource is readable by the Users group, the NetworkService account should have no issue reading the file as well.

Anyway, if you do experience access problems later when you browse the content path, the IIS log file's request status code plus sub-status code is your best friend: if it is permission related you should see a 401.3 error. You can also use Process Monitor (procmon) to help troubleshoot access-related errors.

IIS DebugDiag x64 is out

Previously, with the x86 version you were able to debug 32-bit worker processes running on 32/64-bit OSes; with this release you can now debug full 64-bit worker processes.
Here's the link at Microsoft Download, and an additional note for the x64 release.

Notes about the x64 release:
- Installing both the x86 and x64 releases on the same x64 OS is not supported.
- To debug x86 processes running on an x64 OS, use the x86 release.

Note: the DebugDiag download at IIS.net has not been refreshed yet; it is still offering ver 1.1, which was released years ago.

WebDav Encoding Vulnerability - Fixed

Today, Microsoft released a patch for the IIS 5.0/5.1/6.0 WebDAV encoding issue with the "/" character discovered last month; you can get the hotfix here.

Security Alert - Vulnerability in Internet Information Services Could Allow Elevation of Privilege

Two days ago, a new vulnerability was found in WebDAV for IIS. Although a few have made a big deal out of it, personally I think the impact is 'quite' minimal, or at least zero in my environment, coz I've got no WebDAV at all :) LOL... Anyway, here is the security advisory from Microsoft. To know more about the vulnerability, you should read this blog post; besides the same basic info you will find over at the Microsoft site, it also has a few diagrams to illustrate the vulnerability and gives you some background about the attack.

The attack is via the old folder traversal bug found in previous exploits: the %c0%af sequence, which is an overlong UTF-8 encoding of "/", passes through the URLScan filter, the reason being that it is made of valid characters even though by default % is blocked by URLScan. Anyway, per the details, IIS 7 is not affected by this, and if I remember correctly (read it somewhere) WebDAV in IIS 7 also doesn't allow anonymous write requests. However, if you are on IIS 5.0, 5.1 or 6.0 with WebDAV enabled + anonymous access + write permission for the anonymous user, then you are subject to this exploit. Come to think about it, if you allow write permissions for the anonymous user :) you are basically waiting to get p@wned!!
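To see why %c0%af matters, here is an added example (mine, not from the post or the advisory). A strict decoder, here Python's own UTF-8 codec, rejects the sequence, while a permissive decoder that accepts non-shortest forms turns it into "/". The `disguised_ascii` check flags a request path whose percent-decoded bytes are invalid UTF-8 yet read as plain ASCII under the permissive rules, which is the shape of this trick whatever the component behind it. The request paths are constructed, and `decode_permissive` is my sketch of that class of bug, not a copy of any IIS code.

```python
from urllib.parse import unquote_to_bytes


def decode_permissive(data: bytes) -> str:
    """A permissive UTF-8 decoder of the kind that turns %c0%af into '/': it accepts the
    2- and 3-byte forms without checking that the code point actually needed that many
    bytes. Sketch of the bug class for this example, not a real product's decoder."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(data)
              and all(0x80 <= x < 0xC0 for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp))
            i += 3
        else:
            out.append("\ufffd")          # anything else: replacement character
            i += 1
    return "".join(out)


def disguised_ascii(path: str):
    """If the percent-decoded path is not valid UTF-8 but a permissive decoder would read
    it as plain ASCII (a '/' or '.' smuggled past a filter), return that reading; else None.
    A filter that only looks at the literal '%' or at the strict decoding misses these."""
    raw = unquote_to_bytes(path)
    try:
        raw.decode("utf-8")       # strict: rejects overlong forms and stray continuation bytes
        return None
    except UnicodeDecodeError:
        reading = decode_permissive(raw)
        return reading if reading.isascii() else None


if __name__ == "__main__":
    # Constructed request paths; /protected/ is a placeholder folder name.
    for p in ["/protected/%c0%afsecret.txt", "/protected/%2fsecret.txt", "/caf%c3%a9/menu.html"]:
        print(p, "->", disguised_ascii(p))
```

Used as a log or proxy rule, a non-None result means the raw bytes and the strict decoding disagree about what the path says, which is exactly the condition an authorization check on one side and a file lookup on the other can be split by.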

Tomorrow !

Share your vision of the future you would like to see!!
http://www.intel.com/tomorrow/

Sponsored by Intel, of course :)

Posted Thu, May 14 2009 by qbernard | no comments
Token Kidnapping - Fixed

A year ago... Cesar Cerrudo presented a serious elevation of privilege vulnerability involving the NetworkService and LocalService accounts used by the IIS worker process. Although Microsoft addressed this in April last year, that was more of a workaround than a fix for the actual issue. Today, after a long wait and some serious testing, Microsoft released a security bulletin update to close this gap. I have yet to test this :) busy again!!! You should test it in a lab environment before any production deployment; this KB details all the impacted files.

And read the blog posts over at MSRC and SRD for more information about this issue.

ANEW MVP!

You know what.... for the past many years, on this very same day, I get an email from Microsoft telling me: Congrats, we are pleased to award you... as MVP from 200X to 200X. And each time I double-check the source header and go to the award site to make sure that it is not a prank, since you know it is April Fools' Day today :)

Anyway, I got renewed. I still hang around the iis.net or DirectAccess newsgroups and have been really busy. Hopefully somewhere in Q2 I'll have more time for newsgroups/forums.

Cya.

Top 8 - Web 2.0 Security Threats

Got this from a mailing list: the top 8 security threats in Web 2.0 applications.

1. Insufficient Authentication Controls
2. Cross Site Scripting (XSS)
3. Cross Site Request Forgery (CSRF)
4. Phishing
5. Information Leakage
6. Injection Flaws
7. Information Integrity
8. Insufficient Anti-automation

Get the full details here. What do you think? In my case, #2 and #6 are the two major challenges in my environment.

IIS Insider - Zzz...

Errr.... 2 years ago I told you I wrote the last ever IIS Insider column for MS!!! Chris Adam back then even put up a notice to inform everyone.
Believe me, the URL was valid back then.... After the MS site reorg (yeah, it happens every quarter, you know :) it got 'integrated' with TechNet. Last I heard it was making its way to iis.net, and yet nothing has happened since then. The Sep 2006 issue is missing now; the last archive is Aug 2006.

Anyway, I felt that one of the Q&As is very useful :) and luckily I kept the edited manuscripts, so I have reposted it here.

Posted Thu, Jan 22 2009 by qbernard | 2 comment(s)
IIS Insider - September 2006 Issue - Repost

IIS Insider: September 2006
By Bernard Cheah,

IIS Insider is a monthly column designed to answer your questions on how to troubleshoot and make the most of Microsoft Internet Information Services (IIS).

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real companies, organizations, products, domain names, e-mail addresses, logos, persons, places, or events are intended or should be inferred.

Smart Host Authentication

FTP Login Error - Home Directory Inaccessible

Finding URL with Long Processing Time

 

Smart Host Authentication

Q:   I'm using a Smart Host to relay all messages to a dedicated Exchange server. The Exchange server is outside of the DMZ and it requires authentication before accepting any mail for relay. What can I do?

A:   Good question. Before we look at the solution, let's understand more about Smart Host. What is a Smart Host?
As per Microsoft documentation: Smart Host - You can route all outgoing messages for remote domains through a smart host instead of sending them directly to the domain. This enables you to route messages over a connection that may be more direct or less costly than other routes. The smart host is similar to the route domain option for remote domains. The difference is that once a smart host is designated, all outgoing messages are routed to that server. With a route domain, only messages for the remote domain are routed to a specific server.

Next, it is also important to understand that there are two types of connection authentication when it comes to SMTP: inbound and outbound. Inbound refers to a client authenticating itself to the local SMTP server before the client is able to relay mail messages through the local SMTP server, while outbound authentication refers to the local SMTP server authenticating with the remote SMTP server before the remote SMTP server accepts any of its messages. Relaying messages via a Smart Host is considered an outbound connection, and that's why you need to configure outbound authentication.

To correctly set this up on IIS 6.0, here's what you do:

1. Open the IIS MMC.
2. Right-click the SMTP Virtual Server (the one that forwards to the Smart Host) and select Properties.
3. Click the 'Delivery' tab, then click the 'Outbound Security' button.
4. What you do now depends on your Smart Host setup. If it's Microsoft Exchange within an Active Directory domain, you can configure 'Integrated Windows Authentication' to avoid clear-text authentication. In my case, it was an iMail server, hence I could only depend on 'Basic Authentication'. Of course, to secure the communication, you can apply TLS encryption with an SSL certificate.
5. Select the relevant radio button for the desired authentication scheme and enter the logon user credentials. In my case, as shown in Figure 1.1, that will be 'relayuser@mydomain.com'.
6. Click 'OK' twice to apply the changes.
7. Restart the IIS SMTP service.

To monitor whether or not the authentication takes place, look at the IIS SMTP log file. The default is 'Anonymous' access, meaning no authentication is performed on outbound connections. With outbound authentication enabled, IIS SMTP will authenticate with the Smart Host before forwarding mail messages to the server. Keep in mind that with Basic Authentication the relay account's credentials cross the wire in clear text unless TLS is enabled, so turn on TLS whenever the Smart Host supports it.

 

FTP Login Error - Home Directory Inaccessible

Q:   I have been running FTP user isolation with AD (Active Directory) integration for more than a year, and now suddenly all users can't log in and they get the 'home directory inaccessible' error message. Please help!

A:  Typically, this error is related to NTFS permissions not being configured properly. This is common, as the error message appears after the logon event (which technically means that the user is logged on but cannot proceed to the home directory). Again, please verify that the user directory has the correct ACLs and that the user does have permissions on the folder. You can also get Filemon from www.sysinternals.com to help trace permission-related issues.

If you have triple-verified the permission settings and found nothing wrong, I would suggest you review your server log book (if you have one) for recent server changes. You can check the IIS FTP log file to find out when the problem first occurred. If you have enabled security auditing to capture logon events, you can check the event log for related error events and then troubleshoot further from there. Enabling logon security auditing is part of good security practice; more detail at 'Enabling Security Auditing'.

Finally, I remember once I helped a poster with the same error message as yours. We exchanged a couple of posts and figured out that it was due to the AD integration connection user account; this is the account FTP uses to access Active Directory information. You need to specify this account when using the FTP site creation wizard.

In the above case, the FTP site was running, but the FTP AD user account password had been changed. In this case you would still see the exact same error message, which makes little sense because it gives you no hint about the cause. How we found out: I asked if there were any recent changes, and he recalled that the AD account password had been changed! That's how I learned about this, and I believe you would see more information in the event logs indicating that the user failed to log on, could not access the home directory, or that logon failed due to a bad username or password.

Before I could give the poster some advice, he came up with his own solution: delete the FTP site and recreate a new one!
OK, what he did was drastic; there was no need to recreate the entire site. It didn't seem that way to him, however, since once the FTP site was created, there was no way in the UI for him to change the AD connection account or password.

Well, that's true. The IIS MMC FTP UI does not support such a change, but remember that every setting in IIS is stored in the metabase, so you can change it at the metabase level. Here are the two metabase keys which control the FTP AD configuration:

ADConnectionsUserName and ADConnectionsPassword

As usual, you configure the keys via adsutil.vbs.
To read the value:
C:\Inetpub\AdminScripts>adsutil.vbs get msftpsvc/XX/adconnectionsusername

Where XX is the FTP site ID and you get back the value as:
Adconnectionsusername            : (String) "myAD\ftpuser"

Now, the actual steps to reset the AD connection user password:

1) Go to the command prompt.
2) Navigate to the AdminScripts folder, for example "cd \Inetpub\AdminScripts".
3) Enter the following command:
   C:\Inetpub\AdminScripts>adsutil.vbs set msftpsvc/1735/adconnectionspassword myftppwd2111
   Adconnectionspassword           : (String) "**********"

   The above command resets FTP site ID 1735 with the new AD user password "myftppwd2111". Note that the password goes on the command line in clear text, so type it at the console rather than saving it in a script or batch file.
4) Next, enter "net stop msftpsvc" to stop the FTP service.
5) Then "net start msftpsvc" to restart the FTP service.
6) Exit the command prompt window.

After the above steps, try logging on to FTP with an AD user account; the user should be able to log on and be redirected to his/her home folder. To summarize, the error is due to the FTP service being unable to get information from Active Directory; in my scenario it was due to the AD account password being changed. There are many other possible reasons as well, for example the configured account being deleted or locked out, or the FTP service being unable to connect to the domain controller, etc. Enabling security logon auditing in this case would help narrow down the possible causes of the issue.

 

Finding URL with Long Processing Time

Q:   I am managing servers with around 100 websites on each of them. A few of those websites are so poorly written that some pages consume more than 60% of the CPU. I developed a script that monitors worker processes on the server and, once one of them consumes more than a specific limit (say 50%), it figures out which site (using the IISApp.vbs command) and then sends an email notification to the webmaster. Is there a way to figure out which website's page was taking a long time to process?

A:   Excellent question! I myself have been haunted by this problem since IIS 3.0, and I learned it the hard way. I'm sure the developers will say that "it is a hardware problem, if not your server configuration". Why? They always feel that there's no way their application is the culprit, because it runs fine on the development server. Pinpointing which requests take the most resource time is not hard; the hardest part is proving to them that "this is the stack trace and your component is hogging the CPU" or something like that. Of course, this needs some knowledge of debugging web applications and an understanding of the Windows internal architecture.

Anyway, assume you are using IIS 5 or IIS 6. To dive in and debug via Debug Diagnostics, you need to know which dllhost.exe or w3wp.exe to attach the debugger to. And to answer your question, how do you figure out the URL or request with the highest resource time? This is simple, and you can do it without any tool.

Start by enabling the 'time-taken' field in the W3C extended log file. This field records the processing time of a particular request in milliseconds. For example:

 #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

2006-07-25 05:45:21 W3SVC1 127.0.0.1 GET /test.asp - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) - - localhost 200 0 0 246 254 13310

In the above example, the request to test.asp took 13310 ms, which is 13 seconds plus. Now, what if you have a very complicated web application with a large amount of dynamic content? How do you parse hundreds of megabytes of logs?

No worries. In my previous setup, I had websites that generated 1GB of log files each day. It would take me days if I had to parse them manually. You can count on an automated log analyzer to help you, and there are many commercial or open source log analyzers available. While most of them give you fancy analysis and nice diagrams, I don't like any of those (only the folks in marketing departments seem to love those reports). For me, and most other system administrators, the key is to have a fast, precise and tiny tool that I can carry anywhere I go. I don't want to wait 3 hours for the analyzer to complete its reports before I can interpret them. So, long story short, I use Log Parser from Microsoft and I love it!

This is one tiny tool that does magic for IIS administrators like you. I'm not going to tell you all the amazing stories about this tool; you can read about it over the net. So how do we use Log Parser to find the top 10 requests that consume the most resource time? Simple, you run this query:

---Ch02Top10WebRequests.sql---
SELECT 
    TOP 10 
    STRCAT(EXTRACT_PATH(cs-uri-stem),'/') AS RequestPath, 
    EXTRACT_FILENAME(cs-uri-stem) AS RequestedFile, 
    COUNT(*) AS Hits, 
    MAX(time-taken) AS MaxTime, 
    AVG(time-taken) AS AvgTime, 
    AVG(sc-bytes) AS AvgBytesSent
FROM %source% TO %destination%
GROUP BY cs-uri-stem
ORDER BY MaxTime, Hits DESC
---Ch02Top10WebRequests.sql---

<Shameless plug>the above is actually from the chapter 2 of Microsoft Log Parser book (to which I have contributed). </Shameless plug>

So what does it query? Quite straightforward, if you understand standard SQL queries. The script looks for the top 10 longest-running requests from a particular 'source', and gives you the number of hits, the request path and file name, the maximum and average time spent, as well as the average bytes sent, ordered by the maximum time. Pretty cool, huh! How do you run it? You do the following:

C:\LogParser\Samples>Logparser.exe file:Ch02Top10WebRequests.sql?source="<//localhost/w3svc/1>"+destination="Top10WebRequests.txt" -o:NAT

This script is designed to let you query against any source! In the example, we parse all log files of website ID 1; you can change it to a folder with your log files, another log source, etc. And I redirect the output to the Top10WebRequests.txt file. See Figure 3.1 for the output.

RequestPath   RequestedFile  Hits   MaxTime  AvgTime  AvgBytesSent
------------  -------------  -----  -------  -------  ------------
/reg/         reg.asp        821    80212    40212    1200
/expand/      incoming.asp   4095   39322    29322    20322
/processing/  cust_up.asp    3900   33293    30233    2932
/kiv/         stock.html     8032   32002    31922    370921
/expand/      detail.asp     6293   30092    29392    39223
/processing/  cust_add.asp   200    15082    13978    2011
/processing/  inv_tune.asp   2099   13021    12911    8232
/kiv/         elite.aspx     5822   11929    9218     932
/             news.asp       10003  8922     6832     2111
/html/        abs.html       4022   7990     5820     29201

Figure 3.1 - Log Parser Sample Output

What can you tell from the above? Simple: you have a 'reg.asp' file with an average processing time of 40 seconds and a maximum of 80 seconds! Wow! That's more than a minute. From here, you can review the code in the script to see if you can fine-tune it by changing its logic, database queries, etc.

To learn more about the amazing Log Parser, I encourage you to read this recent blog post from Microsoft, and don't forget to get the book; this is the only book available for the tool, so visit www.logparser.com to find out more.
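Both the 401.3 check mentioned under the 'Cannot verify access' warning earlier on this page and the Log Parser query above come down to reading the W3C extended log. Here is an added example, not from the column or the Log Parser book, that does the same two things offline in Python over a constructed log excerpt: a parser driven by the #Fields: directive, the same top-N aggregation the query performs (hits, max and average time-taken, average sc-bytes per cs-uri-stem, ordered by MaxTime then Hits, descending), and a filter for requests denied by the NTFS ACL (sc-status 401, sc-substatus 3). The log lines are constructed; the IPs, site and paths are placeholders.

```python
from collections import defaultdict

# Constructed W3C extended log excerpt (not real server data). The #Fields: line
# matches the one shown in the column and includes time-taken (milliseconds).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-07-25 05:45:21
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2006-07-25 05:45:21 W3SVC1 127.0.0.1 GET /test.asp - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - - localhost 200 0 0 246 254 13310
2006-07-25 05:45:30 W3SVC1 127.0.0.1 GET /reg/reg.asp - 80 - 10.0.0.5 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - - localhost 200 0 0 1200 300 80212
2006-07-25 05:45:31 W3SVC1 127.0.0.1 GET /reg/reg.asp - 80 - 10.0.0.6 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - - localhost 200 0 0 1200 300 212
2006-07-25 05:46:02 W3SVC1 127.0.0.1 GET /kiv/stock.html - 80 - 10.0.0.7 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - - localhost 401 3 5 1656 280 15
2006-07-25 05:46:10 W3SVC1 127.0.0.1 GET /news.asp - 80 - 10.0.0.8 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - - localhost 200 0 0 2111 290 8922
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive.
    W3C logs space-separate fields and write '-' for empty ones, so a plain split works
    as long as the field count matches the directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def top_requests(entries, limit=10):
    """Same aggregation as the Log Parser query: per cs-uri-stem hits, max/avg
    time-taken and avg sc-bytes, ordered by MaxTime then Hits, descending."""
    stats = defaultdict(lambda: {"hits": 0, "max_time": 0, "total_time": 0, "total_bytes": 0})
    for e in entries:
        s = stats[e["cs-uri-stem"]]
        t = int(e["time-taken"])
        s["hits"] += 1
        s["max_time"] = max(s["max_time"], t)
        s["total_time"] += t
        s["total_bytes"] += int(e["sc-bytes"])
    rows = []
    for stem, s in stats.items():
        path, _, name = stem.rpartition("/")
        rows.append({"RequestPath": path + "/", "RequestedFile": name, "Hits": s["hits"],
                     "MaxTime": s["max_time"], "AvgTime": s["total_time"] // s["hits"],
                     "AvgBytesSent": s["total_bytes"] // s["hits"]})
    rows.sort(key=lambda r: (r["MaxTime"], r["Hits"]), reverse=True)
    return rows[:limit]


def acl_denials(entries):
    """(client IP, path) for requests that failed with 401.3: denied by the resource ACL."""
    return [(e["c-ip"], e["cs-uri-stem"]) for e in entries
            if e["sc-status"] == "401" and e["sc-substatus"] == "3"]


def analyze(text, limit=10):
    """Run both reports over one log text; returns (top rows, 401.3 denials)."""
    entries = list(parse_w3c(text))
    return top_requests(entries, limit), acl_denials(entries)


if __name__ == "__main__":
    top, denials = analyze(SAMPLE_LOG)
    for row in top:
        print(row)
    print("401.3 denials:", denials)
```

Point `analyze` at the contents of a real ex*.log and you get the same table Figure 3.1 shows, plus the list of paths where the worker process identity could not read the content, which is the first thing to look at when the 'Cannot verify access' warning turns out to have been real.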

Ok, back to business. What's next? What if you find nothing wrong with 'reg.asp'? Everything is straightforward inside this 'registration' page: it captures user input and writes it to the database via a DB component.

What the above script does is just identify the long-running web requests you have; it cannot tell you what is really going on inside the process threads. To go deeper, you might need to debug the application if you find nothing wrong with the script (and you have reviewed it thoroughly). Hence, let me introduce our next 'star' from Microsoft: Debug Diagnostics! This is the debugging tool that hooks onto your worker process and captures its threads and a memory dump to give you a complete look at what's going on inside the IIS worker process.

I hope I have answered your question; it is way beyond the scope of this answer to give you more detail about DebugDiag here. Nevertheless, if you are interested, you can read about it in the previous issue of IIS Insider, watch the webcast at IIS.net, check the recent Knowledge Base articles on DebugDiag, etc.

Oh well, time to say bye bye again! Ciao!

Posted Wed, Jan 21 2009 by qbernard | no comments
Ping Ping Ping!!!

Yo yo yo.. happy 2009. Oops! 2 weeks late.. wtf

Good news - Alive and kicking!!! !@$!#@%#@%
Bad news - Freaking busy with work and life

It is getting tougher with the current economic climate... is it the bottom yet? Or is the market still sinking slowly? No worries, I'm a NOOB when it comes to investment, so I'm not directly 'impacted', yet no business is spared, and now cost saving/cutting/reduction/friendly/innovation/etc. are in my daily task list; everything is about $$$.
Hehehe.. yet good deeds should be done at all times, so I urge you all to do these 'small & little' things to help those in need.

And back to the blogging... why did I stop for so long? LOL!
1. Those fanatics here have done a very good job, so I've got nothing to share <- bad excuse 
2. Busy <- lame excuse!! it should be tsk tsk 'lazy'.

Oh btw, still learning about IIS 7.0? It is time for IIS 7.5 if you are up for it!! Get it via W2k8 R2 and Win7.

IIS KBs - June 2008

950573 FIX: Application domains restart unexpectedly in Internet Information Services 7.0
954874 IIS binds to all IP addresses on a server when you install IIS 7.0 on Windows Server 2008
954872 How to create and manage configuration backups in Internet Information Services 7.0
954756 You experience issues when you host a Web application that contains lots of ASP files in IIS
954857 The Windows Process Activation Service and the World Wide Web Publishing Service are set to a Stopped state after you install the .NET Framework 3.5 on a Windows Vista-based computer
954873 You may experience slow performance when you use Integrated Windows authentication together with the Kerberos authentication protocol in IIS 7.0
954847 IIS 6.0 returns path information that is incorrect when you use the WebDAV PROPFIND method
954755 How to configure intermediate certificates on a computer that is running IIS for server authentication
954856 BUG: You cannot install or uninstall a component in IIS 7.0
954875 An error message is displayed when you try to create a new application pool in Internet Information Services 7.0
954839 Events 4505 and 4506 are logged in the Security log when you turn on the metabase auditing feature in Internet Information Services 6.0
954841 Error message when you browse IIS 6.0 content in Internet Explorer: "The data is invalid"

Posted Wed, Jul 30 2008 by qbernard | no comments
How to Detect, Identify and Defend against SQL Injection?

SQL injection has been around for many years :) and you probably get over 3 million results when you Google the term. So why is it so HOT now? Well, not so long ago some folks (don't ask me who!!, go read) were claiming that it was an IIS exploit, and hence that all IIS web servers were subject to it. The fact is that it has nothing to do with IIS; it is a web application issue, so if you have a web/database application running on Apache or even IBM WebSphere, etc., you are subject to the attack as well when user input is not properly validated. In short, the attack uses that input as a command line to issue commands to the database that are "not supposed" to happen via the application interface. For example, the user can easily manipulate the database schema and data, or even gain further access via the database system to the operating system itself.

Anyway, Microsoft just released a security advisory on how to detect it via a free scanner from HP, how to protect at the IIS level via UrlScan 3.0 :) (take note that this is still beta), and how to identify it at the coding level via the Microsoft Source Code Analyzer for SQL Injection (take note that this analyzer only works for ASP).

While the above is useful and helpful, you probably want to educate your developers on secure coding: proper input validation before the input is processed by the web or database system, and parameterized queries so that input can never become part of the command. The advisory contains a lot more information about the attack technique, best practices and more. So make sure you forward the details to your developers!!!
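As an added example (mine, not from the advisory or this post), here is the difference between a statement built from user input and a parameterized one, run against an in-memory SQLite table of constructed users; SQLite stands in for whatever database the application uses, and the table, accounts and passwords are placeholders. The tautology input turns the vulnerable login into 'every user', while the parameterized version treats the same input as a literal string and matches nothing. `looks_like_injection` is a coarse log/WAF-style pattern for the most common tricks, useful for detection alongside a scanner like the one the advisory points to, but never a substitute for parameters.

```python
import re
import sqlite3


def make_db():
    """Constructed user table; the names and passwords are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, user, pwd):
    """User input pasted into the statement: the input becomes part of the command."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pwd = '{pwd}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user, pwd):
    """Same query with placeholders: the driver sends the values separately from the
    statement, so a quote or OR inside them is data, not SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pwd = ?"
    return [row[0] for row in conn.execute(sql, (user, pwd))]


# Coarse signature for logs or a WAF rule: a quote followed by OR/AND and a comparison,
# a comment sequence, or a statement terminator followed by DROP/EXEC/SELECT.
INJECTION_PATTERN = re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=|--|;\s*(drop|exec|select)\b", re.I)


def looks_like_injection(value: str) -> bool:
    """True when the input carries one of the common injection shapes. Detection only."""
    return INJECTION_PATTERN.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    bad = "' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "alice", bad))    # every user
    print("parameterized:", login_parameterized(db, "alice", bad))  # nothing
    print("flagged      :", looks_like_injection(bad), looks_like_injection("O'Brien"))
```

The vulnerable form ends up executing `... AND pwd = '' OR '1'='1'`, and since AND binds tighter than OR the WHERE clause is true for every row; the parameterized form compares the password column against the literal string `' OR '1'='1` and finds no match.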

IIS KBs - May 2008

Well, for last month we got zero new IIS KB articles, yet a few are related to IIS in a certain way.

941850 When you try to access files on a WebDAV site that uses only Digest authentication, the process may fail on a Windows Vista-based computer
942039 FIX: Visual Studio 2005 incorrectly creates a subfolder and moves a Web project to the newly created folder

Improving Web Service Security: WCF

The Microsoft patterns & practices team just published a beta copy of Improving Web Service Security for WCF (code name Indigo) last week. This is another great playbook from the team that gives us many useful guides and practices for using Microsoft technologies. If you are into Indigo, this is a must read :)

Here's the chapter outlines:
Chapter 01 - Security Fundamentals for Web Services
Chapter 02 - Threats and Countermeasures for Web Services
Chapter 03 - Security Design Guidelines for Web Services
Chapter 04 - WCF Security Fundamentals
Chapter 05 - Authentication, Authorization and Identities in WCF
Chapter 06 - Impersonation and Delegation in WCF
Chapter 07 - Message and Transport Security in WCF
Chapter 08 - WCF Bindings Fundamentals
Chapter 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
Chapter 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
Chapter 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Don't forget to check out more publications in the project directory (tag = patterns & practices) of the site for more practices and guidelines written by Microsoft and external experts from time to time.
