December 2005 - Posts

Thought you might like to know that Intel will scrap the old logo as well as the slogan in the coming weeks :)
Soon you will see new branding everywhere... no more 'intel inside', coz it will be replaced by 'Intel. Leap ahead' as the slogan. Refer to this article for more detail. Why do I like to share this with you? Coz I'm 'inside' :p and got my new badge today!

This should be my last post of this year! I wish everyone a happy new year and best wishes in the year 2006.

Posted by bernard | 2 comment(s)

Came across this cool program that is able to detect what underlying web server you are running. The best part of httprint is that it does not rely on the server banner string, but rather on a set of unique server signatures to identify the web server. Masking tools like ServerMask for IIS and Mod_Security for Apache, which help obfuscate the banner strings, are unable to escape this fingerprinting scan :) I spent 1 hour testing it this morning; it's pretty handy and tiny as well. However, the accuracy of the tool is still questionable... here's what I have tested:

| Host | Port | Banner reported | Banner deduced |
| --- | --- | --- | --- |
| www.microsoft.com | 80 | Microsoft-IIS/6.0 | Microsoft-IIS/6.0 |
| www.port80software.com | 80 | Yes we are using ServerMask! | Microsoft-IIS/5.1, Microsoft-IIS/5.0 ASP.NET, Microsoft-IIS/4.0 |
| www.intel.com | 80 | IA Web Server/1.0 | Microsoft-IIS/5.1, Microsoft-IIS/5.0 ASP.NET |
| www.linux.org | 80 | Apache/2.2.0 (Fedora) | Apache/2.0.x |
| www.ibm.com | 80 | IBM_HTTP_Server | Lotus-Domino/6.x |
| localhost | 80 | - | Microsoft-IIS/5.0, Microsoft-IIS/5.0 ASP.NET, Microsoft-IIS/4.0, Microsoft-IIS/URLScan |
| www.google.com.my | 80 | GWS/2.1 | GWS/2.1 Google Web Server |

If I'm not mistaken, Port80software and Intel are running on IIS 6.0. For the localhost entry, I'm actually using XP Pro with IIS 5.1, but it was reported as IIS5.0/blabla. I hide the banner using Urlscan :) Nevertheless, this tool has a higher accuracy rate in terms of underlying OS-level detail.

Posted by bernard | 2 comment(s)

By now, you should have read many blog postings or security advisories from various bodies that discuss the new .dll exploit discovered by Inge Henriksen. A fairly new guy in the IIS domain (afaik), an expert of coz. I came to notice Inge a few months ago in one of my blog comments. This is a very interesting discovery that applies to XP Pro IIS 5.1 only. I'm curious why IIS 5.0 is not affected; I could understand why IIS 6.0 is not, because of its new kernel mode driver, worker process model, etc., but IIS 5.1 uses the same IIS 5.0 architecture. Could it be security fixes, service packs, bla bla ??? Don't know... too lazy to think now. Anyway, Microsoft has been informed about this, but has yet to make any statement.

Let's look at the exploit. To make it work, you need to make a malformed HTTP request with a special character like "~" to a "scripts & executables" folder. Typical "scripts & executables" folders include _vti_bin (FrontPage bin folder), _sharepoint (SharePoint related), scripts (predefined for executables), etc. I read some comments about removing the FrontPage extensions; this will not block all possible exploits, as it can be done on other executable folders.

So how do you stop this? Obviously, at the moment this is a temporary workaround to block the possible malformed requests. I assume you know what Urlscan is and that you have already got it installed :) If not, better get it installed asap. This is a perfect ISAPI filter designed for IIS 5.0/4.0 servers; it applies to HTTP requests only and it has almost zero performance impact while filtering unwanted requests based on the rules you specify in the urlscan.ini file.

Specifically in this case, we need to block requests for possible executable extensions plus the "~" character. First, open urlscan.ini in Notepad (default path "%windir%/system32/inetsrv/urlscan"), go to the [DenyExtensions] section and add ".dll"; by default it blocks .exe, .com, .bat, .cmd, etc. You could put in all possible extensions? Are there more? .cpl? etc.? mm... Or, if you are like me, I prefer to use [AllowExtensions] to ensure only those extensions I configured are allowed to be served by IIS. By default [DenyExtensions] is applied; you need to change the setting to UseAllowExtensions=1 in the [Options] section to instruct Urlscan to enforce the [AllowExtensions] section. Next, just to restrict further, add "~" to the [DenyUrlSequences] section. Save the ini file and restart the IIS services to apply the changes immediately.
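To check that a server's urlscan.ini actually carries both steps of the workaround above, here is an added example in Python; it is not part of the original post and not Microsoft tooling. The sample ini is constructed, and the function names parse_urlscan and audit are hypothetical.

```python
# Added example (not from the original post): audit urlscan.ini for the two steps above.
SAMPLE_INI = """\
; constructed sample, not a real server's configuration
[Options]
UseAllowExtensions=0   ; 0 = enforce [DenyExtensions], 1 = enforce [AllowExtensions]

[DenyExtensions]
.exe
.bat
.cmd
.com

[DenyUrlSequences]
..
:
%
"""

def parse_urlscan(text):
    """Return (options, lists): [Options] key/values and the bare entries of each section."""
    options, lists, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            lists.setdefault(section, [])
        elif section == "options" and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
        elif section:
            lists[section].append(line.lower())
    return options, lists

def audit(text):
    """Return the gaps relative to the post's workaround (empty list = both steps applied)."""
    options, lists = parse_urlscan(text)
    gaps = []
    if options.get("useallowextensions", "0") == "1":
        # Allow-list mode: .dll must simply not be on the list.
        if ".dll" in lists.get("allowextensions", []):
            gaps.append(".dll is listed in [AllowExtensions]")
    elif ".dll" not in lists.get("denyextensions", []):
        gaps.append(".dll is missing from [DenyExtensions]")
    if "~" not in lists.get("denyurlsequences", []):
        gaps.append('"~" is missing from [DenyUrlSequences]')
    return gaps

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

Run it against the real file by passing its contents to audit(); an empty list means both the extension rule and the "~" sequence rule are in place.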

Posted by bernard | 1 comment(s)
Will FTPS be included in IIS 7.0? Well, I hope for yes! And YES, Microsoft did look at the request and completed the development, but will it make it through as part of IIS 7? No one can tell now. There was a time when Microsoft was asking customers 'is this a must?' Well, I forwarded quite a few users' queries to them directly. I'm hoping to collect some feedback here! So, do you want to see this feature included in the IIS FTP server?

So what's the deal between FTPS and SFTP? I will let the expert explain it to you :) Just noticed that Alun Jones started blogging last month! Shame on me! How could I not be aware of that? d*mn!!! He is the only FTP guru I know, a smart and brilliant guy as well.
Posted by bernard | 6 comment(s)
Kinda late :) Been very busy with work + my father is not feeling well. Anyway, here are the new IIS KBs in Nov '05.

906100 The SMTP Virtual Server snap-in does not appear in IIS Manager Console
892847 FIX: IIS 6.0 incorrectly binds to ports when IP addresses are added to the IP inclusion list

Posted by bernard | with no comments

I have the honor to be the last IIS Insider author for the year 2005 :p  Here's what I have covered this month:
Understanding IIS FTP Log File Entries
Troubleshooting IIS SMTP
IIS HTTP GET and POST Limits

Posted by bernard | with no comments
I just noticed that the IIS webcasts page has a new look + RSS feed :)
Well, so you might not like my feed now :( ha! Anyway, I will still continue to do so each month. The new interface looks nicer; however, the formatting is not standard, e.g. the webcast title and the font size of the detail page. But if you look at mine, it's all the same :) And also they have got the RSS feed name wrong :) - ISS webcasts ?? ISS ????? kekekekkeee.... Chris, can you ping the content team?
Posted by bernard | 3 comment(s)

TechNet Webcast: Deciphering the Tools of the Trade: A Review of IIS Stress Testing Toolsets (Level 200)
Thursday, December 01, 2005 11:30 AM Pacific Time (US & Canada)
Are you new to Microsoft Internet Information Services (IIS)? Have you been assigned to deploy 200 Web servers in the next year, but you don't want to configure all of those servers individually? You can easily use IIS Manager to create a set of sites and virtual directories, as well as enable security for all of them. In the past, the Microsoft Web Application Stress tool was used to apply load to a Web server to simulate the true usage of Web applications. This webcast outlines how IIS Manager tools work and helps administrators and developers determine the right tool for a given environment.

TechNet Webcast: A Technical Introduction to the Microsoft Solutions for Hosting
Wednesday, December 07, 2005 9:00 AM Pacific Time (US & Canada)
Learn how to grow your business quickly and cost-efficiently with the Microsoft Solutions for Hosting!  The solutions provide a set of tools, scripts, code samples and tested recommended architectures to help you efficiently deploy and operate hosted services on the Windows platform.  They were developed to deal with the operational challenges faced daily by hosting companies, and take into account best practices and learnings acquired from across the industry. 

TechNet Webcast: Using the Security Configuration Wizard Effectively with IIS 6.0 and Windows Server 2003 and Service Pack 1 (Part 1 of 2) (Level 200)
Wednesday, December 07, 2005 11:30 AM Pacific Time (US & Canada)
In this two-part series, you learn about the updated Security Configuration Wizard (SCW) that ships as part of the Microsoft Windows Server 2003 Service Pack 1. This first session describes SCW's built-in capability to tighten security across all Web sites on a single server. The discussion highlights how the SCW is designed and how to use it to reduce the attack surface of your Web server. This configuration, which can be stored for later use, is vital for helping Web application servers achieve higher availability with less opportunity for service failures.

TechNet Webcast: Using the Security Configuration Wizard Effectively with IIS 6.0 and Windows Server 2003 and Service Pack 1 (Part 2 of 2) (Level 200)
Wednesday, December 14, 2005 11:30 AM Pacific Time (US & Canada)
This second half of our webcast series shows how the Microsoft Windows Server 2003 Security Configuration Wizard (SCW) stores the configuration used to tighten security on the Web server. The SCW can help Web administrators and developers ensure that Internet Information Server Web servers start with a similar configuration. This session shows how to create a standard SCW configuration file and extend it to make other Web servers behave the same. This presentation also explains how to roll back changes introduced by the SCW to ensure safe recovery.

Posted by bernard | with no comments