Server: Microsoft-IIS/7.0\r\n : Community Info

WebDav Encoding Vulnerability - Fixed

qbernard — Wed, 10 Jun 2009 05:32:00 GMT

Today, Microsoft released patch update for IIS 5.0/5.1/6.0 WebDav encoding issues with "/" character discovered last month , you can get the hotfix here ....(read more)

Security Alert - Vulnerability in Internet Information Services Could Allow Elevation of Privilege

qbernard — Tue, 19 May 2009 23:04:00 GMT

Two days ago, a new vulnerability was found in WebDav for IIS, although few have make a big deal out of it, personally I think the impact is 'quite' minimum or at least zero in my environment coz I got no WebDav at all :) LOL... anyway - here...(read more)

ANEW MVP!

qbernard — Wed, 01 Apr 2009 13:42:00 GMT

You know what.... for the past many years this very same day - I will get an email from Microsoft telling me that - Congrats, we are pleased to award you... as MVP from 200X to 200X. And each time I double check the source header, go to the award site...(read more)

Top 8 - Web 2.0 Security Threats

qbernard — Wed, 18 Feb 2009 06:08:00 GMT

Got this from a mailing list - the top 8 security threats in Web 2.0 applications. 1. Insufficient Authentication Controls 2. Cross Site Scripting (XSS) 3. Cross Site Request Forgery (CSRF) 4. Phishing 5. Information Leakage 6. Injection Flaws 7. Information...(read more)

Improving Web Service Security: WCF

qbernard — Wed, 11 Jun 2008 10:19:00 GMT

The Microsoft Patterns & Practices team just published a beta copy of Improving Web Service Security for WCF or code name Indigo last week. This is another great playbook from the team that gives us many great guides and practices in using Microsoft technologies. If you are into Indigo, this is a must read :)

Here's the chapter outlines:
Chapter 01 - Security Fundamentals for Web Services
Chapter 02 - Threats and Countermeasures for Web Services
Chapter 03 - Security Design Guidelines for Web Services
Chapter 04 - WCF Security Fundamentals
Chapter 05 - Authentication, Authorization and Identities in WCF
Chapter 06 - Impersonation and Delegation in WCF
Chapter 07 - Message and Transport Security in WCF
Chapter 08 - WCF Bindings Fundamentals
Chapter 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
Chapter 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
Chapter 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Don't forget to check out more publications at the project directory (tag = patterns & practices) of the site for more practices and guildlines written by Microsoft and external experts from time to time.

IIS KBs - April 2008

qbernard — Mon, 26 May 2008 05:15:00 GMT

949516 Error message when you use the "IMSAdminBase::CopyKey" method as a part of the IIS 6.0 Compatibility components in IIS 7.0: "Exception from HRESULT: 0x80070003"
950735 Error message when you use the Configure Web Synchronization Wizard to configure the virtual directory against a server that is running IIS 7.0: "IIS was not found on the Web Server. Please specify a computer name that has IIS installed"

IIS 7 Shared Hosting Summary

qbernard — Wed, 14 May 2008 08:47:00 GMT

Damn! I love this blog post from Thomas, and you can easily noticed that IIS team has put lot of effort in shared hosting environment, from shared to delegated configuration, and all the way to process model improvements. The dynamicIdleThreshold for example is a fantastic feature for shared hosting, at first I got confused (while working on the IIS 7.0 Reskit Book) with the formula implementation, then Bill hooked me up with Fabio - the main guy behind the logic to give me the full picture about the idea/logic/formula about it. It actually took me a while to understand :) LOL, getting old...

Anyway, another related feature is called Process Gating, well this is not new and was actually in IIS 6.0, but not many know about it. Process gating grants you the ability to specify the maximum worker processes that allow to run concurrently in a machine, this prevent that too many worker processess running and eventually slow down / kill the entire server especially in high density hosting setup. Similar to number of web sites a particular box can support, you need to perform stress testing and trend analysis to understand the usage model,etc before deciding on the reasonable numbers of worker processes to limit and prevent too many worker processess choking the server.

How it works....
Similar to IIS 6.0, IIS 7.0 always performs a demand start for Web application, worker processes only invokes by Windows Process Activation Service (WAS) when the application pool receives the first incoming request. Before WAS initializes the new worker process, it first checks the total number of current running worker processes. If the total amount of worker processes (current + new one) is more than the maximum worker processes allowed, then the new worker process is not started and IIS keeps the request in the queue and wait until the number of worker processes drop below the limit and starts the new worker process.

How to configure....
There is no user interface to enable demandStartThreshold in RTM releases. But with the IIS 7.0 Admin Pack, I think it should be listed as one config item in the new configuration editor, my Vista box is not with me now, so can't verify this. Anyway, you can always configure this via AppCmd.exe. For example, to limit a total of 100 worker processes for a particular IIS 7.0 web server, try

appcmd set config /section:webLimits /demandStartThreshold:100

Upon successfully executing the command syntax, you will see the output shown as below.
Applied configuration changes to section "system.applicationHost/webLimits" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

When WAS detects that it hits the demandStartThreshold limit, it writes a warning entry into the System event log. Take note that by default, process gating feature is not enabled, in the sense that the default total number of worker processes allowed is 2147483647 processes, which technically equivalent to no limit.

IIS FTP PassivePortRange

qbernard — Wed, 14 May 2008 08:33:00 GMT

Years ago, I wrote the KB on passive port range at MSKB site -
How To Configure PassivePortRange In IIS
http://support.microsoft.com/?id=555022

Lazy to update the article for IIS 7.0 FTP detail, and I'm not going to add that here :)
Coz you can get it from Microsoft Support Team -
http://blogs.msdn.com/webtopics/archive/2008/05/14/limiting-passive-ftp-port-range-on-iis-7-0-iis-6-0-iis-5-0.aspx

One thing I recalled during testing in the past is that port range only valid from 5001 to 65535.

Security Alerts - April 2008 (Special)

qbernard — Wed, 23 Apr 2008 16:49:00 GMT

Microsoft revised two security bulletins yesterday. One of which is related to .Net Framework published last year, not major update or new fixes but rather doc updates on changes related to releases of WinXP SP3.

On the other hand, in the recent Hack in the Box conference in Dubai, a new exploit in system account access token has been released to the public. This is related to the native design of current Windows access token in which entire OS is subjected to the vulnerability, and of coz IIS is part of it. Microsoft has released a new security advisory last week, take note that all Windows OSes are affected, ranging from XP, W2k3 and all the way to Vista and W2k8. The current mitigation is to stop using default built-in application pool identity and assign custom account identity for the worker processes.

Security Alerts - April 2008

qbernard — Tue, 22 Apr 2008 16:20:00 GMT

Oh well, been busy and no time to post this back then. In the routine patch Tuesday this month, Microsoft released 8 security bulletins with 5 of which in critical severity and one specific bulletin is related to IIS in a way. The 08-022 actually replaced the old fixes in 2006.

Summary: This security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

For more information, refer this. Take note that all existing Windows Scripting Engine 5.1/5.5/5.6 on W2k/XP/W2k3 are affected, while Vista/W2k8 are not affected.

Security Alerts - March 2008 (Special)

qbernard — Wed, 26 Mar 2008 05:09:00 GMT

Today, Microsoft released a major revision for a vulneribility reported last year on .Net Framework. If you running framework version 1.0, 1.1 and 2.0. Please apply the fix asap.

Take note that even you are running 3.0, it is essentially using .Net Framework 2.0 runtime with extra bonus feature like WPF, WCF, etc. Hence, review the bulletin and take appropriate action.

Security Alerts - March 2008

qbernard — Thu, 13 Mar 2008 02:23:00 GMT

In this month security bulletin, although all critical fixes are related to MS Office, one of the bulletin is related to Office Web Component and hence if you utilizing OWC in your web application, you need to apply the patch asap. Details:

Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)
http://support.microsoft.com/?id=933103

Affected software: Office2k (SP3), OfficeXP (SP3), VS.NET 2k2 (SP1), VS.NET 2k3 (SP1)
server: Biztalk 2k + 2k2, Commerce 2k, ISA 2k (SP1)

Take note that Office2k3 SP2/SP3 are not affected.

IIS 7 Released !!!!

qbernard — Thu, 28 Feb 2008 07:32:00 GMT

It is official now :) lazy to type.... head over to Bill Staples blog post for more info :)
Together with many great stuff from IIS team, including the new FTP component, FPSE, and Web Playlist :) (errr.. related to media server if you are in to media streaming)

Last but not least..... the IIS 7 Resource Kit book, well - this one still with the printing company :) should be at your major book store next month. I have the opportunity to write along with many IIS Gurus including Brett Hill, Mike Volodarsky and lot more. Be sure you get a copy asap!.

Security Alerts - February 2008

qbernard — Wed, 13 Feb 2008 02:34:00 GMT

In this month security bulletin, there are two important bulletins related to IIS, depend on your environment setup, though it is rated as important, you might want to patch it asap. Here's the bulletin details.

Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)
http://www.microsoft.com/technet/security/bulletin/ms08-005.mspx

Take note that for 08-005, it affects IIS 5.0, 5.1, 6.0 and even 7.0 :) (except if you got Vista SP1 or W2k8 RTM), per the bulletin article, IIS 6.0 the vulnerability point is via MSFTPSVC and NNTPSVC.

Vulnerability in Internet Information Services Could Allow Remote Code Execution (942830)
http://www.microsoft.com/technet/security/bulletin/ms08-006.mspx

For 08-006, affected IIS version include IIS 5.1 and 6.0. IIS 5.0 running on W2k SP4 is not affected, same apply to Vista and W2k8. The exploit works via on ASP component.

It is worth mention that, together with two bulletins - IIS 6.0 patches/fixes are still relatively low :) I mean you can count it with one hand ? 1, 2, 3, 4! I lost track a bit as this doesn't happen from time to time so not sure when is the last one. Anyway, per search result. IIS 6.0 related - we got 4. The two above + MS06-034 and MS04-030.

There's no critical bulletin for IIS 6.0 up to date and per information from Microsoft, the latest two vulnerabilities are discovered in-house, and not by the bad guys out there.

Microsoft Web Deployment Tool aka IIS 7 Migration Tool with bonus features.

qbernard — Thu, 24 Jan 2008 04:24:00 GMT

After a lonnnnng wait !! Today, the IIS team releases the new web deployment tool technical preview 1 :) The deployment tool called msdeploy.exe is essentially a migration toolkit similar with the one the shipped for IIS 6.0. However, the team spent extra effort and includes few extra features in the tool and called 'web deployment tool'. The new tool supports content sync per site or per server (IIS 6 migration tool only support one site per migration and config only), supports SSL cert migration (in IIS 6, you need to manually export the cert and import again in the destination server), etc. It also serves a backup tool where you can archive both content and config and restore the website when needed. It works with IIS 6 and IIS 7, so you can have any combination sync setup for both, say IIS 6-IIS6, IIS6-IIS7, IIS7-IIS7, etc.Take note that due to the changes in IIS 7.0, frontpage and webdav as standalone components are not supported in the deployment tool. For FTP, it does not support migration to the new out-of-band IIS 7 ftp package and etc.

The Web deployment team also started blogging with the release of the tool + new forum section for the tool discussion. You can also download the walkthrough guides from the team. I just quickly glance through the guides, at first it is quite confusing, maybe I was rushing :) This is a pure command line tool - NO GUI :( and with similar concept of AppCmd, Not the syntax format but the general concept of verb action against object. When you unzip the walkthrough, you will few docs + 2 folders (Offline and Remote). Offline walkthroughs demonstrates how you sync the content manually (copy to destination and sync), while remote allow you to sync content + config realtime to a destination server. I also found the msdeploy_readme.html inside the installation path quite useful as it detailed the current known issues and workaround for it.

This is tech preview release and Microsot does not recommended for production usage, so try it out and interact with the product team directly via the blog space or discussion forum at IIS.net. Finally, get the tool here - 32bit - x86_msdeploy.msi, 64bit - amd64_msdeploy.msi (zzzz. amd64? sigh! should be x64_msdeploy.msi)

IIS FTP and IE 7 (No user folder redirection)

qbernard — Mon, 08 Oct 2007 05:21:00 GMT

Remember about this blog I posted last year... and many users still complaining about the new IE 7 behavior changes when connecting to IIS FTP.
It is confirmed now - as per this latest KB, this is new design changed in IE 7 :) and you are recommended to use Windows Explorer instead as per Microsoft's suggestion. Mm.. lucky I'm not much of an IE 7 fans for FTP, for you guys that hated this change, I suggest your head over to IE team blog and bang them again :)

IIS KBs - September 2007 (New IIS 7 Status Code)

qbernard — Mon, 08 Oct 2007 04:52:00 GMT

After a month of silent :) where no new KBs for IIS in previous month. September KB updates bring you lot of new status code in IIS 7.0, covering more detail than I previously posted. Here's the KB list for Sep 2007.

942037 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.18 – Forbidden"
942052 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.4 - Not Found"
942030 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 500.15 – Direct request for global.asa are not allowed"
942035 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.3 – Forbidden"
942048 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.19 - Forbidden"
942075 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.12 – URL_HAS_HIGH_BIT_CHARS"
942069 Error message when you try to browse a Web page that is hosted on IIS 7.0: "HTTP Error 403.5 - Forbidden"
942070 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.4 - Forbidden"
942047 Error message when you try to visit a Web page that is hosted on IIS 7.0: "HTTP Error 404.8 – HIDDEN_NAMESPACE"
942043 Error message when you try to visit a Web page that is hosted on IIS 7.0: "HTTP Error 401.2 - Unauthorized"
942062 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.14 - Forbidden"
942045 Error message when you try to browse a Web page that is hosted on IIS 7.0: "HTTP Error 404.7 – FILE_EXTENSION_DENIED"
942041 Error message when you try to open a Web page that is hosted on IIS 7.0: "HTTP Error 404.0 - Not Found"
942044 Error message when you try to run a Web application that is hosted on IIS 7.0: "HTTP Error 401.1 - Not Found"
942058 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 501.0 – Not Implemented"
942056 Error message when you visit a Web site that is hosted on Internet Information Services (IIS) 7.0: "HTTP Error 412 – Precondition failed"
942064 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.12 - Client Certificate Denied"
942073 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.14 – URL_TOO_LONG"
942031 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 500.0 – Internal Server Error"
942060 Make sure that IIS 7.0 configuration files contain no encrypted properties before you use the Sysprep tool to deploy a Windows Vista image
942068 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.6 - IP Address Rejected"
942042 Error message when you try to browse a Web page that is hosted on a server that is running IIS 7.0: "HTTP Error 401.3 - Unauthorized"
942046 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.6 – VERB_DENIED"
942066 Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 403.8 - Forbidden"
942049 Error message when you try to visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.9 – File Attribute Hidden"
942858 BUG: Error message when you try to upload a file from a Windows Vista client to a server that is running IIS 6.0: "Cannot read from source file or disk"
942054 Error message when you use a certain method in an MCF Web application that is hosted on IIS: "Value does not fall within the expected range"
942029 Error message when you try to use the Exchange Server ActiveSync Web Administration tool to delete a partnership or to perform a Remote Wipe operation in Exchange Server 2003 Service Pack 2: "(401) Unauthorized"

Windows Server 2008 - Release Candidate 0

qbernard — Tue, 25 Sep 2007 05:27:00 GMT

RC0 is out ! I'm downloading it now..... Zzzz... but may take days from my location :(
Anyway, can't wait to test drive it! The release page however does not shows the direct download links, you can search it at MS Download. You will see 5 flavors of W2k8 SKUs...namely
- Web server
- Standard
- Enterprise
- Datacenter
- Itanium - Yes :) Intel :p

For more updates on IIS 7 in this release, head over to Mai-Lan's blog.

IIS Admin Blog - Paul Lynch

qbernard — Sat, 08 Sep 2007 14:22:00 GMT

Paul is one of the IIS MVP that used to take care of IIS-Resources.com with me. IIS-Resources.com has been down, while I still have not heard any news from Jeffery (the owner), I certainly hope he is doing well, I mean for those that are close to Jeffery, you should know he was having some pretty bad health issue, in and out of hospital many times. Unfortunately I lost his mobile number, hence no way to reach him now.

Anyway, been busy as usual :) This post is just to update you that Paul has started to blog about his experience with IIS.... ya he is one of the few IIS guys that loves PHP + MySQL which I'm a totally noob for those two techs.

Book - Introducing Windows Server 2008

qbernard — Mon, 30 Jul 2007 08:06:00 GMT

Want to learn more about Windows Server 2008 or formerly known as Longhorn? then grab the latest book Introducing Windows Server 2008 from Mitch. Mitch is one of the regular author for Windows + IIS books and a Microsoft MVP for many years.

You can also get the introduction about IIS 7 via this free sample chapter.