Server: Microsoft-IIS/7.0\r\n : IIS

Security Alerts - December 2009

qbernard — Fri, 11 Dec 2009 03:36:00 GMT

Recently, Microsoft released the December security bulletin , and one of the patches related to IIS. Meant to blog about this earlier but Nazim from IIS team beat me to it :) Been seeing lot of discussions online and patch management related mailing list...(read more)

Warning: Authorization - Cannot verify access to path (C:\inetpub\wwwroot\).

qbernard — Wed, 04 Nov 2009 09:51:00 GMT

I'm sure you have seen the below warning message many times with IIS 7+ The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built...(read more)

IIS DebugDiag x64 is out

qbernard — Fri, 30 Oct 2009 09:07:00 GMT

Previously, the x86 version you are able to debug 32bit worker processes running on 32/64bit OSes, with this release - you can now debug a full 64bit worker processes. Here's the link at Microsoft download, and addtional note for x64 release Notes...(read more)

Token Kidnapping - Fixed

qbernard — Tue, 14 Apr 2009 14:09:00 GMT

A year ago... Cesar Cerrudo presented a serious vulnerability via evalvation of privilege involving the NetworkService or LocalService account specific to IIS worker process. Although Microsoft addressed this in April last year, but it was more towards...(read more)

IIS Insider - Zzz...

qbernard — Thu, 22 Jan 2009 05:17:00 GMT

Errr.... 2 yrs ago I told you I wrote the last ever IIS Insider column for MS!!! Chris Adam back then even put up a notice to inform everyone. Believe me, the URL is valid back then.... after MS site reorg, yeah! happen every quarter you know :) so it...(read more)

IIS Insider - September 2006 Issue - Repost

qbernard — Wed, 21 Jan 2009 00:32:00 GMT

IIS Insider: September 2006 By Bernard Cheah, IIS Insider is a monthly column designed to answer your questions on how to troubleshoot and make the most of Microsoft Internet Information Services (IIS). The example companies, organizations, products,...(read more)

IIS KBs - June 2008

qbernard — Wed, 30 Jul 2008 06:10:00 GMT

950573 FIX: Application domains restart unexpectedly in Internet Information Services 7.0 954874 IIS binds to all IP addresses on a server when you install IIS 7.0 on Windows Server 2008 954872 How to create and manage configuration backups in Internet...(read more)

How to Detect, Identify and Defend against SQL Injection?

qbernard — Wed, 25 Jun 2008 12:40:00 GMT

SQL Injection has been around for many years :) and you probably get over 3 million results when you googled the term. so why is it so HOT now? Well, not so long ago some folks (don't ask me who!!, go read) were claiming that it was an IIS exploit, etc. Hence, all IIS web servers are subjected to this exploit, but the fact is that it has nothing to do with IIS, it is Web application related, so if you have a web/database application that running on Apache or even IBM Websphere, etc, you are subjected to the attack as well when user inputs are not properly validated. In short, the attack uses these input as the command window/line to issue specify command to the database that "not suppose" to happen via the application interface. For example, user can easily manipulate the database scheme and data, or user can even gain further access via the database system to the actual operating system level access.

Anyway, Microsoft just released a security advisory on how to detect via a free scanner from HP, how to protect at IIS level via URLSCAN 3.0 :) take note that this is still beta and how to identify it at coding level via Microsoft Source Code Analyzer for SQL Injection, take note this analyzer only works for ASP.

While the above is useful and helpful, you probably want to educate your developers on secure coding by implementing proper input validation before the input is process by the web or database system. The advisory contains a lot more information about the attack technique, best practices and more. So make sure you forward the details to your developers!!!