Server: Microsoft-IIS/7.0\r\n : IIS News

IIS DebugDiag x64 is out

qbernard — Fri, 30 Oct 2009 09:07:00 GMT

Previously, the x86 version you are able to debug 32bit worker processes running on 32/64bit OSes, with this release - you can now debug a full 64bit worker processes. Here's the link at Microsoft download, and addtional note for x64 release Notes...(read more)

Security Alert - Vulnerability in Internet Information Services Could Allow Elevation of Privilege

qbernard — Tue, 19 May 2009 23:04:00 GMT

Two days ago, a new vulnerability was found in WebDav for IIS, although few have make a big deal out of it, personally I think the impact is 'quite' minimum or at least zero in my environment coz I got no WebDav at all :) LOL... anyway - here...(read more)

Token Kidnapping - Fixed

qbernard — Tue, 14 Apr 2009 14:09:00 GMT

A year ago... Cesar Cerrudo presented a serious vulnerability via evalvation of privilege involving the NetworkService or LocalService account specific to IIS worker process. Although Microsoft addressed this in April last year, but it was more towards...(read more)

Top 8 - Web 2.0 Security Threats

qbernard — Wed, 18 Feb 2009 06:08:00 GMT

Got this from a mailing list - the top 8 security threats in Web 2.0 applications. 1. Insufficient Authentication Controls 2. Cross Site Scripting (XSS) 3. Cross Site Request Forgery (CSRF) 4. Phishing 5. Information Leakage 6. Injection Flaws 7. Information...(read more)

IIS Insider - Zzz...

qbernard — Thu, 22 Jan 2009 05:17:00 GMT

Errr.... 2 yrs ago I told you I wrote the last ever IIS Insider column for MS!!! Chris Adam back then even put up a notice to inform everyone. Believe me, the URL is valid back then.... after MS site reorg, yeah! happen every quarter you know :) so it...(read more)

IIS Insider - September 2006 Issue - Repost

qbernard — Wed, 21 Jan 2009 00:32:00 GMT

IIS Insider: September 2006 By Bernard Cheah, IIS Insider is a monthly column designed to answer your questions on how to troubleshoot and make the most of Microsoft Internet Information Services (IIS). The example companies, organizations, products,...(read more)

Ping Ping Ping!!!

qbernard — Mon, 12 Jan 2009 23:58:00 GMT

Yo yo yo.. happy 2009. Oops! 2 weeks late.. wtf Good news - Alive and kicking!!! !@$!#@%#@% Bad news - Freaking busy with work and life It is getting tougher with the current economy climate... is it bottom yet ? or the market still sinking slowly ? No...(read more)

How to Detect, Identify and Defend against SQL Injection?

qbernard — Wed, 25 Jun 2008 12:40:00 GMT

SQL Injection has been around for many years :) and you probably get over 3 million results when you googled the term. so why is it so HOT now? Well, not so long ago some folks (don't ask me who!!, go read) were claiming that it was an IIS exploit, etc. Hence, all IIS web servers are subjected to this exploit, but the fact is that it has nothing to do with IIS, it is Web application related, so if you have a web/database application that running on Apache or even IBM Websphere, etc, you are subjected to the attack as well when user inputs are not properly validated. In short, the attack uses these input as the command window/line to issue specify command to the database that "not suppose" to happen via the application interface. For example, user can easily manipulate the database scheme and data, or user can even gain further access via the database system to the actual operating system level access.

Anyway, Microsoft just released a security advisory on how to detect via a free scanner from HP, how to protect at IIS level via URLSCAN 3.0 :) take note that this is still beta and how to identify it at coding level via Microsoft Source Code Analyzer for SQL Injection, take note this analyzer only works for ASP.

While the above is useful and helpful, you probably want to educate your developers on secure coding by implementing proper input validation before the input is process by the web or database system. The advisory contains a lot more information about the attack technique, best practices and more. So make sure you forward the details to your developers!!!

IIS KBs - May 2008

qbernard — Wed, 11 Jun 2008 10:54:00 GMT

Well, for last month we got zero new IIS KB articles, yet few are related to IIS in certain way.

941850 When you try to access files on a WebDAV site that uses only Digest authentication, the process may fail on a Windows Vista-based computer
942039 FIX: Visual Studio 2005 incorrectly creates a subfolder and moves a Web project to the newly created folder

Improving Web Service Security: WCF

qbernard — Wed, 11 Jun 2008 10:19:00 GMT

The Microsoft Patterns & Practices team just published a beta copy of Improving Web Service Security for WCF or code name Indigo last week. This is another great playbook from the team that gives us many great guides and practices in using Microsoft technologies. If you are into Indigo, this is a must read :)

Here's the chapter outlines:
Chapter 01 - Security Fundamentals for Web Services
Chapter 02 - Threats and Countermeasures for Web Services
Chapter 03 - Security Design Guidelines for Web Services
Chapter 04 - WCF Security Fundamentals
Chapter 05 - Authentication, Authorization and Identities in WCF
Chapter 06 - Impersonation and Delegation in WCF
Chapter 07 - Message and Transport Security in WCF
Chapter 08 - WCF Bindings Fundamentals
Chapter 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
Chapter 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
Chapter 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Chapter 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Chapter 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Chapter 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Don't forget to check out more publications at the project directory (tag = patterns & practices) of the site for more practices and guildlines written by Microsoft and external experts from time to time.

IIS 7 Shared Hosting Summary

qbernard — Wed, 14 May 2008 08:47:00 GMT

Damn! I love this blog post from Thomas, and you can easily noticed that IIS team has put lot of effort in shared hosting environment, from shared to delegated configuration, and all the way to process model improvements. The dynamicIdleThreshold for example is a fantastic feature for shared hosting, at first I got confused (while working on the IIS 7.0 Reskit Book) with the formula implementation, then Bill hooked me up with Fabio - the main guy behind the logic to give me the full picture about the idea/logic/formula about it. It actually took me a while to understand :) LOL, getting old...

Anyway, another related feature is called Process Gating, well this is not new and was actually in IIS 6.0, but not many know about it. Process gating grants you the ability to specify the maximum worker processes that allow to run concurrently in a machine, this prevent that too many worker processess running and eventually slow down / kill the entire server especially in high density hosting setup. Similar to number of web sites a particular box can support, you need to perform stress testing and trend analysis to understand the usage model,etc before deciding on the reasonable numbers of worker processes to limit and prevent too many worker processess choking the server.

How it works....
Similar to IIS 6.0, IIS 7.0 always performs a demand start for Web application, worker processes only invokes by Windows Process Activation Service (WAS) when the application pool receives the first incoming request. Before WAS initializes the new worker process, it first checks the total number of current running worker processes. If the total amount of worker processes (current + new one) is more than the maximum worker processes allowed, then the new worker process is not started and IIS keeps the request in the queue and wait until the number of worker processes drop below the limit and starts the new worker process.

How to configure....
There is no user interface to enable demandStartThreshold in RTM releases. But with the IIS 7.0 Admin Pack, I think it should be listed as one config item in the new configuration editor, my Vista box is not with me now, so can't verify this. Anyway, you can always configure this via AppCmd.exe. For example, to limit a total of 100 worker processes for a particular IIS 7.0 web server, try

appcmd set config /section:webLimits /demandStartThreshold:100

Upon successfully executing the command syntax, you will see the output shown as below.
Applied configuration changes to section "system.applicationHost/webLimits" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

When WAS detects that it hits the demandStartThreshold limit, it writes a warning entry into the System event log. Take note that by default, process gating feature is not enabled, in the sense that the default total number of worker processes allowed is 2147483647 processes, which technically equivalent to no limit.

IIS FTP PassivePortRange

qbernard — Wed, 14 May 2008 08:33:00 GMT

Years ago, I wrote the KB on passive port range at MSKB site -
How To Configure PassivePortRange In IIS
http://support.microsoft.com/?id=555022

Lazy to update the article for IIS 7.0 FTP detail, and I'm not going to add that here :)
Coz you can get it from Microsoft Support Team -
http://blogs.msdn.com/webtopics/archive/2008/05/14/limiting-passive-ftp-port-range-on-iis-7-0-iis-6-0-iis-5-0.aspx

One thing I recalled during testing in the past is that port range only valid from 5001 to 65535.

Security Alerts - April 2008 (Special)

qbernard — Wed, 23 Apr 2008 16:49:00 GMT

Microsoft revised two security bulletins yesterday. One of which is related to .Net Framework published last year, not major update or new fixes but rather doc updates on changes related to releases of WinXP SP3.

On the other hand, in the recent Hack in the Box conference in Dubai, a new exploit in system account access token has been released to the public. This is related to the native design of current Windows access token in which entire OS is subjected to the vulnerability, and of coz IIS is part of it. Microsoft has released a new security advisory last week, take note that all Windows OSes are affected, ranging from XP, W2k3 and all the way to Vista and W2k8. The current mitigation is to stop using default built-in application pool identity and assign custom account identity for the worker processes.

IIS KBs - March 2008

qbernard — Tue, 22 Apr 2008 16:30:00 GMT

948801 If an SMTP connector set the Outbound Security option to "Integrated Windows Authentication," the SMTP connector does not work in the IIS Metabase when you restore an Exchange Server 2003 server by using a Disaster Recovery mode
949455 System Center Operations Manager 2007 Reporting installation fails on a Windows Server 2008 computer if IIS 6.0 Management Compatibility is not installed

Security Alerts - April 2008

qbernard — Tue, 22 Apr 2008 16:20:00 GMT

Oh well, been busy and no time to post this back then. In the routine patch Tuesday this month, Microsoft released 8 security bulletins with 5 of which in critical severity and one specific bulletin is related to IIS in a way. The 08-022 actually replaced the old fixes in 2006.

Summary: This security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

For more information, refer this. Take note that all existing Windows Scripting Engine 5.1/5.5/5.6 on W2k/XP/W2k3 are affected, while Vista/W2k8 are not affected.

Security Alerts - March 2008 (Special)

qbernard — Wed, 26 Mar 2008 05:09:00 GMT

Today, Microsoft released a major revision for a vulneribility reported last year on .Net Framework. If you running framework version 1.0, 1.1 and 2.0. Please apply the fix asap.

Take note that even you are running 3.0, it is essentially using .Net Framework 2.0 runtime with extra bonus feature like WPF, WCF, etc. Hence, review the bulletin and take appropriate action.

IIS 7.0 Administration Pack!

qbernard — Fri, 21 Mar 2008 02:33:00 GMT

Wow, what can I say? The IIS product team is really spending lot of effort you give you the best experience for IIS 7.0. Today, they released technical preview one for the brand new administration pack! you can take this as UI addon to various configuration in IIS 7.0 with some added features for you to get more out of IIS 7.0

Here's what you going to get if you installed it.

ASP.NET -
ASP.NET features - Authorization + Error pages for your .net authorization and custom error pages

IIS -
Request Filtering - the enchanced URLSCAN in IIS 7.0, this is the UI for you to configure it.
FastCGI - the UI for iisfcgi.dll configuration. this feature is at server level not site.
IIS Reports - fancy graphical chart for your site activities reports. you will need log parser installed for this to work.

Managment -
Configuration Editor - power full config file editor, much better than metabase explorer, allow you to search to entir hierarchy config tree, config locking etc.
IIS Database Manager - one stop UI for you to manage all db connection in IIS 7.0, explorer type of navigation, let you manage db objects, etc.

Read the official Admin Pack walkthrough/doc
and of coz. download it here...... x86, x64.

IIS KBs - February 2008

qbernard — Tue, 18 Mar 2008 06:34:00 GMT

949348 How to specify a custom location for the isolated configuration file in Internet Information Services 7.0
949349 Error message when you use Server Manager in IIS 7.0 to open a feature configuration page: "Cannot add duplicate collection entry"
949353 The Managed Pipeline Mode setting is not available after you configure an application pool to use the .NET Framework 1.1 in IIS 7.0
949350 You receive an HTTP 500 error message or a blank page appears when you request an ASP.NET resource or WCF resource that is hosted on a server that is running IIS 7.0
949351 You may receive an error message when you use an ASP.NET feature configuration page in IIS 7.0
949076 Opera browsers may crash if they use TLS to connect to an IIS 7.0 Web server that is running Windows Vista or Windows Server 2008

More IIS 7 Downloads

qbernard — Thu, 13 Mar 2008 02:41:00 GMT

It is hot! with the official release of W2k8 / IIS 7.0, Microsoft has released more goodies for you to experience the new IIS 7.0 revolution, latest releases including the IIS 7.0 Manager or Remote Manager for Vista/XP/Win2k3, as well as the long awaiting WebDav extension for W2k8. And of coz, the best place to look for all IIS 7.0 related download is at iis.net, or get the latest release info via this RSS feed (feed not working yet).

Security Alerts - March 2008

qbernard — Thu, 13 Mar 2008 02:23:00 GMT

In this month security bulletin, although all critical fixes are related to MS Office, one of the bulletin is related to Office Web Component and hence if you utilizing OWC in your web application, you need to apply the patch asap. Details:

Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)
http://support.microsoft.com/?id=933103

Affected software: Office2k (SP3), OfficeXP (SP3), VS.NET 2k2 (SP1), VS.NET 2k3 (SP1)
server: Biztalk 2k + 2k2, Commerce 2k, ISA 2k (SP1)

Take note that Office2k3 SP2/SP3 are not affected.