Browse by Tags
All Tags »
IIS6 (
RSS)
We recently released fixes for the publicly disclosed FTP vulnerabilities. One of the after-effects of applying this update will be that recursive list commands to IIS FTP 5.x, 6.0 will return the non-recursive listing. To make it clear, this feature does not exist on IIS FTP 7.x either, and that is why I did not include those versions in the previous statement. For those that will miss this feature, there is a workaround on Robert McMurray’s blog . Read More...
Microsoft has released security bulletin MS09-053 that will address the FTP vulnerabilities that were publicly disclosed a couple of weeks ago. The information in this bulletin supercedes the previous advisory. Read More...
There have been two recently publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone through great detail to explain what platforms are affected by each vulnerability in his blog post . Microsoft has released and refreshed an advisory that covers the details, mitigations and workarounds for the vulnerability. The Microsoft Security Research and Defense team has a blog about the exploit details for the original vulnerability. Here is the summary including both vulnerabilities: Affected platforms: Windows Server 2000, Windows XP and Windows Server 2003, Windows Vista (FTP 6 only), Windows Server 2008 (FTP 6 only). Non-affected platforms: Windows 7, Windows Server 2008 R2. Windows Server 2008 and Windows Vista ships with FTP 6 by default and is affected by only one of the two disclosed vulnerabilites. The vulnerabilities does not affect FTP 7 or FTP 7.5 that ships out-of-band fro Windows Vista or Windows Server 2008. Windows 7 and Windows Server 2008 R2 are entirely...
The public exposure of another vulnerability in the FTP stack has caused a revision in the Microsoft advisory. Please refer the advisory @ http://www.microsoft.com/technet/security/advisory/975191.mspx to get updated information on exposure and impact of vulnerabilities. I have previously discussed this information in an earlier blog post and have updated this post as well. Microsoft Security Response Center (MSRC) has a revised blog as well. The one thing I want to clarify before hand is that in the Mitigations section it mentions that FTP is not installed by default on Windows 2000, Windows XP and Windows Server 2003. Please add Windows Vista and above to this list as well. This is probably obvious to most, but I wanted to call it out anyway. Also there has been a lot of confusion about FTP versions and what is affected. Refer to Wade's blog post on the topic to help clarify things. Read More...
Recently, I came across an issue where the customer faced an FIPS (Federal Information Processing Standards) related error on the .aspx pages which had debug=”true”. His ASP.net application was hosted on IIS7 running on Windows Server 2008 SP2. And, he was able to reproduce the issue using a very simple page. The error message was: Looking at the error, we know that there are articles like KB 911722 and a good blog - Enforcing FIPS Certified Cryptography which discuss the same issue. In Windows Server...( read more ) Read More...
Last week I posted the following blog which showed how to use Process Monitor to troubleshoot service startup issues. http://blogs.msdn.com/webtopics/archive/2009/06/16/troubleshooting-service-startup-issues-with-process-monitor.aspx To continue on that topic, I ran across another issue recently where Process Monitor was again very helpful in troubleshooting. Problem – When browsing ASP pages, we were getting below error in the browser. Browsing any HTML page worked fine. HTTP Error 401.3 - Unauthorized...( read more ) Read More...
Many things can cause a service, like IIS’s World Wide Web Publishing Service, to fail on startup. When troubleshooting such an issue, Process Monitor can be an invaluable tool. What Process Monitor does is monitor all File and Registry access on the system in real-time. The latest version of process monitor can be obtained here . Most of the time, we use this tool to troubleshoot Access Denied related issues. In those scenarios, Process Monitor shows exactly what user account tried to access what...( read more ) Read More...
This is just a quick blog to mention a forgotten tool. The managed stack explorer can be run on an IIS 6.0 Server running ASP.NET 2.0 to investigate the managed call stacks. Looking at the call stacks when an ASP.NET application is not responding may help identify what the requests are doing. Setting up the tool Download the Managed Stack Explorer from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=80cf81f7-d710-47e3-8b95-5a6555a230c2&displaylang=en Run the MSI and install to...( read more ) Read More...
Today, we released the FastCGI for IIS 6.0 RTM on Microsoft Download Center. It was quite a journey - come read about the RTM release and the history of what it took us to get there at http://mvolo.com/blogs/serverside/archive/2007/11/12/FastCGI-for-IIS-6.0-is-released-on-Download-Center.aspx . Read More...
Everybody knows that IIS FastCGI is a great way to run PHP applications on IIS. We've been making great strides at delivering a solid production experience for hosting PHP on IIS, for both IIS7 on Windows Vista/Windows Server 2008 and IIS6 / IIS5.1 on Windows Server 2003 and Windows XP. So, if you are looking to give FastCGI a try, where should you start? With all the coverage this work has been receiving, its starting to get out of hand. Get all the information you absolutely need to know to get started at: http://mvolo.com/blogs/serverside/archive/2007/10/09/IIS-FastCGI-and-PHP_3A00_-What-you-absolutely-need-to-know-to-host-PHP-applications-on-IIS-6-and-IIS-7.aspx . Read More...
More Posts
Next page »