All Tags » Security
Using PDO::quote with Parameterized Queries
I spent some time last week investigating a puzzling issue raised in the SQL Server Driver for PHP forums: Need help with PDO::quote() and PDOStatement::bindValue and PDO::execute using new SQLSRVR 2.0 driver. At the heart of the issue was this question: Should you use the PDO::quote method to quote a parameter if you are also using the PDOStatement::bindValue or the PDOStatement::bindParam method to bind the parameter? My answer is no, you shouldn’t. I’ll explain why not, but I wonder...
Wordpress Theme Upload error on IIS 7: AppPoolIdentity, FastCGI Impersonation and What not?
IIS Security: Semi-colons in URL
IIS security guy Nazim Lala has just blogged about an IIS 6 security issue, related to the use of Semi-colon (;) in a URL. It's not much of an issue if your IIS 6 server is properly configured. Good example of how best practices can make your day. For more technical info do read the blog and check your servers for anything like that. It's always good to double check than to suffer right... Have fun... Hopefully see you in new year!!! Update: Info also present on MSRC Team Blog...
Troubleshooting HTTP 401.3 errors with Process Monitor
Last week I posted the following blog which showed how to use Process Monitor to troubleshoot service startup issues. http://blogs.msdn.com/webtopics/archive/2009/06/16/troubleshooting-service-startup-issues-with-process-monitor.aspx To continue on that topic, I ran across another issue recently where Process Monitor was again very helpful in troubleshooting. Problem – When browsing ASP pages, we were getting the below error in the browser. Browsing any HTML page worked fine. HTTP Error 401.3 - Unauthorized...
Troubleshooting service startup issues with Process Monitor
Many things can cause a service, like IIS’s World Wide Web Publishing Service, to fail on startup. When troubleshooting such an issue, Process Monitor can be an invaluable tool. What Process Monitor does is monitor all File and Registry access on the system in real-time. The latest version of Process Monitor can be obtained here. Most of the time, we use this tool to troubleshoot Access Denied related issues. In those scenarios, Process Monitor shows exactly what user account tried to access what...
Patch for Dynamic IP Restrictions for IIS 7 - Beta
Dynamic IP Restrictions (DIPR) was created to give users a tool to help mitigate the effects of DOS attacks and certain brute-force password breaking attempts. The Out-Of-Band (OOB) feature description is (perhaps more elegantly) outlined on this page: http://www.iis.net/extensions/DynamicIPRestrictions. In short, it is a handy tool that is easy to configure to protect a site/server from certain attacks. A bug was discovered in the Beta for Microsoft Dynamic IP Restrictions for IIS 7 for which a patch has been released. The bug affects users with site names longer than 22 characters. Installing the feature with a long site name and browsing to that site would result in a distinctive error in the Windows Application logs. To check whether your version of DIPR beta contains this update, check the Registry. If the value for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IIS Extensions\DynIpRst\Version is 7.1.0394.0, then the installed DIPR is not updated. This value should be 7.1.0487.0 for the updated...
IIS Security – Past and Present
This topic has been covered many times both by Microsoft and non-Microsoft employees. However, I’ve recently been asked what the main features of IIS 7 are and have seen a great deal of misinformation about IIS security on Twitter, blog posts and forums. I think, therefore, the issue deserves yet another look. In this post, I’m going to go over security in the past for IIS and then move on to talk about security features in IIS 7. These are not in any particular order. This post is not meant to diminish the many thoughtful works already created by others – both complimentary and critical. This is just meant to bring the subject back up for discussion again in hopes that you can be properly equipped with the decision-making information you may need. Ghosts of IIS Security Past The reason for so much misinformation about the current state of security in IIS is likely due to the earned reputation the product had in versions previous to IIS 6.0. A quick search on the web for IIS 5 security...
Dynamic IP Restrictions for IIS 7.0 - Beta
Today the IIS team has released the Dynamic IP Restrictions Extension for IIS 7.0 - Beta. The Dynamic IP Restrictions Extension provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be...
IIS 7.0/IIS6.0 - URLSCAN 3.1 and Outlook Web Access
I was working with one of the customers on Urlscan and their requirement was to install Urlscan on Windows Server 2003 64-bit to hide Server's identity. Basically in Urlscan.ini, we can configure "RemoveServerHeader=1" to remove server's identity from HTTP Header. As Urlscan 2.5 has urlscan.dll in 32-bit, we weren't able to get it work on Windows 2003 64-bit and the only option was to switch IIS worker process to run in 32-bit mode (Enable32bitAppOnWin64). But they wanted to run it in 64-bit. So we downloaded latest Urlscan 3.1 64-bit and installed it on Windows Server 2003 64-bit. Download URLSCAN 3.1 from following locations: Download the x86 version from Microsoft Download Center here. Download the x64 version from Microsoft Download Center here. Once you download desired URLSCAN, you can double click .msi to install Urlscan and here is how it looks: By default Urlscan keeps all the files in "%systemroot%\system32\inetsrv\urlscan" folder on Windows 2003...
Why IIS7? Top 12 cool features…
Every time I talk with customers in meetings or at conferences I’m struck by how many cool amazing new capabilities IIS7 has. I can go on for literally hours talking about the new features and benefits, and showing demos. And with each new IIS7 Extension, the list of new features just gets bigger and bigger. A few months ago I realized we didn’t have the top list of features written up anywhere, and so we started the process of distilling down the list to the top 10. We almost made it! We ended up with the top 12 reasons you should get IIS7 today. Check them out here: http://www.iis.net/getstarted Over the next few weeks we’ll be adding a cool demo for each of the reasons to show the features in action. Be sure to check back soon!