BillS IIS Blog : Security

Why IIS7? Top 12 cool features…

bills — Fri, 21 Nov 2008 04:13:45 GMT

Every time I talk with customers in meetings or at conferences I’m struck by how many cool amazing new capabilities IIS7 has. I can go on for literally hours talking about the new features and benefits, and showing demos. And with each new IIS7 Extension, the list of new features just gets bigger and bigger. A few months ago I realized we didn’t have the top list of features written up anywhere, and so we started the process of distilling down the list to the top 10. We almost made it! We ended up with the top 12 reasons you should get IIS7 today. Check them out here:

http://www.iis.net/getstarted

Over the next few weeks we’ll be adding a cool demo for each of the reasons to show the features in action. Be sure to check back soon!

Find New IIS7 Extensions at http://www.iis.net/extensions/

bills — Tue, 11 Nov 2008 22:55:00 GMT

I’m happy to announce that IIS7 Extensions have found their home at http://www.iis.net/extensions

Every since IIS7 shipped 9 months ago, the IIS team has been cranking away adding new features to the platform. Last time I blogged about how we do this, I realized we didn’t have a single place to learn about all of them, so I kicked off an effort within the team to create this. Now that the pages are up, it is amazing to see how many new capabilities are already available on top of IIS7…which all by itself had more new features than any other IIS release in the history of the product. It is a testament to not only the ingenuity and hard work of the IIS team, but a real validation that IIS7 is not just a Web server, it is a server platform. All of these new features are built on top of public extensibility points that any developer can use, and provide a seamless runtime, configuration and administration experience that looks and feels like they were built into the product to begin with! Here they are:

Landing page: http://www.iis.net/extensions

http://www.iis.net/AdministrationPack

http://www.iis.net/ApplicationRequestRouting

http://www.iis.net/BitRateThrottling

http://www.iis.net/DatabaseManager

http://www.iis.net/FTP

http://www.iis.net/IISManager

http://www.iis.net/PowerShell

http://www.iis.net/SmoothStreaming

http://www.iis.net/URLRewrite

http://www.iis.net/UrlScan

http://www.iis.net/WebDeploymentTool

http://www.iis.net/WebPlaylists

http://www.iis.net/WebDAV

Check out the more than a dozen new features available today! Over the next few weeks we’ll be adding video demos of each feature and more new content. Stay tuned for many cool new features to come!

SQL Injection Attacks on IIS Web Servers

bills — Sat, 26 Apr 2008 04:33:14 GMT

You may have seen recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.

Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.

Guidance from Microsoft for web application development best practices can also be found on this MSDN page. Best practices guidelines that developers may follow to mitigate SQL injection, can be located here. As we continue to make progress in our investigation on this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe or visit the IIS security forum.

For end-users, the investigation also shows no indication of an un-patched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks.

To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit: www.microsoft.com/protect.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov