Nazim's IIS Security Blog
All things security ...
Recent Posts
Public disclosure of IIS security issue with semi-colons in URL
by naziml (8 comments)
IIS has been alerted to the claim of a new security issue in IIS 6 and I wanted to explain the issue and our position on it. The issue in question affects only IIS 6 (Windows Server 2003) and arises when you send a URL with a semi-colon in it. IIS 6 uses...
Issues installing KB 973917 on Windows Server 2003
by naziml (4 comments)
Some customers have reported issues of application pools unable to start after applying KB 973917 on Windows Server 2003 to add support for Extended Protection in Windows Authentication. The root cause of this issue is machines being in an unsupported...
Extended Protection for Windows Authentication in IIS
by naziml (1 comment)
We have just released a non-security update that allows administrators of IIS websites that use Integrated Windows Authentication (IWA) to protect against credential relaying. The feature is called "Extended Protection" and needs to be applied at multiple...
FTP recursive list after applying MS09-053
by naziml (0 comments)
We recently released fixes for the publicly disclosed FTP vulnerabilities. One of the after-effects of applying this update will be that recursive list commands to IIS FTP 5.x, 6.0 will return the non-recursive listing. To make it clear, this feature...
Tags: IIS6, IIS7, IIS5X, FTP
Fixes released for FTP vulnerabilities
by naziml (1 comment)
Microsoft has released security bulletin MS09-053 that will address the FTP vulnerabilities that were publicly disclosed a couple of weeks ago. The information in this bulletin supersedes the previous advisory.
Tags: IIS6, IIS7, Windows Security, IIS5X, FTP
Securing your FTP Server 101
by naziml (1 comment)
I have to admit that FTP has always been a second-class citizen for the IIS security team, and we usually put all our efforts into the HTTP platform. There has always been a notion that our old FTP server (FTP 6.0-) was never really popular due to lack...
[Updated] IIS FTP server vulnerabilities for FTP 5.x and FTP 6
by naziml (1 comment)
There have been two recently publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone through great detail to explain what platforms are affected by each vulnerability in his blog post. Microsoft has released and refreshed an advisory...
Tags: IIS6, IIS7, Windows Security, IIS5X, FTP
Updated advisory for FTP Vulnerability on IIS
by naziml (0 comments)
The public exposure of another vulnerability in the FTP stack has caused a revision in the Microsoft advisory. Please refer to the advisory at http://www.microsoft.com/technet/security/advisory/975191.mspx to get updated information on exposure and impact...
Tags: IIS6, IIS7, Windows Security, IIS5X, FTP
Update for WebDAV vulnerability on IIS 5.x and IIS 6
by naziml (0 comments)
We now have a security update available to address the WebDAV extension vulnerability reported earlier. All customers affected should apply the update even if they have mitigated the issue through a workaround. The background here is that we had an encoding...
Tags: IIS6, Windows Security, IIS5X, WebDAV
Update Released for Dynamic IP Restrictions Beta
by naziml (0 comments)
We had a couple of forum threads that reported an issue in the Beta module for Dynamic IP Restrictions. Since we are doing a significant amount of change for Beta 2, we wanted to unblock customers affected by this issue by releasing a patch. So here...
Tags: IIS7, Dynamic IP Restriction, HTTP
WebDAV Authentication Bypass on IIS 5.0, 5.1 and 6.0
by naziml (1 comment)
Microsoft has released advisory 971492 about an Elevation of Privilege issue with the WebDAV extension for IIS 5.0, 5.1 and 6.0. These versions of IIS reside on Windows 2000 Server, Windows XP and Windows Server 2003 respectively. The advisory contains...
Tags: IIS6, IIS7, IIS5X, WebDAV
Token Kidnapping fixed
by naziml (0 comments)
I had gone into a little detail about explaining token kidnapping in an earlier post. Despite all the difficulties involved in fixing this, MS has released a comprehensive patch that addresses all the issues in MS09-012. This was a monumental effort...
Tags: IIS6, Windows Security
Script to lock down IIS paths
by naziml (3 comments)
In IIS 7 we have request filtering available to help with locking down files and directories that you don't want to serve out. This is useful for resources (like configuration) that you want your IIS worker process to have access to, but not serve it...
Tags: RequestFiltering, IIS6, IIS7, IIS5X, HTTP
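The kind of IIS 7 request-filtering rule the post above is talking about, as an added illustration (this is not the blog's lock-down script and is not taken from the post): a web.config fragment that keeps the worker process able to read a directory and a set of files from disk while refusing to serve them over HTTP. The segment name "private" and the extensions .bak and .ini are assumptions chosen for the example; the default applicationHost.config already hides the ASP.NET bin, App_Code and App_Data segments and blocks .config, so this adds to those defaults rather than replacing them.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example of IIS 7 request filtering, not the original post's script.
     Place in the web.config of the site or application you want to lock down. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- hiddenSegments: any URL whose path contains this segment gets a 404.
             "private" is an assumed directory name for this example; the worker
             process can still open files under it from disk. -->
        <hiddenSegments>
          <add segment="private" />
        </hiddenSegments>
        <!-- fileExtensions: refuse URLs ending in extensions that usually hold
             backups or configuration, regardless of where they sit in the site.
             allowUnlisted="true" keeps every other extension reachable. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".ini" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

To confirm the effective rules after merging with the server defaults, run `%windir%\system32\inetsrv\appcmd.exe list config "Default Web Site" /section:requestFiltering` and check that the added segment and extensions appear; a request for a blocked path should come back as 404 with a request-filtering substatus rather than 403, so the existence of the resource is not confirmed to the client.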
Script to install UrlScan v3.0 as a site filter.
by naziml (23 comments)
Although using WIX to create an MSI to do this task is a cleaner approach, it is too heavy duty for me. I do this often enough to warrant creating a script for it, so I thought I would share it out. To use it you would run: InstallUrlScanAtSite.js -siteid...
Tags: UrlScan, IIS6, IIS7, IIS5X, HTTP
Token Kidnapping in Windows
by naziml (47 comments)
Microsoft has just released MS09-012 to address this issue in its entirety. Get further details here. You have probably heard about the Token Kidnapping vulnerability in Windows and read Microsoft's security advisory on it and are wondering why there...
Tags: IIS6, Windows Security, HTTP