Tom Woolums' Blog - All Comments

HttpModules i IIS 7.x

Mr. Frost — Mon, 16 Nov 2009 10:31:11 GMT

HttpModules i IIS 7.x

re: Check Out PHP on IIS 7

robtheailean — Sat, 30 May 2009 08:19:44 GMT

Pinback link 1 wants to run a "Remote Devices..." which Symantec EP sees as a internet attack.

What is the problem - and is it "Malware"

re: The Services Behind Internet Information Services 7.0

Cassie_CampBell — Mon, 20 Apr 2009 08:34:27 GMT

i want to know, what is the vulnerable in microsoft IIS version 7.0 web server?????????????

Microsoft Internet Information Services

Confluence: Configipedia — Fri, 13 Mar 2009 11:13:01 GMT

Product Description Microsoft Internet Information Services (IIS, formerly called Internet Information Server) is a set of Internetbased services for servers using Microsoft Windows....

re: IIS 7.0 HTTP Request Processing

JaroDunajsky — Fri, 16 Jan 2009 19:59:02 GMT

Nice attempt to visually document the request flow! It shows the flow when http request arrives but there is no worker process started yet to handle it. The sequence is not exactly happening the way outlined in the diagram above (from 12/16/2008). Tom is going to update the diagram later.

For easier understanding it would be better to show 3 diagrams. One diagram for service startup when W3SVC configures HTTP.sys with information about sites and app-pool mappings. Second diagram for processing first HTTP request when worker process to handle requests is not yet available. The third diagram for the simplest case when worker process is already running when request arrives.

re: IIS 7.0 Configuration Store Hierarchy

tomwoolums — Thu, 15 Jan 2009 23:20:10 GMT

Thanks for the feedback. I updated the diagram to include the Root Web config file. Good catch!

re: IIS 7.0 Application Pools

Anonymous — Wed, 24 Dec 2008 06:59:11 GMT

Ya.. It's right

re: IIS 7.0 Configuration Store Hierarchy

Anonymous — Thu, 18 Dec 2008 07:19:51 GMT

In this heirarchy where does the C:\windows\microsoft.net\framework\<version>\confgi\web.config fit it. I was thiking the heirarchy was machineconfig-->web.config -->applicationhost.config

is it in correct ?

re: IIS 7.0 Defaults Dialog page

robmcm — Wed, 17 Dec 2008 23:46:55 GMT

In response to the comment by "Anonymous", ActivePERL is not from Microsoft, it is from a 3rd-party company named ActiveState (see www.activestate.com); Microsoft does not install any version of PERL.

Also - Microsoft's strategy is definitively not to "kill all other companies web software products"; in fact, with IIS 7 Microsoft tried to make the product easier for 3rd-party developers to develop applications for IIS than ever before. For example, Microsoft's adoption of FastCGI in IIS enables a variety of other dynamic programming technologies from other companies (e.g. PHP, PERL, etc.) If you were to take a look at the “Downloads” section on the www.iis.net web site, you would see that a growing community of 3rd-party developers is creating applications for IIS 7.

All of that being said - because of the introduction of the integrated pipeline in IIS 7, some legacy IIS 5 and IIS 6 applications might have some migration issues, but the detailed error messages in IIS 7 will list the problem and the possible migration resolutions. If you want to host your IIS 5 or IIS 6 application on IIS 7 and you don't want to migrate your application, you can run the application in an application pool that has been configured to use "Classic" mode.

re: IIS 7.0 HTTP Request Processing

Anonymous — Tue, 16 Dec 2008 22:19:42 GMT

This shows the path an initial request takes and is very informative. Could you also post a picture with the flow of subsequent requests.

re: IIS 7.0 Configuration Store Hierarchy

bills — Tue, 16 Dec 2008 03:01:45 GMT

very cool - I love pictures as a way to learn! welcome to blogosphere, great to have you here!

re: Protection from SQL Injection

bholyfield — Tue, 02 Sep 2008 06:09:05 GMT

URLScan is a great defense mechanism for web server attacks, but I have found that it is not flexible enough to defend against web application-level attacks like SQL Injection. The group I work with just released a free module for IIS (called SPF) that provides a flexible mechanism for blocking malicious requests. It provides coverage options for Query Strings, POST data and Cookies (where as URL Scan is limited to just Query Strings). It also supports use of regular expressions to define malicious input sequences.

SPF for IIS is available for free and can be downloaded from our website: www.gdssecurity.com/.../tools

You can also find out more about it from the following Blog post: www.gdssecurity.com/.../iis-secure-parameter-filter-spf-released

re: Protection from SQL Injection

Anonymous — Mon, 01 Sep 2008 07:24:21 GMT

Thanks guys. Very helpful.

re: Protection from SQL Injection

Anonymous — Sat, 30 Aug 2008 23:55:47 GMT

If a site is written correctly SQL injection should not be an issue at all. The basic steps that should be taken include...

1. Always use parameterised Queries or Stored Procedures.

2. The SQL login used by the scripts in the site should only have access to do what is required and nothing more. For example if the site user only requires access to limited sub-set of stored procedures, ensure that these stored procedures are all it can access.

All the user input validation in the world cannot fully protect against SQL injection. However if you religiously follow these 2 basic basic principals it will.

Basically the only reason SQL injection works, is because sites dynamically create arbitrary SQL using hard coded strings combined with user entered data and pass. The problem here is that there's always the possibility that the user entered data can contain SQL commands.

If instead you use parameterised queries then the user entered data is only ever treated as data, never SQL commands, so basically it can contain whatever it likes and it wont be harmful.