Wade Hilmo Posts

Aug 01, 2012

  Last week, we released the final version of our Dynamic IP Restrictions module for IIS 7.x .  The feature is also built into IIS 8.0, which is included with Windows 8 and Windows Server 2012. At the highest level,...

1 comments

May 01, 2012

In my last post , I gave a bit of background on the Application Warm-Up module , now called Application Initialization. This week, I would like to go into more detail as to what the Application Initialization module does, and...

5 comments

Apr 16, 2012

“IIS is a demand-driven web server, i.e. IIS does things only when asked for…” This was the start of a blog post back in late 2009 announcing the beta for the IIS 7.5 Application Warm-Up module.  The idea behind this module...

3 comments

Apr 20, 2011

Recently, the question came up about why it is not possible for IIS to handle a URL that contains a ‘%’ character that is not part of an escape sequence.  The resulting discussion produced some informative references to the...

1 comments

Sep 03, 2009

It’s been a busy few days on the IIS Security Team. Earlier this week, a vulnerability was found in the IIS FTP server. We have been working with security teams across Microsoft to research the issue and formulate a response to...

6 comments

Apr 13, 2009

We've had a few people on our forums asking about running Perl on IIS 7. This led to some discussion on the team about getting it to work with FastCGI. The team has been doing a lot of great work with the Web Platform Installer...

18 comments

Dec 18, 2008

2008 has been a busy year for attackers exploiting SQL Injection vulnerabilities in web applications. Once again, I am finding questions about this subject in my inbox. Earlier today, I found myself reviewing the material that...

5 comments

Dec 18, 2008

This article is specific to IIS 6 and earlier. If you are using IIS 7.0 or later, please see this article . The IIS team has created an add-on tool for IIS called UrlScan that is able to filter HTTP requests. If a request is found...

5 comments

Dec 18, 2008

This article is specific to IIS 7 and later. If you are using IIS 6.0 or earlier, please see this article . Starting with version 7.0, IIS has a built-in feature that is able to filter HTTP requests. If a request is found to have...

3 comments

Oct 31, 2008

Earlier this year, it came to our attention that our customers were being subjected to a SQL Injection attack . In response to that, we updated the venerable UrlScan filter and released version 3.0 with new features that provide...

16 comments

Jun 24, 2008

The IIS team has some street smarts when it comes to security. We learned quite a few lessons the hard way back in 2001 with the outbreak of the CodeRed worm.  One of the lesser known facts about the Code Red worm is that...

42 comments

Mar 02, 2007

So here it is, my first ever blog post. I am not new to posting about IIS on the internet. A quick newsgroup search reminds me that I've posted to around 900 threads related to IIS. The first time was on June 10, 1997, where I...

15 comments