Archives
-
Public disclosure of IIS security issue with semi-colons in URL
IIS has been alerted to the claim of a new security issue in IIS 6 and I wanted to explain the issue and our position on it.
-
Issues installing KB 973917 on Windows Server 2003
Some customers have reported application pools being unable to start after applying KB 973917 on Windows Server 2003 to add support for Extended Protection in Windows Authentication. The root cause is machines being in an unsupported state where SP1 versions of the IIS binaries exist on an SP2 installation. Product support has released KB 2009746 describing how to resolve this issue. In summary, the resolution is to reinstall SP2 on such machines so that all IIS binaries are updated to the SP2 version.
-
Extended Protection for Windows Authentication in IIS
We have just released a non-security update that allows administrators of IIS websites that use Integrated Windows Authentication (IWA) to protect against credential relaying. The feature is called “Extended Protection” and needs to be applied at multiple layers for it to be usable from IIS. An update to a previous Microsoft Advisory 973811 now adds the IIS fixes to the list of components that support Extended Protection. This non-security update is provided for IIS 6.0 on Windows Server 2003 and above.
-
FTP recursive list after applying MS09-053
We recently released fixes for the publicly disclosed FTP vulnerabilities. One of the after-effects of applying this update is that recursive list commands sent to IIS FTP 5.x and 6.0 will return a non-recursive listing. To be clear, this feature does not exist on IIS FTP 7.x either, which is why I did not include those versions in the previous statement. For those who will miss this feature, there is a workaround on Robert McMurray’s blog.
-
Fixes released for FTP vulnerabilities
Microsoft has released security bulletin MS09-053, which addresses the FTP vulnerabilities that were publicly disclosed a couple of weeks ago. The information in this bulletin supersedes the previous advisory.
-
Securing your FTP Server 101
I have to admit that FTP has always been a second-class citizen for the IIS security team, and we usually put all our efforts into the HTTP platform. There has always been a notion that our old FTP server (FTP 6.0-) was never really popular due to lack of features. With the recent FTP vulnerabilities it became evident that we were wrong on multiple counts, and so it seems like this is a good time to do a securing your FTP server 101 blog.
-
[Updated] IIS FTP server vulnerabilities for FTP 5.x and FTP 6
There have been two recently and publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone into great detail explaining which platforms are affected by each vulnerability in his blog post. Microsoft has released and refreshed an advisory that covers the details, mitigations and workarounds for the vulnerabilities. The Microsoft Security Research and Defense team has a blog post about the exploit details for the original vulnerability. Here is the summary including both vulnerabilities:
-
Updated advisory for FTP Vulnerability on IIS
The public exposure of another vulnerability in the FTP stack has caused a revision of the Microsoft advisory. Please refer to the advisory at http://www.microsoft.com/technet/security/advisory/975191.mspx for updated information on the exposure and impact of the vulnerabilities. I have previously discussed this information in an earlier blog post and have updated that post as well. The Microsoft Security Response Center (MSRC) has a revised blog post as well.
-
Update for WebDAV vulnerability on IIS 5.x and IIS 6
We now have a security update available to address the WebDAV extension vulnerability reported earlier. All customers affected should apply the update even if they have mitigated the issue through a workaround.
-
Update Released for Dynamic IP Restrictions Beta
We had a couple of forum threads that reported an issue in the Beta module for Dynamic IP Restrictions. Since we are making a significant number of changes for Beta 2, we wanted to unblock customers affected by this issue by releasing a patch. So here it is:
-
WebDAV Authentication Bypass on IIS 5.0, 5.1 and 6.0
Microsoft has released advisory 971492 about an Elevation of Privilege issue with the WebDAV extension for IIS 5.0, 5.1 and 6.0. These versions of IIS ship with Windows Server 2000, Windows XP and Windows Server 2003 respectively. The advisory contains relevant information on who is affected and what the mitigations and workarounds are. The Microsoft Security Response Center (MSRC) has also released a blog post outlining our response, and the Security Research & Defense team has a blog post outlining the technical details.
-
Token Kidnapping fixed
I had gone into a little detail explaining token kidnapping in an earlier post. Despite all the difficulties involved in fixing this, MS has released a comprehensive patch, MS09-012, that addresses all the issues. This was a monumental effort, so kudos to all the teams involved in coordinating it and getting it out the door.
-
Script to lock down IIS paths
In IIS 7 we have request filtering available to help lock down files and directories that you don't want to serve out. This is useful for resources (like configuration) that you want your IIS worker process to have access to, but not serve to clients. Files such as web.config fall into this bucket, and the default IIS 7 request filtering configuration denies serving out this extension. However, on IIS 6 you don't have request filtering functionality built into the IIS platform; you would need to install stand-alone tools like UrlScan.