Contents tagged with IIS 7
-
Blocking SQL Injection with IIS Request Filtering
SQL Injection became a favorite hacking technique in 2007. Despite being widely documented for so many years, it continues to evolve and be utilized. Because SQL Injection is such a well-known attack vector, I am always surprised when, as a sysadmin, I come across someone’s site that has been compromised by it. In most instances the site was compromised because user data entered on web forms was not properly validated. Classic ASP sites using inline SQL queries with hardcoded query string parameters are especially vulnerable. Fortunately, regardless of a site’s potential programming weaknesses, it can still be protected. In this walkthrough I will cover how to protect your site from SQL Injection using IIS Request Filtering.
-
Managing IIS Logs with GZipStream
Depending on how many sites your Windows web server is hosting, maintaining IIS logs can be a challenge. IIS logs provide valuable insight into the traffic your sites are experiencing as well as detailed SEO metrics and performance data. A typical web server will have just enough free disk space for future growth needs but ultimately will be limited by the capacity of the drives in the server. If left unmonitored, IIS logs can quickly fill any remaining disk space on the server. There are a few third-party tools that are good at compressing log files when they are under one parent folder, but when the log files are in different locations, such as on a WebsitePanel server I support, an alternative solution is needed. In this walkthrough I will demonstrate how I solved this challenge using ASP.NET and GZipStream.
-
3 Steps to Securing FTP on IIS 8
The FTP protocol is some 43 years old now. Yet it continues to be one of the most widely used file transfer technologies available. Over the years it has been shown to be vulnerable to brute force attacks, packet capture, and other attack vectors. Fortunately, with IIS 8 on Windows Server 2012 your FTP server doesn’t have to be vulnerable. It goes without saying that FTP Authentication and Authorization are the most fundamental methods to secure your server. Here are three additional things you can do to increase the security of your server’s FTP service and minimize its attack footprint.
-
Preventing Automated Attacks with IIS Dynamic IP Restrictions
Another one of the great built-in features of IIS 8 is Dynamic IP Restrictions (DIPR). With a few simple configuration steps you can quickly set limits for blocking IP addresses based on the number of concurrent requests or the frequency of requests over a period of time. With these parameters in place, IIS will take over blocking requests unattended, thereby making your server more secure.
-
Solving SQL Server High CPU with IIS Request Filtering
The other day I was troubleshooting 100% CPU utilization on a SQL Server 2008 database server. The server had 100 or so databases of varying sizes; however, none were larger than a few hundred MB, and each database had a corresponding web site on a separate web server. Since the server hosted quite a few databases, the high CPU needed to be resolved quickly because it was causing issues for everyone. High CPU on a database server can often be symptomatic of issues occurring outside the server. In this case the real issue was in fact being caused by a SQL Injection attack on a web server.
-
Installing IIS on Windows Server 2012 with Web PI
Thanks to Microsoft’s Web Platform Installer (Web PI), installing IIS has never been so easy. Before Web PI could be used to install IIS, you had to use the Server Manager to install the Web Server (IIS) role and then select the various Role Services that you needed to be enabled. Depending on your level of expertise this could be a challenging task, with lots of scrolling back and forth and click upon click to get things just right, but now you can have IIS deployed with just 3 clicks of your mouse.
-
Enhancing Log Parser Reports with Charts
When you need quick analysis of your traffic logs you won’t find a better tool than Microsoft’s free Log Parser. With Log Parser you can read a variety of log files, including the Registry and Windows event logs. Its ease of use comes from using SQL queries against your log file. You can get your data even faster by using multiple Log Parser queries in a batch file.
-
Easy MySQL Backups and Restores Using phpMyAdmin
Thanks to the Web Platform Installer, deploying a site with WordPress and MySQL is a breeze. There are a few tools to maintain your MySQL databases, and MySQL Workbench is an obvious choice. However, if you are working remotely and only have access to a web browser, then a free tool called phpMyAdmin is a great solution.
-
Using Application_BeginRequest for a 301 Redirect
Redirecting visitors on your site from one page to another is handled by using either a 301 redirect or a 302 redirect. The numbers 301 and 302 refer to the HTTP status code that is returned by the web server to your browser. They may seem similar, but they are quite different. A 302 indicates a temporary change and a 301 indicates a permanent change. This difference is important to understand and will impact how search engines see content changes on your site. There are a number of ways to implement a 301 redirect on your web site. Some are easier than others to configure, and the choice will depend on the version of IIS you are using. Here’s the story of how I recently had to use the global.asax and Application_BeginRequest to do a 301 redirect.
-
Using Wildcard SSL Certificates on IIS 7
The other day I was helping someone who was trying to configure a wildcard certificate on their Windows Cloud Server. Their server was running Windows Server 2008 R2 using IIS 7. They were technically savvy and knew how to configure sites on their own and install a regular SSL certificate, but they were stuck trying to get a wildcard certificate configured properly.