Nazim's Security Blog
All things security ...
-
Fixes for several IIS issues released in September 2010 patch cycle
We just released a bulletin this September that addresses three IIS vulnerabilities. Two of these were responsibly disclosed, while one was publicly disclosed. The bulletin is on http://www.microsoft.com/technet/security/bulletin/MS10-065.mspx and contains the mitigations and workarounds in each case. The knowledge base articles for each of the three vulnerabilities are linked below and contain affected platform information.
-
Dynamic IP Restrictions Beta 2 released!
Yes, it has been a while since Beta was released, but Beta 2 is finally released! You can download Dynamic IP Restrictions Beta 2 from the links below.
-
Security fix for IIS Extended Protection released
Microsoft has just released a fix for the Extended Protection for Windows Authentication feature in IIS. The details about the issue are in security bulletin MS10-040.
-
Blocking SQL injection using IIS URL Rewrite
We have had quite a few conversations about SQL injection on my blog, including Filtering SQL Injection from Classic ASP and Using Rules Configuration in UrlScan 3.0 to filter SQL injection. One of the shortcomings that we talked about was that UrlScan is not as flexible as some users want it to be, since it does not have the ability to use regular expressions. Well, the story changes quite a bit with the IIS URL Rewrite module, which is capable of doing request and response rewriting based on regular expressions. For those weighing URL Rewrite against UrlScan, URL Rewrite has more flexibility but UrlScan is a lot more performant, so choose depending on your needs and resources.
-
Fixing IIS 6 issue with semi-colon
In an earlier post I talked about the semi-colon issue and since then we have published a KB article 979124 on how to configure uploads for web applications in IIS as well. To complete the story I wanted to do a quick write-up on how to go about fixing your server configuration to avoid this issue.
-
Public disclosure of IIS security issue with semi-colons in URL
IIS has been alerted to the claim of a new security issue in IIS 6 and I wanted to explain the issue and our position on it.
-
Issues installing KB 973917 on Windows Server 2003
Some customers have reported issues of application pools unable to start after applying KB 973917 on Windows Server 2003 to add support for Extended Protection in Windows Authentication. The root cause of this issue is machines being in an unsupported state where SP1 version of IIS binaries exist on an SP2 installation. Product support has released KB 2009746 on how to resolve this issue. The summary of the resolution is to reinstall SP2 to such machines to update all IIS binaries to the SP2 version.
-
Extended Protection for Windows Authentication in IIS
We have just released a non-security update that allows administrators of IIS websites that use Integrated Windows Authentication (IWA) to protect against credential relaying. The feature is called “Extended Protection” and needs to be applied at multiple layers for it to be usable from IIS. An update to a previous Microsoft Advisory 973811 now adds the IIS fixes to the list of components that support Extended Protection. This non-security update is provided for IIS 6.0 on Windows Server 2003 and above.
-
FTP recursive list after applying MS09-053
We recently released fixes for the publicly disclosed FTP vulnerabilities. One of the after-effects of applying this update will be that recursive list commands to IIS FTP 5.x, 6.0 will return the non-recursive listing. To make it clear, this feature does not exist on IIS FTP 7.x either, and that is why I did not include those versions in the previous statement. For those that will miss this feature, there is a workaround on Robert McMurray’s blog.
-
Fixes released for FTP vulnerabilities
Microsoft has released security bulletin MS09-053 that will address the FTP vulnerabilities that were publicly disclosed a couple of weeks ago. The information in this bulletin supersedes the previous advisory.