Contents tagged with IIS7
-
Extended Protection for Windows Authentication in IIS
We have just released a non-security update that allows administrators of IIS websites that use Integrated Windows Authentication (IWA) to protect against credential relaying. The feature is called “Extended Protection” and needs to be applied at multiple layers for it to be usable from IIS. An update to a previous Microsoft Advisory 973811 now adds the IIS fixes to the list of components that support Extended Protection. This non-security update is provided for IIS 6.0 on Windows Server 2003 and above.
-
FTP recursive list after applying MS09-053
We recently released fixes for the publicly disclosed FTP vulnerabilities. One of the after-effects of applying this update will be that recursive list commands to IIS FTP 5.x, 6.0 will return the non-recursive listing. To make it clear, this feature does not exist on IIS FTP 7.x either, and that is why I did not include those versions in the previous statement. For those that will miss this feature, there is a workaround on Robert McMurray’s blog.
-
Fixes released for FTP vulnerabilities
Microsoft has released security bulletin MS09-053 that will address the FTP vulnerabilities that were publicly disclosed a couple of weeks ago. The information in this bulletin supercedes the previous advisory.
-
[Updated] IIS FTP server vulnerabilities for FTP 5.x and FTP 6
There have been two recently publicly disclosed vulnerabilities for FTP 5, FTP 5.1 and FTP 6. Wade has gone through great detail to explain what platforms are affected by each vulnerability in his blog post. Microsoft has released and refreshed an advisory that covers the details, mitigations and workarounds for the vulnerability. The Microsoft Security Research and Defense team has a blog about the exploit details for the original vulnerability. Here is the summary including both vulnerabilities:
-
Updated advisory for FTP Vulnerability on IIS
The public exposure of another vulnerability in the FTP stack has caused a revision in the Microsoft advisory. Please refer the advisory @ http://www.microsoft.com/technet/security/advisory/975191.mspx to get updated information on exposure and impact of vulnerabilities. I have previously discussed this information in an earlier blog post and have updated this post as well. Microsoft Security Response Center (MSRC) has a revised blog as well.
-
Update Released for Dynamic IP Restrictions Beta
We had a couple of forum threads that reported an issue in the Beta module for Dynamic IP Restrictions. Since we are doing a significant amount of change for Beta 2, we wanted to unblock customers affected by this issue be releasing a patch. So here it is:
-
WebDAV Authentication Bypass on IIS 5.0, 5.1 and 6.0
Microsoft has released advisory 971492 about an Elevation of Privilege issue with the WebDAV extension for IIS 5.0, 5.1 and 6.0. These versions of IIS reside on Windows Server 2000, Windows XP and Windows Server 2003 respectively. The advisory contains relevant information for who is affected and what the mitigations and workarounds are. The Microsoft Security Response Center (MSRC) has also release a blog outlining our response and the Security Research & Defense team has a blog outlining technical details.
-
Script to lock down IIS paths
In IIS 7 we have request filtering available to help with locking down files and directories that you don't want to serve out. This is useful for resources (like configuration) that you want your IIS worker process to have access to, but not serve it out to clients. Things like web.config files fall in to this bucket, and default IIS 7 request filtering configuration denies serving out this extension. However on IIS 6, you don't have request filtering functionality built into the IIS platform. You would need to install stand-alone tools like UrlScan.
-
Script to install UrlScan v3.0 as a site filter.
Although using WIX to create an MSI to do this task is a cleaner approach, it is too heavy duty for me. I do this often enough to warrant creating a script for it, so I though I would share it out.
-
UrlScan v3.0 RTW Released
About 2 months ago we released the beta for UrlScan v3.0 to address customer concerns with automated SQL injection attacks and we have been busy since refining it with the help of our customers, community and MVPs. You can download the bits at the links below.