Questions tagged [iis]

Internet Information Services (IIS) is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows.

IIS 7.5 supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It is an integral part of the Windows Server family of products, as well as certain editions of Windows XP, Windows Vista and Windows 7. IIS is not turned on by default when Windows is installed.

184 questions
31
votes
5 answers

How to fix SSL 2.0 and BEAST on IIS

As you can see on this post TeamMentor.net vulnerable to BEAST and SSL 2.0, now what? the app I'm currently developing got flagged for SSL 2.0 and BEAST by SSL Labs. I'm using IIS 7.0 with the latest patches, and can't seem to find the answers to…
Dinis Cruz
  • 629
  • 1
  • 6
  • 15
18
votes
3 answers

What is the next step of this file upload attack?

Yesterday I discovered somebody had uploaded this PHP code to my server as a .jpg file via my asp.net MVC application's "Upload your profile picture" form. I believe the attack was unsuccessful for a number of reasons (the images are given random…
Jared Phelps
  • 291
  • 2
  • 5
15
votes
3 answers

External websites in logs

I have a website, let's call it www.good.com. I've been getting a lot of requests to www.good.com under completely different URLs than www.good.com. I suspect this traffic is also causing some site performance issues. I'm running a .NET solution on…
Zachary Dow
  • 253
  • 1
  • 5
13
votes
3 answers

SSL handshake failure modes

In SSL if the handshake is not successful, does it always end with a handshake alert? Or are there other ways to finish the SSL connection (acceptable by standard). I am asking this, because in an HTTPS server configured to require client…
Jim
  • 131
  • 1
  • 1
  • 3
12
votes
6 answers

Is this a ViewState attack?

I recently found this request in the event log: Client IP: 193.203.XX.XX Port: 53080 User-Agent: Mozilla/4.0 (compatible; Synapse) ViewState: -1' Referer: Now, the ViewState: -1' part combined with the origin of the IP address (Ukraine, we don't…
jao
  • 223
  • 2
  • 7
11
votes
2 answers

How insecure is PowerShell Web Access?

Windows Server 2012 comes with a new feature that allows you to administrate the server via a PowerShell command line in any modern browser including Smartphones. This sounds cool and scary at the same time. I am evaluating this option and are…
Peter Hahndorf
  • 445
  • 2
  • 10
11
votes
6 answers

weird visitors to my website

For the last three months I have thousands of real visitors to a single page on my website. Those visits are recorded in Google Analytics and count as page views in adsense reports, but they are fake: They are not generated by spam software /…
Zaher
  • 161
  • 2
  • 8
10
votes
7 answers

What is the danger of hosting your SSL certificate yourself?

I have Active Directory Certificate Services on my server, which makes it possible for me to deliver an SSL certificate for the websites hosted on the same server. I know that normally, I need to acquire a certificate from a known certification…
Arseni Mourzenko
  • 4,644
  • 6
  • 20
  • 30
9
votes
3 answers

How to add X-Frame-Options header to a simple HTML file?

I am having trouble adding X-Frame-Options header to a simple HTML file. Is there any way to do it using JavaScript?
sam
  • 93
  • 1
  • 1
  • 3
8
votes
1 answer

How does Windows/IIS keep a certificate protected or should I never run Apache Webserver on a Windows server?

If I follow the reasoning of a colleague it seems you should never run Apache Webserver or Tomcat on a Windows server if you want to keep the https certificate safe. Let me explain before this question evolves into a Windows vs Linux troll…
Gos Bilgon
  • 136
  • 1
  • 5
8
votes
3 answers

Verify a website user is behind corporate firewall?

We have a public ecommerce website hosted at our datacenter onsite. For people who are within the corporate firewall hitting the website I want to display profiling information about the request of the current page. This would include sql so we want…
Paul Lemke
  • 181
  • 2
8
votes
2 answers

IIS IP Address Restriction - can I rely on it online?

I've been told that I might have more luck posting here than on Stack Exchange, so here goes: I'm looking for a way to lock down a 3rd party application in IIS. It's a web service, so there's no login page or anything, it's meant for use in a VPN…
RodH257
  • 181
  • 1
  • 5
8
votes
1 answer

What are the security concerns with turning off Extended protection for authentication in IIS7 on ADFS?

In setting up SSO for Office 365, in order to make Chrome and Firefox access services on the Intranet, Extended Protection for Authentication must be disabled on the ADFS server. As the ADFS server is only accessible on the Intranet, and any external…
Matt Bear
  • 181
  • 1
  • 4
8
votes
3 answers

IIS and SQLServer Hardening

Long story short: I'm an engineer doing development, not administration. I have no direct access to the production server, so I can only tell the administration team the best configurations for security. However, as you all know, it's not as simple…
Orca
  • 491
  • 1
  • 5
  • 12
7
votes
2 answers

How to display friendly notification about no TLS 1.0 support in browser

A browser that only has TLS 1.0 support won't be able to establish an HTTPS session with a server that has only TLS 1.1 and TLS 1.2 support. This typically results in a cryptic (to a normal user) error about a cipher suite mismatch or in IE even…
Devon Holcombe
  • 211
  • 2
  • 7