We deploy a ASP.NET 1.1 web app by creating a new website. The entire website is set to SSL. We are hearing back from our operations people, it then is not possible to turn off SSL for a few directories under the website. Shouldn't it be possible to go into the directories and turn off Re...more >>

Hi, I have this issue with our company Intranet. All servers are on the same domain. Basically we picked up the old intranet which was running on IIS4 and moved to IIS6. In the process the server and some code was changed to use integrated auth and specific IE settings on the clients was i...more >>

Our company Intranet site is comprised of multiple "subwebs" (for lack of a better term). Each subweb has its own unique IIS Authentication method. The root of the Intranet has Integrated Authentication set (so users who are logged onto our network do not have to supply a username and password...more >>

Hi, I have a site that I want to use basic auth over SSL. I want a single login (I'm going to be the only user). The machine currently has a few user account already that I don't want to remove. How do I limit IIS to ONLY allow a single login to access the web (i.o.w. only this user ID wi...more >>

Good Afternoon, Recently one of the following windows updates / hotfixes for my Windows 2000 Server, altered the security settings of my "IIS Out of Process Pooled Applications" COM object. This caused my web server to stop working... The account that was displayed was the IWAM_machine a...more >>

Here is my setup: IIS 6 on Windows 2003 member server -IIS Server called serverA.foo.com - I have a virtual directory to a webpage I have setup authentication on the web page to 'Integrated Windows Authentication' and 'Basic authentication'. - default domain: foo.com - Realm: foo.com I wa...more >>

Is there a way to keep IIS running solely in RAM? panic...more >>

Is basic authentication useful against automated attacks (e.g. those attacks using buffer overflows). Regards, Bulent ...more >>

Hi. I've been running into a problem with one of my customers. For some reason whenever we do a reboot on our customers machine I am required to open IE and try to go to his web pages before they start working again. I don't even have permissions to access his web pages and I get an access denie...more >>

Hello, When only port 443 is open for OWA is does not work. When i open port 80 and port 443 is work. Can anyone tell me why? Windows 2003 server Exchange server 2003 Thx, Mo...more >>

Hi everyone, I have developed an ASP.NET web application and have deployed it to a production server. The web application has only a single page with the page_load event having no code in it. The virtual directory in IIS is setup with anonymous access only. The user that virtual directory i...more >>

We're having quite a strange problem with our web server. On our production server (Win2003 Web Edition) we're running web services that are collecting data from web requests and reports them back with informations. From time to time we get no response back, or just response with error, defin...more >>

The "Send errors to browsers" property under ASP debugging settings should be turned off by default. Like in asp.net no debug info should be send to the browser unless it is explicitly turned on. This will prevent many attacks, such as sql injection. Howard ...more >>

Hello! I'm trying to figure out if there's a way to determine what pages have been set for SSL on my site. The site consists of a couple of thousand pages (a university site) and we're developing a new site for launch in the summer. Naturally, I want to be sure we set SSL on the new pages as w...more >>

Hi, I have a user control embedded into web browser(IE 6.0) for scanning image from a scanner. When the image is scanned, I want to upload this image to server side by using HttpPost class(a third party class, not from .NET Framework directly), within the user control. It seems that I am ge...more >>

Sorry, I posted this to the wrong group a few minutes ago. It belongs here... Hi, I have an IIS ASP website that requires a user to be authenticated on our domain to be let in. However, if a user is already authenticated on the domain they are allowed straight into the ASP web without...more >>

What are the security risks with a webserver having one nic into the dmz on the firewall and the other nic into the production network, with the webserver belonging to the domain, but logged on locally at all times. I am assuming that in order to get it to retrieve the info from a msde data...more >>

I get this message in some browsers when I go to http://www.mysite.ac.uk/mysite which is meant to redirect to https://www.mysite.ac.uk/mysite: "specified request cannot be executed from current Application Pool". I think there is an answer to this somewhere but I cannot locate it. Something ...more >>

Hi, I have an Intranet Web site which generates an HTML document on the server-side, and then, on the client-side, runs MS Word, which opens this HTML document, adds some Word formatting, prints it, and then saves it (via the http://host/site/folder/file.doc from which it was received). ...more >>

Hello: I am new to this employer. They have an IIS 5.0 Server in a DMZ that is a member of workgroup not domain. The name of workgroup is same as domain. Script writes route to internal domain ip range through firewall. I have researched this type of practice in MS technet and found no re...more >>

Hello I want to create a WebService which belongs to a custom application pool & doesnt allow anonymous access. I created a user Named "TestUser", and added it to the IIS_WPG group. Then i created a new application pool "TestAppPool" which is run by TestUser & Created a WebService that runs...more >>

I had sent some file permission on my IIS server and boom they all reverted back. Could this have been a hack?...more >>

hello. i disabled the file system object for my iis 6. but i have a search code for my site written by asp that uses the fso. if i enable fso, other users who upload their files by ftp to server read others files, server's system info, drives etc. how can stop this. can i enable fso for som...more >>

HI, I changed by mistake the password for the IUSR_ account on the Exchange 2003 machine which is also a domain controller. Now OWA is not working. Is there any simple way to return things to the way they were? Amit ...more >>

Hello all, I am trying to find information about how to generate the csr programmatically from IIS 6.0. Can somebody point me to more info or scripts that already exists? Sincerely, Linda ...more >>

Hi , I am using windows server 2003 with service pack 1 and integrated Authentication. In the local intranet all are working correctly, but from another geographical location through vpn we are trying to open the file it was displaying 401.1 error. please find the IIS web log below: ...more >>

Hi ! I've experienced a bad problem with user authentication on a custom asp.net application running on a windows 2003 server. This is the scenario. There is a windows 2003 server with SP1 and IIS 6.0 on which are running a lot of asp.net/vb.net applications. It's on a local intranet with activ...more >>

I need a tutorial that shows me step-by-step how to set up my IIS so that it will be safe. I mean something like this http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html but for win2003. Since I am not an expert I fear that my server will be in danger without a...more >>

Hi, I would like to implement in an IIS more than one SSL certificates, for example one domain name is www.test.com and the other one is www.test2.com and both of them in to a server and there is only one IP address. Need I use more than one ip address or more ? if could we use more than one ssl...more >>

I have a website using Windows Authentication and Delegation to access a backend SQL Server. Everything works when I am on the LAN. When I try to access the website from home I get the Login failed for User NULL... I am using the same name to access when I am on the LAN as when I am at ho...more >>

In IIS6 I defined a custom error page. If I ask for a non existing page in an authenticated folder, it raises a 401.2 error instead of a 404 error. If I aski for a non xexisting page in an anonymous folder, the error page is correcly displayed. What could it be ? -- Patrice ...more >>

I have an ASP.NET site hosted on an SBS 2003 server. The server is a day old and no changes have been made to IIS with respect to user rights, etc. I have configured IIS_WPG to have the rights necessary to access what needs to be accessed on my site folder. I have set this up many times befor...more >>

I have an IIS 6.0 server that was configured with an SSL certificate. That server was moved into a different domain and I am now having trouble applying a new SSL certificate to this IIS server. The web server cannot seem to talk directly to the certificate server in the new domain. I g...more >>

I have a server2003 with IIS6.0 Thanks Bo ...more >>

Hi, I tried to enable SSL in IIS 6.0 and secure the tsweb connection with it. I create a enterprise CA, make a cert request, approve the request, and install the cert in the "Default Website" node under IIS Management. The default "https://localhost" works fine. But for some reason, the "...more >>

This is really driving me nuts. I have a local website on my PC that I use to run certain bits of software for my company. For example, a tutorial MPG file: Pre-SP2 (IE 6 and FF): Open http://localhost/ Click on file I want, and it runs. File shown as 'file:///D:/Work/Help.mpg'. Post-SP2...more >>

Im normally from a unix environment, but have to do some security testing on an all windows network. Can anyone recommend any free tools for security testing? I can hapily take nessus and nmap with me, but it would be nice to have tools that are specific to windows services. ...more >>

Hello there, How can I install an SSL service for a Web Site on port 81? That is, I have two sites on my server, so same IP but port 80 and 81. I want a subdir of site in 81 under https. Everything works if the the site under https is on port 80 (as often happen) but this time I have to...more >>

From time to time we don't get any response from IIS on our 'stand alone' Win2003 Web Server, which is running WEB services. It's strange because there are no errors or other problems, web services just don't respond, so the only way to solve this is to reset IIS (iis reset). After that all is...more >>

Hello! I have a website running on IIS 6.0. The website points to some perl files for submissions. The perl files are located in cgi-bin directory. Here is the problem. When I click on request button, the browser tells me file not found. I enable directory browsing and when I open the ...more >>

I have to reset the security permissions for the C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322 folder on one of my web servers frequently. The machine\aspnet accounts keeps disappearing from the security permission. I’ve even rerun aspnet_regiis a few times but nothing seems to stick. The e...more >>

Hi Gurus Can anyone advise on the steps needed to safely lock down IIS on a Windows 2003 donain controller. I know IIS lockdown is not needed on Windows 2003 IIS and I know I need to still run URLScan 2.5 but I was wondering if there are any other best practices that I should carry out. ...more >>

I've got a problem! My web-game (http://battles.interstellar-war.com) is being plagued by a particularly annoying user. He creates multiple accounts and uses them to harass other players. Each time I ban one of his accounts, he creates a new one. I've tried blocking his IP address, but that'...more >>

Hi, The Application Log of Eventviewer has multiple messages about Active Server Pages stopping and starting. The stop messages are as follows: Source: Active Server Pages Event ID: 4 Description: Service stopped. The start messages are as follows: Source: Active Server Pages Event...more >>

Hi, I'd like to setup IIS so that when users go to the urls: http://www.webserver.com http://webserver.com http://webserver.com/* it automatically forces them to SSL, i.e.: https://www.webserver.com It'd be nice if this was done without a redirect script and was a function/featu...more >>

I have a SBS 2003 running IIS 6.0. Website is running fine. In a website I have a section where I can fill out blanks and hit submit and all info is emailed to me. The file that is called on submit is:"FormMail.pl". Currently the file is located in the CGI-BIN directory in IIS. Problem is ...more >>

Multiple SSL Sites [one] IP I am looking into a method of hosting multiple SSL Enabled CMS Type Sites (I.E. Mambo Server for example or even PHPBB, for all whom may wonder). The issue is this; I am under [one] public IP Address. Although IIS will allow me to host as many sites as my se...more >>

Hi, I'm running an asp.net application on IIS (Windows XP pro, dev machine). The app must call an exe in order to run an API, but in the doc it says we must redirect to the .exe, but IIS asks me for my credentials every time (username/password) even if I don't have any authentication enab...more >>

Hi All, Looking for advice on the advisability of putting HTTP and HTTPS sites on same physical server where the certificate is associated. Obviously HTTPS addresses transfer of data rather than site/server security however it wold be great to get an authoritative view on this. Must admit ...more >>

I havea funky problem here. We have users, through MS Visual Studio, who are able to browse and read source codes of web apps that were developed even though from the global settings (properties of Default WebSite) and even locally on the folders themselves (and service master properties) the ...more >>