all groups > iis security > march 2006


On sandboxes, and why you should care
Posted by Dinis Cruz at 3/31/2006 11:50:28 PM
Here is a post I did to the webappsec mailing list which is very relevant to this newsgroup. I am also very interested in your comments about this issue. Dinis -------- Original Message -------- Subject: On sandboxes, and why you should care On 29/03/06, Andrew van der Stock <vand...more >>


Simple Anonymous Access question
Posted by rolfejr NO[at]SPAM gmail.com at 3/31/2006 2:39:20 PM
I accidentally posted the following message in the ASP newsgroup, so I thought I would post it here as it probably belongs in this group instead. I have what I think is a simple question but I am finding nothing but complicated answers. I have a web site running on IIS6. One directory used...more >>

Communicator Web Access Authentication Not Working
Posted by Ben at 3/31/2006 1:32:50 PM
Hi, I'm trying to setup Communicator Web Access (CWA) on a server that is already running Live Comms 2005, Exchange 2003 & OWA. I have done a test install on a VMWare machine, got it up and running successfully. However now I am trying to do it on the live system, I can not get it working. ...more >>

Iusr_Servername NetworkPrinter
Posted by Lye at 3/31/2006 7:52:02 AM
Hi, any expert out there can advise on how to allow the iusr_servername to access a network printer? I have tried the solution posted on KB to edit the hkey_users/.default..... setting, no luck. Please help..... I need the iusr_servername to print to a printer linked to a PC printserver. I have se...more >>

Do I really need a wild card certificate ?
Posted by Mike_IntermediateVB at 3/30/2006 4:42:01 PM
I am trying to set up a virtual directory that uses SSL (at the moment it just contains index.htm). Once all the various settings are set I can navigate to this page from within my network (but external sites produce a page not found error) If I switch off ‘Require SSL’ I can navigate to t...more >>

BIN Directory being hidden automatically
Posted by T-1000 at 3/30/2006 3:13:44 PM
For some reason all of the BIN folder in any IIS virtual servers are being hidden automatically. I don't mean hidden from the .net application, but simply hidden. They are visible only via FTP or command prompt, but not explorer (regardless of folder options.) There have been no changes made...more >>

Restricting IIS from serving static content
Posted by Nico at 3/30/2006 1:57:05 PM
I'm trying to determine the best way to restrict access to static files in IIS6.0. From my understanding the recommended solution is to remove the extension from the MIME types in the IIS6.0 console. However testing has shown that you also need to remove these from HKEY_CLASSES_ROOT as well....more >>

IIS and enterprise sub CA on different machines
Posted by Edward Ray at 3/30/2006 12:50:32 PM
The Brian Komar texts imply that the enterprise subordinate CA (i.e. issuing CA) needs to reside on the same machine as IIS. From a security perspective, this seems like a poor design. From a network standpoint, it means I have to support multiple IIS servers in my LAN. Neither is accep...more >>



Current User Credential Security settings don't seem to allow access when they should.
Posted by D Witherspoon at 3/30/2006 11:23:00 AM
IIS 6 Win2K3. I created a new virtual folder. That points to \\fileshare\myfolder. the virtual folder is set to use integrated windows authentication and the "connect as" is set to "Always use the authenticated user's credentials when validating access to the network directory." So.. I...more >>

Err:The server certificate for instance '4' has expired or is not
Posted by vecozo NO[at]SPAM online.nospam at 3/30/2006 3:22:01 AM
Hello, We have three environments test, acceptance and production. On the test and production environment everything works fine, but acceptance is something different. So you should say make acceptance the same as test and production. So I did but it still doesn't work. When I open my webse...more >>

run cgi in localhost without SSL?
Posted by jdinares at 3/30/2006 3:05:02 AM
Hi, sorry for my bad English in advance. Configured server with IIS 6 and one Certificate SSL in default web. All run ok. I need one .cgi of this web to run locally without SSL : Configured additional virtual web in the server for access locally without SSL to the website via http://loc...more >>

Website unable to download *.exe's
Posted by Brian at 3/29/2006 1:09:01 PM
I have a website where the web master would like to have others download exe off the site. Right now when I try to click on the link it will not download the file. If I change it to a zip file it works just fine... Any thought or ideas Thanks, Brian...more >>

IIS Version and Internal IP being Revealed
Posted by DoktorWho at 3/28/2006 11:20:02 AM
During a recent security scan of our IIS 6 box, it was shown that the IIS Version, 6 in this case, and the Internal IP address of the box were being shown externally. Why would this be and how can I fix this. The box is natted behind a firewall....more >>

Anonymous Account not working
Posted by Ishmealm at 3/28/2006 7:27:05 AM
Hi, I recently built a new webserver to replace an existing server. I copied the data to the new server and rebuilt all of the IIS directories by hand. I replaced the broken SID of the old IUSR account on all of the folders with the new IUSR account from the new server. Now when I try...more >>

IIS 5 allows anonymous editing via Frontpage
Posted by Tim100873 at 3/27/2006 5:12:01 PM
Greetings, We are running IIS 5, and have run the lockdown tool (2.1) using the FPEx template. We have noticed that anyone that opens the website inside Frontpage can edit the contents of all websites on this server without being prompted for a password. We hope this is a simple misconfigu...more >>

Passing form credentials to windows security
Posted by Doug at 3/27/2006 12:23:01 PM
Ok to explain my scenario here is my goal I have an intranet site that is available internally as well as externally. Currently it is just html files on the intranet (that change may come later which will make it easy to secure via an application, unfortunately right now that is not an opt...more >>

IIS6 'forgets' "Connect As" password for Virtual Directory
Posted by Richard Manion at 3/27/2006 10:55:02 AM
I have a website that contains a virtual directory mapped to a UNC using a domain account under "Connect As." Users are normally able to browse the virtual directory without incident. The site exist on an NLB cluster. Occasionally, one or two of the servers will forget the "Connect As" Passw...more >>

Cannot connect to Web Server from Different Domain
Posted by nai at 3/27/2006 2:14:02 AM
Hi all, We have two domains in here and are currently migrating users from Domain A to Domain B. We have a trust relationship setup between the two and are using Windows Integrated Security for Authentication. My IIS Server is in Domain A. I can connect to the webserver using User X ...more >>

403 (Forbidden) after setting up SSL Redirect
Posted by AHoff at 3/24/2006 10:51:03 AM
I've gone through the steps of redirecting HTTP requests to HTTPS for OWA as outlined in KB-839357. I've checked, rechecked, and checked again that all steps were followed but I still get: HTTP Error 403 - Forbidden You are not authorized to view this page My head hurts from banging it on...more >>

Single authentication for multiple IIS 6 servers
Posted by news.microsoft.com at 3/24/2006 10:29:56 AM
Thanks in advance for your help ... Environment: .. We have several IIS servers, one for each of the following: Exchange 2003 OWA, Sharepoint 2003, and CRM 3. .. All are Windows 2003 and part of the same domain .. Web access is set to integrated on all servers. .. Network is behind a Symant...more >>

HTTP_AUTHORIZATION header
Posted by AWillemsen at 3/24/2006 7:33:02 AM
I am running IIS 5.1 on XP SP2. I have two virtual directories in the same Web site that have anonymous access disabled - one contains HTML pages and the other contains a CGI executable. One of the HTML pages has a form which executes the CGI. If I open a new browser window, and then ope...more >>

Can't audit security events
Posted by Vic at 3/23/2006 9:16:32 AM
Here's my problem: There is a webserver at work, win2k, that originally was joined to the domain, but is always logged on locally. We can't get it to audit security events - domain policies override local policies. We logged on with an admin account from the domain to attempt to look at the...more >>

Multiple SSL certs on virtual servers - again
Posted by justageezer at 3/23/2006 4:15:28 AM
Hi all, I've read the posts on multiple SSL certs on virtual servers, as well as the kb articles (again) and I'm wondering if anyone has had the same issue I'm getting now. In the past I've always managed to get multiple certs working by either using a different port or a different IP address...more >>

Is there a way of downloading .cer files like you would do with .doc or .MP3
Posted by Lion at 3/23/2006 12:00:00 AM
I'm using IIS 6.0 on a Windows 2003 Std, I have created Virtual Directory called test\ and in there I have index.htm and also web.cer (web.cer is the certificate that I want my users to download for their PDAs) the index.htm displays OK but when I click on to the link that points to web.cer I...more >>

DMZ and Domains
Posted by Tewhano at 3/21/2006 11:47:03 AM
I have a web server (2K3) sitting inside the DMZ which accesses data inside the domain via the firewall. All the data, including the web site, resides on the data server and is an in-house application. The executables run on the web server and fetch the data the customer requests. We have t...more >>

IIS rejects standard Authorization: Digest header
Posted by Maurits at 3/20/2006 11:57:05 AM
The IE team has announced that IE 7 will put warning messages on Basic Authentication username/password prompts. So, I'm trying to get Digest Authentication set up as an alternative to Basic Authentication. I'm finding that IIS is rejecting Authorization: Digest headers from Firefox, but ac...more >>

IIS Manager Closes Unexpectedly
Posted by Stuart Fermenick at 3/20/2006 10:55:33 AM
Hello folks! I have a Windows 2000 server with IIS 5.0. I need to install/import an SSL certificate into one of the sites. The problem is, when I click on a site, right-click to open Properties, select the Directory Security tab, then click the Server Certificates... button, IIS Manager ...more >>

Windows Authentication
Posted by jc at 3/19/2006 8:24:03 PM
I am using Windows 2003 Server and IIS 6. The website is set up as Windows Authentication. Is there a way I can only allow a few users (managers) in my company to access the Website via Windows Authentication? All other company users will be denied access? Thanks, JimmyChang...more >>

Local Server Logon Required?
Posted by John A Kushwarra at 3/17/2006 12:25:30 PM
Hello Here is a strange one. I have an asp 2.0 web site hosted on ServerA that uses windows authentication. When I access the site from a local pc everything works the way that it should. If I access the site from a browser running on the server that is hosting it I get the windows logo...more >>

Understanding W3SVC1 logs
Posted by Vic at 3/17/2006 12:25:26 PM
Could anyone point me in the direction of a knowledge base or good book that will help in understanding suspicious looking entries in the logs? I use iis 5, fully patched, anti-virus installed, updated daily and scanned daily. For example, GET /webcalendar/tools/send_reminders.php cmd.dat?...more >>

IIS Manager on remote computer
Posted by Drew at 3/17/2006 11:46:40 AM
I have installed IIS manager on a central machine and made an MMC with IIS for several web servers. It connects and shows me everything including websites. On some servers, when I click on a website it says "This site cannot be started because another site running on this computer is already...more >>

Cross Site Scripting - Newbie Question
Posted by Steve Ray at 3/16/2006 7:04:56 PM
Guys I've been informed today that one of my websites (at work) is allowing CSS. Apart from Sp'ing and HF'ing the server is there an IIS security tool I can install on Server 2003 that will prevent all known forms of attacks on the box, such as a security roll up tool that used to exist for ...more >>

Making ASPNET a Member of Administrator Group??
Posted by Ben at 3/16/2006 11:49:24 AM
I'm working on a C#.Net Web application involving a third party dll. Because they use SoftLock in that dll, the Web app cannot access that dll at runtime, and they told me to make "ASPNET" as a member of the Administrator Group. That fixed the problem, but is that too risky? What might be the ...more >>

administer IIS but not local Admin
Posted by Drew at 3/16/2006 11:49:24 AM
I want to allow an IIS admin to do everything IIS but not be an admin on the server. I will have them use MMC on a remote computer and open IIS. That part works when they are in the admins group...looking to make that be a much smaller group. This site has some directions that don't qui...more >>

Delegation and IIS service account
Posted by T. Tyrone at 3/16/2006 5:46:18 AM
Hello; I'm trying to set up a web app that accesses a SQL database on a second server. I want to use integrated security and have set the computer account as trusted for delegation. I know I need to use setspn to tell Active Directory that there is an authorized instance of a service of c...more >>

Moved to new server, I_USR not showing
Posted by Joey Martin at 3/15/2006 12:22:18 PM
I moved web server (from Server 2003 Standard to Server 2003 Web Edition). I noticed that permissions have changed some under IIS. My asp page uses FileSystemObject to write file. My old server, this worked fine. I have verified that WRITE permission is enabled under IIS. But, Under PERMI...more >>

IISADMPWD Vulnerabilities
Posted by Mike B. at 3/15/2006 8:00:30 AM
What problems would be caused if the IISADMPWD page is accessed via Anonymous access to the pages to the Internet? What kind of vulnerability would Active Directory be in should this be configured this way? We need a way for users who are on the road all the time and never come to the offic...more >>

SSL redirect to non-SSL
Posted by Daniel Kaplan at 3/14/2006 9:35:40 PM
Not sure if I am in the right group, but question. If I am going from an SSL page to a non-SSL page (like after logging on) is there a way to get the browser to NOT give that "you are being redirected to a non-secure page" ? Thanks ...more >>

ASP app upgrade to IIS6 with new Authentication scheme
Posted by pwarda NO[at]SPAM gmail.com at 3/14/2006 3:37:10 PM
Hello all, we have an existing ASP 3 based application that used to run perfectly with SQL Server 7. We have been mandated to migrate the site over to the following configuration: WebServer (server 1) Windows 2003 (with IIS 6 of course) Database (server 2) SQL Server 2000 Windows 200...more >>

IIS requires credentials all the time....PART II
Posted by Lobo at 3/14/2006 2:29:38 PM
Yesterday's post: I have IIS server on Server 2003 and Anonymous Access and Windows Integrated Security are checked but when some users want to access site IIS requires credentials ... If I turn off Integrated Security then I get message "You are not authorized to view this page" I tr...more >>

SSL Posting question
Posted by Poker Man at 3/14/2006 9:26:32 AM
Hello All, Curious about something. Am using SSL on one of my pages to process payments with a credit card. Now when the user doesn't fill out all the info properly I repost the form to ask for the missing fields. My question is this, since the page is reposting to itself, and is under ...more >>

access when I use my ip address
Posted by Dooma at 3/13/2006 5:50:23 PM
When I try to access my local SharePoint site I get an error http 500 but when I use my local IP address I can logon fine. Is there a problem. I am using windows 2003 AD with local DNS server. Please help ...more >>

IIS requires credentials all the time....
Posted by Lobo at 3/13/2006 3:09:35 PM
I have IIS server on Server 2003 and Anonymous Access and Windows Integrated Security are checked but when some users want to access site IIS requires credentials ... If I turn off Integrated Security then I get message "You are not authorized to view this page" I tried to change Home Di...more >>

Intermittent login issue
Posted by Bill at 3/13/2006 9:21:30 AM
Hello, We are using MBS Business Portal 2.5 on a 2003 server (also domain controller). We are using Basic authentication with SSL. (Integrated Authentication is not an option due to clients not being part of the Windows domain). We also have a Novell NDS network and sync accounts to AD u...more >>

Problems with IIS6 / SSL
Posted by Lajus Norvejikus at 3/13/2006 9:11:32 AM
Hi all, I recently installed one Windows 2003 Server and after I installed IIS 6. I have 2 web sites configured: one I want to answer to port 80, the other will listen 443. I install a certificate (ok) using the article id 816794 as reference. Everything seems ok. Only... SSL does not work! T...more >>

Locking down FPSE
Posted by psychogenic at 3/13/2006 8:20:58 AM
Does Visual Interdev use an account to gain access to a remote web server or does IIS treat it as an anonymous guest user? We have web developers who insist on having FPSE installed on the production server but the problem is we also have other people in our WAN who have Interdev installed (othe...more >>

Getting Server SSL Cert Expiration Info
Posted by Jul.Genis NO[at]SPAM gmail.com at 3/13/2006 8:12:35 AM
Hello, I am trying to come up with a solution which will help me gather ssl certificate expiration date remotely. So far the only solution that I could come up with is running the following command on remote servers: certmgr.exe /s -r localmachine my >> \\server\share\exp_date.txt I trie...more >>

Lock user in website folder
Posted by ttopholm at 3/12/2006 4:10:27 PM
How can I lock an iusr_ so it can't go out of its wwwroot folder... Because I found a script, which can show my whole C-drive with fso in asp, but I want to disable that so it only can see the wwwroot and not outside that. in the php-engine you have open_basedir, do you also have that in ...more >>

Help me to install IIS
Posted by dkedia NO[at]SPAM gmail.com at 3/11/2006 4:19:26 AM
I have windows XP professional, no service pack, FAT32. I have installed IIS. it is showing in Control Panel- Admin.Tools-IIServices. Inetpub, wwwroot folders have been created. But any .asp file doesn't work. Now i went in Control P.-admin.tools-iis-website-default w.site-right click on All T...more >>

Page Access based on Computer Name
Posted by Jeff at 3/10/2006 7:56:29 AM
Can access to a web page on a Windows 2003 standard server running iis 6 be granted permissions based on computer name. This will all take place on the company's local intranet in a Windows AD environment. Thanks, ...more >>

