all groups > iis security > june 2006
Change Password Site in IIS 6.0
Posted by Fred Yarbrough at 6/30/2006 5:22:55 PM
We are running a Change Password site using Windows 2000 with IIS 5.0 using
the standard IISADMPwd files.
I am trying to build up a new Windows 2003 IIS 6.0 version and it is not
working. I have done lots of reading about the switch to .asp based code
instead of .htr code.
When I run the s... more >>
IE does not offer to open item downloaded via https
Posted by Richard Glanville at 6/30/2006 10:07:01 AM
Hi,
I'm trying to investigate a problem where IE does not offer to open an item
downloaded via https. So far can only reproduce on Windows 2003 Server
_Enterprise Edition_ with SP1 installed. Could not repro with Standard
Edition.
Can be reproduced like this:
On some other server:
Cre... more >>
IIS logs show domain laptop logging into WEBDAV
Posted by FD at 6/30/2006 8:18:04 AM
Hi,
I have a curious problem that I hope someone can shed some light on. The
log below shows a domain laptop logging in to our webserver's webdav. This
incident occurs after business hours. The bad news is it is my laptop's IP
address. (I leave my laptop on to run the virus scanner, et... more >>
Can i make personal ssl cert from verisign's one?
Posted by heingray NO[at]SPAM gmail.com at 6/30/2006 12:36:07 AM
I tried it until yesterday.
I think I've almost succeeded.
it's so easy. set openssl SSLCACertificateFile to verisign's one.
cert tree appear to follow.
VeriSign Class 3 Public Primary CA
|
---> www.verisign.com/CPS incorp.by Ref. LIABILITY LTD. (c)97 VeriSign
|
----->www.yourdoma... more >>
IIS on Vista & IISLockdown/UrlScan
Posted by Stephen at 6/29/2006 7:41:02 PM
Does anyone have any suggestions for what security steps need to be taken to
secure a basic web server in Vista running ASP.NET 2.0 pages with some
VB.NET? IISLockdown doesn't list Vista in supported products so am I right to
assume it isn't needed in Vista? Should I take it URLScan functions a... more >>
SSLCertHash through ADSI in C#
Posted by Raghu at 6/29/2006 1:33:17 PM
I am trying to set the SSLCertHash property to the byte array that contains
the SSL certificate's thumbnail with following code:
string path = "IIS://localhost/W3SVC/" + webSiteNumber;
DirectoryEntry site = new DirectoryEntry(path);
X509Certif... more >>
monitor access to docs on IIS
Posted by WES at 6/29/2006 7:41:20 AM
I have an automated job on an IIS 4&5 server that generates .pdf
reports to users directories. The users each have separate unique
logins to their respective directories. The users logins ARE NOT
Windows domain accounts. The user accounts are assigned through a
proprietary application that also... more >>
Filtering Query String
Posted by West, I at 6/29/2006 12:00:00 AM
Hi,
I have a client site who runs IIS5 as his web server with Filemaker 6 as
their backend database.
There is a major security flaw with the Filemaker web publishing engine and
with a simple url string (e.g. fmpro?-format=-dso_xml&-dbnames) you can then
view all the published databases, ... more >>
login problem with iis and webdav.
Posted by Allan Bentsen at 6/28/2006 9:16:30 PM
Hi there
My setup is as follows.
A Windows 2003 Server, IIS 6, WebDav, and a website (aspx/C#)
A Windows XP Pro sp2 ie6 sp2.
Problem:
From a webpage it is possible to choose between opening a folder in a
virtual directory with file://... or http:// (WebDav).
When a user opens the folde... more >>
Is there a way to avoid/security alert box from redirecting to HTTP to HTTPS?
Posted by Jayanthv at 6/28/2006 2:45:25 PM
I saw some questions and answers which say we cannot suppress the
security alert box when redirecting from HTTP to HTTPS?
But i saw many sites are easily redirecting from HTTP to HTTPS without
security alert box..
How can i code such that i should not get alert box from HTTP to HTTPS?
p... more >>
IIS6 HTTPS POST not being returned to .ASP file...
Posted by Sean at 6/28/2006 8:39:02 AM
Using IIS6 on 2003 SP1. What I am doing is submitting a credit card approval
request to an HTTPS (ssl) site. The response is being redirected to an .ASP
file - which is set up to accept the fields being returned. Problem is I
never get anything returned to the file. I have eliminated the ... more >>
Can Someone Tell Me If We Have a Hacker?
Posted by razor at 6/27/2006 9:26:02 AM
Hello--
I am pasting an event log from our IIS/web server that repeats about 50
times every day during non-business hours. Our SQL administrator seems to
believe that someone is trying to hack into our system via FTP.
Can someone tell me if the below is a hacker, and what we can do about it?... more >>
SSL issue OWA 2003
Posted by The_Bar at 6/27/2006 8:41:38 AM
Dear Reader,
I have installed a Windows exchange server 2003 with my own CA. I have
made my own webserver certificate that will be used by OWA.
Now I have one issue, when I connect to my e-mail using OWA I see at
the bottom of my screen the secured ssl icon, but when I was logged on
the ic... more >>
A little help (kerberos, netbios, and SPN... oh my!)
Posted by Craig Carrigan at 6/27/2006 12:00:00 AM
I have a custom intranet that I have setup for our company. The access is
secured using IWA and when the site is accessed by server name (QSERVER\internal)
the domain user's credentials are passed automatically and everything is
fine. This is good because we don't want internal users (people p... more >>
The IIS service does not seem to be serving up .asmx or .asp pages
Posted by idaliac at 6/26/2006 6:04:01 PM
Hope someone help me ,
The IE error that is presented is "Cannot find server or DNS Error"
and t
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-06-26 15:23:19 W3SVC2 3.131.90.64 GET /fpad... more >>
IIS Access
Posted by phill at 6/26/2006 7:49:02 AM
Hello,
We have had a request off developers to have access to some servers. I can
achieve everything I need by assigning a group to log on locally and Allow
RDP. This just allows them to look.
One of the requests is to have read ability for IIS but you need admin
rights to run this. ... more >>
IIS5: Renew certificate
Posted by Andrew Hodgson at 6/25/2006 11:24:46 AM
Hi,
I wish to renew a certificate with IIS 5, but the provider of the new
certificate should ideally be another issuer.
If I follow the renew wizard to generate the CSR, will this work by
sending the CSR to the new supplier, then installing the certificate?
Will it affect the old certificate... more >>
security error in IIS logs (401.2 error)
Posted by Alexander Ferrugia at 6/23/2006 5:23:01 PM
Hi:
I'm trying to deploy my VisualStudio2003 ASP.NET application on Windows
Server 2003 w/ SP-1. When I navigate to my site (locally or from another
network computer) in Internet Explorer I'm being prompted for a network
username/password. I believe I have configured the server properly in... more >>
file security/authentication
Posted by Carl Hilton at 6/23/2006 2:10:10 PM
OK, I thought I had tackled this before a while a ago but forgot what I
did...
I am running IIS6 on a W2K3 server. for most of my site I have Anonymous
access authorized. I have one file that I want to use the local system ACLs
to authenticate with... I have turned off Anonymous access, I h... more >>
New HTTPS web site and certificate installation
Posted by instrument_programmer at 6/23/2006 11:34:02 AM
While I am a very experienced developer I am new to the whole IIS secure
server stuff. We had created a locally generated "test" certificate and
installed it and it works with that. But we wanted to expose this outside
our firewall with a real certificate. We have an ISA server acting as ou... more >>
Keeping a particular intruder out
Posted by Peter at 6/23/2006 9:35:51 AM
If this is OT, then I apologise.
I'm running 2003 Standard, basically to host my wife's hobby sites.
I monitor the logs for intrusion attempts, and persistent offenders get
barred using a simple IPSEC implementation.
However, I cannot stop a plague of visits from msnbot/0.9 supposedly
o... more >>
Security Tab Missing On Specific File Extensions - 2003
Posted by Chase D at 6/22/2006 8:26:01 PM
Okay so I am on a windows 2003 server. I first found that these certain types
of files (.wpd) Corel files could not be downloaded from the web. I first
thought it was a security issue so I right clicked the files and was going to
look at the permissions. The security tab is missing. In fact on... more >>
Stop HTTP Access
Posted by Thom Little at 6/22/2006 6:32:45 AM
I have an ASP.NET 1.1 application on a Windows 2000 Server that can be
accessed as ...
http://name.tld or https://name.tld .
How can I force it to disallow the http access and only permit the https
access?
--
-- Thom Little -- www.tlanet.net -- Thom Little Associates, Ltd.
--
... more >>
IIS 6.0 ISAPI & MIME types
Posted by Ibrahim. at 6/22/2006 5:49:01 AM
Hello,
following are my questions with regard to ASP.NET 2.0, IIS 6.0 & Win2003
server running an Internet Application:
1. What is the difference between MIME types & ISAPI filter.
2. How can I restrict a file (*.pdf) from being accessed directly from the
URL through ISAPI filter.
3. H... more >>
MS Incident Response Plan
Posted by softtrain at 6/20/2006 3:21:02 PM
According to a white paper entitled MS Incident Response Plan, MS states that
you should never load IIS on a domain controller. Does anyone have any
experience with a fully updated windows 2003 server and a fully updated IIS
install having security problems?
Thanks,
--
P Cully... more >>
Securing static files
Posted by Jon Haakon Ariansen at 6/20/2006 12:12:53 PM
Hi,
In short my problem is securing static pages, so that unauthorized
(anonymous) people don't get access to these files. You'll find a
detailed description below.
I have a websolution that is made in Dotnet 2.0. The solution send the user
to a correct module based on the users credentia... more >>
What encryption method and strength is the password in the metabas
Posted by Harold Miles at 6/20/2006 8:20:01 AM
Does anyone know the method and strength IIS encrypts the anonymousUserName
password in the metabase.xml?
Thanks!... more >>
How can make HTTPS secure connection to only IIS virtual directory & Few files under that virtual directory?
Posted by jayanth.vishnuvardhan NO[at]SPAM gmail.com at 6/20/2006 7:31:19 AM
Hi,
How are you all?
I need information regarding SSL using IIS5.0 Server. I got the CA
certificate and i want to setup the SSL connection to my Virtual
Directory. Please note that if i assign this certificate to the Web
Site then it's enabling the Virtual Directory's "Server Certificate"
... more >>
Mirror ftp sites and user accounts in IIS
Posted by Matt_UK at 6/20/2006 4:58:01 AM
Hi
We have 2 ftp servers in separate DMZs in different parts of the country
both running W2003 Server and IIS running with users isolated using local
accounts and individual ftp sites - has to be this way due to the nature of
our business and also the files get copied to remote sites aroun... more >>
IIS WebDAV Long Filename Support?
Posted by bradwiseathome NO[at]SPAM hotmail.com at 6/19/2006 10:40:52 AM
I am trying to use the Novell NetDrive freeware to connect to an IIS
6.0 WebDAV directory. I tried to copy a file to the server, and got an
"error" saying that the server did not support long file names. Is
there a security setting on the Windows 2003 server that could make
this happen?
Thank... more >>
Reports of IIS 6.0 Defacements
Posted by me at 6/19/2006 8:56:03 AM
Hi,
I was wondering if anyone at Microsoft is able to confirm the defacement of
Microsoft France as well as other websites running IIS 6.0
as described at http://www.zone-h.org/content/view/4767/31/ and
http://isc.sans.org/diary.php?storyid=1429
If the defacement was real, has it been de... more >>
Windows Server Hardening
Posted by Eng.Rana NO[at]SPAM gmail.com at 6/19/2006 1:33:51 AM
Hi all,
I was wondering why do we need to harden Windows server 2003 by
applying rules like:
1.Remove any unneeded Services
2.Close unneeded ports
3.Rename Administrator account
4.Prevent users from installing printer drivers
5.Restrict CD-ROM and floppy access to locally logged-on user o... more >>
IIS and client certificate
Posted by spiazzi67 NO[at]SPAM gmail.com at 6/18/2006 1:04:07 AM
Hi,
I have SBS2003.
I would expose exchange web in internet and intranet.
For intranet I would secure with IP filter.
For internet I would secure with client certificate.
Now can I combine these methods? That is a person in my intranet that
doesn't have the certificate can access , because the I... more >>
SSL using Microsofts CA
Posted by Jeniffer K at 6/18/2006 12:00:00 AM
I would like to configure SSL for OWA as well as for Outlook clients using
RPC-over-HTTP, so i installed Certificate Services (in Add/Remove windows
components), then in IIS I went to the default web site, under server
certificate i selected 'Assign an existing certificate' and used the new
... more >>
workgroup vs domain recommendation
Posted by BLMuzzy at 6/15/2006 6:20:29 PM
Does anyone know the pros & cons of having public servers in a workgroup vs
in a domain? My situation is I have a couple Win2003 IIS servers, a SQL
server, and a document mgmt server (SQL + doc storage) that's also an Active
Directory DC. The latter is used for LDAP validation of user logons. ... more >>
System Stored Procedures
Posted by Eng.Rana NO[at]SPAM gmail.com at 6/15/2006 12:10:38 AM
Hello All,
i was wondering if there exists some way to disable all system stored
procedures, as they are vulnerable to attacks specially if they r not
needed within any of my applications.
something like, xp_cmdshell may cause attacks.
i need ur help plz and will appreciate ur response and su... more >>
IIS Snap-In rights question
Posted by dusty at 6/14/2006 1:44:02 PM
Is there a way for a non admin to run the IIS 6 admin snap in tool? We would
like for our web admin to continue administering IIS, but because of AD
policies, he is pulled out of the local admin group and can't connect to IIS.
TIA... more >>
SSL Certificate Help
Posted by Gerry at 6/14/2006 7:51:02 AM
We have applied a "test" certificate on a production server, and now the
certificate has expired. We have installed the MS CA on a domain controller
and want to request a new certificate from that CA. However, the certificate
is still "in use" on the IIS server, so I cannot request a new certi... more >>
Authentication
Posted by Eng.Rana NO[at]SPAM gmail.com at 6/14/2006 7:33:25 AM
Hello All,
i was wondering what is the main difference between the windows
authentication and mixed mode authentication??
according to security recommendations, we should enable windows
authentication, rather than mixed one, i don't get the point why do we
refuse the mixed mode authentication... more >>
SSL and IIS 5.0
Posted by Ed Sitz at 6/13/2006 12:27:32 PM
Interesting issue with a site that uses SSL and IIS 5.0. All of a sudden
today, we couldn't browse to the site using SSL. All attempts simply
timeout. Nothing in the logs. Take SSL off of the site and it works fine.
Certificate is good through September of 2006. I even removed the
certi... more >>
FTP Server
Posted by Jake at 6/13/2006 9:12:02 AM
I am looking at setting up an external facing FTP server. Are there any
guides on how to secure on FTP using IIS 6? Or are there better solutions?... more >>
SSL using locally generated certificate
Posted by Lonnie Massey at 6/12/2006 5:05:01 PM
I'm getting ready to secure my Outlook Web Access 2003 with SSL. The web
server is running Windows 2000 (IIS 5.0), and the Certificate Server is on
the Exchange server (Win2003). I've set up a test folder, created a
certificate using Certificate Authority, and installed it on my web server.
... more >>
Anyone know about streaming .wmv ?
Posted by JethroUK© at 6/11/2006 10:25:45 PM
I've asked before without success but:
How do you protect streaming video (.wmv) from being stored (saved as a
file)
I have to make hundreds of teaching aids via streaming video (from my pc)
and i would obviously like to prevent end user from stealing them all
I've been told previously th... more >>
test a web service?
Posted by JethroUK© at 6/11/2006 9:35:59 PM
is it possible to test your own web service from the host machine?
first time i set up a web service i couldn't access it via web browser and i
tried lots of things, thinking it wasn't working - but when i tried it from
remote pc's it was actually working fine
it does make it difficult to te... more >>
IIS 6.0 Integrated Security
Posted by Bradley Morris at 6/8/2006 2:13:02 PM
Can someone please explain to how to configure IIS 6.0 for the following
scenario and requirements? And, if it cannot be done, can you tell me why?
This was easy to do in IIS 4.0 and 5.0. All you had to do was set the web
site and connection string to use Integrated Security.
Scenario
1.... more >>
problem downloading exe file on server 2003 iis with sp1
Posted by techy at 6/8/2006 1:03:44 PM
i am having problems setting up a page to allow the download or run of
an EXE to do an installation routine with IIS 6.0 on windows 2003
server
msi runs fine
Internet Explorer cannot download esinst.exe from myserver
Internet Explorer was not able to open this Internet site. The
requ... more >>
SSL on an IIS cluster
Posted by Jacob Hahn at 6/8/2006 5:29:02 AM
I have a active-passive cluster on Windows 2003 servers that is running IIS,
I am having problems installing the SSL certificate on both nodes. The SSL
certificate was created for the cluster name resource, “www2.mydomain.edu”
and that cert was installed on node A without a problem. Using ... more >>
IIS 6.0 .bat File no access
Posted by Ben at 6/7/2006 12:15:03 PM
I installed a W2003 Server with ASP. The ASP File has to start a .bat File.
But it doesn't work. Has someone a guideline or can help me? On IIS 5.0 it
works without a problem... more >>
Obtaining a Machine Certificate via Web Enrollment
Posted by bkmonroe at 6/7/2006 12:00:47 PM
I have a Windows 2003 Enterprise CA setup to auto-enroll domain computers
with a machine certificate for the purpose of L2TP VPN. This works great.
The problem is getting a machine certificate for non-domain computers. When
going to enroll for a certificate via web http://servername/certsr... more >>
child Folder named system disappears then can't delete its parent
Posted by Mark S at 6/6/2006 3:30:51 PM
When I create a folder on our windows 2003 server IIS 6 web server, and
create another folder inside that one called "System", it changes it back to
"New Folder", then disappears. When I try and delete the parent folder it
won't allow me to delete it and says the folder is not empty. I have view
... more >>