all groups > iis security > february 2008

general security settings
Posted by Dr. Mark Rhodes at 2/29/2008 9:00:54 AM
I am very new to IIS and the security issues of having our own web server. We have Windows 2003 Server with the latest updates and IIS 6. I just found the Resource Kit Tools and assume it might be helpful. Should I be concerned about changing some of the settings in IIS right from the begi...more >>


Looking for information to secure .Net in a hosted environment
Posted by Jeff Fink at 2/28/2008 9:34:53 AM
I've just installed .Net 1.1 and upgraded to 3.0 on my W2K3 server and I want to lock down ASP.Net so that my hosted users can't see each other's folders on disk. The disk is already secured via NTFS with separate user and anonymous accounts for each hosted customer. But I don't want ASP.Net to...more >>

IIS 6 secure site sign-on and file level security
Posted by E-Double at 2/27/2008 1:41:01 PM
When setting-up a secure area of a website that is using NTFS file level security and AD user & group accounts to set the access permissions, is there a timeout period for users once they enter the secure area of the site? And would this work differently with either HTML pages or ASP pages? ...more >>

Client certificates on non-domain Server 2003
Posted by Jeff Prater at 2/26/2008 7:39:34 PM
Hi. I'm trying to set up a secured website on a Server 2003 machine. I would like to require user authentication through the use of certificates. This is a stand-alone web server and certificate server and we are not on a domain. I have installed the certificate service on one server and I ha...more >>

Is it possible to disable NETBIOS and still allow NTLM and Kerberos authentication?
Posted by Brad Baker at 2/24/2008 11:46:23 PM
We've been informed by a security auditor that we need to disable NETBIOS on our network. That seems simple enough to do, but we are concerned that doing so may affect NTLM authentication which we use for several web based applications (as well as Kerberos). Does NTLM or Kerberos utilize NETBI...more >>

Programmatically assign certificate on IIS server
Posted by Bala at 2/22/2008 3:40:11 PM
Hi All, We want to programmatically assign certificate on IIS server. We are able to assign the certificate, but the website does not work on https after the assignment. I think we are missing some step while programmatically assigning the certificate to IIS server? We are doing the assignm...more >>

HTML works but not ASP
Posted by jeggebeen at 2/22/2008 1:05:01 PM
I've configured IIS 6.0 on Server 2003 including enabling asp extensions. HTML pages are accessible, but ASP pages give a 401.3 error. Both the HTML and ASP pages are in the same folder? What permission would be missing?...more >>

Force HTTPS to forward to HTTP?
Posted by Brian Madden at 2/22/2008 10:48:00 AM
Hello All, Is there an easy way to prevent people from accessing certain pages via HTTPS? Basically Google is indexing some pages via HTTPS, and we'd just like to forward people to the HTTP version if they happen to accidentally land on an HTTPS version. My first thought was to just setu...more >>



Microsoft IIS Patch Level Security PCI loophole
Posted by MarkB at 2/22/2008 2:18:09 AM
Hi, I run a security scanner for PCI credit card (Visa, MC) shopping cart compliance periodically on my web site, which, upon a recent site scan on our domain, returned a failing test. The reason that the test did not pass was because it maintains that the Microsoft IIS Server is running at a p...more >>

Multiple websites assigned to one IP
Posted by Marcin at 2/21/2008 8:37:03 AM
Hi all, We have multiple websites assigned to the same IP, now each website needs SSL certificate assigned to them. Is it possible to install SSL based on Host header Value instead of IP address? I've read somewhere that it is possible but I cannot find the article anywhere. Please advise....more >>

ISA URL filter
Posted by Johnny E. Jensen at 2/20/2008 11:52:07 AM
Hello Not sure this is the right news group, but one spec. on ISA couldn't be found. My problem is: In the period of time (e.g.) from 08:00-11:30 AND 12:00-17:00 I want to only allow some outgoing URL In the other time during a day all URL should be allowed. Can ISA handle this? K...more >>

Error 403 if using SSL (https)
Posted by Helga Baas at 2/19/2008 9:00:01 AM
Hi there, I have a big problem and I did not find a solution so here is my last hope. I have a Windows Server 2003 with IIS6. There I have a virtual Host with host header kb.koou.at I want to secure this whole virtual host and so I created a certificate and installed it on the website. If...more >>

IIS on Port 8888, needs login
Posted by stsong@hotmail.com at 2/15/2008 12:16:05 PM
Hi All, I have a Windows 2000 Advanced Server with XAMPP and IIS installed. I am in the process of getting rid of XAMPP but the old PHP web application has to run until my new .Net 2.0 is done. I have enabled anonymous access in IIS 5, Integrated Windows authentication checked. Everything I g...more >>

IIS 6 and a legacy ISAPI filter
Posted by banesong at 2/15/2008 4:54:29 AM
Let me preface my problem with the statement that we are in the process of migrating from W2k/IIS5 to W2k3/IIS6 and I [an old Perl hack] am having to try and make an ISAPI filter work on the new platform. The ISAPI approach might not even be the most efficient/ best approach to the situation, b...more >>

Certsrv on a remote server
Posted by Ryan Hanisco at 2/11/2008 2:26:44 PM
Everyone, I have an environment that uses a Stand-alone CA to issue certificates to remote users from a public web site using web enrollment. This cert is used for authentication for another web site. Right now I have a server farm behind load balancers, but only one of them is configur...more >>

IIS Digest Authentication and Domain Password Changes
Posted by Joe Cormane at 2/8/2008 11:02:32 AM
I have a security scenario where people in remote offices change their passwords then attempt to connect to an IIS-hosted application at my site before the replication interval. I know that Windows polls the PDC emulator to see if password changes have occurred, however, I wasn't sure if IIS ...more >>

Howto refresh IIS 6 Application pool identity credential info ?
Posted by Peke at 2/8/2008 5:35:04 AM
Hi, We are having problems with the following situation. If we change security settings for an application pool identity (something like putting it in a security group (to have NTFS access on a folder, accessible through a virtual directory in IIS)), the access is only granted after IISR...more >>

Browsing Default Web Site (SharePoint) with IIS Problem
Posted by Ross Culver at 2/7/2008 1:13:06 PM
I recently added the domain controller role to my IIS server so it could be our 'backup domain controller'. Long story short, I ran into major problems and had to demote this server. Demoting it forced the server back into a workgroup so it had to then be rejoined to the domain. Fine. On...more >>

Migration to new hardware
Posted by Janet at 2/7/2008 10:01:01 AM
I'm migrating to new hardware (Server 2003, IIS6, SQL2005) from old hardware running exact same software. Migrated a few sqldatabases. Set host file to point websites to same box to test. I've set all websites to .net 2. Posted one website (.net 2) using Visual Studio just to test and eve...more >>

The Local Security Authority cannot be contacted
Posted by clintmazur at 2/4/2008 1:09:02 PM
I have a load balanced SSL Web site on IIS 6.0 connecting to a SQL database on another server. I use Kerberos to authenticate my users against the SQL server, but recently I'm getting an error stating 'The Local Security Authority cannot be contacted' when I hit the site. Does anybody have an ...more >>

¿How_can
Posted by Carlos R. at 2/4/2008 12:49:00 PM
Greetings. We have Windows Server 2003 with IIS 5.1. I need to know how to avoid that the users doing Download of files (.pdf, .xls, .doc) that they see in our Intranet through browser of IE 6,0 and 7.0..???? ...more >>

Baffling IIS/ASP Security Issue
Posted by Paul at 2/1/2008 2:09:18 PM
Someone please help me with this perplexing access problem. I've been struggling all day with it. Here's the scenario: Windows 2003, IIS6, running Classic ASP application, with basic authentication against our domain. I've given "engineering users" access to the wwwroot for the site. So f...more >>

