all groups > iis security > april 2008
Windows 2008 IIS7 403 - Forbidden: Access is denied.
Posted by Michael Mowry at 4/30/2008 5:32:21 PM
I have a base Windows 2008 installation and took an HTML website
working in IIS6 and moved it to IIS7. I cannot resolve the 403 -
Forbidden: Access is denied. error that I am getting. I have tried
changing the user for anonymous authentication and have successfully
tested the connection. I ha...
XSS Cross-Site Scripting - Can you enable XSS in IIS 6.0/7.0?
Posted by Travis McGee at 4/28/2008 7:32:32 PM
I know you could do XSS in the past with IIS 5.0 until it got plugged, but
now I have a "real need".
Is it possible to loosen up the security in a controlled fashion?
...
Log on Locally user right for IIS Lockdown servers
Posted by <-> at 4/28/2008 3:35:05 PM
Hello,
This is a very belated followup to the below issue, I am the original
poster. I recently was creating a new OU structure and new security policy
and during testing it was noticed that in fact happened on a server that has
a web-app that uses Windows integrated authentication, which ...
IIS integration against a non-Windows KDC
Posted by Blake at 4/28/2008 10:45:21 AM
I am running a Windows IIS machine (standalone) and would like to allow
users to authenticate against our existing back-end KDC (MIT Kerberos realm
authentication).
IIS is running a COTS app, so I don't have any flexibility to muck with the
code.
Ideas?
Thanks
Blake
...
IIS authentication
Posted by sjs at 4/25/2008 12:13:15 PM
I have an internal-only web app which I want to use a Windows Integrated
Security to control access. I set up the Properties - Directory Security -
Authentication and Access Control ensuring Anonymous Access is NOT checked
and Integrated Windows Authentication is checked.
I'm hoping the cre...
IIS / SSL / Site Security / Multiple Sites
Posted by Travis McGee at 4/24/2008 2:51:51 PM
Have a question about an IIS server with multiple commerce web sites and
single SSL certificate
Here is the scenario (single server, single static IP)
www.TheCompany.com this top level company website has the SSL certificate
www.Product1.com \\CompanyServer\c\web\Product1
www.Product2...
Is HTTPS Url Exposed?
Posted by Izorich at 4/24/2008 12:27:00 PM
HTTPS protocol transfers data using encryption. Is request URL encrypted or
is it available in plain text when packets are transmitted? I'd like to use
query part of URL to pass request id and I wonder if that request ID is
encrypted or not.
for example:
https://host/page.aspx?myId=myIdV...
Delegated Kerberos through a CGI
Posted by AWillemsen at 4/24/2008 6:50:04 AM
Hi,
I'm trying to get a CGI to use delegated Kerberos authentication. The
environment is IE6 on the client (A) and IIS6 on two servers (B and C).
Delegated authentication is working with ASP, according to
http://support.microsoft.com/kb/314404 but when I substitute the CGI for
"Test1.as...
IIS6, IIS7 and VS2005
Posted by Paul Calderon at 4/23/2008 6:34:42 PM
I'm developing a web application with DCOM interfaces.
When I run the application from VS2005 (internal Web Server), I don't have
any problem accessing to the DCOM hosted by another machine.
When I run the application from a virtual directory configured in IIS 7
(Windows Vista), I can acc...
Getting SPNEGO HTTP headers to a CGI?
Posted by schlenk at 4/23/2008 6:25:08 AM
Hi all,
trying to get the following setup to work:
Http SPNEGO SPNEGO via CORBA
IE <---------------------> IIS <---> CGI
<--------------------------------> AppServer
So basically using IIS as a primitive frontend for an AppServer that
can do Kerberos Auth i...
CGI limitations?
Posted by ElCarso at 4/21/2008 8:48:00 AM
Hi everybody,
I wonder why it is forbidden for a CGI application to do certain things,
which I consider quite harmless from a server point of view, like for
instance play a sound or encrypt/decrypt data.
I have a CGI application that runs from within a CGI folder on a Windows
Server 2003....
IIS with localhost
Posted by Jack at 4/19/2008 6:17:40 PM
Hi,
If I start using IIS service on my machine, would my machine be exposed to
intruders from the outside world? Would that be a good idea to disconnect
the cable modem every time I start the server?
I want to test my app locally and safely within my own "virtual" network but
don't want to ...
Domain Authentication for IIS located in DMZ
Posted by Richard Alexander at 4/17/2008 1:06:03 PM
I currently have a Windows Server 2003 domain running Active
Directory (doamin.local). We set up and installed an IIS server in the DMZ for
customers to be able to access order status (using local ids and passwords). We
have now decided to set up a site for our Outside sales employees to be able
to...
IIS/Network Service registry audit failure for Disallowed certific
Posted by TimG at 4/16/2008 7:38:02 AM
We are required to have failure auditing on the HKLM\Software and HKLM\System
registry hives (implemented recently) and now we are getting several thousand
of the following event in just a couple of days. Why does it need all the
WRITE, Set, and Create access privileges? No IIS problem has b...
URL Redirect Flags
Posted by newsgroups.comcast.net at 4/15/2008 9:02:57 PM
Having trouble with my URL redirects. I would like to redirect from
safe.check.com to safe.mydomain.com:2200, but want to hide the port. Is
there a flag that would limit the address in the browser to
safe.mydomain.com?
Would seriously appreciate help on this.
Thanks,
O. J. King
...
Kerberos and ASP NET application
Posted by dragonsjmd@gmail.com at 4/15/2008 4:36:34 AM
Hi All
First time poster to this group, and this is my first experience
looking into the intricacies of Kerberos.
Anyway, I've developed a vanilla asp .net application. It has a web
tier which connects to a web service which talks with the SQL server -
a very standard set-up. I have set the...
HTTP 401.2 - No permissions: login failed because of server configuration
Posted by bob at 4/14/2008 10:59:27 PM
Hi,
my configuration: windows xp prof sp2 with IIS 5.1.
I have several asp.net applications some using login/password (with
Anonymous authentication set in IIS) and others using the windows account
(with Integrated Windows Authentication).
When testing the application on the IIS ser...
what is Property ID?
Posted by Cam at 4/14/2008 4:03:01 PM
I have enabled auditing of the IIS Metabase. Now when a change is made, an
event similar to the following appears in the Security event log:
Event Type: Success Audit
Event Source: IIS-METABASE
Event Category: Object Access
Event ID: 4505
Date: 2008/04/14
Time: 4:06:18 PM
User: DOMAIN...
intranet cross forest trusts
Posted by Paul at 4/14/2008 9:58:31 AM
Hi,
We have two 2003 AD forests with trusts in place and we are in the process
of building an intranet. We have set the security to Windows integrated
authentication. When a user in forest1 (the one that also has the web server)
tries to access the site it works fine. When a user in forest2...
Virtual Directory in IIS 6.0 point to a remote network share probl
Posted by OutOfTouch at 4/12/2008 3:36:00 PM
Hi,
I have a virtual directory in IIS 6 pointing to a network share using a
specified username/pwd to connect to the share. I can see that it connects
properly but I can not browse the web root folder, I get an HTTP 500 error. I
am unsure of what is wrong or what to change. The actual websit...
Disabling OPTION Command in IIS6
Posted by Will at 4/9/2008 4:12:14 PM
A web vulnerability tester is complaining about our IIS 6 server that it
supports the "OPTION" command. What is this and is there a way to cleanly
disable it in IIS 6?
--
Will
...
Error: No access ACL Settings
Posted by Björn at 4/8/2008 5:02:40 PM
Hello together,
I have the following question:
I want to enable anonymous access for a HTTPS-website.
The website is located in a local path on the IIS-server.
I have set up the following:
properties of the website -> security:
Authentication:
activate anonymous access; I have set a va...
Problem while creating virtual directory programmatically.
Posted by Bala at 4/7/2008 7:28:10 PM
Hi All,
I am trying to create a virtual directory programmatically using the
following code, it works fine, but when I try to create with the same
name again, I get exception. If I use different names for virtual
directory no issues, and I am actually deleting that virtual directory
be...
Intranet web server security
Posted by mattie at 4/6/2008 1:58:02 PM
I have a Win2K domain and need to create an intranet web server. I'm
concerned about the security, will do a clean install of Windows 2000
Server/IIS 5, and am referencing the following document,
http://windowsitpro.com/articles/print.cfm?articleid=22274 but I'm still
concerned if the steps...
Minimum Permissions for IUSR Account
Posted by Will at 4/5/2008 4:00:47 PM
By default, IIS 6 puts the special IUSR_<machine-name> account into the
local Guests group. Unfortunately our standard installation environment
for Windows 2003 has a number of settings that are hostile to guest
accounts. Does anyone have a list of which of the following the special
IUSR acc...
SSL - multiple sites only one has SSL however typing https on the others brings up SSL site
Posted by philipdowling@gmail.com at 4/3/2008 2:33:42 AM
Hi All
Apologies if I am in the wrong area.
The problem that I am having is as follows:
We have a number of different websites hosted on the same server
(which is running windows 2003 service pack 2 and IIS) we'll call them
siteA, siteB, siteC
ONLY siteC has an SSL cert applied.
Everyth...
Kerberos
Posted by CK at 4/1/2008 2:03:49 PM
I can not get Kerberos to work on my web server. I have done all of Ken
Schaefer's troubleshooting techniques, still to no avail. I created a test.htm
page and when I hit it, I check the security event log and it is still using
NTLM. Any ideas why Kerberos is not running? I am ultimately trying ...
IIS ASP.NET configuration
Posted by Ricky Chan at 4/1/2008 1:31:28 PM
I just found that we can see the database connection string in plain text
via the IIS ASP.NET configuration even though the connection string is encrypted in
web.config file. Is this a security hole?
...
Any way to display a "bad password entered" message at https logon
Posted by Sandy Wood at 4/1/2008 10:25:04 AM
Our management wants us to be able to display a message when users attempt
to log on to one of our secure sites. Now if a user enters an incorrect
password, the logon window just flashes and clears out any username and
password that was entered. Short of writing custom code, is there any way
...