Tuesday, January 13, 2009

SANS published a list of the top 25 reasons systems are hacked. Evidently, a consortium of people, including Microsoft, participates in this list. The list is a who's who of problems that continually plague systems, ranging from improper coding, to improper permissions, to running processes in privileged accounts.

It is a solid list and I would recommend that you inspect it for anything you aren't already looking for:

http://www.sans.org/top25errors/#s4

IIS | IIS 7 | Reference | Security
Tuesday, January 13, 2009 11:38:03 PM (GMT Standard Time, UTC+00:00)
Tuesday, January 06, 2009

Wanted to postback to this article by Wade on the IIS team.

He summarizes this issue really well - in particular that topics lose focus due to the many posts and the lack of the ability to see information sorted chronologically when searching.

http://blogs.iis.net/wadeh/archive/2008/12/18/how-iis-can-help-with-sql-injection.aspx

Keep in mind that, as he points out early on, request filtering for SQL injections is a band-aid. Your applications should be written so they do not allow passing of invalid or risky strings to the server.

Thanks!

-brett

IIS | IIS 7 | Reference | Security
Tuesday, January 06, 2009 6:00:16 PM (GMT Standard Time, UTC+00:00)
Friday, March 07, 2008

Looking over the logs for search queries that wind up here, there's a need to post some FAQs now that IIS 7 is out.

Q: Can I install IIS 7 on XP or Windows Server 2003?
A: No.

Q: Where do I download IIS 7?
A: It's on the Vista or Windows Server 2008 DVD. Don't look for IIS7 on microsoft.com, it's not there.

Q: I have Vista, but don't see IIS 7.
A: Not all versions have IIS7.  See http://learn.iis.net/page.aspx/28/installing-iis7-on-vista/

Q: What happened to IIS_WPG?
A: See http://www.brettblog.com/2007/10/13/IISGroupsAndUsers.aspx

Q: What happened to the IUSR anonymous user?
A: See http://www.brettblog.com/2007/10/13/IISGroupsAndUsers.aspx

Q: Where is the mother lode of IIS7 info?
A: http://iis.net

Q: How do I disable IPv6?
A: Network properties for NIC

Q: How do I enable WebDAV (DAV) on IIS 7?
A: http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1579 Note that you will need to adjust the URLFiltering section to allow DAV (see http://learn.iis.net/page.aspx/354/how-to-configure-webdav-with-request-filtering/ )

Q: Where do I get the updated IIS 7 FTP Server?
A: http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619

If you have more questions you'd like to see on this list, let me know!

-brett

Friday, March 07, 2008 7:11:06 PM (GMT Standard Time, UTC+00:00)
Monday, December 31, 2007

A big shout out to IIS PM Kanwaljeet Singla.

File this under must-have details for IIS 7. Very practical info on IIS 7 registry keys.

http://blogs.iis.net/ksingla/archive/2007/12/30/list-of-registry-keys-affecting-iis7-behavior.aspx

-brett

Monday, December 31, 2007 6:03:07 PM (GMT Standard Time, UTC+00:00)
Saturday, April 07, 2007

Finally a document on HTTP.sys!

Just got a ping from the http.sys team alerting me to this link where you'll find a paper on http.sys on Vista and Longhorn.

http://www.microsoft.com/downloads/details.aspx?FamilyID=311f4be8-9983-4ab0-9685-f1bfec1e7d62&displaylang=en

-brett

Saturday, April 07, 2007 1:05:54 AM (GMT Standard Time, UTC+00:00)
Thursday, November 02, 2006

Seems like all I do these days is post entries about other people's entries. It points out that one of my main functions here is as a concentrator of content. It also points out my utter lack of creative output, but hopefully no one will notice.

Mike has posted an excellent piece on a detail in IIS 7 that will make a dev's life far easier. See http://mvolo.com/2006/11/01/iis7-modules-vs-iis6-isapi-memory-management.aspx for details about IIS 7 memory management.

-brett

Thursday, November 02, 2006 8:35:57 PM (GMT Standard Time, UTC+00:00)
Wednesday, October 11, 2006

If you're interested in some of the new stuff coming out of Microsoft, check out this just-posted content:

Developing Rich Experiences with Microsoft® .NET Framework 3.0 and Visual Studio® 2005

https://www.microsoftelearning.com/eLearning/offerDetail.aspx?offerPriceId=109340

You might think, "why do I care about this if I just do IIS 7?" The reason is that IIS 7 allows you to create applications using these technologies (aside from Avalon), and you WILL see IIS 7 applications that make heavy use of Workflow to track processes in applications as well as even determine which page to show in a web application. Imagine having an IIS 7 module that determined which pages to show based on a user's membership level, region, language, rights on the site, etc. CardSpace is a part of this too - and I keep saying this so get used to it - CARDSPACE IS HUGE. HUGE. In two-three years that is all you're gonna hear about. Finally, Windows Communication Foundation (for web services) has a big tie-in to IIS 7, as IIS 7 can host WCF services.

IIS 7 lets you take advantage of these technologies and offer them as modules or handlers to all your sites. Or extend them in an application to use in tracing and troubleshooting logs.

So, free training for developers interested in this stuff. This will not be free after Vista ships.

After you've looked at this, look at IIS.net on how to write a managed module or handler and let me know if you have a cool idea about how to integrate IIS7 and .NET 3.0.

-brett

IIS 7 | News | Reference
Wednesday, October 11, 2006 6:55:56 PM (GMT Standard Time, UTC+00:00)
