Thursday, August 24, 2006

One of the most frequent questions I hear is not so much about IIS but about some "add-on" features like FTP. The IIS team has said various things at different times about topics like WebDAV, secure FTP, and FPSE (FrontPage Server Extensions). I asked the PM in charge of these things about what's going on and here's the official word.

  • There will be an updated FTP server that will include FTPS, not SFTP.
  • There is a plan in place to provide FPSE equivalent functionality/compatibility. Hopefully there will be more details on this forthcoming.
  • They are also working on a DAV provider.

Ok, I know that's vague, but trust me - it's less vague than usual on these topics. The key point here is that the "plan" is to have these capabilities in IIS 7. I put plan in quotes because even though it is not foreseen, plans can change.

If you have questions, post them here or on IIS.net forums.

Thanks,

Brett

 

Thursday, August 24, 2006 9:57:57 PM (GMT Standard Time, UTC+00:00)
Wednesday, August 16, 2006

The IIS team is meeting this week over lunch where they have someone present to the extended team details about what's going on with IIS 7. It's cool 'cause you get to see everyone at once that you don't normally see in the same place and because it's a chance to review what's going on with each of the major section areas. Today the topic was security and Thomas Deml discussed some of the new features. Some of these details haven't been highlighted much so I thought it would be good to go over them.

#1 Best security feature and top ranking improvement of all time for IT Pros: the IUSR account is now a built-in account. In other words, it's not a local account anymore like it is on IIS 4-6. You can finally copy your content from one IIS 7 to another and permissions you've set like "Deny IUSR Execute" will be good on the target system. That's a big help for replication and recovery.

#2 The IIS_WPG group goes away. You will no longer need to assign application pool identities to the IIS_WPG. Any application pool identity is automatically assigned to a built-in group that has the right memberships to host the w3wp.exe process.

#3 Request Filtering: This is a managed module that lets you control what kinds of requests will and won't be allowed to access the server, site, or application. Sort of like URLScan but lets you have different rules for different places.

#4 .NET Role/Membership Providers: You can use any .NET role or membership provider as the store for users and groups. This works with Forms auth of course so you can implement forms authentication for any content, like static files, .asp, .cfm or whatever you like - and store your users in just about any store you like - ADAM, XML, Oracle, MySQL, Access, SQLExpress2005, whatever you like.

#5 Hidden Namespaces: This is actually part of request processing but deserves to be called out separately. You can declare a namespace as hidden so a folder like "Secrets" cannot be accessed. This protects folders like App_Data and App_Code for example.

#6 Skinny Install: When you install IIS 7, you do NOT get equivalent functionality to IIS 6. Since IIS 7 is more modular, it is possible to install less and still deliver some content. So, in keeping with the mantra "install only what you need", Microsoft isn't making assumptions about what you need except that since you said you wanted IIS 7 installed, there's a decent chance you want the web server installed. However, if you want ASP.NET, or CGI capability, or even Windows Authentication, you'll have to ask for it. See http://brettblog.com/PermaLink,guid,d4f6c28c-83c5-4166-a805-61cb968172e6.aspx for details.

#7 Reduced Footprint: By removing modules you don't need from the server, you have reduced security exposure. This is not quite the same thing as #6. Skinny install is my own slang for the new reduced install feature set. That translates to fewer modules, but you could potentially take things down even further. The point here is that the feature set of IIS 7 is tweakable to host only those you require, thereby reducing the footprint and attack surface.
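The per-scope rules described in #3 and #5, as an added configuration example (not from the original post or from the IIS team). It assumes the request filtering section names used in released IIS 7 (`requestFiltering`, `hiddenSegments`, `fileExtensions`, `verbs`), which postdate this post; the `shop` application path and the `Secrets` and `.bak` entries are placeholders.

```xml
<!-- applicationHost.config fragment; added illustration, not from the post -->
<configuration>

  <!-- Server-wide rule: inherited by every site and application -->
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Refuse a verb that none of the hosted sites use -->
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Extra rules for one application only ("shop" is a placeholder).
       Entries here are added to the inherited collections. -->
  <location path="Default Web Site/shop">
    <system.webServer>
      <security>
        <requestFiltering>
          <!-- Any URL containing /Secrets/ as a path segment is refused -->
          <hiddenSegments>
            <add segment="Secrets" />
          </hiddenSegments>
          <!-- Keep stray backup copies of source files from being served -->
          <fileExtensions allowUnlisted="true">
            <add fileExtension=".bak" allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>

</configuration>
```

Requests refused by these rules are logged as 404 with a sub-status that names the rule (404.6 verb denied, 404.7 file extension denied, 404.8 hidden namespace), which makes blocked probes easy to pick out of the IIS logs.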

If you (or I) think of any more, I'll add them.

-brett

Wednesday, August 16, 2006 6:37:32 AM (GMT Standard Time, UTC+00:00)
Thursday, August 10, 2006

This article is by Technical Evangelist Michael Jurek. He has written a couple of IIS 7 modules that I use extensively in demonstrations. Technically, this is a handler rather than a module, but the point is the same - to illustrate how you can use managed code to modify the behavior of the HTTP request processing pipeline.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dniis/html/iis7run.asp

This article includes code for a managed handler as well as how to add a page to the IIS 7 UI to configure the application. Extending the IIS 7 schema is also involved.
 
The handler itself adds a copyright and optional watermark to any .jpg. After this handler is installed as a global module, then any .jpg on the server will have a watermark and copyright on it when rendered by the server. Very cool. All you have to do is drop the image on the web server, and IIS 7 takes care of the rest. My guess is that there are a great many sites that deal with images for sale that are going to be interested in something like this.
 
Just take this idea and stretch it out a bit. What if you wanted to process other kinds of content in some other way? For example, say you wanted to have every page rendered by the server or some folder delivered as a PDF. Perhaps add a special tag to a URL like /?ShowasPDF and have a module pick up the tag and convert the output on the way out?
 
How about a module that took an Office document and stripped out comments and revisions for unauthenticated users? Or attached corporate metadata, encryption, tags, disclaimers to all Office documents delivered by the server?
 
How about a module that does CardSpace authentication, language translation, convert to speech, or send any page to an email address?
 
The possibilities are endless. This is going to be fun stuff.
 
-brett
Thursday, August 10, 2006 7:09:25 AM (GMT Standard Time, UTC+00:00)
Monday, August 07, 2006

I enjoyed this post by my friends at port80software on eWEEK's assessment of AJAX security.

Fear, Uncertainty and Doubt in Web 2.0

Features such jewels as:

eWEEK should be ashamed of statements like:

"By exploiting shortcomings in AJAX programmers' work, hackers may also be able to gain access to Web applications themselves and wreak havoc with online businesses." 

OK, I know fear mongering sells magazines, but let's rephrase that to ridicule eWEEK properly:

"Bad guys can do bad things if they can get into your site because you didn't do things right."

and

You can see eWEEK’s clear misunderstanding here:

"Now [an attacker] is inside your application and can create a pipeline that allows them to see all the function names, variables and parameters of your site," Hoffman said.


Hello? Inside the application?  When I view Amazon.com or any other site, I am inside their application, by this way of thinking.

---

By and large, I agree with the sentiment that there is far too much fear mongering going on. I have a lot to say on this topic. More later.

-brett

 

 

 

Monday, August 07, 2006 6:21:03 PM (GMT Standard Time, UTC+00:00)
Sunday, August 06, 2006

Longhorn server has some cool features but only a handful get any attention. Buried in the feature set is a complete overhaul of the TCP/IP stack. When I first heard about massive speed improvements with file transfers from using Longhorn, I was skeptical (which I usually am, believe it or not, of such claims). However, the source had a lot of credibility - it was Casey Jacobs from who manages Microsoft.com. Over lunch one day he was detailing to me how they had done some preliminary testing on file transfer speeds. The results were so astounding they rechecked their numbers. I have been hesitant to make any public claims since I haven't confirmed their testing nor has the IIS team formally tested this scenario (yet). But I found where Casey blogged about it.

(http://blogs.technet.com/mscom/archive/2006/07/11/441154.aspx)

Below are results from copying a 199MB file between Microsoft data centers:

  • Pull from W2K3 in CA to W2K3 in WA:  ~2:12
  • Pull from W2K3 in CA to Longhorn in WA:  ~0:12
  • Pull from Longhorn in CA to Longhorn in WA:  ~0:04

This is a big deal improvement. IIS 7 will of course benefit from this. Based on this, we can speculate that IIS 7 will make an outstanding base for delivering large media files, VPCs, gigabytes of log files or other reports.

 

In fact, it might be possible for your Windows 2003 Server, when upgraded, to suddenly saturate your bandwidth!  Casey's tests reported they achieved >890Mbs per server. 

 

Casey quickly gets to this point:

 

With these gains in network utilization, there is a paradigm shift in what network utilization amounts to network congestion.  Previously with each client/server connection taking a relatively small portion of the available bandwidth over latent links, it was much easier to determine when network link utilization was becoming an issue.  Now, two servers can fill a 1 Gig WAN link all by themselves, .

For further information on the TCP/IP changes in Vista and Longhorn:

 http://www.microsoft.com/technet/itsolutions/network/evaluate/new_network.mspx

 

-brett

 

Sunday, August 06, 2006 8:48:53 PM (GMT Standard Time, UTC+00:00)
