- Posted to IIS7 - Configuration & Scripting by Switche on 03-12-2008, 11:57 AM
I am trying to manage custom membership providers via WMI's WebAdministration provider. I can add, remove, and modify membership providers, but I cannot set any properties on providers other than the "Name" and "Type" properties. For example, I need to manage the "ConnectionString" and ...
- Posted to IIS7 - Security by Switche on 01-24-2008, 4:37 PM
I am a Web host providing services to a large base of users.
The security model I am using has a separate windows user for each Web site (which I'll refer to as the site's "Anonymous User"), using Anonymous Authentication for each Web site, and each Web site is part of a shared application pool. The Application Pool Identity has ...
- Posted to IIS7 - Security by Switche on 11-29-2007, 5:32 PM
In response to anilr's last comment here; can someone provide a simple example of how a canonicalization bug can be exploited due to a Mime Map allowing access to .* file types?
I can understand the inherent file serving vulnerability of serving all unknown file extensions as application/octet-stream, but I don't see the connection of ...
- Posted to IIS7 - Security by Switche on 11-29-2007, 3:06 PM
I verified all my settings were still in place, then performed an iisreset. After the reset, I was indeed receiving the same 401 error denying access. I verified this in a new browser process as well. I re-added "NT Authority\Authenticated Users" back to the Users group and iisreset again, but I was still being denied ...
- Posted to IIS7 - Security by Switche on 11-27-2007, 7:30 PM
Thanks for your reply, anilr.
If this is the case, why does removing the "NT Authority\Authenticated Users" from "BUILTIN\Users" group not produce the same 401 error as removing the "BUILTIN\Users" group from the Web site home directory's ACL?
- Posted to IIS7 - UI & Remote Management by Switche on 11-27-2007, 7:22 PM
I am currently running Server 2008 RC0.
Using the example of the Handler Mappings feature on the Web site level, I have a Handler Mapping for the ".php" file extension that is set as a "Local" Mapping, as well as a few other "Local" Handler Mappings on the site.
If I now want to revert only the ...
- Posted to IIS7 - Security by Switche on 11-27-2007, 4:33 PM
Thanks for your reply and the information, Thomas. We'll be using delegation to control this, since using the AppCMD switch will still allow any future changes to each site made via ISM to affect both Web sites.
- Posted to IIS7 - Security by Switche on 11-27-2007, 4:29 PM
From my understanding, the default anonymous user for IIS is now named "NT AUTHORITY\IUSR", is now a built-in Windows account, and thusly can no longer be managed as a normal Windows user could.
I found that there is some kind of unlisted association of this account with the "Users" Windows group. For example, if I keep ...
- Posted to IIS7 - Security by Switche on 11-26-2007, 4:32 PM
On my server, I need to have two separate Web sites using the same physical path as the home directory.
However, the new settings model creates "web.config" files in physical directories when customizing IIS settings, so my sites are inheriting and/or overriding each other's settings. These settings must be unique to each of the ...