Recent Discussions
IIS hardening with CIS standards - tools and options
Hello IIS experts. Please suggest on best strategy for hardening on-prem IIS farm to CIS standards. I'm also interested in recurring audit of the results. There is a number of commercial products allowing to scan IIS for CIS Benchmarks. The latest "CIS Benchmark for Microsoft IIS 10" available to download in PDF format free of charge at https://www.cisecurity.org/cis-benchmarks/. However in this instance CIS does not offer "Build kit". Depends on product to be hardened, CIS "build kit" can be set of scripts, GPO policy or similar to allow rapid hardening deployment. Since there is no Official build kit I'm looking for alternatives. Can you please share your experience on this subject? I found few blogs but those are quite old.
How to Host a Rails App on IIS: Seeking a Simple Approach
Hello, Iโm having trouble hosting my Rails app on IIS (Windows Server 2019). Unfortunately, I donโt have the option to choose a different server since the app will be hosted on an on-premise server, which also runs other applications on IIS (Windows Server 2019). Iโve read numerous discussions on this topic, and the most common feedback is that โitโs painful.โ However, I havenโt been able to find a clear, step-by-step guide or solution. So far, Iโve come across the following options: Hosting with a reverse proxy Hosting with WSL Hosting with Docker However, Iโm looking for a more traditional approach to hosting the app, similar to how one would typically host an application in other languages. As a developer with limited experience in server management, Iโm not sure where to start. If anyone has any tips, tutorials, or guidance, I would greatly appreciate your help!
Temporary error 403 on images
I've been having the following problem for some time now. Some images are repeatedly not displayed on the website (error 403). These are also linked as an image. If I click on the link, they appear without any problems. When I refresh the page with cache turned off, different images are affected. Does anyone have an idea? for instance www.salzlandkreis.de/bildungkultur/ringheiligtum-poemmelte/impressionen http and https same behavior
IIS issue - apsnetcore.dll not found
Hi, I am working on upgrading a server from 2012 to 2022 (on AWS). I have installed a fresh 2022 instance and have sued webdeploy to copy the entire IIS configuration from the 2012 server to the 2022 server. To try to further bring the server up to date, the 2012 server is running .Net 2.x and on 2022 I have installed .Net 8.x When I launch the 2022 server IIS runs but my websites won't come up - I keep getting a 503 error. When I look in the Event Viewer the error message I see is "apsnetcore.dll not found". I have spent some time trying to identify how to rectify this but so far have not been successful. Could anyone please give me any suggestions to try to find a fix ? TIAChunked data through IIS
I am trying to chunk data through iis but it is not happning I tried <rewrite> <outboundRules> <!-- <rule name="Remove Content-Length" stopProcessing="false"> <match serverVariable="RESPONSE_Content-Length" pattern=".*" /> <action type="Rewrite" value="0" /> </rule> --> <!-- <rule name="Add Chunked Encoding" patternSyntax="ECMAScript"> <match serverVariable="RESPONSE_Transfer-Encoding" pattern=".*" /> <action type="Rewrite" value="chunked" /> </rule> --> and <rule name="Transfer-Encoding chunked"> <serverVariables> <set name="RESPONSE_Content-Length" value="" /> <set name="RESPONSE_Transfer-Encoding" value="chunked" /> </serverVariables> <action type="CustomResponse" statusCode="200" /> </rule> and <httpProtocol allowKeepAlive="false"> <customHeaders> <!-- <remove name="Content-Length" /> <add name="Transfer-Encoding" value="chunked" /> --> <add name="X-Content-Type-Options" value="nosniff" /> </customHeaders> </httpProtocol> in these cases in response header transfer-encoding is coming as chunked but response body is not coming
IIS Logs have Incorrect Date Modified
I have a server that is creating daily IIS logs (stored local) with a timestamp in the Date Modified that have the incorrect date for the "current" log. Example: Today is 9-10-2024, the current log is named correctly(u_ex240910.log), has correct information inside, but the Date Modified Timestamp is 9-9-2024 7:00PM. There is also a log file for u_ex240909.log) which has correct information in it as well. I have dozens of IIS servers, and this is not an issue on the rest of them. The Logging feature in IIS Manager is setup identical on this issue server and working servers so I am stumped. Screenshot of "problem" server. Screenshot of "working" server: Screenshot of Logging setup in IIS Manager(which is identical on both trouble and working servers):
Calls from classic asp web pages to custom com+ soap web adaptor sequential/concurrent issue
Hi, I have a classic asp web site which uses a custom com+ app installed on the server to communicate with a custom soap web service. When I use the website installed on a Windows 10 Ent workstation running IIS 10 it behaves as needed, with separate web page hits making concurrent connections to the web service through the adaptor. However, when I use the site installed on a windows 2012R2 server running IIS 8.5 the actions from different web page hits are queueing and being processed sequentially. This is most noticeable when a series of actions are performed. eg If page hit (a) makes 5 sequential calls to the web service which might take a total of 60 seconds to complete, and then page hit (b) happens a few seconds after page hit (a), none of the actions from (b) are started until all 5 actions from (a) have completed. On the W10/IIs10 machine they are run concurrently. When I test using VBScript running under cscript.exe they run sequentially on both machines, so I am down to thinking that this is an IIS issue. Both instances of IIS and the com+ app are configured the same. The only difference I can see is that IIS Worker Processes info looks very different, with the "good machine" showing 8,412 Private Bytes and a very large 2,151,803,376.00 KB Virtual Bytes, and the "bad machine" showing 66,380.00KB Private and only 95,224 Virtual. The "bad" one has 64GB RAM and the good one only 16GB. This is very confusing because normally I would expect the server to perform better under load/multi-user conditions than the workstation, but this is the other way around. Any idea what may be causing the calls to be queued? Or perhaps it's not the com+ apps calls that are queued, it's just that subsequent pages not start processing until the previous page has finished waiting for a response?Can't add more than 60 performance counters for IIS at once!
Hi, I have a lot of sites under IIS installation (4000-5000 sites). Don't tell me why ๐ I'm trying to add all of them at once in Performance counter to see which one is consuming high traffic but the windows mmc is unable to add them at once, I can pick up maximum 60 sites. Adding them this way is just nightmare. Can anybody advice me how to add all of them at once using powershell script? ThanksHow to prevent Malicious HTTP Redirections on an Exchange server
Hello All! I am attempting to assist a customer who is trying to pass PCI scans. By default, their IP addresses redirects any HTTPS (443) requests to the Exchange server's OWA. This is fine, except the scan states that the server does not pass a couple of vulnerabilities, one of them being "Redirection via Arbitrary Host Header Manipulation". As a solution, they recommended whitelisting domains, only allow permitted domains to be included in the Host header. I (for the life of me) cannot figure out how to get this to work on a server who's default website is the Exchange OWA. Every time I try to implement a rule in IIS (see:https://techcommunity.microsoft.com/t5/iis-support-blog/host-header-vulnerability/ba-p/1031958) that would redirect any requests that don't match the supplied string to the desired domain name, the page won't load and I get "ERR_TOO_MANY_REDIRECTS" presumably because of Exchange's automatic OWA redirection. Is there a way I can prevent malicious HTTP redirections without breaking OWA? To clarify: there are two domain names on our DNS that lead to the IP address of the Exchange server: mail.domain.com andvpn.otherdomain.com, obviously one is meant for mail and the other one is meant for vpn access over port 8443. The main domain (domain.com) leads to a completely different IP address that hosts their public website. I would like to change the IIS settings on the Exchange server so that mail.domain.com is the only domain allowed to be requested through an HTTP request.
Book about IIS and PHP?
I need help finding a book about IIS and PHP. I am looking for a book with example source code in PHP for use with IIS. Most books for PHP pertain to Apache. I am trying to have a jumping off point with PHP but am intrigued by the corporate mystique of IIS and it's web applications.Disabling Certificate Revocation List (CRL) Caching on IIS 10.0
Background Hello, community members! I am trying to disable CRL caching on IIS 10.0 in order to be able to fetch updated version of CRL each time I make a request to my website. It is required for development purposes: I revoke or un-revoke client certificate, publish latest CRL on my CA and want IIS to check the latest information. Setup What I completed as a setup step: Exported root CA certificate and installed it on my computer by following these articles:HTTP Error 403.16 when you access a website - Internet Information Services | Microsoft Learnand Export Root Certification Authority Certificate - Windows Server | Microsoft Learn. Set "Accept" for client certificates on IIS. Checked following materials about IIS CRL settings: CRL checking by IIS - Microsoft Community Hub,HTTP_SERVICE_CONFIG_SSL_PARAM (http.h) - Win32 apps | Microsoft Learn,Disable Client Certificate Revocation (CRL) Check on IIS | Microsoft Learn. Actions What I am trying to do to disable CRL caching on IIS: Delete existing SSL binding for my website:netsh http delete sslcert ipport=0.0.0.0:3010. Add binding which tells IIS to download CRL each 10 seconds and not to cache it (see bold text):netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000. Bold text parameters mean that we enable CRL checking, refresh CRL each 10 seconds and set HTTP timeout for CRL download to 30 seconds (30000 milliseconds). Verify that the information has been updated. If CertCheckMode is set to 4, certificate revocation verification will be done by downloading the remote CRL, even if we have the valid cached CRL on the server. It ignores the cached CRL completely. Restart IIS or reboot the machine: iisreset. Clear CRL cache:certutil -urlcache crl delete. Publish new CRL and verify that it doesn't contain our certificate. Send not revoked certificate: 403 status has been returned by IIS.This means that IIS uses cached CRL and above-mentioned settings for IIS doesn't work. If I disable CRL checking it works:verifyclientcertrevocation=disable. CRL is reachable. Question What settings should I change in order to disable CRL caching on IIS 10.0? I want IIS to download CRL each time I make a request to it.using IIS URL Rewrite module for HTTP to HTTPS
I have installed the URL Rewrite module in IIS 10 to redirect HTTP calls to HTTPS, and I have attempted to set up the redirect but have not gotten it working on one server. Here is the issue: Server1 with IP 1.1.1.1is running IIS with an https enabled website. An outside DNS has assigned gohere.comto IP 1.1.1.1. When users attempt to get to http://gohere.comthe connection times out and it is not redirected to https://gohere.com Accessing https://gohere.comworks without an issue. Here is the rewrite code from the web.config file. <rewrite> <rules> <rule name="HTTP to HTTPS" patternSyntax="Wildcard" stopProcessing="true"> <match url="http://gohere.com*" /> <conditions> <add input="{HTTPS}" pattern="^OFF$" /> </conditions> <action type="Redirect" url="https://gohere.com" appendQueryString="false" /> </rule> </rules> </rewrite> I have also tried using match url=".*" Any ideas on what might be causing the issue? Or something to try to get it working? Thanks! JimError: Connection got closed prematurely, some technical error
My ftp site is mickftpsite.com, 99.242.126.196 I messed up some technical thing with my win 10 IIS ftp site. I do not know what it is. I ran ftptest.net with this result... Status: Resolving address of mickftpsite.com Status: Connecting to 99.242.126.196 Warning: The entered address does not resolve to an IPv6 address. Status: Connected, waiting for welcome message... Error: Connection got closed prematurely The warning is of no consequence. The various reasons to get the "closed prematurely" message do not seem to apply. After much trying of various things I decided to start over from the beginning. I started over like this... I checked... ports forwarded in router 21, 80, 443, 30000-65000 In firewall... open those ports both inbound and outbound, allowed Microsoft ftp server private and public, allowed ftp traffic in, 4 categories Also to get a clean new install... stopped ftp service removed ftp site from iis turned ftp off in Windows Features [uninstall] created a new folder for the ftp root and checked permissions: c:\inetFtp Re-installed iis ftp [Features on] restarted IIS and Ftp Service I meticulously went thru the install steps following 2 or 3 of the many on line blogs Have gone through all of those settings a few times and they are each OK A couple of other things.. I do not know what these actually do but I ran them hoping that something in the configuration would get reset... net stop WAS net start w3svc So conclusion, something technical in the background, not necessarily in inetmgr, possibly in the Registry, is messed up. Any suggestions are appreciated ๐ Thank you, Mick
peculiar problem with my website, https://mickwebsite.com
I have a peculiar problem with my website, https://mickwebsite.com, which I host on my home desktop computer using IIS 10. The website is accessible over mobile data but not over WiFi. Specifically, I am not able to run the website from a browser [Chrome] on the host computer; While I can run it from another device [my phone] using mobile data, I am unable to run it over WiFi from that device. I have verified that my website is accessible by mobile data from anywhere in the world using Hostinger.com I get this response: This site canโt be reached. mickwebsite.com took too long to respond. I ran a Win 10 trouble shooter to access my website and received this feedback... resource (mickwebsite.com) is online but isn't responding to connection attempts. and this... The remote computer isnโt responding to connections on port 443, possibly due to firewall or security policy settings, or because it might be temporarily unavailable. Windows couldnโt find any problems with the firewall on your computer. I have never had any "security policy" settings? I have done and checked all of these... port forwarded 80 and 443 redirected http to https allowed Chrome through the firewall removed all chrome add-ons tried with an alternate browser: MS Edge tried with firewall off as well as on ensured all proxy options set to off I have also done these... power off-on computer power off-on modem ipconfig /flushdns netsh winsock reset Suspecting the problem is a setting in the modem, I ran all of the tests in the modem Troubleshooting > Network Diagnostic Tools. All returned successful results I ran the Wi-Fi Spectrum Analyzer Data in the modem. It returned a page of data with no obvious error indications. I am at the end of anything I can think of to try. Any help appreciated ๐ Mick
Recent Blogs
- 5 MIN READIIS Crash Dump Collection A Comprehensive Guide to Diagnosing IIS Crashes Table of Contents What is Crash? What is Exception? How to Verify Same? What Logs Can Be Collected? What is D...Dec 03, 2024
- Issue Most of you have encountered situations where you have used IIS URL Rewrite to redirect traffic from one site to another. But in some cases, rewrite rules fail to work as expected and ret...Dec 19, 2024
