Alik Levin's : IIS 7

Securing IIS7 - Windows Server 2008 Security Guide

alikl — Thu, 28 Feb 2008 22:09:42 GMT

Windows Server 2008 Security Guide is out.

It covers many crucial aspects but my favorite of course is IIS7 chapter:

Chapter 6: Hardening Web Services

This chapter provides prescriptive guidance for hardening the Web Server role. The chapter discusses how the Web server role installs Microsoft® Internet Information Services (IIS) 7.0, which has been redesigned into forty modular components that you can choose to install as needed.

It points to the following resources:

IIS 7 Great Finds - How To Setup IIS7 On Vista, Bulk Web Site Creation, ASP.NET Pipeline Integration With IIS7

alikl — Sat, 06 Oct 2007 12:45:56 GMT

I started to get used to new version of IIS7 without installing early builds of Windows Server 2008 but using my Vista machine. IIS7 comes built in, it is just not configured with default installation. Several colleagues asked me to provide them with the step by step how-to for configuring IIS7 on Vista. I was about to post it but Wenlong Dong already has done fantastic job describing it - IIS7/WAS Installation. His blog is focused on performance too - my new passion. Subscribed!

On Mike Volodarski's blog I found interesting Fastest way to create IIS7 websites, applications, and application pools. Mike's side bar also pointed me to even more interesting article on IIS web site - ASP.NET Integration with IIS7. Subscribed!

IIS 7 Configuration File - applicationHost.config - Password Management

alikl — Tue, 24 Apr 2007 22:52:57 GMT

From my learning of IIS7 I understand that IIS7's metabase is actually XML configuration file very familiar to me and similar to ASP.NET's web.config. It is called applicationHost.config and sits in C:\Windows\System32\inetsrv\config

My first interest was to see how it manages passwords when specifying specific accounts for application pool.

I created demo application pool called xxxx, then I created demo account and specified my application pool to run under it. Then I navigated to C:\Windows\System32\inetsrv\config\applicationHost.config and opened it Notepad. I needed to run Notepad as administrator since UAC prevents from opening it directly into Notepad (I cannot say it about Visual Studio, which opens it gladly without running as Administrator). The following picture depicts what I found there:

Seems like the password encrypted using RSA and the cipher was stored in the config file, not the clear text password.

Very cool.

Where is the key? Digging deeper...

I learned it from:

http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=992&p=3

http://www.iis.net/default.aspx?tabid=2&subtabid=25&i=992&p=4

Enjoy

Basic Steps To Make ASP.NET Web Site CardSpace Aware

alikl — Mon, 09 Apr 2007 15:26:35 GMT

From short investigation and a lot of information from Richard Turner's screencasts

Here is what I get. To make my ASP.NET app I need:

Write ASP.NET server side code to validate the token that holds end user's data, further processing might include checking against membership provider - CardSpace Simple Demo screencast on Channel9
Add client script code to specify CardSpace object and its properties, like required claims. This will trigger CardSpace UI to show up for the end user - CardSpace Simple Demo screencast on Channel9
Configure IIS to require SSL connection - New Screencast: How to configure IIS7 for Windows CardSpace sites
Give application pool account read access to private key for the server cert that actually gives SSL support. This is needed for decrypting the XML token in the server code for its further deserialization - Secure your private keys more easily with Vista

I got it right? Forgetting something?

IIS 6.0 Was True Love, New Romance Is About To Begin - IIS 7

alikl — Sun, 08 Apr 2007 00:01:41 GMT

I just could not hold it back - it is midnight and I am watching Richard Turner's screencast - New Screencast: How to configure IIS7 for Windows CardSpace sites

It was humiliatingly :) easy to set up test server cert, so I've done it, here is the prove:

Next he talks about how to configure it for CardSpace - I stopped watching since I know if I continue I may end up watching the sun set together with my laptop.

Richard, good job!!

Good night.