Lynn's slides - Jan 2008 Allup » SlideShare
Original slides and session recordings - http://www.msdnevents.com/resources/2008-winter-resources.aspx
HelloSecureWorld - http://www.hellosecureworld.com
'How Do I?' Security on MSDN - http://msdn2.microsoft.com/en-us/security/bb896640.aspx
SDL - Security Development Lifecycle on MSDN - http://msdn.microsoft.com/msdnmag/issues/07/11/SecDefects/default.aspx
Design Guidelines for Secure ASP.NET sites - http://msdn2.microsoft.com/en-us/library/aa302420.aspx
MS Anti X Scripting Library - http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en
Using RegEx - http://msdn2.microsoft.com/en-us/library/ms998267.aspx
Encrypting Web.Config - http://msdn2.microsoft.com/en-us/library/53tyfkaw.aspx & http://msdn2.microsoft.com/en-us/library/system.configuration.sectioninformation.protectsection.aspx
ViewStateUserKey - http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx
Best Developer security book ever - Writing Secure Code 2 - http://www.microsoft.com/mspress/books/5957.aspx
Security horror stories - XSS attack - http://www.davidairey.co.uk/google-gmail-security-hijack/
What is the advantage of using the Anti XSS libraries vs. simply using Server.HtmlEncode?
The following is an excerpt from .NET Data-bound Web controls & (anti)XSS - Some Considerations:
Further information such as the following can be found at Microsoft Anti-Cross Site Scripting Library V1.5 is Released!
Great Article with example attacks.
General site - http://www.iis.net/default.aspx
Virtual labs - http://virtuallabs.iis.net/
Video - http://www.iis.net/default.aspx?tabid=2&subtabid=26&i=1141
Asli Bilgin whiteboard on IIS 7.0 for developers - http://news.zdnet.com/2422-13569_22-153107.html
How to set up WAS - http://www.devx.com/VistaSpecialReport/Article/33831
About svcutil - http://msdn2.microsoft.com/en-us/library/aa347733.aspx
About appcmd.exe - http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-the-Command-Line/Getting-Started-with-AppCmd-exe
WCF hosted in IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Hosting-Web-Applications/Windows-Communication-Foundation--WCF-/Writing-a-Web-Service-hosted-in-IIS7
Intro to ApplicationHost.config - http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-XML-Configuration/Introduction-to-ApplicationHost-config
Deep Dive IIS 7.0 configuration - http://www.iis.net/articles/view.aspx/IIS7/Use-IIS7-Administration-Tools/Using-XML-Configuration/Deep-Dive-into-IIS7-Configuration
Security Changes between IIS 6.0 and IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Configuring-Security/Changes-between-IIS6-and-IIS7-Security
Output caching in IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Managing-IIS7/Optimizing-Performance/Using-Output-Cache/IIS7-Output-Caching
Developer Center on IIS.NET - http://www.iis.net/default.aspx?tabid=7&subtabid=711
ASP.NET integration with IIS 7.0 - http://www.iis.net/articles/view.aspx/IIS7/Hosting-Web-Applications/ASP-NET/ASP-NET-Integration-with-IIS7
A module, similar to the ISAPI filter in previous IIS versions, participates in the request processing of every request in order to change or add to it in some way. Examples of some in-the-box modules in IIS7 include authentication modules, which manipulate the authentication status of the request, compression modules that compress the outgoing response, and logging modules that log information about the request to the request logs.
The module is a .NET class that implements the ASP.NET System.Web.IHttpModule interface, and uses the APIs in the System.Web namespace to participate in one or more of ASP.NET’s request processing stages.
A handler, similar to the ISAPI extension in previous IIS versions, is responsible for handling the request and producing the response for specific content types. The main difference between the module and the handler is that the handler is typically mapped to a particular request path or extension, and supports the processing of a specific server resource to which that path or extension corresponds. Examples of handlers provided with IIS7 include ASP, which processes ASP scripts, the static file handler, which serves static files, and ASP.NET’s PageHandler which processes ASPX pages.
The handler is a .NET class that implements the ASP.NET System.Web.IHttpHandler or System.Web.IHttpAsyncHandler interface, and uses the APIs in the System.Web namespace to produce an HTTP response for specific content it supports.
When planning to develop an IIS7 feature, the first question you should ask is whether this feature is responsible for serving requests to a specific URL/extension, or applies to all/some requests based on arbitrary rules. In the former case, your feature should be a handler, and in the latter, a module.
Developing Custom Handlers or Modules for IIS 7.0 - http://mvolo.com/blogs/serverside/archive/2007/08/15/Developing-IIS7-web-server-features-with-the-.NET-framework.aspx
IIS 7.0 Managed Modules Starter Kit for Developers - http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1302
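The module/handler split described above, as an added C# example that is not part of the original slides: a module that sets response headers on every request, next to a handler that serves only one mapped extension and encodes untrusted input before writing it. The namespace, class names and the `*.hello` extension are hypothetical, and the registration shown in the comments assumes an application pool running in integrated mode.

```csharp
// Added example; Demo, SecurityHeadersModule, HelloHandler and *.hello are
// hypothetical names chosen for illustration.
//
// web.config registration, inside <system.webServer>:
//   <modules>  <add name="SecurityHeaders" type="Demo.SecurityHeadersModule" /> </modules>
//   <handlers> <add name="Hello" path="*.hello" verb="GET" type="Demo.HelloHandler" /> </handlers>
using System;
using System.Web;

namespace Demo
{
    // Module: takes part in every request, whichever handler serves it.
    public class SecurityHeadersModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Subscribe to one of the request processing stages.
            app.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpResponse response = ((HttpApplication)sender).Context.Response;
            // Added before any handler runs, so every response carries them.
            response.AppendHeader("X-Content-Type-Options", "nosniff");
            response.AppendHeader("X-Frame-Options", "SAMEORIGIN");
        }

        public void Dispose() { }
    }

    // Handler: produces the response only for requests mapped to *.hello.
    public class HelloHandler : IHttpHandler
    {
        // The handler keeps no per-request state, so one instance can be reused.
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            string name = context.Request.QueryString["name"] ?? "world";
            context.Response.ContentType = "text/html; charset=utf-8";
            // Encode untrusted input before it reaches the HTML output.
            context.Response.Write("<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>");
        }
    }
}
```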