Community Server

In this part we extend, slightly, upon the previous scenario, by adding delegation. Now we need to allow IIS, in our resource Forest (or domain) to delegate the end user’s credentials, to a backend service (SQL Server in this case):The machines this case are:MachineDomainIP ...

Note: I have created a list of all the IIS and Kerberos parts  I'm finally getting around to writing this section on IIS and Kerberos. This initial post will cover the basics of a cross-Forest Kerberos authentication scenario. In the next few posts we'll cover more complex situations including delegation and ISA Server ...

Last week I was in Seattle attending the Microsoft MVP Summit for 2008. Certainly this year's summit was much better organised than some previous summits in terms of interaction with the IIS product group. Whilst we've seen a bunch of interesting stuff coming out from the product group over the past few months (WebDAV, MSDeploy, ...

As some of you may be aware, Cesar Cerrudo of Argeniss presented a session at the just completed Hack in a Box conference where exploit code was demonstrated that allows certain code running with restricted privileges (e.g. Network Service) to gain high privileges (e.g. LocalSystem). The exploit appears to rely on the fact that certain ...

Here's a useful little module I didn't know even existed, but it appears to have been added to the Microsoft download site in the past couple of days. It allows for bit rate throttling of common, supported, media files when served by IIS 7.0. IIS first sends the first twenty or so seconds of data at the fastest possible rate, and then ...

Today Microsoft released to the Microsoft download site WebDAV modules for Windows Server 2008 / IIS 7.0 in both x86 and x64 versions. These are also available from the www.iis.net website. Robert McMurray has written a page explaining how to configure the new WebDAV module.

Well, the book is finally a reality. I received my copies today - yay! You can buy a copy from Amazon.com or your favourite bookstore now.

Note: previous articles Windows Server 2008 and IIS 7.0 introduce some changes to the way that you need to implement Kerberos support. The three major changes that I'm aware of are:Service Principal Names (SPNs) no longer need to be registered under the account that the web application pool is running under. Instead, in a default ...

Hi all, There are two security patches out this month for IIS. The first (MS08-005) affects Windows XP x86 (IIS 5.1), Windows XP x64 (IIS 6.0), Windows Server 2003 (IIS 6.0) and Vista RTM (IIS 7.0). Vista SP1 and Windows Server 2008 are not affected. This is a local escalation of privilege vulnerability, and requires that the attacker be ...

Windows Server 2003 SP1 introduces kernel mode SSL. Windows Server 2008 takes this one step further and introduces kernel mode authentication. This can be utilised by IIS 7.0 applications to improve performance. It also has implications for Kerberos authentication and management of SPNs.Consider the following scenario: Ensuring Kerberos AuthN for ...