Disabling TLS 1.0 breaks IIS 7.5
Config: Server 2008 R2, IIS 7.5I am trying to pass a PCI scan. I have enabled TLS 1.1 and 1.2 and verified the protocols work.I have already disabled SSL 3.0, now I need to disable TLS 1.0. When I do...
View ArticleIIS7.5 RequestFiltering 404.19 - what sequence is denied?
I have configured requestfiltering but am getting a 404.19 in the logs.Is there a way to find out the sequence that is being blocked?The web address is :...
View ArticleModSecurity 2.9.0 RC2 doesn't work on IIS
Hi everyone,I want to use mod security to protect my IIS server so I installed ModSecurity 2.9.0 RC2: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc2I used the downloaded *.msi...
View ArticleSSL Certificate renewal
I am trying to renew a wildcard SSL certificate in Windows 2008R2 IIS V7.5.I have installed the p7b cert in to the certificates intermediate container (MMC, certificates, following Godaddy's article)...
View ArticleRedirect users based on given credentials
It is possible to create a site in IIS 7.5 to redirect external users to different sites based on the credentials they provide in the logon screen?px so user1 gets the company1.html & user2 gets...
View ArticleAUTH_USER without Windows Security Login
I have a Server 2008 64 bit SP2 IIS 7.1 server that is taking over duties for a 2003 box. Both servers are on the corporate domain. The 2003 box has Windows Authentication turned on (anonymous login...
View ArticleBest way to grant anonymous access to virtual directory mapped to network share?
On Windows 2008 R2/IIS 7.5 I need to create a virtual directory that points to a network share. The contents of the virtual directory need to allow anonymous access through IIS. To make this work, I...
View ArticleOCSP stapling not working
I run a website on Windows Server 2012 R2 (IIS8.5) and am busy beefing up the TLS security. Running SSL Labs tests against the machine shows that it is not using OCSP stapling. I have read in several...
View Articleenable TLS_FALLBACK_SCSV
I'm trying to enable TLS_FALLBACK_SCSV on my IIS server on Windows server 2012 R2.Some article's suggest creating a dword called UseScsvForTls with a value of 1...
View ArticleDisplay Mixed Content Warning
We have an ASP app with an ASP login screen, but the front end is Silverlight. The Silverlight app talks to WCF Services hosted inside the IIS hosted ASP app. The servers (2) have domain names, and in...
View ArticleSecurity behind Windows Security Integration
Hello,I have implemented the Windows Security integration for our application. Now I am concerning about the security behind this mechanism.We have set up the following scenario:IIS Application...
View Articleanonymous access with IIS7 and checking AD groups of user
Can someone please help me with this? I have a web page in IIS7. I am trying to set up anonymous access so it doesn't challenge the user for login, but validates that they belong to a certain AD...
View ArticleSSL (self-signed) IIS 7.5 and local address IP
I have Server Foundation with one card Ethernet - IP address 192.168.1.105. I set up also "My Web" in IIS 7.5 for using ssl binding: 192.168.1.105 https(443) and without host header (*).generated...
View Article[Mod_Security] Question about the configuration.
Hi everyone,I've made my mod_security worked for my server. I used this simple rule :SecRule ARGS "zzz" phase:1,log,deny,status:503,id:1When I got in to my browser and typed : localhost/a?=zzz. It gave...
View ArticleMutual SSL for Web Service in IIS 7
Hi,I required SSL Settings in my web site, when client call it, it will ask for Certificate Request, this is working fine,however, when they present Certificate, they received forbidden access 403 from...
View ArticleDifferent Domain : Application Not working
Hi, I have hosted a classic asp application in IIS7. It is using windows authentication mode. I need to access the application from different domains.but the application is working fine for only one...
View ArticleAuth failed from local IIS server - 401.1
Hi, im having a weird issue. I have Windows authentication setup on an IIS site (its a dynamics crm site). All is working well outside the web server, but i cant authenticate to the very site on the...
View ArticleRequestFilter for # character to stop XSS
I have seen a URL to test for XSS that has the following syntaxhttps://<website>/<page>/?#prettyPhoto=Not_FeelIng_Safe&%3Cimg%20src=%27x%27%20onerror=alert%287%29%3EBIf I add #...
View Article401.2 Errors When Debugging ASP.NET Application
I'm tired of wasting time on this issue.I'm working on an ASP.NET application that's been slowly built up over the years, and I suspect there is some error or conflict that is causing this problem.When...
View ArticleLogs not showing domain\username for 401.1 errors
Hi, hopefully someone can help me out...I've got a site in IIS 7 using Windows Authentication (Anonymous is disabled).Whenever I get a 401.1 on the site, the IIS logs don't register the domain\username...
View Article