Channel: Security
Browsing all 1881 articles

How to set up request filtering to Abort Request instead of returning 4xx?

If you send a POST request with 10000 GB of data, even if this request is filtered by the request filtering module, IIS will download the 10000 GB of the request to later simply answer with a 4xx error! That...



dynamicIpSecurity seems to not be working

NOTE: When I ask for a specific static file (i.e. http://192.168.0.107/index.html) I have the behavior I describe below, but when I ask for the default document (i.e. http://192.168.0.107 => with I setup to...



502 - Web server received an invalid response while acting as a gateway or...

I have OS Windows Server 2008 Standard SP2 with IIS 7.0, on which a portal application is set up that has URL Rewrite rules. As per the web pen test report, we have to disable weak ciphers and protocols...


Application pool and Domain Accounts

Hi guys, I have a question regarding application pools with domain accounts. What are the least privileges that domain accounts need to have for maximum security (in case of a bug or zero day...


Authenticate against SQL with AppPool identity when Anonymous access is disabled

I have a situation which sounds similar to an old thread (https://forums.iis.net/t/1190853.aspx), except I'm looking for the opposite answer. I'm running an IIS site, with anonymous access disabled, so...



I can't get SSL to work on Windows Server 2012 IIS using the Self-signed...

I am trying to get SSL working on a Windows Server 2012 server.  I have created a "self-signed" certificate in IIS, bound a URL's HTTPS to it, but when I try to invoke the https on the url, I get Your...


Can I compress the 'Server Hello' response in a TLS handshake?

Hi fellow techs, Rather specific question I know, but here is my issue. I have a WiFi chip I'm trying to integrate into a new device; this device will be hitting a .NET web app over https using TLS 1.2. I...


Self-signed certificate in Application Request Routing not working

Hi, I am planning to use a self-signed certificate in an Application Request Routing environment for testing purposes. So I configured the certificate following this document...



Kerberos delegation suddenly stops working

I have a pretty standard IIS (v8.5) site set up with Windows authentication (negotiate) and delegation to another web service on our network. At first everything works as expected and the users can...



Server Name Indication (SNI) with Windows Authentication

We have the following setup in IIS 8.0 and the site is Windows Authenticated. One site is set up in IIS and uses both port 80 and port 443 for setting up multiple domains. Each domain is set up with port 443...


An unknown certificate on my IIS server.

Hello, I am looking at a Windows 2012 IIS server and I see a certificate WMSvc-myiisserver that has an expiration date of 1/20/2015 and it is using SHA1. I do not recall ever deploying that certificate...


Does IIS require administrator to set up an SSL certificate via...

I'm trying to set up an IIS SSL binding with a regular user account that has extra permissions. Here is the piece of code that sets up the SSL certificate: var siteName = "Default Web Site"; using (var...


Connect to multiple SQL Servers via multiple Windows Auths via IIS 8.5

Hi, Up to now, we've always used SQL Server Authentication to connect our web applications to our SQL Server databases using a "service" account. We don't want to have to maintain the SQL security for...



HSTS age settings

Hello, what is the downside of setting HSTS too high? Is it like TTL for DNS records? If I need to lower the HSTS in the future, will I have to wait for the clients to hit the site again? Thanks


Session Cookies in IIS

Hi, Recently we have done a vulnerability scan of the IIS web server in which we found the findings below, but we are not getting an option for how to close them. Need help to understand the steps if some things can...



IIS Client cert issue/bug?

I have a REST service hosted in IIS 10 that uses a client certificate on one of the endpoints. Under SSL settings I have the client cert as "Ignore" and have an authorization filter on the endpoint....


HTTP Page on HTTPS site.

Is there a way to have an HTTPS site on IIS, and enable HTTP for specific pages? For example, my site is https://mysite.com and my unsecure page is http://mysite.com/someDir1/someDir2/unsecure.aspx. I tried...



Using a custom account as AppPool Identity leads to 503

I need to use a user account as a custom identity for my App Pool. That user account is created and configured by a bunch of scripts which also register that account as a custom identity in the app...


Getting IIS to use the application pool identity when Windows Authentication...

Using Windows Server 2016. Have IIS set up, leveraging Windows Authentication to secure the directories, but want to leverage the application pool identity for SQL and other processes that may be...


Authorizing access with custom HTTP header

Hi, Is it possible to deny access to some resource based on the presence of some specific HTTP header? Is this functionality available out of the box, or does any specialized IIS module need to be...
