Is safe give write permission to site own folders
Hello, I have a website that needs write permission in its own folder to download a file from another domain and update the html. Example: wwwroot / site / views / shared / x.html. It doesn't seem to be...
2020 LDAP channel binding and LDAP signing Impact on IIS Integrated windows...
I have a question related to the security update (2020 LDAP channel binding and LDAP signing requirement for Windows). We are using IIS Integrated Windows Authentication for our ASP.Net application. And...
SFTP or FTPS
Dear all, good morning. I am consulting you about the following: I have an IIS 8.5 running on a Windows Server 2012 R2, and a client who sends me the following request: 1) Public IP of C****, so that...
IIS Windows Authentication prompts for site pages multiple times,...
This refers to IIS 8.5. "authPersistSingleResponse" is set to false. The site has a default landing page, written in ColdFusion, but doesn't do anything more than print HTML and basic JS to move around...
HTTP 401 for WebDAV client (Windows)
I am trying to map a drive letter in Windows to a public web server (for custom Lenovo driver updates repository). In order for that to be possible, I learnt the web site needs to have WebDAV module...
SChannel certificate stores
Without using the ISC_REQ_MANUAL_CRED_VALIDATION, can I control which stores the Schannel uses for certificate validation? I want to use my own custom stores as trusted stores.
Default iis message 40* is break security
Is returning the standard iis message from 400 family errors a vulnerability issue like headers? My reasoning: I'm not returning the headers, but the iis 404 error is different from apache, so an...
Server Sending RST ACK immediately after received Client Hello
My webserver is unable to handshake with A10 Load Balancer. As traced through Wireshark, the connection from A10 LB is getting reset by my webserver immediately after it received Client Hello from A10 LB....
MinBytesPerSecond for Slow HTTP Post Attack
I recently received a Qualys report which listed - SLOW HTTP POST as a vulnerability with my application. I have checked the various countermeasures, and configuring - MinBytesPerSecond, in the...
IIS 10 - PHP v7.2.2 installed via Web Platform Installer - how to update to 7.3
Hi, we installed the PHP via WebPI tool in 2018/04/09 which was the version 7.2 for IIS, today the PHP is already in 7.3.4 accordingly to www.php.net website but if we open the WebPI it offers only PHP...
IIS ARR route with SSL to backend server
Hello Guys, I have a question about IIS ARR + backend server farm member route. I know that client could communicate with ARR server with HTTPS protocol. What i need to...
How to enable TLS session resumption or Optimize TLS handshake on Windows 2016
Hi, We are facing issue on windows 2016. The issue is when more than 15-20 users request token the W3wp (IIS 10) and lsass.exe using 100% CPU. By monitoring using WPA and Network Monitor we saw TLS...
Has anyone had success with TLSv1.3 and IIS10?
Microsoft recently announced TLSv1.3 support for Windows Server 1903 here. I'm trying to test it out using IIS10 but having issues - has anyone else attempted to get this working? To enable TLSv1.3, I...
IIS and OCSP Stapling
Hello, I have configured my web server for OCSP Stapling by following the steps described in this article: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings But I still...
Attack and new files created
Hi everyone, I have suffered an attack to my site. The hackers got to execute server code so that every time a user uploads a file, this new file includes the pool user with every privilege (you can go...
IIS Client Certificate Mapping/Authentication Does Not Appear to Work...
Hi, Apologies in advance for the length, but I wanted to thoroughly document my analysis of this issue. I have spent an inordinate amount of time (weeks and weeks) Googling/researching/testing/debugging...
Windows Authorization from PHP client app
Hello, I have two PHP apps - an API service and a client - running on separate IIS servers on the same domain. My intent is to be able to authenticate a request using Windows Auth, such that I do not...
Disable TRACE verb
Hi Everybody, I have disabled the TRACE verb on a couple of sites on my IIS server. 1 of the sites still returns 200 OK to the curl command, all other sites return 404 not found (as it needs to return). anybody...
Windows Server 2019 disable legacy TLS in IIS via certificate binding is...
When we read about "TLS version enforcement capabilities now available per certificate binding on Windows Server 2019", it sounded perfect. However we cannot get it to work? We are using IIS10 on...
CustomError Execute URL shows 403.18, when running in different AppPool
In IIS10, we have a custom error application (CustomError) that is running under an application pool (CustomErrorAppPool). We have a few more web applications, for example RootSite running under separate...