Wednesday, December 30, 2009
IIS Security: Semi-colons in URL
IIS security guy Nazim Lala has just blogged about an IIS 6 security issue related to the use of a semi-colon (;) in a URL. It's not much of an issue if your IIS 6 server is properly configured. Good example of how best practices can make your day. For more technical info do read the blog and check your servers for anything like that. It's always better to double check than to suffer, right...
Have fun... Hopefully see you in new year!!!
Update: Info also present on MSRC Team Blog
Monday, December 28, 2009
Why should I use Web Platform Installer?
This is one question I have often heard from a lot of people. I had written about this a long time back and yet find it interesting enough to give it another shot.
For those who are not aware... Web Platform Installer is a free tool from Microsoft which lets you download, install and configure tools and utilities under the Microsoft Web Platform umbrella. So that includes IIS, Web Tools and Extensions from Microsoft, Runtime Frameworks, Development tools (these are Express editions, of course) and a lot of open source frameworks and applications. More info at www.microsoft.com/web
I recently had a demo for an event and wanted to ready a few VMs on which of course I had to get IIS and a few other tools up and running. Once the basic OSes were installed I downloaded, installed and configured IIS, PHP, Web Developer Express Edition, SQL Express Edition and a few open source apps on 4 different machines in a matter of 1/2 hour. Sounds real fast and cool huh!
All I had to do was install Web Platform Installer from http://www.microsoft.com/web/downloads/default.aspx on each of the machines, choose all that I wanted to and the rest was taken care of by WPI.
Some advantages I found of using WPI are:
- I don't have to worry about dependencies.
- I don't have to worry about the IIS version. It works on IIS 6, IIS 7.
- If a certain IIS extension was made for IIS 7 then it doesn't show up when you are running Windows Server 2003.
- I don't need to know what are the latest IIS extensions from Microsoft. They are all mentioned in Web PI with their status (Beta, RC or Live Version).
- If a reboot is required then Web PI will come up automatically once you reboot and log in. This is cool because now it will continue from the place it left off.
- It does download and install simultaneously. Example: If you have selected 4 items to be installed, WPI will install the 1st item as soon as it is downloaded and start downloading the 2nd item simultaneously. Here again it is smart enough to go through the dependencies 1st and then to the actual item.
- User friendly.
- WPI has been successful in bringing a good mixture of both Microsoft and Non-Microsoft open source applications for us to take advantage of.
Other than this you can now (in V2) install and configure media components and include a custom feed (Example: feed of your enterprise application) as well from WebPI. Kateryna from IIS Team has more info on that here and here.
Note: For the people who have had hard time installing PHP on IIS 6 or IIS 7 you really should try it out through WEB PI. It feels like a walk in a park.
Have Fun!
Saturday, December 5, 2009
Where is the IIS Admin Service in IIS 7???
Question:
Hello, I am pretty new to IIS 7. I have just recently started working on IIS 7 test boxes at my office. I installed default IIS 7 and was very happy but I think I have missed something as I am not able to find the IIS Admin Service. However, my IIS box seems to be running fine. On my IIS 6 production box I can see the service and IIS 6 does not work at all without the IIS admin Service started. What am I missing?
It might sound a little new to you but the IIS Admin Service is not required in IIS 7 as long as you are not using the IIS Metabase compatibility feature or FTP 6 publishing services.
The interesting fact is not that IIS can run without the IIS Admin Service, but how? :)
This is where you need to understand what the role of the IIS Admin Service is and why it is not required in IIS 7. For the basics, let's start with what services are in general. Services are basically programs that run in the background performing core operating system functions, usually without any required input from the user. IIS Admin Service is one such service, wherein the user doesn't have to do anything.
Now coming to what IIS admin service does: IIS Admin service is responsible for managing the metabase (the configuration repository in IIS 5, 6). In IIS 6 metabase is in xml format and can be edited and read in plain text editors like Notepad. The service runs under inetinfo.exe and is governed by iisadmin.dll primarily. IIS admin service makes the metabase available to applications that are dependent on it including IIS core components as well.
Having said that, the implementation of the IIS Admin Service is pretty much the same in IIS 7 except that the configuration of IIS 7 is no longer dependent on the Metabase. IIS 7 still stores its configuration in XML format; however, the schema, depth and granularity of the configuration are entirely different from what they were in IIS 6. Therefore the IIS metabase is no longer required in IIS 7 and exists only for compatibility reasons, that is, if you wish to install the IIS 6 compatibility components of IIS 7. The configuration is now stored in the administration.config and applicationHost.config files, which are at c:\windows\system32\inetsrv\config\. If you are familiar with .Net configuration then this will seem like a welcome change to you. IIS 7 configuration can also be governed via web.config files within your apps. For more info on the new architecture model check my previous post.
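The split described above can be checked directly on a server. The following is an added example, not part of the original post; it assumes an elevated 64-bit PowerShell session on the IIS 7 box and that the ServerManager module (Windows Server 2008 R2 and later) is available for the feature check.

```powershell
# Added example: confirm IIS 7 is running from applicationHost.config
# and see whether the legacy IIS Admin Service is present at all.

# W3SVC and WAS are the services IIS 7 needs; IISADMIN is the legacy one.
foreach ($name in 'W3SVC', 'WAS', 'IISADMIN') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        '{0,-9} {1}' -f $name, $svc.Status
    } else {
        '{0,-9} not installed' -f $name
    }
}

# IIS 6 Metabase Compatibility is the optional feature that brings IISADMIN back.
# If nothing on the box needs it, leaving it off keeps the legacy surface away.
Import-Module ServerManager -ErrorAction SilentlyContinue
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name Web-Metabase | Select-Object Name, Installed
}

# The IIS 7 configuration store named in the post.
$configDir = Join-Path $env:windir 'System32\inetsrv\config'
foreach ($file in 'applicationHost.config', 'administration.config') {
    $path = Join-Path $configDir $file
    '{0,-26} present: {1}' -f $file, (Test-Path -LiteralPath $path)
}

# Read sites and bindings straight from the XML, no metabase involved.
[xml]$cfg = Get-Content -LiteralPath (Join-Path $configDir 'applicationHost.config')
foreach ($site in $cfg.configuration.'system.applicationHost'.sites.site) {
    foreach ($binding in $site.bindings.binding) {
        '{0} (id {1}): {2} {3}' -f $site.name, $site.id,
            $binding.protocol, $binding.bindingInformation
    }
}
```

On a default IIS 7 install the first loop reports IISADMIN as not installed while W3SVC and WAS are running, and the sites are still listed from applicationHost.config.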
Hope this answers your question.
Thursday, December 3, 2009
Troubleshooting: .Net 2.0 Setup requires .Net 4.0 Runtime
I recently came across this problem when I was attempting to create a setup project for one of my applications... I say attempting because I am not a developer but I like to amuse myself sometimes with some code here and there... So I have Visual Studio 2010 Beta 2 installed on my Windows 7 which by the way ROCKS!
I created the application.. I created the setup project ... fixed some minor issues and there... cleaned some code... and finally the build succeeds... and I have the application with me...
I test it on my machine and everything goes smooth and I love it... Now here's the thing... I run it on my server which by the way is running Windows Server 2008 and I receive the lovely pop-up as shown below:
I was very sure my projects were created with .Net Framework 2.0 in mind... I couldn't make out as to why it was asking for .Net 4.0? What I knew for sure was .Net 4 apps can be written with Visual Studio 2010. So it was time to open my code again... I check my code I check everything around to see if anything refers to .Net 4.0. Couldn't find any. I checked the properties of the helper project for the setup and it showed what I wanted to see:
.Net Framework 2.0 ... I knew I was missing something... so I go back to my setup project and check it again ... this time a bit more carefully and in consultation with someone (Harish Ranganathan) who has far more experience than me in writing code... and pretty soon enough we get to the Detected Dependencies view in the Setup Project which had .Net Framework as a dependency... I had seen that previously... Never cared much about it thinking that my project indeed needed the .Net Framework to work... What I had missed was the generalization...
Yes my project needed .Net 2.0 framework but that never explains the same generalization is going to be applied by VS 2010 now... is it?
That question was answered by the Properties window when checked for .Net dependency. Take a look:
My mistake couldn't be shown more clearly than this... :) Once I changed that to .Net Framework 2 everything's good...
Hope this helps...
Sunday, November 15, 2009
Virtual Tech Days: November 11-13 2009
I gave a session on IIS 7.5 for developers in the recently concluded Virtual Tech Days ... It was good to see the amount of participation and enthusiasm people had with every session being conducted.
Virtual Tech Days is an online event wherein every session is delivered on Live Meeting. These sessions are based on latest technology offerings from Microsoft, driven by various evangelists and product team members. Virtual Tech Days as the name suggests are completely technology driven and hence one can expect rich demos showcasing examples related to the latest technologies...
My session was part of the Web Platform sessions lined up over a period of 3 days. I basically focused on architectural changes from previous IIS versions to IIS 7.5. Moving on we discussed the ASP.Net processing model and then discovering WEB PI and a few IIS extensions.
Later on, I briefly introduced the 2 managed code APIs (MWA & MWM) to the audience for web development. I had the pleasure of a solid Q&A session for 15-20 mins which was very exciting to me.
Virtual Tech Days is held almost bi-monthly these days and information can be obtained from www.virtualtechdays.com