IIS 8.5 SNI – Fixing SSL_ERROR_BAD_CERT_DOMAIN

 IIS, Windows Server 2012  Comments Off on IIS 8.5 SNI – Fixing SSL_ERROR_BAD_CERT_DOMAIN
Jun 022019
 

As you probably know SSL certificates use the https protocol to encrypt communication between your web browser and the web server hosting the web site you’re visiting. You can always tell when your session has been encrypted because your browser will display a lock icon near the address of the site in the browser’s location bar. If your web site doesn’t already have an SSL certificate you really need to get one. Certain web browsers have already started identifying sites without SSL as “not secure” even if there’s no ecommerce function or data transfer and Google also announced they would lower a site’s search rankings if it didn’t feature SSL again regardless of the site’s function.

So as every good sys admin should do I have deployed SSL certificates for all my sites. Recently I installed a new SSL certificate for my blog but upon testing it afterwards to ensure everything was working properly I was presented with the unsettling error message below indicating Warning: Potential Security Risk Ahead. Clearly something was amiss.

image

 

SSL_ERROR_BAD_CERT_DOMAIN

When viewing the advanced details of the error displayed below I saw the error code SSL_ERROR_BAD_CERT_DOMAIN. Naturally I was surprised to see this error because I  knew my certificate had just been issued and wasn’t expired or using an old hashing algorithm etc. Upon closer inspection I could see the error was indicating the certificate was only valid for a different domain name which was not the domain of my site. This was a little confusing because I had just installed the new certificate and knew with complete certainty that it was registered in the name of my domain not the domain identified in the error message. The other domain name in question was also hosted on my server so this was a good clue to check site bindings.

 

Managing IIS Server Certificates

The next step was to double check the installed certificates. Using IIS Manager you can easily find and manage all of the certificates installed on the server.  This is handy when you need to quickly identify expiration dates for example but to see how the certificates are assigned you will need to check the individual site bindings.

image

One other way to see all the SSL certificate bindings is to run the following command:

This will output advanced details about all of the certificates installed on the server including the hostname:port and certificate store where the certificate is located.

image

 

IIS Server Name Indication (SNI)

The server hosting my site uses Windows Server 2012 R2 with IIS 8.5 which has a powerful feature for hosting SSL certificates called Server Name Indication (SNI). SNI allows multiple SSL certificates using different domain names to leverage a single dedicated IP address. Before IIS 8 this could only be accomplished with a wild card certificate.  So after reviewing the SSL_ERROR_BAD_CERT_DOMAIN error message I knew the issue had to be related to an incorrect IIS site binding related to SNI config.  As you can see in the picture below the SNI feature needs to be enabled by checking the box Require Server Name Indication. My site was sharing the same IP address as another site featuring a different SSL certificate and in my haste to install the new certificate I had not checked the Require Server Name Indication box. Once I did that and saved the settings my site was operational again without the security warning.

image

 

In Summary

Starting with IIS 8 scaling SSL certificates has never been easier thanks to Server Name Indication (SNI).  The caveat with this increased scalability is that you have to ensure your site https bindings are always set properly by checking the Require Server Name Indication box on the https binding. If not set properly your site visitors will be greeted by the Potential Security Risk warning related to the SSL_ERROR_BAD_CERT_DOMAIN error. Thanks for reading!

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Resolving IIS WMSVC Underlying Connection Was Closed

 IIS, Windows Server 2008, Windows Server 2012  Comments Off on Resolving IIS WMSVC Underlying Connection Was Closed
Dec 082018
 

IIS Manager Remote Administration is a handy tool for for a web server administrator when you have multiple servers to manage. This feature will save you the trouble of having to Remote Desktop into each server every time you need to touch IIS. With IIS Manager Remote Administration you can login to one server for example and then configure IIS Manager with connections to other servers that you manage.  Or depending on the security of your enterprise you could even configure IIS Manager on your workstation and connect to the other servers from there. This becomes especially helpful if your enterprise has extra layers of security such as two factor authentication to lock down Remote Desktop access.

 

The underlying connection was closed: An unexpected error occurred on a send

Usually it works great. However, sometimes you may encounter connection problems while attempting to connect to your other severs.  I recently experienced one such error as shown below. It was occurring at nearly the final step of the remote management wizard after authenticating with my admin credentials.   It indicated that The underlying connection was closed: An unexpected error occurred on a send.   I have used IIS Manager Remote Administration for many years and this was the first time I had ever seen this particular error.  I went through the usual trouble shooting steps of ensuring port 8172 wasn’t blocked at the local firewall on either end. So then I decided to try reproducing the error on some other servers that I support and sure enough each server had this same issue.

image

 

I work for a large corporation that follows the practice of Separation of Duties which simply means that several different departments are involved with installing, configuring, and deploying our Windows servers.  In my role as an IIS web server administrator I know that many hands have touched the servers that I manage before the server is ever released to my team.

Checking the Management Service Certificate

Another place I checked was the Management Service itself. From here I could see that the WMSVC certificate was correctly assigned.  I was beginning to feel a bit flummoxed at this point. Everything I had checked so far appeared to be configured correctly.

image

 

Checking Port 8172 Certificate Binding

At a loss for a clear explanation of why I was getting the error above I decided to check online to see if anyone else had ever experienced it.  Searching for the error online I saw a suggestion to check the certificate binding on port 8172 using NetshNetsh is a command line utility that allows one to modify or display numerous settings of a server’s network configuration. To check a server’s certificate bindings  you just execute the following command.

image

 

Scrolling through the output I arrived at the settings for port 8172 and I could see the Certificate Hash of the certificate being used for this port. Next I went back to IIS Manager to double check the certificates that were installed on the server.  In addition to the certificates of several applications hosted on the server I saw the WMSVC certificate.  This is the default certificate used to secure the remote management communication between servers.  At this point a light bulb went off in my head because I could clearly see the Certificate Hash of the WMSVC certificate was different than the Certificate Hash of the certificate bound to port 8172. In fact the certificate bound to port 8172 wasn’t even installed on the server.

image

 

Changing Port 8172 Certificate Binding

My conundrum was over. The next steps were pretty clear. I had to delete the existing certificate binding on port 8172 and then configure port 8172 to use the WMSC certificate. Here is the command to delete the existing binding for a port and IP address:

image

Here is the command to bind a new certificate to port 8172. Just replace XX below with the correct thumbrint of your certificate.

 

image

 

Back to the Remote Admin Wizard

After deleting the old certificate and configuring the correct one, I returned to the Remote Administration wizard and tried it again.

image

With the correct certificate configured on port 8172 I was finally able to complete the  Remote Administration wizard.

image

In Summary

IIS Manager Remote Administration is a handy tool for administrators to save time managing IIS without having to always use Remote Desktop to login to another server. If you have issues configuring remote management between servers be sure to double check the certificates that are installed as well as the bindings for port 8172 using Netsh commands. Thanks for reading!

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Using aspnet_regiis.exe to Encrypt Connection Strings

 ASP.NET, IIS, Windows Server 2008, Windows Server 2012  Comments Off on Using aspnet_regiis.exe to Encrypt Connection Strings
Feb 062016
 

When it comes to securing IIS web applications on Windows Server 20008 R2 or Windows Server 2012 R2 one typically thinks of firewalls, access control lists (ACL), and using an application pool identity. These security measures will protect a site from external threats . However, .Net configuration files which typically store username and password data are text files so anyone with admin access to the server can read their contents.  The only way to prevent prying eyes from seeing app.config or web.config passwords is to encrypt them. Fortunately encrypting the connectionStrings section of a config file is straight foward. You can also encrypt other configuration sections in addition to connectionStrings section. Encrypting and decrypting config files can be performed programatically using .NET Framework methods or by using the ASP.NET IIS Registration tool (aspnet_regiis.exe).  With the encryption commands you can target either the path to the config file or reference an IIS application name. In my examples I will be encrypting and decrypting the connectionStrings section with the .NET Framework 4.

 

Encrypting Configuration Sections

You will find aspnet_regiis.exe in the C:\Windows\Microsoft.NET\Framework\version\ folder.  With the .NET Framework you can use the builtin protected configuration providers RSAProtectedConfigurationProvider  or DPAPIProtectedConfigurationProvider to encrypt and decrypt sections of your config files. You can also create your own provider. The general synatax to encrypt a config section is as follows:

It is important to note when using aspnet_regiis.exe to encrypt or decrypt config files and you specify a physical path (rather than a web app name) the command is hardcoded  for a file named “web.config”.  If you are trying to run the command against an app.config you will first need to rename that file to web.config before running the command. Rename it back afterwards before using it. For this reason I find it easier to create a .bat file hardcoded with the necessary command syntax to encrypt my configs and then a 2nd .bat file to decrypt my configs.

On my Windows 2012 R2 server I have setup an IIS 8.5 site called domain1.com. For the example below I am using the builtin DPAPI provider to encrypt a web.config in c:\domains\domain1.com. The encrypted web.config is shown below.

 

encrypted-config

 

Decrypting Configuration Sections

Following steps above we have now encrypted the connectionStrings section of the web.config for domain1.com. Naturally We also need to be able to decrypt it. When decrypting a config section you do not need to specify the protected configuration provider. Just like when encrypting a config file we can target either a file path or IIS web application name. Here is the syntax to decrypt a configuration file section:

In my example below I decrypt the connectionStrings section of my web.config in c:\domains\domain1.com. As a reminder again when using the –pdf option we do not need to specify “web.config” in the syntax.

decrypt-config-connectstrings

After running the above command, the connectionStrings section of the web.config is decrypted as shown below. Once I am done editing my connection string I will follow best practices and encrypt the connectionStrings section again.

web-config-decrypted

Failed to decrypt using provider error

It is important to note that when encrypting your config files the encryption key is stored locally on the server which means if you need to move your encrypted config file to another server you will need to either decrypt the config file first before moving it to the new server or export the key prior to moving and install it on the new server.  If you move an encrypted config file to a server without exporting the encryption key you will receive an error like below indicating: Failed to decrypt using provider … Key not valid for use in specified state.

crypto-error

 

Creating an RSA Key Container

Fortunately moving encryption keys between servers is straight forward. We can create our own RSA key container, export it to a file, and then move it from server to server as needed. This is ideal for multi node web farm solutions where applications are deployed across multiple servers.  Use the following syntax to create an RSA key container. Be sure to include the –exp option so the container can be exported:

creating-mycrypto

 

Adding the configProtectedData section to your config

Next you will add the following configProtectedData section to your web.config.

Below is how my web.config looks now that I have added the configProtectedData section.

myfarmkey-config

 

\r\n

Assigning permissions to the RSA key container

\r\n

Before the new RSA key container is ready to be used by my site domain1.com, I need to assign the application pool identity permission to access it. On the server in my example the application pool identity for domain1.com is ApplicationPoolIdentity. I use the following syntax to assign this user to the new RSA key container:

\r\n

\r\n

myfarmkey-identity

\r\n

Encrypting a config with an RSA key container

After adding the configProtectedData section to the web.config and granting permission to the RSA key container for domain1.com’s application pool identity, I’ll run the encryption command again using the new “MyFarmCrypto” RSA key container:

image

In the image above we see the encryption succeeded. Note in the command syntax above we are specifying the configProtectionProvider name MyFarmCrypto and not the RSA key container name. If you mix that up you’ll get an error. We can see below how domain1.com’s web.config now looks after being encrypted with the new RSA key container.

farmcrypto-encrypted\r\n

Exporting and Importing an RSA Key Container

\r\n

Now that we’ve successfully created and tested our new RSA key Container we need to export it to a file. Once it’s saved in a file we can then copy it to other servers for installation as needed. It is important to remember to use –pri option to include the private key when the export file is created otherwise you will not be able to decrypt information on the next server .

\r\n

\r\n

export-farmkey

\r\n\r\n

Having logged into another server and copied the MyFarmKey.xml file to c:\temp I will import the key fil using the following command:

\r\n

\r\n

import-farmkey

\r\n\r\n

For security purposes, after importing the key on a new server, delete the key .xml file from the server to ensure someone unauthorized doesn’t use it decrypt data. This of course assumes that you have backed up the file off server somewhere safe.

\r\n

To permanently delete the RSA key container from a server you should run this command:

\r\n

\r\n

Summary

\r\n

The .NET Framework offers powerful encryption tools to secure sensitive information like usernames and passwords in application connection strings. When encrypting a config file on a server the private key used to decrypt the information is local to the server. Creating an RSA key container will enable you to encrypt information with the same private key across multiple servers. Thanks for reading.

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Blocking SQL Injection with IIS Request Filtering

 IIS, Windows Server 2008, Windows Server 2012  Comments Off on Blocking SQL Injection with IIS Request Filtering
Feb 062015
 

SQL Injection became a favorite hacking technique in 2007. Despite being widely documented for so many years it continues to evolve and be utilized.  Because SQL Injection is such a well known attack vector, I am always surprised when as sysadmin I come across someone’s site that has been compromised by it. In most instances the site was compromised because of not properly validating user data entered on web forms. Classic ASP sites using inline SQL queries with hardcoded query string parameters are especially vulnerable. Fortunately regardless of a site’s potential programming weaknesses it can still be protected. In this walkthrough I will cover how to protect your site from SQL Injection using IIS Request Filtering.

\r\n

Identifying SQL Injection Requests

\r\n

Most people find out about SQL Injection the hard way after their web site has been defaced or their database has been compromised. If you are not sure your site has been attacked you need look no further than your web site’s traffic logs. Upon visual inspection of the IIS site logs you will see blocks of legitimate requests interspersed with the malicious requests. Checking the HTTP status code at the end of each request will indicate if there is any issue. If the status code was a 404 or a 500, you know the malicious request didn’t work. However, if the request had a HTTP status code of 200 then you should be concerned.

\r\n

image

\r\n

 

\r\n

Using Log Parser to Find SQL Injection Requests

\r\n

Looking through web logs for malicious requests can be a tedious and time consuming. Microsoft’s wonderful log analysis tool Log Parser makes it easier to identify pages on your site that are being targeted by SQL Injection attacks. Running the query below will create a report of all the page requests in the log with query string parameters.

\r\n

\r\n

 

\r\n

Using Findstr to find SQL Injection Requests

\r\n

Using Log Parser to identify malicous requests is helpful however if you need to look at multiple sites’ logs the task becomes more challenging. For these situations I like to utilize Findstr. Findstr is a powerful Windows tool that uses regular expressions to search files for any string value. One powerful feature is that you can store your search strings in separate files and even exclude certain strings from being searched. In the example below, I use the /g parameter to have Findstr load a file named sqlinject.txt with my predefined string and then search all the web logs in the W3SVC1 folder. The output is redirected to a file called results.txt.

\r\n

findstr /s /i /p  /g:sqlinject.txt C:\wwwlogs\W3SVC1\*.log >c:\results.txt

\r\n

Using this syntax it is easy to extend the capability of Findstr by creating a simple batch file with all the web log folders on your server. Once setup you will be able to any identify SQL Injection requests against your server within minutes.

\r\n

\r\n

Configuring IIS Request Filtering

\r\n

The Request Filtering module was introduced in IIS 7 as a replacement for the very capable Url Scan. Using Log Parser and Findstr you will be able to identify plenty of malicious requests attacking the web sites on your server. A Request Filtering rule can block requests based on file extensions, URL, HTTP Verbs, Headers, or Query Strings. Additionally you can block requests based on a maximum size of the query string and url length.

\r\n

image

\r\n

 

\r\n

Like any other IIS module you can maintain the settings outside of IIS Manager by editing the web.config. The values are stored in the <requestFiltering> section within <system.webServer>

\r\n

image

\r\n

\r\n

Filtering Rules

\r\n

I typically create 1 rule for each Deny String that I want to block. You can add multiple strings on each rule however I find it easier to maintain when only using 1 string per rule. This way if a rule is inadvertently blocking legitimate requests you can quickly disable it while leaving the other ones operational. The request url or query string can scanned for Deny Strings. However, enabling url scanning requires a bit of forethought because if the Deny String matches any part of the name of a page on your site, requests to that page will be blocked. matches . For example if you want to block requests containing the SQL command “update” but there happens to be page called update.aspx on your site, any request to update.aspx will be blocked.

\r\n

image

\r\n

If I had to pick only 1 Deny String for filtering it would be cast(. Nearly every SQL Injection request I’ve seen uses cast( and no legitimate page or query string parameter should have this name.

\r\n

\r\n

404 Status Codes

\r\n

Any request blocked by Request Filtering will return a 404 error status with a specific substatus to identify the reason it was denied. A few common ones are listed below.

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

\r\n

HTTP Substatus Description
404.5 URL Sequence Denied
404.14 Url Too Long
404.15 Query String Too Long
404.18 Query String Sequence Denied
404.19 Denied by Filtering Rule

\r\n

With Request Filtering is enabled, it is easy to keep an eye on blocked requests. The Log Parser query below will create a report of all the requests with HTTP status 404 and substatus greater than zero.

\r\n

\r\n

 

\r\n

Blocking User Agents

\r\n

While investigating a recent SQL Injection attack I noticed in the IIS logs that the site had been compromised by an automated tool. It was interesting to see how the first malicious request was very basic and then each subsequent one became more elaborate with complex SQL queries. What I found even more curious was that each request used the same User-Agent which in fact identified the name of the tool and where to download it.

\r\n

image

\r\n

 

\r\n

Their web site clearly states the creators of the tool released it with the intention of helping system administrators discover vulnerabilities. Unfortunately it’s far too easy for someone to use it with malicious intent.  The good news is that blocking requests based on the User-Agent is quite easy. You just need to create a new rule and specify User-Agent in the header and then the name of the agent in the Deny Strings.  As you can see by the 404.19 status in the picture above the automated tool was successfully blocked the next time around after the rule was added.

\r\n

image

\r\n

 

\r\n

In Summary

\r\n

SQL Injection is a popular attack vector for web sites but by leveraging IIS Request Filtering the malicious requests can be easily blocked. Using Log Parser and Findstr you can quickly check your site’s logs to identify suspicious activity. Thanks for reading.

\r\n

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Managing IIS Logs with GZipStream

 ASP.NET, IIS, Windows Server 2008, Windows Server 2012  3 Responses »
Aug 282014
 

Depending on how many sites your Windows web server is hosting maintaining IIS logs can be a challenge.  IIS logs provide valuable insight into the traffic your sites are experiencing as well as detailed SEO metrics and performance data. A typical web server will have just enough free disk space for future growth needs but ultimately will be limited by the capacity of drives in the server. If left unmonitored IIS logs can quickly fill any remaining disk space on the server. There are a few 3rd party tools that are good at compressing log files when they are under one parent folder but when the log files are in different locations such as on a WebsitePanel server I support an alternative solution is needed. In this walkthrough I will demonstrate how I solved this challenge using asp.net and GZipStream.\r\n\r\n \r\n

What about Windows Folder Compression?

\r\nEnabling Windows folder compression should always be the first step to try when freeing up space used by IIS logs. I always redirect the site logs to a folder at the root level of the server so it’s easy to find them and monitor their growth. In the example below I saved 8.3 GB of disk space without having even having to zip any files. However Windows folder compression was not going to work for my WebsitePanel server.\r\n\r\nCapture12\r\n\r\n \r\n

Finding WebsitePanel IIS Logs

\r\nWebsitePanel is a wonderful Windows control panel for Multi-Tennant web hosting and the best part is that it’s free. If you haven’t discovered this incredible application yet check it out. Once installed every aspect of site creation and maintenance is completely automated. As shown in the picture below customer sites are usually deployed with a directory structure like c:\HostingSpaces\customername\sitename. The IIS logs are always stored further down the tree in …\sitename\logs\W3SVCXX. As one can imagine on a web server with hundreds of sites it would be quite a challenge to track down and manually apply Windows compression on all the W3SVC folders. This would be further complicated as new sites are added to the server.\r\n\r\nUntitled-1 copy\r\n\r\n \r\n

Using Directory.EnumerateFiles and GZipStream

\r\nI knew I was going to do some coding to solve my challenge but I also wanted to keep the solution easy to use.  In years past I would have considered VBScript folder recursion and executing the PKZip command line tool but I wanted something more contemporary.  So I used Visual Studio 2013 and created a Console Application.\r\n\r\nCapture9\r\n\r\n \r\n\r\nimage\r\n\r\n \r\n\r\nThe GZipStream class which was introduced in .Net 2.0 would handle the necessary file compression. Since I would only be compressing individual files I didn’t have to deal with using a separate library such as DotNetZip.\r\n

\r\n

The Directory.EnumerateFiles method introduced in .Net 4 would use find all the IIS log folders from the WebsitePanel hosting spaces directory tree. Using the searchOption overload  would enable me to not only search for .log files but also limit the searching to specific folders matching “W3SVC”.  In the snippet below I loop through the search results, compress any log file older than 1 day, and delete the original file. The last step is to just write the name the file that was just zipped to an audit log.\r\n

\r\n

I only needed 30 days worth of log files to be left on the server. In the snippet below I delete any zipped log files matching my date criteria and then write the activity to the audit log.\r\n

\r\n

\r\n

\r\n

Using an XML Config File

\r\nTo help keep my application flexible I created a simple XML file to store the path to the WebsitePanel hosting spaces folder and the number of days of logs I wanted to keep on the server.\r\n

\r\n

 \r\n\r\nLoading these values into my program is done by parsing the XML data using XmlDocument.\r\n

\r\n

 \r\n

Running the Program

\r\n

Running the program from a command line I can see the progress as files are compressed. Afterwards I setup a scheduled task so it will run every day to compress new IIS log files and purge the ones older than 30 days.\r\n\r\nCapture7\r\n\r\n \r\n\r\nA few days later I came across several sites on the server using CMS products with their own application logs. These log files were not being cleaned up by the site owners and taking up free space on the server so I decided to archive them as well. Since they were being stored within each site in subfolder called “Logs”, tweaking the searchOption parameters of the Directory.EnumerateFiles method would catch them. With a quick rebuild of the program, it would now compress the CMS log files as well as the IIS log files.\r\n

\r\n

\r\n

\r\n

In Summary

\r\n

IIS logs contain wealth of data about web site traffic and performance. Left unchecked over time the logs will accumulate and take up disk space on the server. Using Windows folder compression is a simple solution to reclaim valuable disk space. If your log files are different locations then leveraging the power of ASP.NET with Directory.EnumerateFiles and GZipStream will do the trick. Thanks for reading.

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

3 Steps to Securing FTP on IIS 8

 IIS, Windows Server 2012  Comments Off on 3 Steps to Securing FTP on IIS 8
Aug 072014
 

The FTP protocol is some 43 years old now. Yet it continues to be one of the most widely used file transfer technologies available. Over the years it has been shown to  be vulnerable to brute force attacks, packet capture, and other attack vectors.  Fortunately with IIS 8 on Windows Server 2012  your FTP server doesn’t have to be vulnerable. It goes without saying that FTP Authentication and Authorization are the most fundamental methods to secure your server.  Here are three additional things you can do to increase the security of your server’s FTP service and minimize its attack footprint.\r\n\r\n \r\n

IIS 8 FTP Logon Attempt Restrictions

\r\nOne of the most common FTP attack vectors is the dictionary attack. Using automated tools hackers will repeatedly hammer your FTP site with thousands of username and password combinations hoping to find that one account with an easy password. In the picture below you can see just a snippet of this automated activity. Fortunately none of these attempts were successful.\r\n\r\nlog\r\n\r\n \r\n\r\nIIS 8 now features FTP Logon Attempt Restrictions. This powerful feature is not available in IIS 7 or IIS 7.5. Once configured automated logon attacks will be stopped in their tracks. From IIS Manager simply click on FTP Logon Attempt Restrictions.\r\n\r\nCapture3\r\n\r\n \r\n\r\nConfiguring the FTP Logon Attempt Restrictions module is easy. Simply choose how many logon attempts are to be allowed and the time period for them to occur. When you consider that most FTP clients will save passwords in a profile, legitimate users on your FTP site should only need 1-2 logon attempts. However, depending on how many FTP users you’re hosting and their technical savvy you may need to tweak these settings.\r\n\r\nCapture4\r\n\r\n \r\n\r\nTesting my FTP site now with the new logon attempt restrictions it is easy to see how well it works. After the threshold is exceeded my connection to the server is forcibly closed. Automated hack attempts will no longer be a threat to this FTP server.\r\n\r\nCapture5\r\n\r\n \r\n

Enable FTP Over SSL with IIS 8

\r\nThe FTP protocol wasn’t originally designed for encryption. Fortunately with IIS 8 (and IIS 7) your FTP sessions can now be encrypted with SSL. To configure FTPS also known as FTP Over SSL open IIS Manager. You can either specify using SSL when adding FTP Publishing to a site or alternatively just going to the FTP SSL Settings on an existing site. Connecting with SSL can either be optional or or you can force all connections to use it. Using the drop down menu choose the certificate that you want to be used to encrypt the connections.  Windows Server 2012 has a default certificate available however you are also welcome to install your own 3rd party certificate.\r\n\r\nimage\r\n\r\n \r\n\r\nAfter you’ve configured the SSL settings on the server you just need to change your FTP client connection properties. In the picture below I’m using a legacy version of Cute FTP 8.0. Depending on which FTP client you’re using your protocol menu will look different.\r\n\r\nimage\r\n\r\n \r\n\r\nHaving changed my FTP client settings I attempt to connect to the server using SSL. The first time you connect to the server you will be prompted to accept the new SSL certificate. The log snippet below shows that my FTP session is being properly established with SSL. My communication with the server is now secure and protected.  Here is a more detailed walk through of configuring FTP over SSL on IIS 8.\r\n\r\nimage\r\n

\r\n

Configuring IIS 8 FTP User Isolation

\r\nWhen IIS 7 was released the FTP service had been completely redesigned from the ground up with security in mind. This was a welcome change indeed from IIS 6. In addition to supporting FTP over SSL it introduced FTP User Isolation. Multiple users on the same FTP site could be separated regardless of which file path they were being logged into without risk of someone traversing up parent paths to other user folders.\r\n\r\nThe FTP Authorization rules make it easy to identify multiple users or even local groups to have access to the FTP server. The user isolation is accomplished by creating a virtual directory called LocalUser and then choosing User name directory (disable global virtual directories). The LocalUser virtual directory should point to the FTP root directory and then you create a separate virtual directory for each FTP user which points to their destination path.\r\n\r\nimage\r\n\r\n \r\n\r\nWith FTP User Isolation configured your users will never be able to move up up to a parent path beyond their individual root directory. Even if a user were able to correctly guess the username and virtual path of another FTP account on the server they will not be able to reach it. Due to the confines of the isolation the FTP session can not see anything else on the server. In the example below I login with local account ftpuser2 and attempt to change the path to /ftpuser1 however that path does not exist and therefore is not accessible to my user. Here is a more detailed walkthrough of configuring FTP User Isolation on IIS 8.\r\n\r\nimage\r\n\r\n \r\n

In Summary

\r\nIIS 8 on Windows Server 2012 offers the most secure FTP service of any IIS version to date. You have multiple layers of FTP security available by leveraging FTP Logon Attempt Restrictions, FTP Over SSL, and FTP User Isolation. Your FTP server will be well protected using these built-in modules. With internet security there is no ‘patch’ for complacence.  More security is always better so implement it when it’s readily available to you.  Thanks for reading.

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Preventing Automated Attacks with IIS Dynamic IP Restrictions

 IIS, Windows Server 2012  Comments Off on Preventing Automated Attacks with IIS Dynamic IP Restrictions
Aug 042014
 

Another one of the great built-in features of IIS 8 is Dynamic IP Restrictions (DIPR). With a few simple configuration steps you can quickly set limits for blocking IP addresses based on the number of concurrent requests or frequency of requests over a period time. With these parameters in place IIS will take over blocking requests unattended thereby making your server more secure.\r\n\r\nBefore DIPR was available on IIS 7 you could manually block 1 IP or a range of IPs easily in the IP Address and Domain Restrictions module. However this could be a time consuming task if your server was under attack. Using a tool like Log Parser to examine the site’s logs you could identify IPs with suspicious activity but then you still had manually enter Deny Rules. Determined hackers will use a variety of IPs from proxy servers so by the time you’ve blocked a handful a new range could be starting up. DIPR was released out-of-band for IIS 7 and IIS 7.5 so you can leverage this great security tool on those web servers as well. In this walk through I cover how to configure Dynamic IP Restrictions and even show a test in action.\r\n

\r\n

Installing Dynamic IP Restrictions

\r\nOpen the Server Manager and to Web Server role. Under Security ensure that IP and Domain Restrictions is installed.\r\n\r\nimage\r\n\r\n \r\n

IP Address and Domain Restrictions in IIS Manager

\r\nOpen IIS Manager and click on IP Address and Domain Restrictions.\r\n\r\nCapture2\r\n\r\n \r\n\r\nFrom this window you can either Add Allow Entry rules or Add Deny Entry rules. These rules would be for manually blocking (or allowing) one IP address or an IP address range. You have to be care when blocking an IP range because you could inadvertently block legitimate traffic. Click on Edit Dynamic Restriction Settings to set the dynamic thresholds for blocking IP addresses.\r\n\r\nimage\r\n\r\n \r\n\r\nClick Edit Feature Settings to set the Deny Action Type. In this example I’ve set Forbidden so blocked requests will receive an http 403 status error. These errors will also be recorded in the site’s log for us to review later.\r\n\r\nimage\r\n\r\n \r\n\r\nOn the Dynamic IP Restriction Settings screen you can choose the maximum number of concurrent requests to block. And you can also Deny IP addresses based on frequency of requests over a period of time.\r\n\r\nCapture4\r\n\r\n \r\n\r\nAs always depending on the volume of your web site’s traffic you should test these settings to ensure that legitimate traffic does not get blocked.\r\n\r\n \r\n

\r\n

Testing Dynamic IP Address Blocking

\r\nI didn’t have a real security incident available for testing the DIPR module so I did the next best thing. Using Fiddler the free debugging tool from Telerik and StressStimulus a free load testing plugin from StimulusTechnology I hammered my test virtual server for a few minutes and got the desired results. With Fiddler open you will see the StressStimulus module. From here you can record your test case or open an existing test case as well as edit the test case paramters.\r\n\r\nCapture12\r\n\r\n \r\n

\r\n

\r\n

Test Results

\r\nStressStimulus gives you multiple detailed charts to review to gauge the performance of your site and identify potential areas of weakness. For my test I choose to hit the wp-login.php page on my test WordPress site with 3 concurrent requests and 100 iterations. The test completed within a few minutes.\r\n

Capture8

\r\n \r\n\r\nVisiting the test page from the server running StressStimulus I get the expected result. It’s blocked by a 403 error.  The full description of this code is 403.502 – Forbidden: Too many requests from the same client IP; Dynamic IP. \r\n

Capture

\r\n \r\n\r\nUsing the Log Parser query below to analyze the site log I see that 331 requests were blocked with a 403.502 status code.\r\n

\r\n

image\r\n\r\n \r\n\r\nFurther examination of the log with Log Parser shows the full break down of the requests blocked with 403 status.\r\n\r\nSELECT TOP 100\r\nSTRCAT(EXTRACT_PATH(cs-uri-stem),’/’) AS RequestPath, sc-status,sc-substatus,\r\nEXTRACT_FILENAME(cs-uri-stem) AS RequestedFile,\r\nCOUNT(*) AS TotalHits, c-ip\r\nFROM w3svc.og TO top-403-ip-requests\r\nwhere sc-status=403\r\nGROUP BY cs-uri-stem, sc-status,sc-substatus,c-ip\r\nORDER BY TotalHits DESC\r\n

\r\n

image\r\n\r\n \r\n

Summary

\r\nThe Dynamic IP Restrictions module is available with IIS 8 as well as IIS 7 and IIS 7.5. It is a powerful tool to block automated attacks on your site and requires minimal configuration and maintenance. Thanks for reading.

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Solving SQL Server High CPU with IIS Request Filtering

 IIS, SQL Server, Windows Server 2012  1 Response »
Jul 272014
 

The other day I was troubleshooting 100%  CPU utilization on a SQL Server 2008 database server. The server had 100 or so databases of varying sizes however none were larger than a few hundred MB and each database had a corresponding web site on a separate web server.  Since the server hosted quite a few databases the high CPU needed to be resolved quickly because it was causing issues for everyone.  High CPU on a database server can often be symptomatic of a issues occurring outside the server. In this case the real issue was in fact being caused by a SQL Injection attack on a web server.\r\n

Top Queries by Total CPU Time

\r\nThe knee jerk reaction when experiencing high CPU may be to stop it immediately either by restarting services or recycling app pools however letting it run temporarily will help you to isolate the cause. SQL Server 2008 has some great built-in reports to help track down CPU utilization. On this occasion I used the Top Queries by Total CPU Time report. You can get to this report by right clicking on the server name in SQL Server Management Studio and then selecting Reports.\r\n\r\nimage\r\n\r\n \r\n\r\nThe Top Queries by Total CPU Time report will take a few minutes to run. However once it completes it provides a wealth of information. You’ll get a Top 10 report clearly showing which queries and databases are consuming the most CPU on the server at that moment. Using this report I was able to see that one of the databases on the server had 4 different queries running that were contributing to the high CPU. Now I could focus my attention on this 1 problematic database and hopefully resolve the high CPU.\r\n\r\n \r\n\r\nimage\r\n\r\n \r\n

SQL Profiler and Database Tuning Advisor

\r\nNow that I knew which database was causing the problems I fired up SQL Profiler for just a few minutes. I wanted to get a better understanding of the activity that was occurring within the database. Looking at the high number of Reads coming from the app named “Internet Information Services” I was starting to realize that web site activity was hitting the database pretty hard. I could also see plaintext  data being inserted into the database and it was clearly spam.\r\n\r\nimage\r\n\r\n \r\n\r\nBefore I turned my attention to the web site however I wanted to see if there could be any performance improvement using the Database Engine Tuning Advisor since I had the valuable profiler trace data. The DTA will analyze the database activity and provide a SQL script with optimizations using indexes, partitioning, and indexed views. Usually with DTA I’ll see 5-10 % performance improvement. I was excited to see a 97% improvement!\r\n\r\nimage\r\n

\r\n

Preventing SQL Injection with IIS Request Filtering

\r\nAfter I applied the optimizations script from the Database Engine Tuning Advisor the CPU utilization on the database server improved considerably. However, I knew the web site was experiencing suspicious activity so I used Log Parser to get some reports from the site’s traffic log. Using the query below I could see the most frequently used querystring values and it was obvious the site experiencing a SQL Injection attack.\r\n

\r\n\r\nlogparser.exe -i:iisw3c “select top 20 count(*),cs-uri-query from ex140702.log\r\n\r\ngroup by cs-uri-query order by count(*) desc” -rtp:-1 >file.txt\r\n\r\n

\r\n

 \r\n\r\nWith attacks like this a natural inclination is to start blocking IP addresses. Unfortunately sophisticated attacks will use a variety of IP addresses so as soon as you block a few address malicious requests from new ones will take over. The best solution is to block the malicious requests with Request Filtering so I quickly added a few rules to block keywords I had seen in my log parser reports.\r\n\r\nrequestfiltering\r\n\r\n \r\n\r\nImplementing the IIS Request Filtering rules stymied the SQL Injection attack. Using the Log Parser query below I could see the http status codes of all the requests hitting the site with the new rules in place.\r\n

\r\n\r\nSELECT STRCAT(TO_STRING(sc-status), STRCAT(‘.’, TO_STRING(sc-substatus))) AS Status, COUNT(*)\r\n\r\nAS Total FROM w3svc.log to TopStatusCodes.txt GROUP BY Status ORDER BY Total DESC\r\n\r\n

\r\n

 \r\n\r\nRequest Filtering uses the http substatus 404.18 when a query string sequence is denied. Looking at Log Parser report below you can see the  50,039 requests were blocked by the new Request Filtering rules.\r\n\r\ntopstatuscodes\r\n

An Once of Prevention…

\r\nThe web site that had been attacked hosted free cooking recipes and allowed visitors to submit their own recipes. Unfortunately the owner’s goodwill was easily exploited because there was no form field validation on site’s submission page and new recipes were automatically being displayed on the site without being approved. This is a dangerous site design and should never have been deployed without basic security measures in place.\r\n\r\nI did a quick select count(*) from the recipe table in the database and was amused by all the delicious recipes I found Smile.\r\n\r\nimage\r\n\r\n \r\n

In Summary

\r\nSQL Server 2008 has several built-in reports like Top Queries by Total CPU Time to help Investigate high CPU utilization. Running SQL Profiler will provide detailed analysis of database activity. Running the profiler output through the Database Tuning Advisor can yield significant performance improvements for the database. IIS Request Filtering is a powerful tool to block SQL Injection attacks against a web site. However, SQL Injection can be easily mitigated using basic data validation. Thanks for reading.

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Scaling SSL With IIS 8 Server Name Indication (SNI)

 IIS, Windows Server 2012  1 Response »
Jun 302014
 

One of the many great new features with IIS 8 on Windows Server 2012 is Server Name Indication (SNI).  SNI is a TLS extension that includes  the hostname or virtual domain name during SSL negotiation. The reasoning behind this was to improve SSL scalability and minimize the need for dedicated IP addresses due to IPv4 scarcity. This means that you can now host multiple SSL certificates on a web server only 1 IP address. With previous versions of IIS you were forced to bind SSL certificates with unique IP addresses  and the only workaround available for hosting multiple SSL certificates with 1 IP address was to use a wild card certificate. In this walkthrough I will show how to leverage hosting multiple certificates using SNI.\r\n

Web Hosting Certificate Store

\r\nA new certificate store was created for Windows Server 2012  called the Web Hosting store. It is similar to the Personal store however it has been designed to support a significantly higher number of certificates with only a minimal performance impact on the server. On Windows Server 2012 certificates are now loaded on-demand in memory. Previously on older versions of Windows Server all certificates on a server would be loaded from just one GET request. The end result of this was high memory usage and limited scalability.\r\n\r\nsni6\r\n\r\n \r\n

Hosting Multiple Sites Using 1 IP Address

\r\nOn my test server I have 3 sites configured using host headers and 1 IP address.\r\n\r\nsni2\r\n\r\n \r\n\r\nI have already imported 3 SSL certificates and you can see they are in the Web Hosting certificate store. Installing the certificates is straight forward but I am not going to cover that in this blog post. However, if you need help with installing certificates then here are the steps to follow.\r\n\r\nsni1\r\n\r\n \r\n

Enabling Server Name Indication

\r\nServer Name Indication (SNI) is enabled on the site binding properties by clicking the Require Server Name Indication checkbox. Click OK to save the settings and then close the Site Bindings window.\r\n\r\nsni3\r\n\r\n \r\n\r\nNow I have added  an SSL certificate for each site and enabled Server Name Indication each site’s SSL binding. The certificates have been correctly added to the Web Hosting store to ensure scalability. Looking at IIS Manager below we can see that the https binding of each site is sharing same IP address. With previous version of IIS this would not have been possible because the other 2 sites would have automatically been stopped.\r\n\r\n \r\n\r\nsni4\r\n\r\n \r\n\r\nUsing an elevated command window you can see the new SSL binding type by running the following command:\r\n

\r\nThe picture below shows the SSL bindings for the 3 sites and the hostname is now included with port 443. Running this command on Windows Server 2008 you would only see the IP address and 443.\r\n\r\nsni7\r\n\r\n \r\n

In Summary

\r\nWindows Server 2012 and IIS 8 offer many new features and performance improvements for hosting sites. Server Name Indication (SNI) offers impressive SSL scalability with the addition of the Web hosting certificate store. Now you can host multiple unique certificates on multiple sites using only 1 address. Implementing SNI offers greater site density on web servers with only a minimal memory impact. Thanks for Reading.

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Installing WordPress, PHP, and MySQL on Windows Server 2012 R2

 IIS, Windows Server 2012  4 Responses »
Apr 032014
 

Microsoft’s Web Platform Installer (Web PI) makes installing applications a breeze. In a recent blog post I covered just how easy installing IIS has become using Web PI. In this walkthrough I’m going to cover installing WordPress, PHP, and MySQL using Web PI.  I remember the days when installing these applications was a manual process. Depending on your level of expertise it was quite a challenge to get everything working properly. If you’ve ever tried to uninstall and then reinstall MySQL you know what I mean.  Now thanks to Web PI with just a few clicks of your mouse you can have WordPress, PHP, and MySQL installed on Windows Server 2012 R2 in a few short minutes.\r\n

\r\n

Setting up Your Site

\r\nOn my test server I have a new installation of Windows Server 2012 R2 with IIS 8. Using the default site you’ll see the familiar IIS 8 welcome page called IISStart.htm. This page is automatically created for the default site when you install IIS. Be sure to delete it once you deploy your files.\r\n\r\nimage\r\n

\r\n

Launching Web Platform Installer

\r\nAfter installing the IIS role on your server you’ll be able to launch Web PI directly from IIS Manager by clicking on Get New Web Platform Components . The real power and ease of using Web PI to install WordPress, PHP, and MySQL is evident after you choose WordPress and Click Install. Web PI will automatically select the other application dependencies and include them in the installation.\r\n\r\nimage\r\n\r\n \r\n

Choosing MySQL Root Password

\r\nWeb PI will prompt you to choose a password for the root administrator user for MySQL. Be sure to make a note of this password because it will be needed later and resetting the MySQL root password manually can be challenge.\r\n\r\nimage\r\n\r\n \r\n\r\nClick Accept. The installation will start running.\r\n\r\nimage\r\n\r\n \r\n\r\nWeb PI will download and install all the necessary applications. It will complete within a few minutes.\r\n\r\nimage\r\n\r\n \r\n\r\n \r\n

Configuring the site for IIS

\r\nAt this stage of the installation Web PI will prompt you to choose a few settings for the IIS configuration. You can either install WordPress on an existing site or select New Web Site. I am going to install WordPress into the root of my site so I am using “/” for the application name. If you plan on running WordPress from a subfolder then enter a name for the application. Once the required parameters have been entered you will be able to click Continue.\r\n\r\nimage\r\n\r\n \r\n\r\n \r\n\r\nYou will be prompted to enter a few unique phrases to strengthen the password security.\r\n\r\nimage\r\n\r\n \r\n\r\nOnce Web PI completes the installation process your new MySQL Database Name, Database User Name, and Database Password will be displayed on the screen. Make a note of these settings. You will need them later to log into the database.\r\n\r\nimage\r\n\r\n \r\n

Installing WordPress

\r\nOnce Web PI completes its installation process the WordPress installer will be launched. This final step of installing WordPress completes quite quickly. Enter the Site Title, the admin username and password, and your email address. Click Install WordPress to finish setting it up.\r\n\r\nimage\r\n\r\n \r\n\r\nWordpress is now ready for use. Click Log In to go to the WordPress Dashboard.\r\n\r\nimage\r\n\r\n \r\n\r\nimage\r\n\r\n \r\n

Securing WordPress

\r\nAny serious web developer or server admin knows how important it is to secure your web site.  So after I install WordPress the very next thing I do is secure it. There’s a great WordPress plugin called Limit Login Attempts which can help block automated brute force attacks to your login page.  If you wanted to take it a step further you could even use Url Rewrite to block requests except for your own IP which I chose to do when my site was once targeted by brute force attacks. One other plugin you may want to consider is called Bad Behavior. This is a great plugin for mitigating link spam and the robots that deliver it. Combined with Akismet your site’s blog post comments will be spam free.\r\n

Summary

\r\nWordpress is one of the most widely used free CMS products. Installing WordPress on Windows Server 2012 R2 also requires PHP and MySQL. Now thanks to Web PI installing WordPress, PHP, and MySQl has never been easier. Your site will be up and running in mere minutes. After installation take some extra time to secure the login page and prevent comment spam. Thanks for reading.

Avatar

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

 Older Entries