IIS Show #4 with Brett Hill
- Posted: Dec 16, 2005 at 11:15 AM
- 24,169 Views
- 4 Comments
Download
How do I download the videos?
- To download, right click the file type you would like and pick “Save target as…” or “Save link as…”
Why should I download videos from Channel9?
- It's an easy way to save the videos you like locally.
- You can save the videos in order to watch them offline.
- If all you want is to hear the audio, you can download the MP3!
Which version should I choose?
- If you want to view the video on your PC, Xbox or Media Center, download the High Quality WMV file (this is the highest quality version we have available).
- If you'd like a lower bitrate version, to reduce the download time or cost, then choose the Medium Quality WMV file.
- If you have a Zune, WP7, iPhone, iPad, or iPod device, choose the low or medium MP4 file.
- If you just want to hear the audio of the video, choose the MP3 file.
Right click “Save as…”
- MP3 (Audio only)
Prior to working for Microsoft, Brett was an IIS MVP for three years and provider of advanced IIS training to Fortune 1000 and government audiences. Having discussed web problems with many large customers, he provides some tips for developers to keep in
mind when creating applications for the web. Topics range from folder naming conventions to security and are sure to help with the deployment, security, and operation of any web application.
Comments Closed
Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation,
please create a new thread in our Forums,
or
Contact Us and let us know.
Follow the Discussion
Something just seems wrong when it is possible to specify web paths that will fool the parser. This seems inherently insecure. I don't disagree with your comments to keep paths short and clean but to be worried that specifying a directory with .com is going to fool the parser just makes me wonder about either the URL/HTTP specifications or the implementation of IIS.
Microsoft has spent lots of effort allowing users to have long file names and directory names. I rememeber the old 8.3 days and I for one love good descriptive names - though I hate blanks in names like "Program Files" and needless dots (.) are kinda silly too - yet .Net actually encouraged this practice.
Your advise is good but the Microsoft examples out there contradict them.
I, personally, would like more exciting, powerful topics coming out of Microsoft considering IIS was pretty much the first hackable product for Microsoft. Were you around, or seriously involved with IIS when Code Red was in it's prime?
So what I would like to know is what you would like to have heard in this? In other words, what would you say to developers are the top things the should know to write secure code for web applications?
=brett
I appreciate your concern here, however, the thing to keep in mind is that the parser is not fooled, it is simply parsing according to its rules. Keep in mind that you cannot send this kind of URL from IE as it wil not allow it. You have to use another utility of some kind.
See http://www.windowsitpro.com/Article/ArticleID/23278/23278.html?Ad=1
http://www.mvps.org/marksxp/WindowsXP/IIS/iis4.php
And Writing Secure Code by Michael Howard
"Just say no to parent paths. If you remove the requirement for parent paths in your application, anyone attempting to access a resource by using parent paths is, by definition, an attacker!"
http://www.microsoft.com/mspress/books/sampchap/5612b.asp
Remove this comment
Remove this thread
close