IIS Show #4 with Brett Hill (Channel 9)

Prior to working for Microsoft, Brett was an IIS MVP for three years and provider of advanced IIS training to Fortune 1000 and government audiences. Having discussed web problems with many large customers, he provides some tips for developers to keep in mind when creating applications for the web. Topics range from folder naming conventions to security and are sure to help with the deployment, security, and operation of any web application.

Follow the Discussion

Follow
Oops, something didn't work.

Try again?

Sign In to be begin to follow these comments

What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in. You need to be signed in to Channel 9 to use this feature.

Getting "follow" information

Stop following these comments

Start following these comments

What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in and view them all on your notifications page.

Removing your "follow"

Setting up your "follow"

Did you know you can
sign up for email notifications?
- Subscribe to this comments

sanfords

Jan 11, 2006 at 5:55 PM

Something just seems wrong when it is possible to specify web paths that will fool the parser. This seems inherently insecure. I don't disagree with your comments to keep paths short and clean but to be worried that specifying a directory with .com is going to fool the parser just makes me wonder about either the URL/HTTP specifications or the implementation of IIS.

Microsoft has spent lots of effort allowing users to have long file names and directory names. I rememeber the old 8.3 days and I for one love good descriptive names - though I hate blanks in names like "Program Files" and needless dots (.) are kinda silly too - yet .Net actually encouraged this practice.

Your advise is good but the Microsoft examples out there contradict them.
AUserAboutIIS

Apr 14, 2006 at 1:29 AM

I completely agree - though my biggest problem is this was a total waste of time. The message seemed slightly rehearsed and for the most part completely "out-of-date."

I, personally, would like more exciting, powerful topics coming out of Microsoft considering IIS was pretty much the first hackable product for Microsoft. Were you around, or seriously involved with IIS when Code Red was in it's prime?
iisguy

Jun 09, 2006 at 4:26 PM

Yup, i was around. Of course the basics would have prevented code red such as applying existing patches or disabling extensions you aren't using. I didn't cover that info in the podcast since this was not about administration as much as much as what to tell developers. I can assure it was not rehearsed.

So what I would like to know is what you would like to have heard in this? In other words, what would you say to developers are the top things the should know to write secure code for web applications?

=brett
iisguy

Jun 09, 2006 at 4:34 PM

I appreciate your concern here, however, the thing to keep in mind is that the parser is not fooled, it is simply parsing according to its rules. Keep in mind that you cannot send this kind of URL from IE as it wil not allow it. You have to use another utility of some kind.
See http://www.windowsitpro.com/Article/ArticleID/23278/23278.html?Ad=1
http://www.mvps.org/marksxp/WindowsXP/IIS/iis4.php

And Writing Secure Code by Michael Howard
"Just say no to parent paths. If you remove the requirement for parent paths in your application, anyone attempting to access a resource by using parent paths is, by definition, an attacker!"

http://www.microsoft.com/mspress/books/sampchap/5612b.asp