msdigest.net

Microsoft has confirmed the 0-day vulnerability in IIS FTP Service that could allow for remote code execution and posted a Security Advisory.

In short it’s only the FTP service in IIS prior to IIS 7 and Windows 2008, here’s the full list of affected systems:

• Microsoft Internet Information Services 5.0
• Microsoft Internet Information Services 5.1
• Microsoft Internet Information Services 6.0

Microsoft is investigating new public reports of a vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, and Microsoft Internet Information Services (IIS) 6.0. The vulnerability could allow remote code execution on affected systems that are running the FTP service and are connected to the Internet.

Read more in Microsoft Security Advisory (975191)

Great news, today I received a very pleasant e-mail from Microsoft, that told me that I’ve been awarded the Microsoft Most Valuable Professional Award for 2009, to follow the award which I received in 2008.

I am very happy and once again extremely humble to be associated with a great group of very clever people around the globe.

Thanks to Microsoft for the award, I really appreciate working with Microsoft and getting access to the information and resources that the MVP award opens up for.

Congrats to all the other newly and renewed MVPs!

The IIS Team has released another cool product for IIS 7. A few days ago The IIS Team released the beta of IIS Search Engine Optimization Toolkit. The toolkit provides you with a number of features which can help you ensure that your site follows best practices with regards to how search engines crawl and parse your site as well as providing features for generating robots.txt files and sitemaps.

Carlos, the person behind the toolkit, has more information about the release here as well as a great video giving an overview of the Site Analysis feature of the toolkit here. ScottGu also has a walkthrough post up on his blog here.

Installing

Use Web PI (click on the image below):

Or from Microsoft download center:

• IIS Search Engine Optimization Toolkit 1.0 Beta (x86)
• IIS Search Engine Optimization Toolkit 1.0 Beta (x64)

Saw this great blog post about IIS Security written by Tobin from the IIS Team. It covers the following topics with IIS Security:

• Ghosts of IIS Security Past
• Improvements in IIS 6
• Improvements in IIS 7.x

It’s a must read for everyone working with IIS.

Read the blog post here.

The IIS Team released the latest version of IIS Media Services 2.0 last week, it’s available as RTW (Released to Web) and can be downloaded is these versions:

• Using WebPI
• x86 version
• x64 versions

There are two releases available side-by-side on iis.net and through the Web Platform Installer:

• IIS Media Services 2.0 RTW – the production-ready release announced last week. Includes:
  • Smooth Streaming
  • Bitrate Throttling
  • Web Playlists
• IIS Media Services 3.0 Beta – a preview of new features in 3.0 made available in March at MIX. Includes:
  • Live Smooth Streaming
  • Advanced Logging

For production deployments, you’ll want to use the 2.0 RTW.

For at demo and more info about Smooth Streaming, check these sites:

• IIS.net – try the experience 
• IIS.net – media landing page

The IIS Team has released the FastCGI Extension 1.5 for IIS 6.0 and IIS 5.1 – Beta.

It’s an upgrade of the existing FastCGI Extension 1.0, based on the same technology and this new version adds several important improvements and features.

The FastCGI Extension 1.5 includes these new features:

• Monitor changes to a file. The extension can be configured to listen for file change notifications on a specific file and when that file changes, the extension will recycle FastCGI processes for the process pool. This feature can be used to recycle PHP processes when changes to php.ini file occur.
• Real-time tuning of MaxInstances setting. This MaxInstances setting dictates the maximum number of FastCGI processes which can be launched for each application pool. If it is set to 0 then FastCGI extension will automatically adjust the number of instances up or down every few seconds based on the system load and number of requests waiting in the queue. 
• STDERR stream handling. There are several options of how the extension can handle text sent by FastCGI application on STDERR. The extension can send the error data as a failure response to the HTTP client or it can ignore the error and send whatever was received on STDOUT as a response with 200 status code.
• Sending a termination signal to FastCGI processes. The extension can be configured to send a termination signal to FastCGI process before terminating it. This enables FastCGI process to do a clean shutdown before getting killed.
• _FCGI_X_PIPE_ environment variable. This variable is set by FastCGI extension and it contains the name of the named pipe that is used for communication between the extension and FastCGI process.
• Relaxed enforcement of response headers syntax. The FastCGI extension has less strict enforcements for the correctness of the response headers.

Read more at source.

At the 2009 MIX conference in Las Vegas, the Microsoft IIS team announced the release of 10 new extensions and launched a new end-to-end experience for discovering and installing community applications on IIS.

This wave of IIS extensions span new functionality in request processing, server management, site/app management and discovery of community applications.

You can check out each extension or get the Web Platform Installer to install all of them.

• Application Request Router (ARR) 2.0 beta, with disk cache and cache proxy support for edge configurations the IIS HTTP load balancer. ARR can be used as a complement to existing hardware load balancers, or as a standalone proxy.
• FTP 7.5 RTW, with extensibility  support for developers who want to customize this IIS7 FTP publishing service.
• WebDav 7.5 RTW, with support for both shared and exclusive locks to prevent lost updates due to overwrites.
• Advanced Logging beta for monitoring and measuring media and Web browsing experiences, rich and flexible data collection, client-side logging and real-time logging capabilities.
• Administration Pack for IIS7 RTW, with IIS Manager support for management of FastCGI, Request Filtering, ASP.NET authorization and custom error settings, and HTTP request filtering, and Configuration Editor for easier config management.
• IIS Snap-in for Windows PowerShell RTW, for management of the IIS configuration system through Windows PowerShell, along with 60 cmdlets for common management tasks in Powershell.
• Web Deployment Tool RC, which is a platform for Web deployment of IIS servers and applications that run on servers. This extension provides a foundation for administrators who want to synchronize and migrate Web servers in a web farm. Developers use Web Deployment Tool to deploy applications to a server or integrate with the new Windows Web Application Gallery.
• Database Manager RC, providing Web database management support for local and remote databases from within IIS Manager.
• Media Services 3.0 beta, which introduces the world to live streaming on IIS with multiple extensions, including Smooth Streaming and Advanced Logging. Our media extensions bring high quality media delivery to IIS customers as well as CDNs like Akamai.
• Web Platform Installer 2.0 beta, which installs community applications and its dependencies on Windows computers. See Introducing the Web Platform Installer for more details.

For more information www.IIS.net and live.visitmix.com

A few days ago the IIS Team released yet another cool extension for IIS 7.0, the new extension “Dynamic IP Restrictions” has been released as a beta.

The Dynamic IP Restrictions Extension provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.

The Dynamic IP Restrictions includes these key features:

• Blocking of IP addresses based on number of concurrent requests – If HTTP client makes many concurrent requests then that client’s IP address gets temporarily blocked.
• Blocking of IP addresses based on number of requests over a period of time – If HTTP client makes many requests over short period of time then that client’s IP address gets temporarily blocked.
• Various deny actions – it is possible to specify what response to return to an HTTP client whose IP address is blocked. The module can return status codes 403 and 404 or just drop the HTTP connection and do not return any response.
• Logging of dynamically denied requests – all denied requests can be logged into a W3C formatted log file.
• Displaying currently blocked IP addresses – a list of currently blocked IP addresses can be obtained by using IIS Manager or by using IIS RSCA API’s.
• IPv6 – the module fully supports IPv6 addresses.

Download it here:

• Microsoft Dynamic IP Restrictions for IIS 7.0 – Beta (x86)
• Microsoft Dynamic IP Restrictions for IIS 7.0 – Beta (x64)

For more information read this blog post.