IIS 7.5 and IIS 8.0 European Hosting

BLOG about IIS 7.5 Hosting, IIS 8.0 Hosting and Its Technology - Dedicated to European Windows Hosting Customer

European IIS 8.5 Hosting - HostForLIFE.eu :: How to Enable HTTP Strict-Transport-Security (HSTS) on IIS

clock December 22, 2016 06:04 by author Scott

In this article, we will only show simple tutorial about how to enable and serve HTTP Strict Transport Security (HSTS) response header in IIS.

Definition HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking.

HSTS improves security and prevents man-in-the-middle attacks, downgrade attacks, and cookie-hijacking.

It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named Strict-Transport-Security. HSTS Policy specifies a period of time during which the user agent should only access the server in a secure fashion.

Therefore, adding a HSTS header is important after you’ve added SSL to your WordPress website, so browsers automatically request your HTTPS address.

All you need to add to your web.configconfiguration file is an Outbound Rule, to rewrite request responses and sending the HTTP Strict Transport Security response header:

<outboundRules>
  <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
    <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
    <conditions>
      <add input="{HTTPS}" pattern="on" ignoreCase="true" />
    </conditions>
    <action type="Rewrite" value="max-age=31536000" />
  </rule>
</outboundRules>

HSTS and includeSubdomains #

Do you have your SSL (TLS) certificate on your www. subdomain? Then you need to include it using includeSubdomains. The outboundRules rule then becomes:

<rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
  <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
  <conditions>
    <add input="{HTTPS}" pattern="on" ignoreCase="true" />
  </conditions>
  <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
</rule>

HSTS header in WordPress functions.php #

You can set a HSTS header through your functions.php theme file as well. For this to happen, you can hook into the send_headers action.

Use the following code in your functions.php to send a HSTS header:

<?php
add_action( 'send_headers', 'saotn_add_hsts_header' );
function saotn_add_hsts_header() {
  header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' );
}



European IIS Hosting - HostForLIFE.eu :: How to Check Trace is Enabled on IIS Server

clock December 9, 2016 07:33 by author Scott

Trace \ Track is a vulnerability that is usually identified on an IIS server when we run PCI compliance and find this vulnerability. A hacker can run a Trace attack on IIS Website and get information about the Backend server and other important information.

In latest versions on IIS (IIS 6.0, 7.5) Trace is disabled by default but still it is good idea to make sure that Trace is disabled on IIS.

Testing if Trace \ Track is Enabled on a IIS website or not

Follow these steps :

1. Go to command Prompt of your Machine.
2. Type telnet <URL of the website> 80 (this will open a telnet session of that website on port 80)
3. Type following commands on the telnet session screen in exact same order: 

    TRACE / HTTP/1.0
    Host: <hostname_you_are_testing>
    TestA: Hello
    TestB: World


4. Press enter twice. 

If Trace is enabled on your server, you should see following results:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/7.5
    Date: Tue, 05 Dec 2016 08:17:15 GMT
    Content-Type: message/http
    Content-Length: 76 


And If you receive following results on the telnet screen, then Trace is enabled :

     HTTP/1.1 501 Not Implemented
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Tue, 06 Dec 2016 09:32:58 GMT
    Content-Length: 1508


    Connection: close

Disabling Trace or Track on IIS

The easiest way to mitigate the risk of Trace \ Track on iis is  : installing URLScan from Microsoft, 
The urlscan.ini file is included as part of URLScan . This sets by default a configuration setting "UseAllowVerbs=1".  In this [AllowVerbs] section of the ini file, only http methods that are allowed are GET, HEAD, and POST so simply by installing URLScan on an IIS server , we can assume that it  protected from TRACE or TRACK.  

 



European IIS Hosting - HostForLIFE.eu :: How to Fix "Could not establish trust relationship for the SSL/TLS secure channel" Error

clock December 6, 2016 10:45 by author Scott

One of our clients receive this error message when deploying his ASP.NET application.

“System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.”. Here is how we solved that issue.

There are 3 related and important issues:

1. the remote site uses a Server Name Indication (SNI) certificate, installed on a different domain name
2. the web application was published to a IIS 6.0 (Windows Server 2003) web server
3. a System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. This error message is caused because the process is not able to validate the certificate supplied by the server during an HTTPS (SSL) request

IIS 6.0 + Server Name Indication (SNI) certificates = System.Net.WebException #

A Server Name Indication (SNI) certificate basically means that you can install oneSSL/TLS certificate on a web server, to use on multiple domain names. The TLS part takes the negotiation, and that enables the server to select the correct virtual domain early and present the browser with the certificate containing the correct name. Therefore with clients and servers that support SNI, a single IP address can be used to serve a group of domain names for which it is impractical to get a common certificate.

Windows Server 2003 (IIS 6.0), Windows Server 2008 (IIS 7.0) and Windows Server 2008 R2 (IIS 7.5) do not support SNI-certificates.

How to Solve this Error Message

You might wonder what the solution to this error message was. Well, simple: Move the website to an IIS 8.0+ (Windows Server 2012) web server. This version supports Server Name Indication certificates. Microsoft calls this SSL Scalability in IIS 8.0. Because of SNI, or SSL-scalability, support in Windows Server 2012, the ASP.NET System.Net.WebException went away.

It’s simple, right? :)

 



European IIS 8 Hosting - UK :: How to Optimize Your IIS 7.5/8 Performance

clock March 3, 2015 06:58 by author Scott

Most of you must be very familiar with IIS, moreover if you use Windows Server and deploy your ASP.NET application. In this tutorial, we will only give short tips about how to improve your IIS 7.5/8 performance. With good performance, IIS will serve better and faster web pages to your users.

Please Disable ASP Debugging

When you run your server in the production environment, you may not need to run ASP debugging mode. Stopping debugging mode will save you a great amount of processing power. To disable debugging, click on your server name in IIS and then right click on it to enable feature view. One the right pane, click on ‘compilation’ and then click on ‘debugging properties’. Next, set the following values as given below:

Server side debugging: false

Client side debugging: false

Limit ASP Threads per Processor

This limits the number of ASP requests handled by IIS simultaneously. Normally, the default value is 25. The maximum allowed number is 100. You can increase it to 50 and monitor the performance level of your IIS. To change this value click on your server and then double click on ASP under IIS in the feature view mode. Next, click on “limit properties” and set the value, as you consider suitable to match your processing needs.

Enable HTTP Compression

This is something that our clients ask to configure and it is really effective to make your site run faster. This feature helps to transfer data faster between IIS and client browsers and saves your bandwidth. You can compress HTTP in both website level and server level. To enable server level http compression, right click on sever name in IIS and then double click on compression under IIS on the right pane. You can enable both static and dynamic http compression.

Setup Logging Option

With default settings, IIS logs almost everything under the hood.  You either can disable logging option or can select a number of essential events to log in your server. To set logging option, click on “Sites” in IIS server, and then select the parameters that you want to keep as a log in your server. Remember to enable the “feature view” by right clicking on the server name in IIS. In the feature view pane, click on ‘log’ and set the logging feature; to disable logging completely click on the disable option on the right pane. Remember that you can set logging option both in server level and website level.

Setup HTTP Response Header

This feature helps to minimize the number of http requests send to IIS by website visitors. HTTP expires header will help the client browser to cache webpages and its elements such as images, CSS etc.  To set http expires you need to click on HTTP response headers in the IIS, and then click on “set common headers”. Next select ‘expire web contents” and select the number of days or hours—this is total time your contents will be cached in the client’s browser.

Enable Output Caching

When you enable output caching, IIS will keep a copy of requested webpages. If a new user requests the very same webpage located in the cache, IIS will send the copy from its cache without reprocessing the contents. Output caching can significantly improve your server response time for dynamic contents.

Modify ASP queue length property

This value represent how often IIS will send “server too busy” message (HTTP error 503) to the users when ASP is receiving high number of requests. If the queue length time is too high, IIS will send “busy message” to users with longer delay, which make the users feel that the server may be out of service.  Too low queue length will cause the server send “server busy message” quite often, consuming resources of the server. If you are unsure about this setting, you can follow Microsoft’s recommendation for one-to-one ratio, which means if you have four processors in your server with ASP thread processor value set to the default 25, you can set the queue length to 25*4=100.

You can change the queue length by going at “limit properties”—the same way you change the ASP thread processor value.

Control the connection limits

This option can give you to control the connection in three ways: controlling connection timeout, controlling maximum bandwidth per website, controlling concurrent connections.

This connection limit option will allow you to set the maximum bandwidth per second and the maximum concurrent connection per second.  The maximum allowed bandwidth make a site use only a certain amount of bandwidth per second—thus improving the performance of other sites in a shared web-hosting environment.

Controlling the number of concurrent connection is another way to improve IIS performance and to improve the security of IIS as well. This option will allow only the specified number of clients to connect to the website at a given moment. So, if any malicious program tries to send numerous connection requests will be rejected by the IIS, and thus prevent your server becoming overloaded with requests during a DDoS attack.

After changing the performance settings, check the performance level of your server by gradually increasing load to a desired level. You can also consider using Google page speed tool to check whether page-loading time has been improved.

Hope above tutorial bring benefits for you. Thanks for reading.



About HostForLIFE.eu

HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes.

We have offered the latest Windows 2012 Hosting, ASP.NET 4.5 Hosting, ASP.NET MVC 5 Hosting, and SQL 2014 Hosting.

Tag cloud

Sign in