This article explains how to enable reverse Domain Name System (DNS) lookup for all versions of Internet Information Services (IIS).

When reverse DNS lookups are enabled on the web server, the IP address of each web client that connects to the IIS server is resolved to a DNS name, and the DNS name instead of the web client IP address is placed in the IIS log files.  Enabling reverse DNS also affects what CGI and ISAPI extensions see as a value of the Remote_Host variable.

Microsoft KB article 297795 gives a step-by-step demonstration how to enable RDNS for IIS4, IIS5 and IIS6, but all you need to do is run the following in a command prompt from the ADScripts folder:

For IIS4 run:

adsutil set w3svc/EnableReverseDNS TRUE

For IIS5 and IIS6 run:

cscript adsutil.vbs set /wesvc/EnableReverseDNS "TRUE"

In IIS7, you must install the IP and Domain Restrictions role service for the Web Server (IIS) role.  You can do this in Server Manager or from the command line using the following command:

ServerManagerCMD -install Web-IP-Security

In Windows Server 2008 R2, the ServerManagerCMD.exe program is deprecated and has been replaced with the ServerManager Powershell cmdlets.  The following two cmdlets are used to install the IP and Domain Restrictions role service:

Import-Module ServerManager
Add-WindowsFeature Web-IP-Security

Now that the role service is installed, you can configure reverse DNS lookups, as follows:

• Open Internet Information Services (IIS) Manager.
• Navigate to the Server Name in the Connections pane.  If you only want to enable reverse lookups on a particular website, navigate to that website.
• Double-click IP Address and Domain Restrictions in the center pane and click Edit Feature Settings in the Actions pane.
• Put a checkmark in Enable domain name restrictions and click OK.

You will see the following warning:

Restricting access by domain name requires a DNS reverse lookup on each connection. This is a very expensive operation and will dramatically affect server performance. Are you sure you want to enable restrictions based on domains?

Clicking Yes will enable reverse lookups for all clients connecting to the web server.  I have not noticed any more than a 1-2% increase in CPU performance and the websites are just as performant as before.

Each of these changes go into effect immediately.  There is no need to restart IIS.

The discussion is specific to IIS 7 and later versions. Let's start with version IIS 7.0. It has a built-in feature that is able to filter HTTP requests. If a request is found to have contents which are unacceptable to process the request, then it will block such request there, before proceeding to process a request by a web application. This feature is useful as a mitigation technique, for such SQL Injection vulnerabilities.

Prerequisite
At first, verify the IIS version that you are using currently. If you are using earlier than IIS 7.0, then update with the latest version before applying the following configuration.

Configuring the Request Filter
To create a global filtering rule for SQL Injection, we should follow the below steps:

Step 1
Open the run window by pressing keyboard key Windows key + R and copy and paste the following code
%systemroot%\system32\inetsrv\config\applicationhost.config
 
It will open the applicationhost.config file.

Step 2
In the applicationhost.config file, identify <requestFiltering> section. Under this section, configure for the reserve keywords or reserved special characters, like DELETE, CREATE, UPDATE, INSERT, --,',/* etc. in <denyStrings> section.
Configure the file extensions for which IIS server needs to be validated. The sample code is shown below:

Step 3

Now, to save the file, go to the File menu and choose Save option.

How  does the above configuration behave in the IIS server?

With the above configuration settings, first of all, IIS will look at each incoming request for pages with .html, .aspx, or .asp extensions, to search for specific strings in the request's Query String. If the IIS server finds the specified strings, then IIS will block the request and return a 404: Not Found page to the client.
 
If you want to add a new file extension or change the existing file extensions in applicationhost.config file, you can add/remove the required file extensions in file Extension tags which lies in the <appliesTo> section. Whatever strings you are placing in the <denyStrings> section, the IIS looks for those strings. If it finds those, then it will block the request and return 404 error page to the client. You can add a new string, remove the existing string,  or change the existing string, in the <denyStrings> section.

In fact, in IIS server, you may have hosted many web applications which are running in parallel.
 
Let's say, for one of the web applications, you don't want to deny any string for the incoming request. How will you handle such  a scenario?
 
It is very simple. Create a rule in your application's config file, for which, you want to allow all such strings. If you create a rule in the application's config file, it will override the applicationhost.config file's rule. For instance, if you want to allow the string "end" for only a few applications,  and for the rest of the applications, you want to deny such a string, then follow the below steps:

Step 1: Remove the <add string="end" /> entry from applicationhost.config file.

Step 2: Add the below code into the application's config file where you want to restrict the string "end":

Make a note --  the name for the filteringRule tag must and should be unique and it should not conflict with a name which is in the applicationhost.config file or/and the same name with any other web.config files in the path. And, it is also possible to limit the scope of filtering rules using location tags.

Procedure to check logs for SQL Injection attempts

You can check the SQL injection attempt logs in IIS W3SVC logs section. filteringRule rejects such SQL injection attempts and responds with a 404 status and with a substatus 19. You have to check these logs periodically to make sure that your rule is blocking such SQL Injections for the legitimate requests.

After the configuration changes made in the applicationhost file, if you give the followingURL request in your browser, the following output will show:

http://localhost/OWASP.UI/UnvalidatedRedirectsForwards/ValidatedRedirectsForwards.aspx?returnUrl=http://www.flipkart.com/--

Output

HostForLIFE.eu IIS 10 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes.

Some of our clients sometimes ask about how to create URL Rewrite on their site. Previously, we have written about how to redirect HTTP to HTTPS in IIS. In this tutorial, we will advise how to create multiple redirection with a URL Rewrite Map.

URL Rewrite Module with IIS 7/IIS 8

Now there’s an easier solution, and one that offers better performance.  Starting with IIS 7 one can implement different kinds of url rewriting and redirecting with ease by using the URL Rewrite Module. The various rules can be configured using the IIS 7 Manager GUI or by directly editing the web.config. To open the URL Rewrite Module simply double click the URL Rewrite icon on your site properties as shown below.

From there you will be able to maintain your existing rules or add new ones as seen in this picture.

This is a pretty easy way to create server-side rules for rewriting and redirecting, but what happens when you have 30 or 40 legacy URLs that need to be redirected to new pages? Do you have to enter each one manually? Of course not. The solution to that is to use a URL Rewrite Map.

URL Rewrite Map

By using a URL Rewrite Map it has never been easier to create and maintain multiple 301 redirects for different pages on your web site.  The rewrite rules are stored in the <system.webServer> section of your web.config so you can quickly make changes as needed.

Here is all the code you need to accomplish this:

<system.webServer>
<rewrite>
<rewriteMaps>
<rewriteMap name=”Redirects”>
<add key=”/test.aspx” value=”/test2.aspx” />
<add key=”/aboutus.aspx” value=”/about” />
</rewriteMap>
</rewriteMaps>
<rules>
<rule name=”Redirect rule1 for Redirects”>
<match url=”.*” />
<conditions>
<add input=”{Redirects:{REQUEST_URI}}” pattern=”(.+)” />
</conditions>
<action type=”Redirect” url=”{C:1}” appendQueryString=”false” />
</rule>
</rules>
</rewrite>
</system.webServer>

In the example above I’m performing a 301 redirect on the test.aspx file to test2.aspx file. There’s also a 301 redirect for the aboutus.aspx file to folder called /about, however, in this case it’s important to note that the /about folder will also need a default page or else a 404 error will result.

As you add more URLs to your Rewrite Map you’ll notice that your web.config can become a bit cluttered. The solution to this will be to store the redirect rules in an external file. Let’s call this file myrewritemaps.config. This file will now contain this code block:

<rewriteMaps>
<rewriteMap name=”Redirects”>
<add key=”/test.aspx” value=”/test2.aspx” />
<add key=”/aboutus.aspx” value=”/about” />
</rewriteMap>
</rewriteMaps>

In your web.config you add the following line of code under the <rewrite> section referencing the external config file:

<rewriteMaps configSource=”myrewritemaps.config” />

Your web.config will now look nice and clean like this:

<system.webServer>
<rewrite>
<rewriteMaps configSource=”myrewritemaps.config” />
<rules>
<rule name=”Redirect rule1 for Redirects”>
<match url=”.*” />
<conditions>
<add input=”{Redirects:{REQUEST_URI}}” pattern=”(.+)” />
</conditions>
<action type=”Redirect” url=”{C:1}” appendQueryString=”false” />
</rule>
</rules>
</rewrite>
</system.webServer>

There is no real limit on how many URLs can be configured for redirecting with the URL Rewrite Map.  You should perform regular search engine analysis to see when the new URLs have been picked up. Once the old URL is no longer indexed and traffic has dropped off you could remove it from your map.

Trace \ Track is a vulnerability that is usually identified on an IIS server when we run PCI compliance and find this vulnerability. A hacker can run a Trace attack on IIS Website and get information about the Backend server and other important information.

In latest versions on IIS (IIS 6.0, 7.5) Trace is disabled by default but still it is good idea to make sure that Trace is disabled on IIS.

Testing if Trace \ Track is Enabled on a IIS website or not

Follow these steps :

1. Go to command Prompt of your Machine.
2. Type telnet <URL of the website> 80 (this will open a telnet session of that website on port 80)
3. Type following commands on the telnet session screen in exact same order: 

    TRACE / HTTP/1.0
    Host: <hostname_you_are_testing>
    TestA: Hello
    TestB: World

4. Press enter twice. 

If Trace is enabled on your server, you should see following results:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/7.5
    Date: Tue, 05 Dec 2016 08:17:15 GMT
    Content-Type: message/http
    Content-Length: 76 

And If you receive following results on the telnet screen, then Trace is enabled :

     HTTP/1.1 501 Not Implemented
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Tue, 06 Dec 2016 09:32:58 GMT
    Content-Length: 1508

    Connection: close

Disabling Trace or Track on IIS

The easiest way to mitigate the risk of Trace \ Track on iis is  : installing URLScan from Microsoft, 
The urlscan.ini file is included as part of URLScan . This sets by default a configuration setting "UseAllowVerbs=1".  In this [AllowVerbs] section of the ini file, only http methods that are allowed are GET, HEAD, and POST so simply by installing URLScan on an IIS server , we can assume that it  protected from TRACE or TRACK.  

One of our clients receive this error message when deploying his ASP.NET application.

“System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.”. Here is how we solved that issue.

There are 3 related and important issues:

1. the remote site uses a Server Name Indication (SNI) certificate, installed on a different domain name
2. the web application was published to a IIS 6.0 (Windows Server 2003) web server
3. a System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure. This error message is caused because the process is not able to validate the certificate supplied by the server during an HTTPS (SSL) request

IIS 6.0 + Server Name Indication (SNI) certificates = System.Net.WebException #

A Server Name Indication (SNI) certificate basically means that you can install oneSSL/TLS certificate on a web server, to use on multiple domain names. The TLS part takes the negotiation, and that enables the server to select the correct virtual domain early and present the browser with the certificate containing the correct name. Therefore with clients and servers that support SNI, a single IP address can be used to serve a group of domain names for which it is impractical to get a common certificate.

Windows Server 2003 (IIS 6.0), Windows Server 2008 (IIS 7.0) and Windows Server 2008 R2 (IIS 7.5) do not support SNI-certificates.

How to Solve this Error Message

You might wonder what the solution to this error message was. Well, simple: Move the website to an IIS 8.0+ (Windows Server 2012) web server. This version supports Server Name Indication certificates. Microsoft calls this SSL Scalability in IIS 8.0. Because of SNI, or SSL-scalability, support in Windows Server 2012, the ASP.NET System.Net.WebException went away.

It’s simple, right? :)

European leading web hosting provider, HostForLIFE.eu announces the launch of Visual Studio 2017 Hosting

HostForLIFE.eu was established to cater to an underserved market in the hosting industry; web hosting for customers who want excellent service. HostForLIFE.eu - a cheap, constant uptime, excellent customer service, quality, and also reliable hosting provider in advanced Windows and ASP.NET technology. HostForLIFE.eu proudly announces the availability of the Visual Studio 2017 hosting in their entire servers environment.

The smallest install is just a few hundred megabytes, yet still contains basic code editing support for more than twenty languages along with source code control. Most users will want to install more, and so customer can add one or more 'workloads' that represent common frameworks, languages and platforms - covering everything from .NET desktop development to data science with R, Python and F#.

System administrators can now create an offline layout of Visual Studio that contains all of the content needed to install the product without requiring Internet access. To do so, run the bootstrapper executable associated with the product customer want to make available offline using the --layout [path] switch (e.g. vs_enterprise.exe --layout c:\mylayout). This will download the packages required to install offline. Optionally, customer can specify a locale code for the product languages customer want included (e.g. --lang en-us). If not specified, support for all localized languages will be downloaded.

HostForLIFE.eu hosts its servers in top class data centers that is located in Amsterdam (NL), London (UK), Paris (FR), Frankfurt(DE) and Seattle (US) to guarantee 99.9% network uptime. All data center feature redundancies in network connectivity, power, HVAC, security, and fire suppression. All hosting plans from HostForLIFE.eu include 24×7 support and 30 days money back guarantee. The customers can start hosting their Visual Studio 2017 site on their environment from as just low €3.00/month only.

HostForLIFE.eu is a popular online ASP.NET based hosting service provider catering to those people who face such issues. The company has managed to build a strong client base in a very short period of time. It is known for offering ultra-fast, fully-managed and secured services in the competitive market.

HostForLIFE.eu offers the latest European Visual Studio 2017 hosting installation to all their new and existing customers. The customers can simply deploy their Visual Studio 2017 website via their world-class Control Panel or conventional FTP tool. HostForLIFE.eu is happy to be offering the most up to date Microsoft services and always had a great appreciation for the products that Microsoft offers.

Further information and the full range of features Visual Studio 2017 Hosting can be viewed here http://hostforlife.eu/European-Visual-Studio-2017-Hosting

That has been a question we have come across frequently. Before IIS 8, you could host multiple sites needing SSL on a single IP address if the sites utilized the same SSL certificate or used a wildcard SSL certificate.  A wildcard certificate was only beneficial if you needed SSL on the subdomain level of a current site/domain. But what if you had sites with different names? Well, you could get a Subject Alternative Names (SAN) SSL certificate.  This SSL certificate would allow you to protect multiple sites with a single SSL certificate. The last available option prior to IIS 8 required setting each additional SSL site on the same IP address but with a different SSL port number. This would allow you to utilize each site’s/domain’s SSL on the same IP address as another site.  By default, SSL certificates utilize port 443 for secure communication. This port doesn’t need to be specified in the URL since this is the standard port. When you use a different port number for SSL you will be required to add the non-standard SSL port number in the URL in order for it to work.  As you can imagine, this is not the way you want to run a public site. How would a user know to enter the port number and it’s not a common step that users are familiar with doing when browsing a site.

Adding an additional IP address to host another site needing SSL is the common method used but sometimes this isn’t an option for some people. With the inception of IIS 8 on Windows Server 2012, a new feature called Server Name Identification (SNI) was added. This feature offers an easier solution to hosting multiple sites that have a different or individual SSL on a single IP address. This feature is included in IIS 8 by default and doesn’t require the installation of any additional features to begin using it. Below, we will walk through the steps involved with configuring SNI. One thing to note with implementing SNI for your SSL solution, it will not work for those users running Internet Explorer on Windows XP. If your server has multiple IP addresses, you can implement SNI for some sites in addition to assigning individual sites to a single IP address for SSL. Both methods will work along side each other on different IP addresses without issue.

Steps:

1)  One of the first things you will need to do is import the SSL certificates for each site on the server if this hasn’t been done already
2)  Next, open IIS 8 Manager and add your first site that will need SSL
  a.  If the first site is already in place, proceed to step the next step
3)  After the site is added select the site and click Bindings… under the Actions menu pane on the right

4)  Click Add
  a.  Select https for the Type
  b.  You can leave the IP address to “All Unassigned” or choose the IP address you want to use
(If you have multiple IP’s on the server you will want to specify the one you want to use for SNI)
  c.  Enter your site/domain name for Host name
  d.  Check the box for “Require Server Name Indication”
  e.  Select the SSL certificate for the site from the drop down box
  f.  Click OK

5)  Create the second site and add the SSL binding following the steps below
6)  Select Bindings and click Add
  a.  Select https for the Type
  b.  You can leave the IP address to “All Unassigned” or choose the IP address you want to use
   (If you have multiple IP’s on the server you will want to specify the one you want to use for SNI)
  c.  Enter your site/domain name for Host name
  d.  Check the box for “Require Server Name Indication”
  e.  Select the SSL certificate for the site from the drop down box

7)  Click OK to complete the setup

That’s all that needs to be done.  Test SSL for the site to make sure each site is working properly.  If you have additional sites that need SSL added, you can continue following the steps above for adding the SSL binding for each new site.

In this tutorial, I will tell you about Manage IIS with Appcmd. What is Appcmd? The appcmd.exe is a single command, used to manage IIS 7 and above. It is used to manage the Server without using a graphical administration tool. The appcmd is located in C:\Windows\System32\inetsrv (%systemroot%\system32\inetsrv\) directory. By default, it will not add into environment variable. 

Key Features 

• Creating and configuring the sites.
• To list the running worker process.
• Backup and restoring the site configuration.
• Retrieve the information about the Application pools.

Object Types

• List
• Add
• Delete
• Set
• Hide

Syntax

appcmd <objecttypes> <parameters>   

set path=%path%;%systemroot%\system32\inetsrv; //used to set the environment variable   

To list all the sites, use the command, given below:

appcmd list sites     

To get the details of a specific site binding and status (stopped/start), use the command, given below:

appcmd list site "Default web site"  

To list all the sites, which had been stopped, use the command, given below:

appcmd list sites /state:Stopped   

To add a new site, use the command, given below:

appcmd add site /name:"added using appcmd" /bindings:"http/*:81:localhost" /physicalPath:"D:\test"

To add an https binding to the site, use the command, given below:

appcmd set site /site.name:"added using appcmd" /+bindings.[protocol='https',bindingInformation='127.0.0.1:444:localhost']  

To list all the applications, use the command, given below:

Appcmd list app  

To change an application pool, use the command, given below:

appcmd set app "added using appcmd/app1" /applicationPool:appcmdpool  

To view the application pool details including the username and password of the app account, use the command, given below:

appcmd list apppool "MyAppPool" /text:*  

Backup

appcmd add backup   

appcmd add backup "locahostbkup"  

appcmd list backup   

appcmd delete backup "backup name"  

Restore

appcmd restore backup "locahostbkup "  

appcmd restored configuration from backup "locahostbkup"  

To view the list of the worker process, which will help us to attach the debugger in Visual Studio, use the command, given below:

appcmd list wps  

To view the list of the physical path, use the command, given below:

appcmd list vdirs /text:physicalPath   

To start and stop the sites, use the command, given below:

appcmd start site "Default web site"  

appcmd stop site "Default web site"

HostForLIFE.eu IIS 7.5 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.

HostForLIFE.eu was established to cater to an underserved market in the hosting industry; web hosting for customers who want excellent service. HostForLIFE.eu - a cheap, constant uptime, excellent customer service, quality, and also reliable hosting provider in advanced Windows and ASP.NET technology. HostForLIFE.eu proudly announces the availability of the ASP.NET Core 1.0 RC2 hosting in their entire servers environment.

In this article, I will explain about how to deploy nopcommerce in IIS. Those who don't know NopCommerce is open source free Online stores application(just like flipcart,ebay). It is built on ASP.NET MVC. There are many features in NopCommerce. NopCommerce also support wide range of plug-ins. You can create your own plug-ins also. You can found more details about nopcommerce at http://www.nopcommerce.com/

Deployment methods

You can Deploy NopCommerce in two way

• Tools provided by NopCommerce(*.bat)
• Using Visual studio.

First method is very easy to implement. Second method need some extra work.

It is always better idea to deploy production code in local IIS host before deploying it in live server. If your developing asp.net application in visual studio you will use IISExpress to run the application. Most of the time IISExpress may not show those error which will be shown by IIS. For example when i run the nopCommerce in visual studio it worked properly but when i deployed it in Local IIS i fond a unknown error "Could not load type 'System.ServiceModel.Activation.HttpModule......."

Deploying using NopCommerce tools

• Assuming you already download NopCommerce with Source(At the time of writing this post nopCommerce_2.80_Source.rar is the latest version). You can download NopCommerce with source at http://www.nopcommerce.com/downloads.aspx
• Extract nopCommerce_2.80_Source.rar at your desired location. I am using F:\DotNetProjects.
• The extracted folder contains below items.
  
  

• In that folder Prepare.bat, Deploy.bat are the deployment tool given by NopCommerce.
• First Run prepate.bat it will display bunch of text in command prompt and finally Build success message.
  

• Now Run Deploy.bat again it will show you bunch of text in command prompt and finally Build success message. If you observe a new folder called Deployable is created automatically. This is our production code we need to deploy in Live Server.
• Before we deploy it in live server we will deploy it in local IIS. Now Just go to you iis manager.
• Expand the items in your left sidebar. Right click on Default Web Site and select Add Application form the menu.
• Enter details. Physical path field must be point to your Deployable folder.
• Now open your broser and enter http://localhost/nop.
  
• If there is no error it will redirect you to http://localhost/nop/install folder where you need to enter details like admin email,password, db connection details and click install.
• If everything is ok NopCommerse Will install successfully.
  
  Error1:Could not load type 'System.ServiceModel.Activation.HttpModule' ... Problem Fix
  At step 10 in above process you may get this error.
  Could not load type 'System.ServiceModel.Activation.HttpModule' from assembly 'System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
  

• If you got this error you can resolve it by using simple tool "aspnet_regiis.exe".
  Just go to C:\Windows\Microsoft.NET\Framework64\v4.0.30319 (path may different for 32 bit pc)in your command prompt. Run the the tool like this. "aspnet_regiis.exe -iru" this will execute some command and the problem should fixed.

ERROR2:Setup failed: An error occurred while creating the database: CREATE DATABASE permission denied in database 'master'. error. fix
If you got this error there are different alternative you can fix this error. But I will explain most simple one only.

• Run NopCommerce.sln under nopCommerce extracted folder(Refer step 2).
• Run the NopCommerce Application (ctrl+f5). 3)It will prompt you to enter db details(refer step 11). Enter details as shown in step 11 and click install.
• This time you wont face any problem (as i told earlier at beginning).
• No go to F:\DotNetProjects\nopCommerce_2.80_Source\Presentation\Nop.Web\App_Data (may different in your pc) and copy InstalledPlugins.txt,Settings.txt to F:\DotNetProjects\nopCommerce_2.80_Source\Deployable\nop_2.80\App_Data(this is our Deployable folder)
• Now Go to http://localhost/nop.
  
  If it asked for db details enter exact details you entered before.
• Voila! you successfully installed NopCommerce.

Deploying nopCommerce using Visual Studio

• Go back to your to Visual studio where you open nopCommerce solution and build the solution.
• Right click on Nop.Web click publish.
• This will prompt you through publish web wizard  Enter details like Publish Method:File System,Physical path
• Now right click on Nop.Admin and publish with sub-directory as /Admin under same directory you selected in previous step.
• copy all files you found under /admin/bin to /bin.
• Now copy copy InstalledPlugins.txt,Settings.txt text to add_data folder(Just follow steps i explained in Errror2 section of this post).
• That's it everything is great now.
  

HostForLIFE.eu IIS 7.5 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.