This article shares with the reader the steps on how to implement HTTP Public Key Pinning (HPKP) security policy/control. This article also includes the steps to create self signed certificate, implement the security control, and some tips to validate the control.

Please note that HPKP is not compatible with all browsers yet but there is nothing wrong with experimenting with it. You do not need to have an authentic certificate signed by a reputable CA in order to get an idea on how HPKP works. Hopefully this article will empower someone to implement this security policy in their environment or prepare them for a future opportunity.

Create self-signed certificate through IIS
To create SSL self signed server certificate through IIS,

• Under IIS Manager, click on the server name.
• On the Features View, click on Server Certificates.
• Under the Actions, click on Create Self-Signed Certificate.
• Specify a friendly Name for the certificate, in this example, I’ll name it MyCert1.

Create self-signed certificate using OpenSSL
To create SSL self signed server certificate using OpenSSL, see below

1. Download and install the OpenSSL for windows.
2. Open a command prompt and navigate to the OpenSSL bin folder.
3. Enter the command in listing 1 to set the environment variable.
Listing 1
    set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg  
    set RANDFILE=C:\OpenSSL-Win32\bin\.rnd 

4. Enter the following command to create a new self-signed certificate with 4096 bits using x509 structure and a key file. The certificate is valid for 365 days.
Listing 2
openssl req -newkey rsa:4096 -days 365 -x509 -nodes -out mycerts\myninja.ysa.cer -keyout mycerts\myninja.ysa.key 

5. You will be prompted to enter the Country Name, State, etc… Since the URL to my website is myninja.ysa, the Common Name will be myninja.ysa

6. Next, we will generate the PKCS#12/PFX using the certificate and key using the command in listing 3. This command will generate a .pfx file with a friendly name "myninja.ysa". We will import the certificate into IIS in later section.
Listing 3
openssl pkcs12 -export -out mycerts\myninja.ysa.pfx -inkey mycerts\myninja.ysa.key -in mycerts\myninja.ysa.cer -name "myninja.ysa" 

7. You will be prompted to enter the password to export the certificate. You can leave it blank by hitting enter twice,

Create certificate chain with OpenSSL
If you are interested to create self signed server certificate chain using OpenSSL, follow the below steps.

1. Let assume the Root/CA is myninja.ysa, enter the command in listing 4 to create a Certificate Signing Request (CSR) or certificate request
openssl req -newkey rsa:4096 -nodes -out mycerts\sub.myninja.ysa.csr -key mycerts\myninja.ysa.key 

2.  You will be prompted to enter the Country Name, State, etc… Let's assume the URL to my website is sub.myninja.ysa, and under the Common Name, I will enter sub.myninja.ysa

3.  Run the following command in listing 5 to complete the request. You can read more from here to find out the definition for the OpenSSL option/argument
openssl x509 -req -days 365 -in mycerts\sub.myninja.ysa.csr -CA mycerts\myninja.ysa.cer -CAkey mycerts\myninja.ysa.key -set_serial 01 -out mycerts\sub.myninja.ysa.cer 

4.  Shown in figure 6 is the output and the new certificate will be created under mycerts\sub.myninja.ysa.cer folder

5.  Let generate the PKCS#12/PFX using the command in listing 6 so that we can import it into the IIS Server Certificates
openssl pkcs12 -export -out mycerts\sub.myninja.ysa.pfx -inkey mycerts\myninja.ysa.key -in mycerts\sub.myninja.ysa.cer -name "sub.myninja.ysa" 

Next, we will spend a minute to examine the newly created certificate. Navigate to the mycerts folder and double click to open the myninja.ysa.cer and sub.myninja.ysa.cer certificates.

Click on the certificate Path tab. Under the Certificate status there will be a message "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." and "The issuer of this certificate could not be found." In addition, the child certificate path didn't show the myninja.ysa as root. Refer to figure 7 and 8
To remedy this, click on the General tab of the myninja.ysa certificate. Click on the Install Certificate button. Place the certificate in the Trusted Root Certification Authorities. At the end click Finish to complete the process. You will see a Security Warning prompt "You are about to install certificate from a certification authority (CA) claiming to represent myninja.ysa… Do you want to install this certificate", click Yes to continue. After that double click on the certificate and you should observer that the certificate status show "This certificate is OK." And the chain certificate path shows the myninja.ysa as root as shown in figure 9.

Import certificate into the IIS Server Certificates
In this section we will touch base on the steps to import the certificate into the IIS

• Under IIS Manager, click on the server name
• On the Features View, click on Server Certificates
• Under the Actions, click on Import…
• Browse to the MyCerts folder and select myninja.ysa.pfx, enter the password
• Repeat step 4 for sub.myninja.ysa.pfx
• At the end of the day, you should have three certificates listed under the Server Certificates

Bind SSL to a Site

To bind a SSL Certificate to a site

• Under IIS Manager, expand the server name.
• Select the site.
• Click on Bindings… under Action menu.
• Click on Add, Type, and select https. Enter a different port number if other than 443. Under SSL Certificate, choose myninja.ysa, Click OK and Close to complete the step.
• You can iterate the above step to try out other certificate

Configuring HPKP
Here is the HPKP syntax:
Public-Key-Pins: pin-sha256="base64_Primary_Key"; pin-sha256="base64_Backup_Key"; max-age=Expire_Time; includeSubdomains;

And here is a brief explanation to the parameters:

Pin-sha256 Directive - Base64 encoded Subject Public Key Information (SPKI) fingerprint.

The max-age Directive - the length in seconds the browser should store the pinning details .

Optional includeSubDomains directive - include all subdomains.

Create Primary Pin
There are several ways to generate the primary key fingerprint. Let's say the URL to my site is https://myninja.ysa/, and then I can run the command in listing 7 to generate the certificate fingerprint. In summary, the command connects to the host, read the public key from the certificate and encode it to base64.

openssl s_client -host myninja.ysa -connect myninja.ysa:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 

Shown In figure 12 is the output from command in listing 7. Press Control + C to return back to the prompt.

Primary pin
Alternately, since I have the certificate, I can also run the below command to generate the fingerprint by supplying the certificate

Listing 8
openssl x509 -in mycerts\myninja.ysa.cer -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 

Shown in figure 13 is the result from command in listing 8.
Ultimately, both methods will generate the identical fingerprint (aCJgrjda9Bvvpx791OQ8g6wksucYBFpmV3gX5sTEqyc=).

Create Backup Pin
I found some good reading from Scott Helme website regarding the backup pin. He pointed out that we can create some backup CSRs and includes their fingerprints in the header. To create a CSR, first run the following command.

openssl req -newkey rsa:4096 -nodes -out mycerts\MyBackup1.csr -keyout mycerts\MyBackup1.key 

Then run the following command to generate the fingerprint
openssl req -pubkey < mycerts\MyBackup1.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 

Shown in figure 14 is the output from command in listing 10
If you put everything together, the header will look something like in listing 11. The max-age was set to 10 seconds initially, you can set it to one year or 6 months once you have verify everything is working correctly.

pin-sha256='aCJgrjda9Bvvpx791OQ8g6wksucYBFpmV3gX5sTEqyc='; pin-sha256='Mq5prDs0m6V/+DEFM/ML3NysUtYTur+Pwoqzk8ZA0w0='; max-age=10; includeSubdomains;   

Configure HPKP in IIS

In this section, we will briefly discuss the steps to setup the HPKP on IIS.

• Under IIS Manager, expand the server name
• Select the site
• Under Features View, double click on HTTP Response Headers
• Under Actions, click on Add…
• Type in the Name: Pubic-Key-Pins and the value 

Another way to accomplish this is to add the header through the web.config. Refer to listing 12 to get an idea where to insert the headers

Listing 12
    <?xml version="1.0" encoding="UTF-8"?>  
    <configuration>  
        <system.webServer>  
            <httpProtocol>  
                <customHeaders>  
                    <clear />  
                    <add name="Public-Key-Pins" value="pin-sha256='aCJgrjda9Bvvpx791OQ8g6wksucYBFpmV3gX5sTEqyc='; pin-sha256='Mq5prDs0m6V/+DEFM/ML3NysUtYTur+Pwoqzk8ZA0w0='; max-age=10; includeSubdomains;" /> </customHeaders>  
            </httpProtocol>  
        </system.webServer>  
    </configuration>  

How to test it?
First we need to have a valid certificate or certificate that signs by a trusted CA. You will see a similar error message in figure 16 if the certificate not signed by a valid CA. That not an issue, we can manually add the certificate into the client machine trusted store. This section covers the steps to export and install the certificate on client machine.

Export the certificate
There are many ways to accomplish this task but for now, we will stick with Google Chrome. Let's start by opening the Google Chrome browser, navigate to the website. First thing you will see on the page is the "Your Connection is not private" warning. Click on the pad lock icon on the URL, then click on the Certification link under the Connection tab. Click on the Details tab, then click on Copy to file… button, click Next to continue. Under the Export File Format screen, select DER encoded binary X.509 (.CER), click on Next to continue. Pick a location to save the certificate file, click on Next and Finish to complete the certificate export process.

Install the Certificate
Browse to the location of the certificate, double click on it, Click on Install Certificate under the General tab. Leave the default option, click on Next to continue. On the Certificate Store screen, select Place all certificate in the following store, click on Browse and select Trusted Root Certificate Authorities and OK to close the window. Then click on the Next button to continue and Finish button to complete the installation. A warning message wills popup, click on Yes button to continue.

It will be much simpler to achieve the same on Internet Explorer (IE) browser. Here are the steps; right click the IE browser and then click on Run as administrator. Click on the Certificate error on the URL and then click on View certificates. Under the General tab, click on Install Certificate… button and repeat the step above to complete the certificate installation.

My other suggestion is, copy the certificate (myninja.ysa.cer) to the client machine and install it.

See the security control/policy in action
Now open the Google Chrome browser and navigate to https://myninja.ysa. You should see the difference between figure 16 and 18 where the certificate error no longer an issue.

On the same browser, open a new tab. Type in chrome://net-internals/#hsts on the URL, enter. Go back to previous tab and refresh the page, then click on the second tab (chrome://net-internals/#hsts), type in myninja.ysa in the domain textbox under query domain. Click on the query button and if everything is setup correctly you should see something similar to figure 19.

Next, open up the web.config, modify the primary key by adding a random character at the beginning of the key. Save it, restart the IIS to be sure. On the Chrome browser, refresh the first tab (https://myninja.ysa), on the second tab type in myninja.ysa in the domain textbox under query domain. Click on the query button and compare the result in figure 19 and 20. You will notice that the fields in blue dots were empty. In some situation, you will see the message "Not found" if the key is not valid.

Go ahead and remove the random character from the key in web.config. On the Chrome browser, refresh the first tab, on the second tab type in myninja.ysa in the domain textbox under query domain. You should see the result similar to figure 19 again.

If your site is public, you can scan the header through https://securityheaders.io/. Make sure to check the checkbox "Hide results" if you want to keep it private.

Remember early on, one of the purposes of certificate pinning is to prevent the adversary from carry on a Man-in-the-middle-attack (MITM) attack. One thing I can think of is using Fiddler as an example. If you don't have Fiddler, download a copy, it's free from telerik.com/fiddler. Open the fiddler and the refresh the site and you will see the result. Click on the advanced link to toggle the details. Close the Fiddler and refresh the page again. You will noticed that the page load normally without the warning message.

Next, open the web.config and tamper the public key pin by adding a random character to the primary key. Clear the browser cache (Ctrl + Shift + Del) and then navigate to the website again. Open the fiddler and the refresh the site and you should see the result in figure 22. Notice the different between the message in figure 21 and figure 22. The latter has a link "Proceed to myninja.ysa (unsafe)" which will allow the user to proceed to the site.

Point of Interest
If you pay attention to figure 21, the message said "You cannot visit myninja.ysa right now because the website uses HSTS". I'm not sure why it said HSTS instead of HPKP. HTTP Strict Transport Security (HSTS) is another important security policy which enforces all the communications to send over HTTPS. You can get information on how to implement it from here.

Another thing to keep in mind is that the HPKP configurations need to be updated each time we renew/replace the site SSL certificate. As mentioned in the beginning this security policy is not compatible with all the browsers yet and OWASP ranked it as low risk. Is always good to know how it works for future prosperity.

Conclusion
I hope someone will find this information useful and equip you for future opportunity. If you find any bugs or disagree with the contents or want to help improve this article, please drop me a line and I'll work with you to correct it.

A default document is the file that a web server displays when you browse to a folder without specifying a file name.

This is syntax:
<system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="Path of your Page" />
      </files>
    </defaultDocument>
</system.webServer>

Using IIS 7.5 you can set default document in Web.Config in easy way. Suppose i have to set CommingSoon.aspx page as default page then we should do like this in system.webserver tag.
<configuration>
<system.webServer>
<defaultDocument>
<files>
<add value="CommingSoon.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>

When IIS gets this new default document it adds with parent or global list of default documents.

To remove an individual default document from the list.
<files> 
<remove value="CommingSoon.aspx" /> 
</files>

To remove a default document entry from the inherited or parent list of default documents, do something like this: 
<files> 
<clear/> 
<add value="CommingSoon.aspx" /> 
</files>

At this article, I’m going to tell you how search out and replace any “_” (underscore) characters in a URL .htm file name and replace it with “-” (dash). The list I used to be given had file names with up to 7 underscores in any position in IIS 7.5. Example: my_file_name.htm

While I figured this might be a straight-forward task with IIS URL Rewrite, I used to be wrong. At the end I found that I either had to form one rule for every possible underscore count or write a custom rewrite rule. I went the one rule per count route. I scan in one journal you'll only spend to nine variables (). The other a part of the rule was they'd to be only in the “/articles/” directory.

My first challenge was simply to get regular expression in place. What I seen was that the IIS 7.5 UI’s “Test Pattern” utility doesn’t accurately test. Within the test this worked:
Input: http://www.webtest.com/articles/myfilename.htm
Pattern: ^.*\/articles\/(.*)_(.*).htm$
Capture Groups: {R:1} : "my", {R:2} : "test"

However, this doesn’t match in real-world testing. #1, don’t escape “/” (forward-slash). #2 the pattern is only matched against everything after the domain and first slash. So really, only this works:
Input: http://www.test.com/articles/myfilename.htm
Pattern: ^articles/(.*)_(.*).htm$
Capture Groups: {R:1} : "my", {R:2} : "test"

When  order to match against up to 8 underscores, you need 8 rules, each one looking for more underscores. So, Here is the code that I used:
Input: http://www.test.com/articles/myfilename.htm
Pattern: ^articles/(.*)_(.*)_(.*).htm$
Capture Groups: {R:1} : "my", {R:2} : "test", {R:3} : "file"

To do this with efficiency you only edit the web.config in the web root for that website. the end result concluded up being:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="AUSx1" stopProcessing="true">
                    <match url="^articles/(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}.htm" />
                </rule>
                <rule name="AUSx2" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*).htm$" />
                   <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}.htm" />
                </rule>
                <rule name="AUSx3" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}.htm" />
                </rule>
                <rule name="AUSx4" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}.htm" />
                </rule>
                <rule name="AUSx5" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}-{R:6}.htm" />
                </rule>
                <rule name="AUSx6" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}-{R:6}-{R:7}.htm" />
                </rule>
                <rule name="AUSx7" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}-{R:6}-{R:7}-{R:8}.htm" />
                </rule>
                <rule name="AUSx8" stopProcessing="true">
                    <match url="^articles/(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*)_(.*).htm$" />
                    <action type="Redirect" url="articles/{R:1}-{R:2}-{R:3}-{R:4}-{R:5}-{R:6}-{R:7}-{R:8}-{R:9}.htm" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

In the end this URL:
http://www.yourdomain.com/articles/my_file_foo_bar.htm

Becomes:
http://www.yourdomain.com/articles/my-file-foo-bar.htm

In this tutorial, I will tell you about Manage IIS with Appcmd. What is Appcmd? The appcmd.exe is a single command, used to manage IIS 7 and above. It is used to manage the Server without using a graphical administration tool. The appcmd is located in C:\Windows\System32\inetsrv (%systemroot%\system32\inetsrv\) directory. By default, it will not add into environment variable. 

Key Features 

• Creating and configuring the sites.
• To list the running worker process.
• Backup and restoring the site configuration.
• Retrieve the information about the Application pools.

Object Types

• List
• Add
• Delete
• Set
• Hide

Syntax

appcmd <objecttypes> <parameters>   

set path=%path%;%systemroot%\system32\inetsrv; //used to set the environment variable   

To list all the sites, use the command, given below:

appcmd list sites     

To get the details of a specific site binding and status (stopped/start), use the command, given below:

appcmd list site "Default web site"  

To list all the sites, which had been stopped, use the command, given below:

appcmd list sites /state:Stopped   

To add a new site, use the command, given below:

appcmd add site /name:"added using appcmd" /bindings:"http/*:81:localhost" /physicalPath:"D:\test"

To add an https binding to the site, use the command, given below:

appcmd set site /site.name:"added using appcmd" /+bindings.[protocol='https',bindingInformation='127.0.0.1:444:localhost']  

To list all the applications, use the command, given below:

Appcmd list app  

To change an application pool, use the command, given below:

appcmd set app "added using appcmd/app1" /applicationPool:appcmdpool  

To view the application pool details including the username and password of the app account, use the command, given below:

appcmd list apppool "MyAppPool" /text:*  

Backup

appcmd add backup   

appcmd add backup "locahostbkup"  

appcmd list backup   

appcmd delete backup "backup name"  

Restore

appcmd restore backup "locahostbkup "  

appcmd restored configuration from backup "locahostbkup"  

To view the list of the worker process, which will help us to attach the debugger in Visual Studio, use the command, given below:

appcmd list wps  

To view the list of the physical path, use the command, given below:

appcmd list vdirs /text:physicalPath   

To start and stop the sites, use the command, given below:

appcmd start site "Default web site"  

appcmd stop site "Default web site"

HostForLIFE.eu IIS 7.5 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.

In this article, I will explain about how to deploy nopcommerce in IIS. Those who don't know NopCommerce is open source free Online stores application(just like flipcart,ebay). It is built on ASP.NET MVC. There are many features in NopCommerce. NopCommerce also support wide range of plug-ins. You can create your own plug-ins also. You can found more details about nopcommerce at http://www.nopcommerce.com/

Deployment methods

You can Deploy NopCommerce in two way

• Tools provided by NopCommerce(*.bat)
• Using Visual studio.

First method is very easy to implement. Second method need some extra work.

It is always better idea to deploy production code in local IIS host before deploying it in live server. If your developing asp.net application in visual studio you will use IISExpress to run the application. Most of the time IISExpress may not show those error which will be shown by IIS. For example when i run the nopCommerce in visual studio it worked properly but when i deployed it in Local IIS i fond a unknown error "Could not load type 'System.ServiceModel.Activation.HttpModule......."

Deploying using NopCommerce tools

• Assuming you already download NopCommerce with Source(At the time of writing this post nopCommerce_2.80_Source.rar is the latest version). You can download NopCommerce with source at http://www.nopcommerce.com/downloads.aspx
• Extract nopCommerce_2.80_Source.rar at your desired location. I am using F:\DotNetProjects.
• The extracted folder contains below items.
  
  

• In that folder Prepare.bat, Deploy.bat are the deployment tool given by NopCommerce.
• First Run prepate.bat it will display bunch of text in command prompt and finally Build success message.
  

• Now Run Deploy.bat again it will show you bunch of text in command prompt and finally Build success message. If you observe a new folder called Deployable is created automatically. This is our production code we need to deploy in Live Server.
• Before we deploy it in live server we will deploy it in local IIS. Now Just go to you iis manager.
• Expand the items in your left sidebar. Right click on Default Web Site and select Add Application form the menu.
• Enter details. Physical path field must be point to your Deployable folder.
• Now open your broser and enter http://localhost/nop.
  
• If there is no error it will redirect you to http://localhost/nop/install folder where you need to enter details like admin email,password, db connection details and click install.
• If everything is ok NopCommerse Will install successfully.
  
  Error1:Could not load type 'System.ServiceModel.Activation.HttpModule' ... Problem Fix
  At step 10 in above process you may get this error.
  Could not load type 'System.ServiceModel.Activation.HttpModule' from assembly 'System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
  

• If you got this error you can resolve it by using simple tool "aspnet_regiis.exe".
  Just go to C:\Windows\Microsoft.NET\Framework64\v4.0.30319 (path may different for 32 bit pc)in your command prompt. Run the the tool like this. "aspnet_regiis.exe -iru" this will execute some command and the problem should fixed.

ERROR2:Setup failed: An error occurred while creating the database: CREATE DATABASE permission denied in database 'master'. error. fix
If you got this error there are different alternative you can fix this error. But I will explain most simple one only.

• Run NopCommerce.sln under nopCommerce extracted folder(Refer step 2).
• Run the NopCommerce Application (ctrl+f5). 3)It will prompt you to enter db details(refer step 11). Enter details as shown in step 11 and click install.
• This time you wont face any problem (as i told earlier at beginning).
• No go to F:\DotNetProjects\nopCommerce_2.80_Source\Presentation\Nop.Web\App_Data (may different in your pc) and copy InstalledPlugins.txt,Settings.txt to F:\DotNetProjects\nopCommerce_2.80_Source\Deployable\nop_2.80\App_Data(this is our Deployable folder)
• Now Go to http://localhost/nop.
  
  If it asked for db details enter exact details you entered before.
• Voila! you successfully installed NopCommerce.

Deploying nopCommerce using Visual Studio

• Go back to your to Visual studio where you open nopCommerce solution and build the solution.
• Right click on Nop.Web click publish.
• This will prompt you through publish web wizard  Enter details like Publish Method:File System,Physical path
• Now right click on Nop.Admin and publish with sub-directory as /Admin under same directory you selected in previous step.
• copy all files you found under /admin/bin to /bin.
• Now copy copy InstalledPlugins.txt,Settings.txt text to add_data folder(Just follow steps i explained in Errror2 section of this post).
• That's it everything is great now.
  

HostForLIFE.eu IIS 7.5 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.

Today I will show you, how to install IIS 7.5 a SMTP service and securing it.  Often the applications we deploy have a requirement to send alerts or messages to end users via system generated e-mails. If you have a mail server, such as Microsoft Exchange, installed in the same environment this usually handles this functionality for you. However, if the application is a standalone application which will deployed into an environment where no e-mail services exist, you will either need to implement a mail server which might be overkill if you are just going to be sending alerts and system generated messages, or create an SMTP service on the application server. A simple way to get this done is to install the SMTP server feature that is part of Windows Server 2008 R2 as well as every version of Windows Server before that. Once installed you would need to configure the SMTP service, test it and secure it. Below are the steps to follow:

Step 1 – Install the SMTP Service

Open Server Manager and go to ‘Add Features’ and Select ‘SMTP Server’. If you do not have IIS installed the server will prompt you to ‘Add Role Services and Features Required for SMTP Server’

Click ‘Next’ and the wizard will install the SMTP Server for you.

Step 2 – Set the SMTP Service to Automatic Start

By default Windows installs the service and sets it to manual start. If you restart the server at any time the SMTP service will not start automatically which will result in your application not being able to send any e-mail. Open the MMC Services Snap-In, Find the ‘Simple Mail Transfer Protocol (SMTP)’ Service and double-click it.

Set the ‘Start-Up Type’ to ‘Automatic’ Apply and close the window.

Step 3 – Open IIS 6.0 Manager

You will note on Windows Server 2008 (& R2) that it will install two IIS Managers. The SMTP server is managed through IIS 6.0 and not IIS 7.5.

Step 4 – Add a new Mail Domain

You now need to configure the mail domain. Expand the virtual folders on the left pane and then right-click on the centre pane. Select ‘New’ and ‘Domain…"’

Select the ‘Remote’ radio button and then click ‘Next’

Type your domain name in the text box provided and click on ‘Finish’. Do not add the @ symbol as per the example below.

Step 5 – Configure the New Domain

You now need to configure your new domain. Right-Click on the domain you have created and select ‘Properties’

Click on ‘Outbound Security’ and select your authentication type. In this example I am leaving the authentication to ‘Anonymous Access’ as I will lock down the server through limiting relay. Click ‘Ok’ and close all the domain windows.

Step 6 – Configure the SMTP Server

You now need to configure the SMTP Virtual Server. Right-click on the Virtual Server in the left pane and select ‘Properties’

Select the ‘Access’ Tab and Click on ‘Authentication’. Your Authentication at this level must match the authentication set at the domain level as per Step 5. In this example Anonymous Access is our preferred method.

Click on ‘Ok’ which will take you back to the previous window. Now click on ‘Relay’

An ‘Open Relay’ is the greatest risk to your SMTP server as it could be used by SPAMMERS to send their malware and other unsolicited mail. We are going to restrict this server to only accept mail and relay it for the localhost on which the application resides.
Ensure the Radio Button which states ‘Only the list below’ is selected. Untick the box which states ‘Allow all computers that successfully authenticate to relay, regardless of the list above’. Click on ‘Add’ and in the window provided type in the IP address of your server. Once done click ‘OK’.

Your ‘Relay Restrictions’ dialogue box should now look like the one below.

Click ‘Ok’. Your SMTP Server is now ready to send e-mail. You can click through the other configurations and change mail size limits and retry intervals etc. But by default the settings are good enough for this example.

Step 7 – Testing the SMTP Service

You can test the service using a Telnet session from the Command Line. Note that since Windows Server 2008 the Telnet Client is not part of the base install. You will need to install it using the ‘Add Features’ wizard as we did to install the SMTP Server in Step 1 above. If the server is situated behind a Firewall ensure that it will allow SMTP (TCP Port 25) outbound from your SMTP server.
Follow these steps as per http://support.microsoft.com/kb/153119
Open the Command Prompt and type ‘Telnet’ to start the Telnet client.
Type ‘set localecho’ hit enter and then type ‘open 127.0.0.1 25’ and hit Enter.

You will be presented with the SMTP Server Header.Now type ‘helo me’ note the single ‘l’ and hit Enter. The server will respond with Hello and the IP Address.
Now type ‘mail from:<yourname>@<yourdomain.com>’ and hit Enter. 
Now enter the address you want to send mail to by typing ‘rcpt to:<name>@<senddomain.com>.
Now type ‘Data’ and hit Enter.
Type ‘Subject:This is a test’ and hit Enter twice.
Type ‘Testing’ or anything else you want to send as body text and hit Enter.
type ‘.’ i.e. full stop and hit Enter.
Your mail should now be sent and should be received within standard e-mail timeframes.

HostForLIFE.eu IIS 7.5 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.

In this short article, I am going to explain you about Retrieve IIS Application Pool Password. I had to induce the password for application pool account in SharePoint so as to require the control on an existing environment. Here are the tools helped me to get app pool password:

1. IIS Metabase explorer - a part of IIS Resource kit - ensure "Secure Data" is checked.

2. SharePoint Manager - excellent tool for exploring the server objects. simply navigate to the target application pool, get the password from properties pane.

3. using APPCMD command tool to get App Pool Password:
Appcmd could be a command tool for managing IIS 7 and higher than. you'll be able to notice it under: C:\Windows\System32\inetsrv.

To retrieve the IIS Application Pool's password enter this command:
appcmd list apppool “<Your Application Pool Name>” /text:*

HostForLIFE.eu IIS 8.0 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.

First, you may have to be compelled to purchase a 2048-bit SSL certificate(s) and configure IIS. you'll got to purchase a multi-domain or wildcard certificate based mostly upon your wants. There are free certificates obtainable for bloggers and non-commercial organizations.

Create certificate request file
First we want to create a certificate request file. Once making the certificate request, we'll copy/paste the contents of the certificate request file into the SSL provider web site. Once their verification we'll be ready to download the resulting SSL certificate files.

Create Certificate Request
On the primary screen of the wizard you may have to be compelled to give the details for your organization. The important part is to specify the Common name as your fully qualified domain name (FQDN) — together with appropriate subdomain. Here i'm simply using “www.example.com”.

Next, make certain to specify the bit length of your certificate to 2048. supported todays standards, this is often the length to decide on. Any shorter isn't secure enough, and any further isn't necessary and can produce unnecessary cpu cycles on your server.

The next step is to specify the file name for the certificate request file. I store all of my SSL certificates and associated files in folder on the C drive: C:\ssl. Then, merely click the finish button.

We will currently open up the resulting .txt file and copy and paste the contents into the SSL provider’s web site. however and wherever you do this can rely on the SSL provider you selected.

Install certificate in IIS
Once you have got completed the certificate signing request, your SSL supplier can notify you once the SSL certificate is prepared and accessible for you to transfer. After downloading the SSL certificate file (csr), complete the certificate request in IIS.

To complete the certificate request, choose the SSL certificate file (crt) and enter the Friendly name. The friendly name is for you to understand that SSL certificate is that in IIS. For best practices, I continuously name these to match the absolutely qualified domain name.

Add HTTPS Binding
The last step is to bind our web site in IIS to the HTTPS port (443). Note that the common name (FQDN) for the certificate should match the host name for the location that you just are configuring.  To get started right click on the site in IIS and choose Edit Bindings.

Then click the Add… button to add a replacement binding. we'll choose https because the kind, the suitable IP address on the server to bind the web site to, then choose the SSL certificate file and click on OK. you're now serving the web site using HTTPS. move and open your browser and enter the full domain with the https:// protocol specification to look at the location a new HTTPS.

HostForLIFE.eu IIS 7.5 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.

After following several posts and tutorials on properly fixing IIS dynamic compression for JSON responses, i used to be still reaching a dead finish. For no matter reason, my responses were still uncompressed. Apparently, using the NetworkService account doesn’t perpetually play nicely with static or dynamic content compression.

The NetworkService account doesn’t have permission to the IIS Temporary Compressed Files folder, preventing it from writing and reading out compressed streams. The best thanks to get around this can be by adding the NetworkService account to the IIS_IUSRS group (which already has permissions to the IIS temporary folder).

1. First step, Open the local Users and groups management console.

2. Next, Select Groups from the sidebar.

3. Now, open the IIS_IUSRS property window.

4. Click Add, then enter Network Service as the user. Make sure to have your nearby workstation as the area, then Check Names to make certain you entered everything effectively. Click OK.

5. Next, Click OK on the IIS_IUSRS property window.

6. Close the Local Users and Groups management console
7. Restart IIS

Dynamic compression should be working now!

By default, IIS can not upload large file size to the web server. For IIS 6 and IIS 7, the default maximum file size for upload is 4 MB and 28.6 MB respectively. IIS 7 will throw a 404 error (HTTP Error 404.13 - CONTENT_LENGTH_TOO_LARGE) if user upload file larger than 30MB. In order to allow for larger file size uploads, a few server changes are required.  You have three steps to increase the file upload limit:

1. Modify the maxAllowedContentLength setting in the web.config
You could increase the max file size by modify the maxAllowedContentLength setting in the web.config file: <system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="2147483648" />
    </requestFiltering>
  </security>
</system.webServer>

With that maxAllowedContentLength, users can upload files that are 2 GB in size. This setting will work right away without restart IIS services.

2. Edit the request filtering feature settings and therefore the request limits using IIS manager

• Open IIS Manager.
• Choose the web site that you simply wish to configure.
• Check that you're in features view per the button at the lowest of the manager.
• Choose Requests Filtering and open it by double-clicking the icon. The Request Filtering pane displays.
• From the Actions pane on the right hand side of the screen click Edit Feature Settings... link. The Edit Request Filtering Settings window displays.
• In the Request Limits section, enter the appropriate maximum allowed content length (Bytes) then click the OK button.
• Next, Restart IIS.

3. Manually edit the ApplicationHost.config file

• Click start. In the start Search box, type notepad. Right-click notepad, and so click Run as administrator.
• On the File menu, click Open. within the File name box, type %windir%\system32\inetsrv\config\applicationhost.config, and so open.
• Within the ApplicationHost.config file, find the  node.
• Take away the maxAllowedContentLength property. Or, add a value that matches the scale of the Content-Length header that the client sends as a part of the request. By default, the worth of the maxAllowedContentLength property is 30000000.
  For instance, modify the subsequent configuration information within the  section.

  <requestLimits maxAllowedContentLength ="<length>" />
  

• Finally, Save the ApplicationHost.config file.