When you look at the application mappings on an IIS server, it is not obvious what functions the extensions serve. Nevertheless, it is a “best practice” to remove the extensions that you do not require.
In particular, when ASP.NET is installed, the .NET application mappings are added to IIS on the presumption that the web server is being used for application development. The function of the ASP.NET file extensions is not obvious, and it is quite a task to figure out what each of them does. You will want to remove most of the extensions on a production server.
Use this list to guide your selection. If you aren't sure whether an application mapping is in use on your server, I would suggest you use the Log Parser tool to parse your live IIS logs looking for the extension.
Thanks to Rich Durso for this list.
IIS Page Extensions
| Extension | Description |
| --- | --- |
| .asa | Active Server Application. Note: This extension cannot be accessed via a browser. It is prohibited by ASP for security reasons. |
| .asp | Active Scripting Page, ASP code embedded in an HTML page. |
| .cer | Certificate file. Useful when certificate services is installed. |
| .cdx | Active Channel Definition File |
| .htm, .html | Standard Hyper Text Markup Language pages |
| .htr | Web-Based Password Reset. Note: If used, be sure this is mapped to .asp. This is automatically done in Windows 2004 SP4. |
| .htw | Index Server: Outdated technology for querying Index Server. Use ASP. |
| .ida | Index Server: See .htw |
| .idc | Internet database connector (very old, do not use) |
| .idq | Index Server: See .htr and .htw |
| .printer | Internet Printing: Does anybody use this? |
| .stm | Server-Side Includes embedded in HTML page: Most of these functions can be done with .asp |
| .shtm, .shtml | Server-Side Includes embedded in HTML page: See .stm |
ASP.net File Extensions
By default ASP.NET associates 18 extension mappings with the %SystemRoot%\Microsoft.NET\Framework\%VersionNumber%\Aspnet_isapi.dll file.
| Extension | Description |
| --- | --- |
| .asax | ASP.NET version of the older .asa file |
| .ascx | User Control, can be a full page or component. |
| .ashx | Custom ASP.NET HTTP handler |
| .asmx | ASP.NET Web Service |
| .aspx | ASP.NET Web Pages |
| .axd | Custom HTTP Handler – can be a physical file or a dynamically generated file. |
| .config | ASP.NET Configuration File |
| .cs | C#.NET Source File |
| .csproj | C#.NET Project File |
| .licx | Licensing file used by some assemblies |
| .rem | ASP.NET Remoting Resource |
| .resources | Resource file created by ResourceWriter class or Resource Generator (Resgen.exe). |
| .resx | Resource file, used for globalization. Pairs to a similarly named .aspx file. |
| .soap | Schema file for a Web Service. |
| .vb | Visual Basic.NET Source File |
| .vbproj | Visual Basic.NET Project File |
| .vsdisco | Discovery file for Web Services. |
| .webinfo | Contains path to project on development servers for Web Application or XML Web Services Projects. |
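The log check suggested above, sketched in Python as an added example (it is not part of the original page and is not Log Parser itself): it reads IIS W3C extended logs, tallies requests per extension, and lists the mapped extensions that never returned a 2xx/3xx response. The function names and the sample log are constructed for illustration.

```python
import posixpath
from collections import defaultdict
from urllib.parse import unquote

# Script-mapped extensions from the two tables on this page
# (.htm/.html are static content, not application mappings).
MAPPED = {
    ".asa", ".asp", ".cer", ".cdx", ".htr", ".htw", ".ida", ".idc", ".idq",
    ".printer", ".stm", ".shtm", ".shtml", ".asax", ".ascx", ".ashx",
    ".asmx", ".aspx", ".axd", ".config", ".cs", ".csproj", ".licx", ".rem",
    ".resources", ".resx", ".soap", ".vb", ".vbproj", ".vsdisco", ".webinfo",
}

def handler_extension(uri_stem):
    """Return the lower-cased extension that would select a mapping."""
    segments = [s for s in unquote(uri_stem).lower().split("/") if s]
    # A mapped script can be followed by extra path info (/a.asp/x/y),
    # so check every segment, not only the last one (a simplification).
    for seg in segments:
        ext = posixpath.splitext(seg)[1]
        if ext in MAPPED:
            return ext
    return posixpath.splitext(segments[-1])[1] if segments else ""

def extension_usage(lines):
    """Map extension -> [successful, other] request counts."""
    fields, usage = [], defaultdict(lambda: [0, 0])
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The header can reappear mid-file with a different column set.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if "cs-uri-stem" not in row:
            continue
        ok = row.get("sc-status", "")[:1] in ("2", "3")
        usage[handler_extension(row["cs-uri-stem"])][0 if ok else 1] += 1
    return dict(usage)

def removal_candidates(lines):
    """Mapped extensions that never produced a 2xx/3xx response."""
    usage = extension_usage(lines)
    return sorted(e for e in MAPPED if usage.get(e, [0, 0])[0] == 0)

# Constructed sample log (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-01 10:00:01 192.0.2.10 GET /Default.ASP - 200
2003-05-01 10:00:02 192.0.2.10 GET /images/logo.gif - 200
2003-05-01 10:00:05 192.0.2.77 GET /null.ida - 404
2003-05-01 10:00:09 192.0.2.10 GET /app/report.asp/2003/05 - 200
#Fields: date time cs-method cs-uri-stem sc-status
2003-05-01 11:30:00 POST /svc/orders.asmx 200
2003-05-01 11:30:04 GET /web.config 403
""".splitlines()

if __name__ == "__main__":
    for ext, (ok, other) in sorted(extension_usage(SAMPLE_LOG).items()):
        print(f"{ext or '(none)':10} ok={ok} other={other}")
    print("never served:", ", ".join(removal_candidates(SAMPLE_LOG)))
```

Treat the result as a review list rather than a removal script: an extension that only ever returns 404 is being requested but not used, while ASP.NET maps extensions such as .config and .cs precisely so that requests for those files are refused, so a 403 there shows the mapping doing its job.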
Backup & Restore of the IIS Metabase - What tools can I use?

Conflicts between ZoneAlarm and IIS

Current Microsoft Security Patches

Microsoft Security Columns

NTBugTraq

Designing and Planning Windows NT External Security
A security policy should ensure the reliability, availability, and supportability of all systems and data on a Windows NT external network—the part of the network that is unsecured or exposed to the Internet.

Network Security Secrets
Discusses Security practices with regard to Windows-based networks, as well as monitoring, encryption and firewalls.

NT Security - Frequently Asked Questions

Security Services for Windows NT
The Security section of the Windows NT site provides overviews, technical details and resources for Windows NT security.

Security Services in Windows 2000

Windows 2000 Security Services
In-depth information and deployment procedures for the Windows 2000 Security Services, including security management using the Microsoft Security Configuration Tool Set, support for IP Security, the Encrypting File System, Public Key Infrastructure, smart cards, and Kerberos.

Windows 2000 Security Technical Overview

Authentication and Security White Paper for Internet Developers
This article is a pointer to a white paper available for download. The white paper discusses Windows NT security as it relates to Internet Information Server (IIS) so that you can effectively troubleshoot security-related problems. It covers the three forms of authentication, how they differ, several ways of controlling access to key areas on your Web server, and the important, but almost universally misunderstood, concept of "delegation." Understanding delegation is mandatory for anyone building a data driven Web site using IIS. Understanding how Windows NT handles different "users" will potentially save you days or weeks of troubleshooting.

Basics Of Security for your Web Site
When thinking about security for your site, you need to be concerned with several discrete areas, as well as a few basic concepts.

Configuring IIS 4.0 Certificate Authentications
Wouldn't it be nice if you could give your trusted users transparent access to your secure Web site?

Front Page Security
The Microsoft FrontPage built-in security management features allow you to set role-based permissions on FrontPage-extended webs (or nested subwebs).

How to Create Secure, Web-Based Business Solutions Based on Windows 2000 Server and IIS 5.0
Leverage the Web, Windows 2000 Server and IIS 5.0 to create secure intranet, extranet, and Internet business solutions for your employees, partners and customers. We'll cover issues related to IPSEC, Certificates, Smart Cards, Kerberos, Digest Authentication, Active Directory and Group Security Policy. Also includes a link to an Interactive Tutorial...

HTR and RDS Attacks

Immediate intrusion detection: Catching hackers red-handed on your web server!
This white paper focuses on how administrators can set up their web servers successfully and safely. Describing the tools used by hackers to gain backdoor access to your IIS web servers, this paper details the necessary steps to detect successful intrusions on your network, as well as explaining how to prevent such attacks to your web server, using LANguard Security Event Log Monitor.

Install and secure an NT IIS 4.0 Server:

Internet Server Security - How security issues apply to Active Server Pages.

Resources for Securing Internet Information Services

Securing IIS on Windows 2000

Showcode.asp - A lesson in Internet Security

Technet Web Site Security

The World Wide Web Security FAQ

Withstanding Denial of Service (DoS) Attacks

GFI LANguard Network Security Scanner
LANguard Network and Port scanner is a freeware security & port scanner to audit your network security. It scans entire networks and provides NETBIOS information for each computer such as hostname, shares, logged on user name. It does OS detection, password strength testing, detects registry issues and more. Reports are outputted in HTML.
It allows you to scan your network from a 'hacker's' perspective: It will identify all machines, their NETBIOS info, open ports, shares and more - giving you exactly the same information that a hacker would have. With the information from GFI's security scanner, you can proactively start securing your network - shutting down unnecessary ports, shares, etc.

GFI LANguard Security Event Log Monitor
LANguard SELM is a network wide event log monitor that retrieves logs from all NT/2000 servers and workstations and immediately alerts the administrator of possible intrusions. Through network wide reporting, you can identify machines being targeted as well as local users trying to hack internal company information. LANguard analyses the system event logs, therefore is not impaired by switches, IP traffic encryption or high-speed data transfer. 1 server, 5 workstation version is free of charge.

GFI Mail Security for Exchange / SMTP
Provides email content checking, exploit detection and anti-virus for Exchange. Can be deployed at the gateway level, or at information store level (based on the Exchange 2000 VS API). Key features include: Multiple virus engines - Don't depend on 1 only; Email content & attachment checking - Quarantine dangerous emails; Exploit shield - Email intrusion detection & defence; Email threats engine - Analyses & defuses HTML scripts, .exe files & more. Download your free eval!

N-Stealth® Security Scanner - Scan for over 19,000 vulnerabilities and exploits.

Security Planning Tool for IIS
A tool is available for web designers that explains Windows NT security as it relates to Internet Information Server (IIS). It covers authentication mechanisms, how they differ, several ways of controlling access to key areas on your Web server, and the important, but almost universally misunderstood, concept of "delegation".

Windows 2000 IIS 5.0 Hotfix Checking Tool
The HFCheck tool allows IIS 5.0 administrators to ensure that their servers are up to date on all security patches. The tool can be run continuously or periodically, against the local machine or a remote one, using either a database on the Microsoft web site or a locally-hosted copy. When the tool finds a patch that hasn't been installed, it can display a dialogue or write a warning to the event log.

Defending against RDS (Remote Data Service) attacks

Microsoft Security Bulletin Search - IIS 4

Microsoft Security Bulletin Search - IIS 5

Up to date and accurate list of HOLES that affect Microsoft IIS Web Server

IIS 4.0 Security Checklist
This table outlines some of the steps you should take to secure a Windows NT 4.0 Server running Microsoft Internet Information Server 4.0 on the Internet. Note, this document does not take into consideration firewalls or proxy servers. It also assumes the company has a security policy in place.

INTERNET INFORMATION SERVER 4.0 SECURITY - Graded Security Configuration Document
This document provides a series of recommendations on the choices or grades of security installation that are possible, using Internet Information Server version 4 on Windows NT. This document is designed to work hand in hand with the Windows NT security configuration document, also available from the InterSect Alliance web site. Some of the settings may be dependent on the patch level and service pack version in use, and therefore differences may exist between this document and the actual registry settings and values on your machine.

Microsoft Internet Information Server 4.0 Security Checklist

Microsoft Internet Information Server 4.0 Security Checklist Further Details

Secure Internet Information Services 5 Checklist

Windows NT C2 Configuration Checklist
This checklist outlines the steps you should take to duplicate the C2-evaluated configuration of Windows NT Server 4.0. Note that following this checklist does not make your installation C2-compliant; it merely assures you that the software configuration matches the configuration that the NCSC evaluated.

Exchange Server Security

Public Key Security in Windows 2000

SSPI and Cryptographic Layers

ASP.NET with Visual Studio.NET - Demo 3: Web Application Security
This session will look at ASP.NET, the next version of ASP. ASP.NET is a compiled .NET Framework-based environment. This allows developers to author applications in any .NET Framework compatible language, including Visual Basic®, Visual C#™, and JScript®. ASP.NET improves deployment, scalability, security, and reliability. ASP.NET also addresses the browser compatibility issues with the Web Forms technology. It will demonstrate how to build Web applications with Web Forms, using Visual Studio.NET. It will also discuss the ASP.NET Web application security. Other advanced topics covered in this session include configuration, caching and optimization.

Fundamental Cryptography and Certificates on the Internet

How to Optimize a Web Site for High Performance and Security with Internet Information Server 4.0
Learn how to install and configure Internet Information Server (IIS) 4.0 and how to configure IIS security. Also covered are techniques for managing Web sites, tips for determining server capacity, and methods to monitor the performance of your Web server.

IIS5 Security Best Practices

IIS5 Security Guidelines
A short presentation regarding designing secure Web sites using Microsoft® Windows® 2000 and Internet Information Services 5.

Inside Microsoft®, the deployment of Internet Security and Acceleration Server 2000 Enterprise Edition
A first hand account of deploying Internet Security and Acceleration Server (ISA) 2000 Enterprise Edition. Presented by one of the engineers responsible for designing and implementing the computing infrastructure used inside Microsoft®. This presentation provides insight as to how ISA Server 2000 was actually deployed inside Microsoft.

Managing and Deploying Office Server Extensions: Hosting Options, Security and Permissions
Is Web security a concern for you and your company? Discover the planning process for Microsoft® Office 2000 Server Extensions (OSE), including hosting options, security, and permissions.

Microsoft Seminar OnLine Home Page

Microsoft Windows 2000 Public Key Security Part 1: Basic Concepts and Architecture
Discover the basics of cryptography including symmetric key cryptography, public key cryptography, and many more. July 20, 2000

Microsoft Windows 2000 Public Key Security Part 3: Protocols and Applications
Join us as we spotlight the protocols and applications that use the public key infrastructure built into Windows 2000. July 20, 2000

Microsoft Windows 2000 Security Architecture
Explore enterprise single sign-on within Windows 2000 Security Architecture. Plus integration, security provider architecture, and the public key security components. Finally, the encrypting file system, network data protection, and security policy. July 17, 2000

Microsoft Windows Public Key Security Part 2: Features and Functionality
Utilize policy management to manage Public Key policies, such as trust relationships and the certificate management infrastructure. July 20, 2000

Microsoft® Office XP Deployment And Administration - Module 11 -- Office XP Security
This module provides a detailed look at the Security enhancements and new Security features in Office XP designed to protect your organization's confidential information and prevent malicious attacks from malware. This module also includes recommendations for practical security implementation.

What is the ISM (Internet Service Manager)

Windows 2000 Network Security Deployment
Get an overview of how to deploy network security in the Windows 2000 environment, and review basic security technologies in several deployment scenarios. Feb 2000

Windows 2000 Security and Directory Overview
Get an overview of Microsoft Windows implementations — from Smart Cards to Server Clusters — and investigate three aspects of Windows 2000: Directory Services, Security Services, and Windows Terminal Services. November 1999

Get EMAIL notification from Microsoft about Security Issues

SecurityFocus.COM - General Security for Microsoft, Sun, Linux, and IIS

TechNet Security Training Site

The latest Security Alerts from GFI

The RSA Site
The RSA Site is one of those places where the idea of Web security began. If you need information about encryption, this is a good place to look. The site includes some very technical information on encryption, as well as a complete set of all of the more common encryption standards.

The SANS Organization
The SANS Organization is another resource with a wide variety of materials. They have technical papers, posts about security holes and attacks, software tools, links to other great resources, and more.

The Windows NT Security Site
The Windows NT Security Site has up-to-date information on security issues in Windows NT and much more.

From Blueprint to Fortress: A Guide to Securing IIS 5.0
This document provides a blueprint for administrators and system architects to secure a Microsoft® Internet Information Server (IIS) 5.0 Web server. This document helps you lay the framework to design and implement a secure Web server on Microsoft technology. It is important that you carefully review these suggestions and use them to derive your own corporate settings and policies.

IIS 5.0's New Security Features

Securing IIS 5.0 Using Batch-Oriented Command Files
This white paper describes the use of command files or batch programs to automate the security settings on a Web server running Windows 2000 Server or Windows 2000 Advanced Server and Internet Information Services 5.0 in an enterprise environment. This white paper is intended for system administrators and assumes familiarity with Windows 2000 Server and IIS 5.0, registry settings in the operating system, and metadata settings in IIS 5.0. This paper will not attempt a detailed explanation of registry settings or metadata settings. For that information, turn to the documentation for Windows 2000 Server and IIS 5.0.

Accessing Network Files from IIS Applications
Accessing files on a computer other than your Internet Information Server (IIS) server from an Internet Server API (ISAPI) extension, Active Server Pages (ASP) page, or Common Gateway Interface (CGI) application can be problematic. This article lists the issues involved and some possible ways for getting this to work.

Authentication and Security White Paper for Internet Developers
The white paper discusses Windows NT security as it relates to Internet Information Server (IIS) so that you can effectively troubleshoot security-related problems. It covers the three forms of authentication, how they differ, several ways of controlling access to key areas on your Web server, and the important, but almost universally misunderstood, concept of "delegation." Understanding delegation is mandatory for anyone building a data driven Web site using IIS. Understanding how Windows NT handles different "users" will potentially save you days or weeks of troubleshooting.

Learn More about Security!
This page provides links to a large number of articles which explain specific aspects of security for the web site developer/administrator. Well worth a good read!

List of Services Needed to Run a Secure IIS Computer
The following list outlines which services are required, as well as those that are NOT required, and those that MAY be required, to run Internet Information Server (IIS) version 4.0 on a secure server. Your particular network or system configuration can change some of the parameters. For example, some intranets require WINS and DHCP.

Microsoft Security - Home Page

Security Ramifications for IIS Applications #1
Securing Web sites is a critical issue for Web developers. It is also one of the most potentially confusing. A secure system requires careful planning, and Web site administrators and programmers must have a clear understanding of the options for securing their site. In addition, they need to understand how all of the various security subsystems interact.

Security Tool - What If
The purpose of this article is to explain how to install, use, and uninstall the IIS Security "What If" tool. The IIS Security "What If" tool is a Dynamic HTML (DHTML) utility designed to assist in troubleshooting security issues with IIS.
Try it here

Security with Windows NT and IIS: A Primer
Is setting up the proper level of security on your IIS installation proving to be a headache? This guide to your options can ease the pain.

Understanding Internet Information Server Security

Untangling Web Security: Getting the Most from IIS Security
This article contains detailed explanations of some of the misunderstood security features in Microsoft® Internet Information Server (IIS) 4.0, including client certificate mapping, IP address restrictions, Secure Sockets Layer (SSL) server bindings, and Web permissions. You'll not only find out how these features work, but also how to optimize their configuration.

What sort of NTFS file permissions do I need to use an Access Database from ASP?
When you write applications for Internet Information Server (IIS), you should be aware of the ramifications that security can play when your application is launched by Internet Information Server. When configuring IIS, many users make quick assumptions that will not resolve security issues in all circumstances. This article describes the details regarding security and IIS.

Windows Media Player Presentations about IIS Security

COM and Security Packages

COM and Security Packages

COM Security Frequently Asked Questions
The COM/DCOM security model enables the creation of secure distributed applications. COM security can be applied to both existing (legacy) COM components via external configuration as well as new COM code via the COM security APIs and interfaces. This document provides tips and techniques, as well as troubleshooting information, for developers of secure COM components.

Multiple Web sites under Professional?

Security in COM #1

Security in COM #2

Security in COM+

Implementing a Secure Site with ASP
In order to develop a secure site one must understand the paradigm that IIS and ASP run under with Windows NT. That is what this article is devoted to.

Information on Cross-Site Scripting Security Vulnerability

Patch Available for "Undelimited .HTR Request" and "File Fragment Reading via .HTR" Vulnerabilities
This problem can allow web site visitors to view your ASP source code!!!!!

Sample Chapter 5: Internet Information Services Security Overview