Recent Discussions
IIS hardening with CIS standards - tools and options
Hello IIS experts. Please suggest on best strategy for hardening on-prem IIS farm to CIS standards. I'm also interested in recurring audit of the results. There is a number of commercial products allowing to scan IIS for CIS Benchmarks. The latest "CIS Benchmark for Microsoft IIS 10" available to download in PDF format free of charge at https://www.cisecurity.org/cis-benchmarks/. However in this instance CIS does not offer "Build kit". Depends on product to be hardened, CIS "build kit" can be set of scripts, GPO policy or similar to allow rapid hardening deployment. Since there is no Official build kit I'm looking for alternatives. Can you please share your experience on this subject? I found few blogs but those are quite old.
Disabling Certificate Revocation List (CRL) Caching on IIS 10.0
Background Hello, community members! I am trying to disable CRL caching on IIS 10.0 in order to be able to fetch updated version of CRL each time I make a request to my website. It is required for development purposes: I revoke or un-revoke client certificate, publish latest CRL on my CA and want IIS to check the latest information. Setup What I completed as a setup step: Exported root CA certificate and installed it on my computer by following these articles: HTTP Error 403.16 when you access a website - Internet Information Services | Microsoft Learn and Export Root Certification Authority Certificate - Windows Server | Microsoft Learn. Set "Accept" for client certificates on IIS. Checked following materials about IIS CRL settings: CRL checking by IIS - Microsoft Community Hub, HTTP_SERVICE_CONFIG_SSL_PARAM (http.h) - Win32 apps | Microsoft Learn, Disable Client Certificate Revocation (CRL) Check on IIS | Microsoft Learn. Actions What I am trying to do to disable CRL caching on IIS: Delete existing SSL binding for my website: netsh http delete sslcert ipport=0.0.0.0:3010. Add binding which tells IIS to download CRL each 10 seconds and not to cache it (see bold text): netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000. Bold text parameters mean that we enable CRL checking, refresh CRL each 10 seconds and set HTTP timeout for CRL download to 30 seconds (30000 milliseconds). Verify that the information has been updated. If CertCheckMode is set to 4, certificate revocation verification will be done by downloading the remote CRL, even if we have the valid cached CRL on the server. It ignores the cached CRL completely. Restart IIS or reboot the machine: iisreset. Clear CRL cache: certutil -urlcache crl delete. Publish new CRL and verify that it doesn't contain our certificate. Send not revoked certificate: 403 status has been returned by IIS. This means that IIS uses cached CRL and above-mentioned settings for IIS doesn't work. If I disable CRL checking it works: verifyclientcertrevocation=disable. CRL is reachable. Question What settings should I change in order to disable CRL caching on IIS 10.0? I want IIS to download CRL each time I make a request to it.
Windows authentication with IIS
Can someone more familiar with IIS provide a link or a technical document that explains how to set up an IIS 10 server to reliably use Windows Authentication? I have two IIS servers, one which was set up by a previous admin, where I can open the site and my Windows credentials are recognized. The second site, where I've tried to duplicate the settings seen on the first, always presents the username/password challenge.using IIS URL Rewrite module for HTTP to HTTPS
I have installed the URL Rewrite module in IIS 10 to redirect HTTP calls to HTTPS, and I have attempted to set up the redirect but have not gotten it working on one server. Here is the issue: Server1 with IP 1.1.1.1 is running IIS with an https enabled website. An outside DNS has assigned gohere.com to IP 1.1.1.1. When users attempt to get to http://gohere.com the connection times out and it is not redirected to https://gohere.com Accessing https://gohere.com works without an issue. Here is the rewrite code from the web.config file. <rewrite> <rules> <rule name="HTTP to HTTPS" patternSyntax="Wildcard" stopProcessing="true"> <match url="http://gohere.com*" /> <conditions> <add input="{HTTPS}" pattern="^OFF$" /> </conditions> <action type="Redirect" url="https://gohere.com" appendQueryString="false" /> </rule> </rules> </rewrite> I have also tried using match url=".*" Any ideas on what might be causing the issue? Or something to try to get it working? Thanks! JimIIS Authentication Error
IIS is displaying Authentication status as retrieving status... for all the groups. when i tried to disable them, a pop up error (attached below) is displayed. i tried removing the authentication tag in web.config and it's not working. i tried removing the security tag and still not working. it was working two days back with the same config file
How to prevent Malicious HTTP Redirections on an Exchange server
Hello All! I am attempting to assist a customer who is trying to pass PCI scans. By default, their IP addresses redirects any HTTPS (443) requests to the Exchange server's OWA. This is fine, except the scan states that the server does not pass a couple of vulnerabilities, one of them being "Redirection via Arbitrary Host Header Manipulation". As a solution, they recommended whitelisting domains, only allow permitted domains to be included in the Host header. I (for the life of me) cannot figure out how to get this to work on a server who's default website is the Exchange OWA. Every time I try to implement a rule in IIS (see: https://techcommunity.microsoft.com/t5/iis-support-blog/host-header-vulnerability/ba-p/1031958) that would redirect any requests that don't match the supplied string to the desired domain name, the page won't load and I get "ERR_TOO_MANY_REDIRECTS" presumably because of Exchange's automatic OWA redirection. Is there a way I can prevent malicious HTTP redirections without breaking OWA? To clarify: there are two domain names on our DNS that lead to the IP address of the Exchange server: mail.domain.com and vpn.otherdomain.com, obviously one is meant for mail and the other one is meant for vpn access over port 8443. The main domain (domain.com) leads to a completely different IP address that hosts their public website. I would like to change the IIS settings on the Exchange server so that mail.domain.com is the only domain allowed to be requested through an HTTP request.
IIS : application fails when http redirect to https.
Hi guys, I don't know why but my C# ASP.NET ( .NET Framework 4.8 ) base application does a redirect to https. It calls another https C# ASP.NET ( .NET Core 3.1 ) application inside a IFRAME. It fails because the csrf token cookies cant be read when an ajax requests is sent from an http page. On code side no relevant issues found, but out it ops says that on our side is all ok. In the card I reported what I found in a wide-ranging search in the literature. The research I did revealed the following: SameSite should be as much as set to Lax. The ideal would be to make the site work by setting the authentication cookie to Strict even if there are cases that are difficult to manage. The ideal would be to run everything on https, but this does not mean solving the current problem we have. We do not recommend the use of iframes or otherwise doing everything possible so that the site can not be included in an iframe. Waiting for your replay. Thank's in advance. Simone
FTPS (FTP TLS) Using IIS on Windows server 2019 broken - Passive port connection or cert suspected?
Hi all I hope someone out there can help. I have an FTPS server set up using IIS explicit FTP over TLS. I don't use this a lot its mainly for getting files when I am out and about. Last time I tried to access the FTP site it had stopped working (a few months ago). I have had a bit of time to trouble shoot but am drawing a blank as to why it doesn't work. I believe it is something to do with he passive port range, or maybe a certificate issue? Just to be clear it was working and has now broken. There has been minimal changes on the server but nothing that should affect the FTP site. Updates etc. The FTP ports specified are open in the firewall. These ports are also forwarded in my router. The external IP address is specified for the FTP at site level. The passive post range (5000-5100) is specified at server level. SSL is set to required and a current certificate is selected. What I have tried: Created new firewall rules. Turned the firewall off. Made no difference. Set the SSL policy to allow SSL connections and I can connect without encryption, so the site still works. Upon setting back to required I can no longer connect. Used a port scanner on a mobile network and scanned the passive ports using both my ftp host name and external IP address with wireshark running on the server. Traffic is getting through on ports 5000-5100 as expected. When I try to connect from an external source I get traffic on port 21 on the server but nothing in the 5000-5100 range. My FTP client software (on my phone) hangs at 234AUTH command ok. Expecting TLS Negotiation. If I test the site using ftptest.net it connects and brings up the directory listing. There are a couple of warnings about IPv6 not implemented and MLSD. If I try to connect to the FTP site over the internal network using WinSCP or FileZilla it will connect but only in active mode (so not using passive ports). If I use my phone over the internal network it will connect using passive mode, but oddly only brings up the directory listing if I use the external IP address rather than the host name. Connecting using the host name on the phone gets stuck at LIST, 40 Opening ASCII mode data connection. FileZilla and WinSCP both work with hostname (active mode). This has left me scratching my head any ideas would be appreciated. ThanksIIS | APPCMD.exe nedir? (tr-TR)
AppCmd.exe, IIS 10.0 ve üstünde bulunan web sitelerini yönetmek için kullanılan komut satırı uygulama aracıdır. AppCmd, web sunucunuzu GUI kullanmadan kolayca kontrol etmenizi yönetmenizi kolaylaştıran komutlar bütünüdür. AppCmd başlıca kabiliyetleri aşağıdaki gibidir. Siteler, uygulamalar, uygulama havuzları ve sanal dizinler oluşturup yönetebilirsiniz. Siteleri, site havuzlarının işlemlerini başlatıp ve durdurabilirsiniz. Aktif işlemleri listeleyin ve anlık yürütülen işlemleri inceleyebilirsiniz. IIS yapılandırma ayarlarınızı import yada export edebilirsiniz. Appcmd.exe çalıştırmak için sisteminizde IIS 10.0 yüklü olması gerekmektedir. Ek bilgi olarak belirtmek isterim. IIS 7.0 ve sonrası web serverlarda appcmd.exe komutunu kullanabilirsiniz. Appcmd.exe komutunu çalıştırmak için CMD komut satırınızı yönetici olarak çalıştırınız ve "%windir%\system32\inetsrv\" dizinine gidiniz. Appcmd.exe yazıp enter basınız. C:\windows\System32\inetsrv>appcmd.exe General purpose IIS command line administration tool. APPCMD (command) (object-type) <identifier> </parameter1:value1 ...> Supported object types: SITE Administration of virtual sites APP Administration of applications VDIR Administration of virtual directories APPPOOL Administration of application pools CONFIG Administration of general configuration sections WP Administration of worker processes REQUEST Administration of HTTP requests MODULE Administration of server modules BACKUP Administration of server configuration backups TRACE Working with failed request trace logs BINDING Object for working with SSL bindings (To list commands supported by each object use /?, e.g. 'appcmd.exe site /?') General parameters: /? Display context-sensitive help message. /text<:value> Generate output in text format (default). /text:* shows all object properties in detail view. /text:<attribute> shows the value of the specified attribute for each object. /xml Generate output in XML format. Use this to produce output that can be sent to another command running in /in mode. /in or - Read and operate on XML input from standard input. Use this to operate on input produced by another command running in /xml mode. /config<:*> Show configuration for displayed objects. /config:* also includes inherited configuration. /metadata Show configuration metadata when displaying configuration. /commit Set config path where configuration changes are saved. Can specify either a specific configuration path, "site", "app", "parent", or "url" to save to the appropriate portion of the path being edited by the command, "apphost", "webroot", or "machine" for the corresponding configuration level. /apphostconfig Specify an alternate applicationHost.config file to edit. /debug Show debugging information for command execution. Use "!" to escape parameters that have same names as the general parameters, like "/!debug:value" to set a config property named "debug". C:\windows\System32\inetsrv> Appcmd komutu kullanımı sırasında parametre yada objelerle çalışırken yardım almak için tüm cmd komutlarında olduğu gibi appcmd.exe /? Yapmanız yeterli olacaktır. Örnek olarak en çok kullanılan appcmd site komutu ile başlayalım. appcmd site /? yaparak site komutu ile neler yapabilriz bakalım. C:\windows\System32\inetsrv>appcmd site /? Administration of virtual sites APPCMD (command) SITE <identifier> <-parameter1:value1 ...> Supported commands: list List virtual sites set Configure virtual site add Add new virtual site delete Delete virtual site start Start virtual site stop Stop virtual site (To get help for each command use /?, e.g. 'appcmd.exe add site /?'.) C:\windows\System32\inetsrv> Örneğimizi biraz dah geliştirip IIS10.0 üzerinde bulunan web sitelerimizin listesini alalım. appcmd list site komutu ile kontrol edelim. C:\windows\System32\inetsrv>appcmd list site SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started) SITE "Reporter" (id:2,bindings:https/:1239:,state:Started) SITE "ozan site" (id:7,bindings:http/*:80:ozantest.com,state:Unknown) C:\windows\System32\inetsrv> 3 adet web sitesi çalışmakta olduğunu görüntülüyorum. Web serverim üzerinde. Yeni bir tane site eklemek istediğimizde appcmd add site komutu ile bu işlemi gerçekleştirebilirsiniz. Ben bindings ve path yapılandırmasınıda bu komutuma ekleyeceğim sizlerinde bu şekilde yapmanızı tavsiye ederim. GUI üzerinde daha sonra hata almamanız için path ve bandings ayarlarınızı yapılandırmanız önemlidir. C:\windows\System32\inetsrv>AppCmd add site /name:ozan /id:18 /bindings:http/*:81: /physicalPath:C:\ozan SITE object "ozan" added APP object "ozan/" added VDIR object "ozan/" added C:\windows\System32\inetsrv> List komutu ile yeni web sitemi tekrar kontrol ediyorum. C:\windows\System32\inetsrv>appcmd list site SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started) SITE "VeeamReporter" (id:2,bindings:https/:1239:,state:Started) SITE "ozan site" (id:7,bindings:http/*:80:ozantest.com,state:Unknown) SITE "ozan" (id:18,bindings:http/*:81:,state:Started) C:\windows\System32\inetsrv> En son satırda eklediğimiz yeni web sitesini görebilirsiniz. Listeleme kapsamında çalışan durmuş olan yada bilinmeyen web uygulamalarını listeleyebilirsiniz. C:\windows\System32\inetsrv>appcmd list sites /state:started SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started) SITE "VeeamReporter" (id:2,bindings:https/:1239:,state:Started) SITE "ozan" (id:18,bindings:http/*:81:,state:Started) C:\windows\System32\inetsrv>appcmd list sites /state:stopped C:\windows\System32\inetsrv>appcmd list sites /state:unknown SITE "ozan site" (id:7,bindings:http/*:80:ozantest.com,state:Unknown) C:\windows\System32\inetsrv> Bir web sitenizin config görüntülemek için /config parametresini kullanabilrisiniz. C:\windows\System32\inetsrv>appcmd list sites "Default Web Site" /config <site name="Default Web Site" id="1"> <bindings> <binding protocol="http" bindingInformation="*:80:" /> </bindings> <limits /> <logFile> <customFields> </customFields> </logFile> <traceFailedRequestsLogging /> <hsts /> <applicationDefaults /> <virtualDirectoryDefaults /> <ftpServer> <connections /> <security> <dataChannelSecurity /> <commandFiltering> </commandFiltering> <ssl /> <sslClientCertificates /> <authentication> <anonymousAuthentication /> <basicAuthentication /> <clientCertAuthentication /> <customAuthentication> <providers> </providers> </customAuthentication> </authentication> <customAuthorization> <provider /> </customAuthorization> </security> <customFeatures> <providers> </providers> </customFeatures> <messages /> <fileHandling /> <firewallSupport /> <userIsolation> <activeDirectory /> </userIsolation> <directoryBrowse /> <logFile /> </ftpServer> <application path="/"> <virtualDirectoryDefaults /> <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot" /> </application> </site> C:\windows\System32\inetsrv>DisableLoopbackCheck, registry setting not working in Windows 2022 IIS 10
We are upgrading windows in our environment from 2012 to 2022. Our application requires DisableLoopbackCheck, enabled. This setting is not working in Windows 2022. Has anyone encountered this issue and it there a workaround to get this working? These are the steps we follow: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/accessing-server-locally-with-fqdn-cname-alias-deniedAsp.net site hosted on IIS and https Redirect
Hello Asp.net website hosted on IIS 10 and URL redirect only to https. <rewrite> <rules> <rule name="Redirect HTTP to HTTPS" stopProcessing="true" enabled="true"> <match url="(.*)" /> <conditions logicalGrouping="MatchAny" trackAllCaptures="true"> <add input="{HTTPS}" pattern="off" ignoreCase="true" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" /> </rule> </rules> <outboundRules> <rule name="Add the STS header in HTTPS responses"> <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" /> <conditions> <add input="{HTTPS}" pattern="on" /> </conditions> <action type="Rewrite" value="max-age=31536000;preload=true;" /> </rule> </outboundRules> </rewrite> it works with IE but Edge/chrome browser show this error message and then displays actual page. Hmmm… can't reach this page. It looks like the webpage at https://URL might be having issues, or it may have moved permanently to a new web address.ERR_UNEXPECTED How to resolve this issue? Thank you
IIS reverse proxy slowness
Hi All, We have an application which is configured to run through IIS reverse proxy. Home page of the application takes more than 2.4+ minutes for loading, resulting with a performance issue. Troubleshooting the slowness ended up with the finding as the jQuery file "jquery-3.6.0.min.js" which is used in the home page is taking a lot of time compared to the other application files. other files loads with in milliseconds. When the same application is accessed directly without a IIS reverse proxy works with in seconds and that is the expected outcome. How can i get the application rendered in the browser faster using IIS reverse proxy ?. Is there a configuration which i can change in IIS for getting these file loaded faster ?. i have tried adding <script src="jquery-3.6.0.min.js" async></script> This render the page with all the html controls, but still it takes some time for the users to use the script functions in the home page as the files are loading in background. Could you please advice any alternatives for fixing this performance issue ? regards, zayee369Maintenance Page during deployment in IIS
Hi Team, Is there a way to display the Maintenance page for specific web site during IIS deployment and back to normal status once deployment completed. Please note I already tried it by placing the app_offline.htm in application root folder. And its working fine, but its not working where application pool .NET CLR version is No Managed Code. And also is there a way , so that I can place the app_offline.htm file in root folder and it should reflect for all the application inside the root folder. Or else do we have any other approach like redirecting to different static URL for all the website during deployment and change it to normal once deployment is completed.
Secure Client-Initiated Renegotiation fail
Hi, We've got a problem with the iis webserver on our windows server 2019. We got a penetration test with the followin error after a testssl check: Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat How can I fix this? Thanks a lot, IstvanMaintenance Page during deployment in IIS
Hi Team, Is there a way to display the Maintenance page for specific web site during IIS deployment and back to normal status once deployment completed. Please note I already tried it by placing the app_offline.htm in application root folder. And its working fine, but its not working where application pool .NET CLR version is No Managed Code. And also is there a way , so that I can place the app_offline.htm file in root folder and it should reflect for all the application inside the root folder. Or else do we have any other approach like redirecting to different static URL for all the website during deployment and change it to normal once deployment is completed.
IIS binding to different ports not behaving as expected
Hi, I am trying to do what I think is simple, but it's not working as expected. If I set 2 sites to 2 different ports, I can't access them on those ports. For example: site1 (the defaults website) is on port 80 and "All Unassigned" ip site2 (additional website) is on port 81 and "All Unassigned" ip For both, hostname is left blank Browsing to localhost takes me to the iis welcome page as expected. However, browsing to localhost:81 refreshes the screen and also takes me to the iis welcome page. Why doesn't localhost:81 take me to site2? I'm looking for a way to browse to a website that doesn't have a DNS record - I only want to browse to it on my local server. This is IIS 10 on server 2022. I've also tried using port 1999 for site2 with the same results.Active X can't create Object (Excel.application.16) from Classic ASP on Windows 2022 Server
I have a Classic ASP application that we have moved to a Windows 2022 server. The application reads uploaded excel files. Excel 16 is installed on the the server. When trying to read the file using CreateObject("Excel.Application.16") in vbscript, I get the following error: ActiveX component can't create object: 'Excel.Application.16' The log error is as follows: EXCEL.EXE 16.0.4266.1001 55ba1551 mso30win32client.dll 16.0.4266.1001 55ba121f c0000005 00000000000d623b 12e8 01d85405d4d54ddd C:\Program Files\Microsoft Office\Office16\EXCEL.EXE C:\Program Files\Common Files\Microsoft Shared\Office16\mso30win32client.dll 69de8bde-b2f1-4e97-8e8b-1b96ebc50531 Any help would be greatly appreciated. Thank you, Keith
Recent Blogs
- 8 MIN READThe Significance of OAuth 2.0 and OIDC in Contemporary Society. In today's digital landscape, securing user authentication and authorization is paramount. Modern authentication protocols like OAuth...Mar 11, 2025
- 3 MIN READIf you’ve ever worked on an ASP.NET Core application protected with Entra ID, you might have encountered an issue where the backend server URL appears as the redirect URI instead of the IIS Reverse P...Mar 04, 2025
