John Howard - Senior Program Manager in the Hyper-V team at Microsoft : Website design, production or operation

ISA 2004 Web Publishing HTTP Filter stops default website page URL redirection

jhoward — Tue, 25 Apr 2006 19:35:00 GMT

Quick questions: In a firewall, if you're presented with a checkbox asking if you want to block requests with ambigious extensions, what would you do? I'm guessing the answer from 99% of you would be "of course, I want to be as secure as I can be". Well, read on. Maybe you won't want to check that box after all.

Here's a real annoyance I found last night (I must be in rant mode, sorry!). What's more annoying is I couldn't find a solution on microsoft.com or newsgroups to solve it. As I explained yesterday, over the weekend I setup a web-server for photo hosting running at home.

To do this, I simply used the web-publishing wizard in ISA 2004 to publish my IIS server out on the internet, filtering the accessible paths. However, I didn't set any HTTP filtering on the web publishing rule. Being a consciensious (ha ha) administrator and as good practice, it's best to ensure only the methods and extensions you are actually using on the web-site are allowed through the rule, and to block unwanted signatures.

The first part of the ISA rule HTTP filtering lockdown is on the methods tab. As this web-site is serving static content only, the only method I need is GET.

Then it's on to the Extensions tab. As this is a photos web-site, jpg and gif are in there. Similarly htm and html for obvious reasons. The skinning for the site uses CSS (cascading style sheets). The ico is an interesting one and I certainly learnt something last hight. You may have noticed on certain web-sites, a seperate icon appears on the tab if you're using Internet Explorer tabbed browsing through MSN desktop search (and other browsers of course), which also is stored in your favourites if you bookmark the site. I'd been curious for a while how that was done - well, not that curious, but on the list of things to find out at some point in the dim distant future. It turns out that the browser (if you do a network trace) sends a request for favicon.ico. Although I don't have a custom icon yet, it made sense to allow requests for icons to go through.

Now here's the real gripe. If you leave the rule as-is shown above, everything works. Let's say I go to http://www.mysite.com, I have a default.html in that directory on the IIS server and I get a redirection request (HTTP 304 IIRC - I'm at work typing this) to http://www.mysite.com/default.html. This makes it much easier for people not to have to type in the full URL. BUT, I want to block requests containing ambiguous extensions - the ISA property page tells me I can, it sounds like a good thing to do, so I checked it and re-applied the rule.

Once you do this, the redirect is blocked by the ISA server HTTP filtering. I found a few articles, mainly relating to people griping about exactly the same thing but no answers. I'm going to track down someone internally from the ISA team who may be able to help here, but this struck me as a very strange thing to do. A redirect doesn't really have an extension as such, so what can you put into the list to allow the redirection to take place?

Rant over. Hopefully I'll find the answer soon. There's some info on configuring HTTP Filtering here, including a baseline Mail Server Pubishing HTTP policy - guess what I'm going to be doing this evening....

Cheers
John.

Virtual Server 2005 Cluster Resources, Chats and more

jhoward — Fri, 20 May 2005 17:54:00 GMT

There's an interesting article recently published by Mike Otey which leads you through building a virtualized Windows Server 2003 cluster. You will need to be a paidup member to view unfortunately. Thanks Adam for that link. You can find similar information on RoudyBob.NET's excellent blog and also on microsoft.com. As if that's not enough, there's also this on-demand webcast which I think I've mentioned before [sorry ;-)]. So, no excuses for not having enough information at your fingertips if this is something you want to experiment with.

Mike will also be holding an online chat on 25th May at 5PM UK-Time for the "Straight Story on Virtual Server" which will interesting. He has billed it as "Here's your chance to ask him your questions about Virtual Server and get the 'from the trenches' details on how it works and what problems it can and cannot solve. Michael gives you the straight story without pulling any punches."

Sadly, the timing doesn't work for me due to me presenting at the Technical Roadshow next week in Birmingham.

Managing your windows websites and web services

jhoward — Tue, 15 Mar 2005 16:50:00 GMT

If part of your job entails monitoring and management of Windows Websites and Web Services hosted on Windows Servers and are using MOM to manage that environment, take a look at the latest version of the free management pack download "Microsoft Web Sites and Web Services Management Pack for MOM 2005". http://www.microsoft.com/downloads/details.aspx?FamilyId=53BC39B6-756B-4F01-B0D2-A8CA9751011F&displaylang=en

How-To install a certificate for SSL Encryption under IIS

jhoward — Fri, 04 Feb 2005 11:56:00 GMT

Following on from my post a couple of days ago about using MakeCert to generate a self-signed certificate, this is one way in which you can test that the generated certificate is working correctly for SSL authentication within IIS. It was almost worthy of a blogcast (BTW, congratulations Mike for joining in the fun), but given I've all but lost my voice at the moment, here's the old fashioned way.

Create a new folder such as c:\test, and within it, create a new default.htm file using notepad. The content doesn't matter, but here's a very simple example
<BODY>
This is my SSL protected site
</BODY>
Start Internet Information Services (IIS) Manager from the Administrative Tools folder
(I'm going to lead you through creating a new web-site, although I could assign the certificate to the default web-site)
Right-click on Web-sites and select New Web-Site
Follow through the wizard. When you get to "Description", enter the name "Test"
Keep going through the wizard, and enter c:\test on the path step
On the newly created site, right-click and select properties and select the Directory Security tab
Click Server Certificate and work your way through the wizard
Select Assign an existing certificate
Select your newly created certificate
Choose port 443 (default SSL port)
Click Next/OK to finish the wizard and exit the site properties.
Currently the web-site is stopped. Right click the Test web-site and choose start
Open a browser and go to https://jhoward-5160/test, replacing jhoward-5160 with your machines DNS name. Note the MSN Toolbar :-)
Double-click the padlock icon in the bottom right to view the certificate for your site

Congratulations! If everything works this far, you have managed to create and protect a test web-site using SSL encryption and a self-signed certificate generated using MakeCert.exe