Windows Web Hosting, Web Technologies, etc
Windows Administration
Installing Windows 7 From a USB Thumb Drive
Jun 23rd
My most popular blog post is about installing Windows 2008 from a USB thumb drive. Over the weekend I decided to upgrade my laptop from Windows Vista to Windows 7 and used the same instructions to do that upgrade. So the instructions for:
- Installing Vista from a USB Thumb Drive
- Installing Windows Server 2008 from a USB Thumb Drive
- Installing Windows 7 from a USB Thumb Drive
are all the same: http://jesscoburn.com/archives/2007/10/15/installing-windows-2008-via-usb-thumbdrive/
Terminal Services Across Multiple Monitors
Jan 14th
At work and home I have the same setup: dual monitors. I always RDP into my desktop these days instead of installing Outlook, Office, etc. at home, and because of this I’ve always found myself not working in dual monitor mode when working remotely.
Turns out you can use multiple monitors in Terminal Services after all.
Enabling Multiple Monitors via RDP
To enable multiple monitors in an RDP session, use the /span switch and start RDP with the command:
mstsc /span
When it loads, just log into the machine as you normally do and your display will now span both monitors. The monitors must have the same resolution, and /span supports only a side-by-side configuration and a maximum resolution of 4096×2048.
Remotely Kill Process on a Windows Server
Oct 10th
Ran into a problem today where I needed to kill a process on a server that I didn’t have remote KVM access to and couldn’t RDP into. This particular machine had only VNC and the VNC service was hung.
Windows Server includes two commands, tasklist and taskkill, that allow you to remotely list the processes running on a machine and then kill them.
Viewing Tasks on Remote Computer
To view the processes just use the command:
tasklist.exe /S SYSTEM /U USERNAME /P PASSWORD
Killing Tasks on Remote Computer
Once you have the PID of a process you can execute:
taskkill.exe /S SYSTEM /U USERNAME /P PASSWORD /PID PID_NUMBER
I found this great tool by googling it and finding the watching the net blog article on it; there’s more information on their blog (along with a ton of Google AdSense ads...).
Quickly Configure or Disable ETags in IIS7 or IIS6
Oct 2nd
With the move of my blog to a new server, so come a few new tweaks. Fortunately, I’m on a Windows 2008 Hosting account and I have had delegation enabled so I can remotely manage all the features in my IIS7 website with the IIS7 manager (but more on that in a later post).
Earlier this year I fired up Firebug and the Y!Slow application from Yahoo to really dial in my website’s performance. One of these changes was to disable ETags. On the IIS6 server I was on I found an ISAPI filter that I could load on the site and call it a day. Turns out there’s an even easier way to disable ETags. Before we go disabling ETags though, it’s probably a good idea to learn just what they are.
Just what are ETags?
An Entity Tag is a validator which can be used instead of, or in addition to, the Last-Modified header. An entity tag is a quoted string which can be used to identify different versions of a particular resource.
By sending an entity tag you promise the recipient that you will not send the same ETag for the same resource again unless the content is ‘equal’ to what you are sending now (see below for what equality means).
The above was taken from the mod_perl documentation on Issuing Correct HTTP Headers. So basically an ETag is a unique identifier your web server sends to a web browser, and the server will only change that ETag if the content it’s assigned to changes.
Here’s how it works in IIS
- Client requests a static resource (a GIF, for example) for the first time. IIS serves it to the client with response code 200. The resource is stored in the IE cache.
- Client makes an additional request for the same resource. IIS responds with code 304. Client uses the resource from the IE cache.
- At some point in time, the IIS service restarts.
- All subsequent requests from the client for the same resource will end up with code 200 and the file being downloaded on the wire. Why? What is happening?
- The situation will return to normal when the client cleans the IE cache.
The above is taken from LangleyBen Leon’s blog. So any time the service restarts (and I need to check if this is affected by application pool restarts but I suspect it may be) the ETag is actually reset regardless of whether the content changed or not.
What Yahoo actually recommends is that you use the Last-Modified header or set an Expires header.
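The restart sequence above, as an added Python example that is not from the original post and is not IIS code: a toy static-file server whose ETag includes a counter that changes on restart, compared with the same server sending only Last-Modified. The class, the ETag layout and the `generation` counter are assumptions chosen to model the reset described above.

```python
from email.utils import formatdate, parsedate_to_datetime

class StaticServer:
    """Toy static-file server; `generation` stands in for per-restart state."""
    def __init__(self, mtime, send_etag=True):
        self.mtime = int(mtime)        # file's last-modified time (epoch seconds)
        self.send_etag = send_etag
        self.generation = 0            # assumed to change when the service restarts

    def restart(self):
        self.generation += 1           # file content and mtime are untouched

    def validators(self):
        headers = {"Last-Modified": formatdate(self.mtime, usegmt=True)}
        if self.send_etag:
            # Hypothetical layout: the tag mixes file time with restart state.
            headers["ETag"] = '"%x:%x"' % (self.mtime, self.generation)
        return headers

    def get(self, request_headers=None):
        """Return (status, headers) for a GET, honouring conditional headers."""
        req = request_headers or {}
        current = self.validators()
        if "If-None-Match" in req:
            # The entity-tag check takes precedence over the date check.
            fresh = req["If-None-Match"] == current.get("ETag")
        elif "If-Modified-Since" in req:
            since = parsedate_to_datetime(req["If-Modified-Since"]).timestamp()
            fresh = self.mtime <= since
        else:
            fresh = False
        return (304 if fresh else 200), current

def revisit(server):
    """First visit, a revalidation, a restart, then another revalidation."""
    _, cached = server.get()
    cond = {"If-Modified-Since": cached["Last-Modified"]}
    if "ETag" in cached:
        cond["If-None-Match"] = cached["ETag"]
    before, _ = server.get(cond)
    server.restart()
    after, _ = server.get(cond)
    return before, after

if __name__ == "__main__":
    print("with ETag:   ", revisit(StaticServer(1214474400)))
    print("without ETag:", revisit(StaticServer(1214474400, send_etag=False)))
```

With the ETag the unchanged file goes from 304 to 200 after the restart; with only Last-Modified it stays at 304.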
How to disable ETags easily in IIS6 and IIS7
I’ll leave it up to you to decide if you want to disable your ETags or not and up to you to do the necessary research. I have decided to disable ETags and here’s how I’m going to do it. I’m going to add a custom header to the web server named ETag with a value of “” (nothing in there). So every item sent will have a blank ETag (and thus mission accomplished).
In IIS7 you do this as follows:
First select HTTP Response Headers
Then add an HTTP Response Header as mentioned earlier called ETag with a value of “” (yes, that’s two double quotes):
Next, browse your site with Firebug or some other tool and you’ll see the ETags are gone! No ISAPIs, no use of a metabase editor, just a quick added header.
In IIS6 you would do this as follows:
From within the MMC you select the HTTP Headers tab
Select the Add button and enter a new HTTP Header
Enter ETag and “”, then click OK and close out the MMC, saving your changes.
That’s all you need to do to disable your ETags.
SQL Injection Help .. Microsoft to the rescue with URLScan 3.0.
Jun 26th
The number of SQL Injection attacks across the Internet continues to rise. I’m seeing regular postings on the SANS RSS feed related to SQL Injection and XSS these days, and clients are finding that applications they thought were not vulnerable turn out to be vulnerable because of patches and custom mods they’ve had made to them. For most site owners this meant going back to the developers and getting updates, which is generally costly and time consuming. Fortunately, Microsoft has stepped up to the plate and brought us a little relief in the form of the URLScan 3.0 beta/go-live release.
Here are a few links to get you to good stuff and hopefully save the day:
Microsoft Security Bulletin: http://www.microsoft.com/technet/security/advisory/954462.mspx
Link to download HP’s custom SQL injection scanner and how to use it. They created this for Microsoft to help you identify possible vulnerabilities in your site.
A source code analysis application that can help identify vulnerable code in your application.
UrlScan 3.0 Beta. I’m generally opposed to installing beta software on a production webserver but I think if you’re getting hammered, it’s probably better to just bite the bullet and do it. As you probably know UrlScan was for the most part built into IIS 6 but it doesn’t have querystring filtering, this build does and it works with IIS5.1 and later including our beloved IIS 7.0. Kudos to the IIS Team!
Word of caution
I’ve installed this for a few people and a couple of times it wouldn’t load after the initial install (beta software). My fix for this was to install the ISAPI filter directly on the website in question. I used Filemon to watch for when it triggered and referenced the log files to tweak out false positives from there. Each site is unique so you’ll need to tweak your settings accordingly.
Another useful tool
LogParser is another great tool for reviewing your server logs and searching for information such as hack attempts. Steve Schofield has a nice write-up about using LogParser and URLScan.
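The same kind of log review, as an added Python example that is not from the original post and does not use LogParser: it reads IIS W3C log lines and flags query strings that look like SQL injection, so you can see which pages are being probed and which rules would produce false positives. The log lines are constructed, and the four rules are illustrative assumptions to tune per site.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-06-26 10:00:01 192.0.2.10 GET /default.asp id=42 200
2008-06-26 10:00:05 198.51.100.7 GET /product.asp id=5;DECLARE%20@S%20VARCHAR(4000);EXEC(@S);-- 200
2008-06-26 10:00:09 192.0.2.11 GET /search.asp q=declare+of+independence 200
2008-06-26 10:00:12 203.0.113.9 GET /item.asp id=1%2527%2520UNION%2520SELECT%2520name%2520FROM%2520users-- 500
2008-06-26 10:00:15 192.0.2.12 GET /images/logo.gif - 304
"""

# Illustrative rules (assumptions); each needs SQL structure, not just a keyword.
RULES = {
    "stacked-statement": re.compile(r";\s*(declare|exec|execute|drop|insert|update|delete)\b", re.I),
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "exec-call": re.compile(r"\bexec(ute)?\s*\(", re.I),
    "tsql-variable": re.compile(r"\bdeclare\s+@\w+", re.I),
}

def decode(query, rounds=3):
    """URL-decode repeatedly so double-encoded input (%2527) is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def scan(log_text):
    """Return (client_ip, decoded_uri, rule_names) for each suspicious request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split(" ")))
        text = decode(row.get("cs-uri-query", "-"))   # "-" means no query string
        matched = sorted(name for name, rx in RULES.items() if rx.search(text))
        if matched:
            hits.append((row.get("c-ip"), row.get("cs-uri-stem", "") + "?" + text, matched))
    return hits

if __name__ == "__main__":
    for ip, uri, rules in scan(SAMPLE_LOG):
        print(ip, uri, ",".join(rules))
```

The search for "declare of independence" is not flagged, while the double-encoded request is caught only because the query string is decoded more than once.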
A few FAQs on this subject:
Q: Is it Microsoft’s fault and if not then whose fault is it?
A: It’s yours and your developer’s fault. As hackers evolve so must our techniques to combat them. Coding methods and ways to access SQL server have changed over the years as a result of this and if you haven’t had your site updated, then it’s your fault.
Q: I just moved my website to a new server and I’m getting hacked now and I wasn’t before. It’s the new server right?
A: No. This is a new type of worm, if you will, that is affecting websites; the fact that you changed hosts, websites or applications probably doesn’t have anything to do with it at all. This really started to become a huge problem around late April of this year and we’ve watched it grow into a bigger problem since then.
Q: Is URLScan the answer to my prayers?
A: Consider it a stopgap you’ll be able to employ until you’ve had your web applications updated. You really need to get your application secured.
Q: I haven’t been attacked, how do I know if I’m vulnerable?
A: Use the two tools above and also you might want to hire a service to do website security scans. If you’re hosted with Applied Innovations you can get free quarterly security scans from scanalert.com.
Q: What kinds of applications are vulnerable? Is it just shopping carts?
A: Every application that accesses a database server of any kind is potentially vulnerable.
Q: My website is written in XXXX language and it’s supposed to be very secure, am I vulnerable?
A: Potentially, YES! Any web application that uses a database can be vulnerable.