Windows Web Hosting, Web Technologies, etc
Quickly Configure or Disable ETags in IIS7 or IIS6
Oct 2nd
With the move of my blog to a new server come a few new tweaks. Fortunately, I'm on a Windows 2008 Hosting account and I have delegation enabled, so I can remotely manage all the features of my IIS7 website with the IIS7 Manager (but more on that in a later post).
Earlier this year I fired up Firebug and the Y!Slow add-on from Yahoo to really dial in my website's performance. One of the changes was to disable ETags. On the IIS6 server I was on, I found an ISAPI filter that I could load on the site and call it a day. It turns out there's an even easier way to disable ETags. Before we go disabling ETags, though, it's probably a good idea to learn just what they are.
Just what are ETags?
An Entity Tag is a validator which can be used instead of, or in addition to, the Last-Modified header. An entity tag is a quoted string which can be used to identify different versions of a particular resource.
By sending an entity tag you promise the recipient that you will not send the same ETag for the same resource again unless the content is ‘equal’ to what you are sending now (see below for what equality means).
The above was taken from the mod_perl documentation on Issuing Correct HTTP Headers. So basically an ETag is a unique identifier your web server sends to a web browser, and the server should only change that ETag when the content it's assigned to changes.
Here’s how it works in IIS
- The client requests a static resource (a gif, for example) for the first time. IIS serves it to the client with response code 200. The resource is stored in the IE cache.
- The client makes an additional request for the same resource. IIS responds with code 304. The client uses the resource from the IE cache.
- At some point in time, the IIS service restarts.
- All subsequent requests from the client for the same resource end up with code 200 and the file being downloaded on the wire. Why? What is happening?
- The situation returns to normal when the client cleans the IE cache.
The above was taken from LangleyBen Leon's blog. So any time the service restarts (I still need to check whether application pool restarts have the same effect, but I suspect they may), the ETag is actually reset regardless of whether the content changed or not.
What Yahoo actually recommends is you use the Last-Modified-Date or set an Expires header.
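To make the restart problem above concrete, here is an added Python example (not code from the post) that models how a browser revalidates a cached file against IIS with and without an ETag. The ETag strings, the dates and the "If-None-Match is checked first" rule it follows are assumptions noted in the comments.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Resource:
    """What the server currently holds for one static file."""
    last_modified: str          # HTTP-date; only changes when the file changes
    etag: Optional[str] = None  # None or "" models the blank custom ETag header


@dataclass
class CacheEntry:
    """What the browser remembered from its first 200 response."""
    last_modified: str
    etag: Optional[str] = None


def revalidate(cached: CacheEntry, current: Resource) -> int:
    """Status code a conditional GET for the cached file gets back: 304 or 200.

    Modelling assumption: a browser sends If-None-Match only when it was given
    a non-empty ETag, otherwise it falls back to If-Modified-Since. Per RFC
    2616 the ETag comparison decides when both validators are present.
    """
    if cached.etag:  # client sends If-None-Match
        return 304 if cached.etag == (current.etag or "") else 200
    return 304 if cached.last_modified == current.last_modified else 200


LM = "Wed, 01 Oct 2008 12:00:00 GMT"         # constructed Last-Modified value
LM_EDITED = "Thu, 02 Oct 2008 09:30:00 GMT"  # constructed: after a real edit


def after_restart() -> int:
    """File unchanged, but IIS restarted and now emits a different ETag."""
    cached = CacheEntry(LM, '"8d5a7c1f:1a2"')  # constructed ETag values
    return revalidate(cached, Resource(LM, '"8d5a7c1f:1a3"'))


def with_etag_disabled() -> int:
    """Same file, ETag blanked: Last-Modified alone validates it -> 304."""
    return revalidate(CacheEntry(LM, ""), Resource(LM, ""))


def after_real_change() -> int:
    """Without ETags a genuine edit still invalidates the cache -> 200."""
    return revalidate(CacheEntry(LM, ""), Resource(LM_EDITED, ""))
```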
How to disable ETags easily in IIS6 and IIS7
I'll leave it up to you to decide whether you want to disable your ETags, and up to you to do the necessary research. I have decided to disable ETags, and here's how I'm going to do it: I'm going to add a custom header to the web server named ETag with a value of "" (nothing in there). So every item sent will have a blank ETag (and thus mission accomplished).
In IIS7 you do this as follows:
First select HTTP Response Headers
Then add an HTTP Response Header, as mentioned earlier, called ETag with a value of "" (yes, that's two double quotes):
Next browse your site with Firebug or some other tool and you'll see the ETags are gone! No ISAPI filters, no use of a metabase editor, just a quickly added header.
In IIS6 you would do this as follows:
From within the MMC you select the HTTP Headers tab
Select the Add button and enter a new HTTP Header
Enter ETag and "" and then click OK and close out the MMC, saving your changes.
That’s all you need to do to disable your ETags.

Microsoft releases Hyper-V 2008 Server.
Oct 2nd
Microsoft released Hyper-V Server 2008 yesterday and it's now available for FREE download. This is a bare-metal standalone hypervisor, meaning that you don't install a host OS on the machine before installing this. You just install this and then create your VMs and install the OS of your choice into your VMs.
I think the best way to think of this is as Server Core but with only one role: Virtualization. Or think Hyper-V without the overhead of a full host OS. Here are a few cool facts:
The maximum number of guest instances is 192.
The maximum number of Logical processors supported is 24.
The maximum amount of Memory? I don’t know but I know it supports more than 32GB!
Licensing for Hyper-V Server is free; however, you'll have to have a license for each guest instance of Windows you install. The screen cap below shows the different licensing options for Hyper-V:
(my advice: Go datacenter and save on licensing).
JessCoburn.com now running in Windows 2008 Shared Hosting
Sep 25th
Last week AppliedI.net announced support for Windows 2008 shared hosting and SQL Server 2008 shared hosting and I have immediately moved JessCoburn.com over to the new platform.
My blog is based on WordPress which is a PHP application. On the IIS7 platform we’ve enabled FastCGI and are using the newest build of PHP5 with the ‘non-thread safe’ DLLs for better performance in a CGI type environment.
What’s the big deal?
Speed: because of the new DLLs and the FastCGI infrastructure.
Security: IIS7 is even more secure because only the components you actually need are enabled.
Management: Thanks to delegated management I'm not locked into using some control panel. I have full access to the IIS7 management tools remotely and can tweak just about everything available in IIS. If I want new MIME types, I got it. If I want to change my error pages, I got it. If I need to set a directory as a virtual directory, DONE! What about enabling content caching? I have full control over that.
Those are my favorites. There’s more of course and there will be many other blog posts but you just gotta love Windows 2008 shared hosting. I have the ability to use the integrated pipeline and full support for ASP, ASP.NET as well as PHP. Plus with delegated management I can update my website’s settings in a shared hosting environment just like I would locally and am not locked to just a handful of settings some control panel thinks I find useful.
SQL Injection attacks and what you can do
Apr 24th
It's a shame, but not many website owners, or for that matter web developers, are familiar with what SQL Injection is and just why it's something they need to worry about. I'm noticing, through various forums, friends, etc., an increased number of sites being exploited for Cross Site Scripting through SQL Injection. Most blog readers are going to say "HUH? Cross Eyed Scripting? What Injection?"
Here's what I'm talking about: a hacker will come to your website and use SQL injection to gain access to your database so he can then run SQL queries against your database directly. Not only will he have full read access to your database contents (if it's an e-commerce site you are encrypting your customer information, right?), but he'll be able to modify your database and place his own code in there. What you might find is some iframe HTML code that's calling some JavaScript file (www.domain.com/hackerscript.js), trying to make that load in your site instead of your actual content. Then some website visitor comes to your site and their browser attempts to run this JavaScript, which downloads and installs a Trojan on their computer. Now not only is your site hacked but you're spreading malware all over the Internet, and if you don't do something about it soon, you're going to get flagged by Google and the other search engines.
Yes this is a bad bad thing.
UPDATE: Moments after posting this blog post I found a blog post about the United Nations Events page being marked as malware through SQL Injection
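The injected iframe described above is the symptom you can actually look for in your own data. The following is an added Python example, not code from this post: it scans a text column of a database for iframe or script tags that load from a host you do not own, using an in-memory SQLite table with constructed rows in place of a real site's content tables.

```python
import re
import sqlite3

# An <iframe> or <script> whose src points at an absolute or protocol-relative
# URL; the capture group is the host it loads from.
INJECTED = re.compile(
    r"""<(?:iframe|script)\b[^>]*\bsrc\s*=\s*['"]?\s*(?:https?:)?//([^/'"\s>]+)""",
    re.IGNORECASE,
)


def find_injected(conn: sqlite3.Connection, table: str, key: str,
                  column: str, own_hosts=()) -> list:
    """Return (row key, external host) pairs for rows whose text column embeds
    an iframe/script served from a host not listed in own_hosts."""
    hits = []
    # Table and column names come from the administrator, never from users;
    # the double quotes only guard against names that clash with SQL keywords.
    sql = f'SELECT "{key}", "{column}" FROM "{table}"'
    for row_key, text in conn.execute(sql):
        for host in INJECTED.findall(text or ""):
            if host.lower() not in own_hosts:
                hits.append((row_key, host.lower()))
    return hits


def demo() -> list:
    """Constructed data: a clean row, a row with a legitimate local script,
    and one row carrying the kind of injected iframe the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [
        (1, "Blue widget, 2 inch."),
        (2, "Red widget. <script src='/js/gallery.js'></script>"),
        (3, 'Green widget<iframe src="http://www.domain.com/hackerscript.js" '
            'width=0 height=0></iframe>'),
    ])
    return find_injected(conn, "products", "id", "description",
                         own_hosts={"www.example-shop.com"})
```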
Learning more about SQL Injection
I’m not going to rehash all the gory details on SQL Injection but instead recommend you read the following references:
A great article on SQL Injection by Paul Litwin (he’s a programming superhero)
Neil Carpenter’s Blog articles on: Anatomy of a SQL Injection Incident Part 1, and Part 2, and SQL Injection a Comment.
ScottGu’s Blog: Tip/Trick: Guard Against SQL Injection Attacks
Michael Sutton’s Blog: How Prevalent are SQL Injection Vulnerabilities?
These articles all have links to other great articles, and you'll learn more than you ever wanted to know about SQL Injection.
How do I know if I’m vulnerable to SQL Injection
The problem with SQL Injection is that so many people out there are using scripts where they not only don't know if they're vulnerable but also don't know how to fix it. So step #1 is to find out if you're vulnerable, and here are my recommendations for that:
#1 ScanAlert.com – If you're hosted at AppliedI.net they'll provide you a year of quarterly scans for free and a reduced renewal after that. They also have a service called HackerSafe that does daily scans of your site, and I highly recommend you use a service like this, as they'll really dig through your site and alert you that you're vulnerable before it's too late.
#2 Secunia.com – They provide a great resource cataloging vulnerable sites and providing frequent updates as new vulnerabilities are discovered. If you’re using any 3rd party applications (freeware, opensource, commercial, anything) I recommend you punch it in and take a look. For a quick reference, here’s a graphic representation of vulnerabilities in OSCommerce
And here's one for all the Anti-Windows Hosting people. Here are all the vulnerabilities found in IIS6 from 2003 to today (there was one released just recently): there have been 5, and all are either patched or have workarounds provided:
Here's the same graphic for Apache 2.0.X: there have been 35, and it looks like some are still unpatched or only partially fixed:
From the Secunia site you can get more information on security holes and the impact they have. BTW, I did a quick search on advisories for SQL Injection and got 2072 results. Yes, it's a problem.
#3 Use another security scanner like Nessus, Acunetix, Elanize’s Web Security Scanner, etc.
How do I protect my site from SQL Injection?
So the big question is how do I protect my site from SQL Injection? The answer: YOU FIX YOUR CODE! The problem is that not all website operators are website developers; they don't know how to fix their site, or they don't have the resources (money, experience, etc.) to fix their site. What are they to do? THEY HAVE TO FIX THEIR CODE! If you can't fix it, I recommend you find a replacement application that's not susceptible to SQL Injection. If you can't find a replacement application and can't fix your code, here are a few tips that might help, but this really needs to be addressed in the application itself:
IIS 6 SQL Injection Sanitation ISAPI Wildcard – It's an ISAPI filter that intercepts all requests and cleans out the dirty SQL injection code.
Port 80's Server Defender – It protects against a lot more than just SQL injection and is billed as a Web application firewall.
A little ASP Script for cleaning inputs that you can incorporate into your application.
A little guidance from MSDN.
And numerous other resources out there for your review.
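"Fix your code" in miniature: an added Python example (not code from this post or from any of the linked articles) showing a lookup built by string concatenation next to the parameterized version of the same query, against a constructed in-memory SQLite table. The same idea applies to ADO/ASP parameters and ASP.NET SqlParameter objects.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed customer table standing in for an e-commerce database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "4242"),
        (2, "bob@example.com", "1881"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The pattern that gets sites hacked: the input is pasted into the SQL,
    so quotes in it change the shape of the query."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the input is bound as a value and can only ever be compared
    against the column, never interpreted as SQL."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(user_input: str) -> tuple:
    """Run both lookups on the same input and return (vulnerable, safe)."""
    conn = make_db()
    return (lookup_vulnerable(conn, user_input),
            lookup_parameterized(conn, user_input))
```

For a normal address both lookups return the same single row; for input containing a quote and an OR clause the concatenated query returns every customer while the parameterized one returns nothing.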
Conclusion
I don’t know why I always have a conclusion but you have to close your article somehow. In conclusion, I hope you spend some time and read a few of the articles linked to in this blog post. You’ll learn more about SQL Injection and hopefully avoid being compromised by it.

Tips on Configuring and Using Windows Firewall in your VPS and Dedicated Server
Apr 22nd
A question that's been coming up rather often lately is: "How do I configure the Windows Firewall on my Dedicated Server / VPS Server?" Not many people realize that with SP1, Windows Server 2003 gained a software firewall feature, and even fewer are familiar with how to configure it correctly. Because of this I wanted to provide a few tips on how to configure your Windows Firewall. Please note that this is NOT the all-encompassing tutorial on how to secure your server or how to use Windows Firewall, but it's a great starting point.
Introducing the Windows Server 2003 Firewall
Many people are aware that Windows Server 2003 has a GUI for the firewall. You can access it from the start menu as shown below:
When you first click that icon it's going to enable Windows Firewall and present you with a nice GUI, and if you're not careful you'll proceed to get yourself in a lot of trouble!
I really don't advise configuring Windows Firewall from the GUI, at least initially. The reason is that if you go to Exceptions you'll only get a few options:
Sure, you can enable an exception for Remote Desktop, but what about IIS, DNS, maybe Mail? In fact, the most common support question regarding Windows Firewall is "I turned on Windows Firewall and now I can't connect to my server via Remote Desktop any more, HELP!" It happens.
Thus enters the Command Line Interface (or CLI as we like to call it).
Managing the Windows Firewall via CLI
The real beauty of configuring the Windows Firewall via the CLI is that you have much more control over it. In fact, if you open a command prompt and type: netsh firewall set portopening
you’ll get output like this:
This provides all the gory details on how to configure the Windows Firewall port openings. A few things to know about the Windows Firewall in Windows Server 2003:
1. You can only filter inbound packets (you have no control over outbound packets; that is available in Windows Server 2008, though).
2. In a normal firewall you can block a port for specific IPs. So let's say you're getting attacked on port 80 from 10.5.5.5: you can block that IP on just that port. You can't do this with Windows Firewall in 2003. With Windows Server 2003's firewall you can do the following with a port:
- a. block it for everyone from the outside
- b. allow it open for everyone from the outside.
- c. allow it open for only certain IP addresses.
That's the bad news; that's really all we have to work with. The good news is that in Server 2008 so much more is available, and I'll blog about that later.
If you want a full list of what you can do, you can go to this article on technet:
Windows Firewall Tools and Settings (server 2003)
Windows Firewall Tools and Settings (server 2008)
The AppliedI Quickie Firewall Ruleset
In an earlier blog post on the AppliedI blog, I spoke about Joe Healy and mentioned a little cookbook of firewall rules I like to enable on my own personal VPS servers. These rules are here:
1: netsh firewall set opmode enable
2: netsh firewall set portopening TCP 80 HTTP
3: netsh firewall set portopening TCP 53 DNS-TCP
4: netsh firewall set portopening UDP 53 DNS-UDP
5: netsh firewall set portopening TCP 21 FTP-Server
6: netsh firewall set portopening TCP 220 IMAP3
7: netsh firewall set portopening TCP 143 IMAP4
8: netsh firewall set portopening TCP 25 SMTP
9: netsh firewall set portopening TCP 110 POP3
10: netsh firewall set portopening TCP 3389 RDP
11: netsh firewall set portopening TCP 443 HTTPS
12: netsh firewall set portopening TCP 9999 SmarterMail
13: netsh firewall set portopening TCP 9998 SmarterStats
14: netsh firewall set logging droppedpackets=enable
Line #1 turns on the firewall. Lines #2-13 enable various port openings for all IP addresses, and Line #14 enables logging.
The only caveat I've run into with this set of rules is that passive FTP no longer works as a result. The workaround is to enable passive FTP on a given set of ports and then open those ports in the firewall as well. Here's a KB article on how to do this. You'll also want to open these 100+ ports on the firewall, and here's a little code (from here) on how to do that:
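Once dropped-packet logging is on, the firewall writes each drop to its pfirewall.log in a W3C-style format with a #Fields header. Here is an added Python example (not code from the post) that summarises DROP entries by source IP, protocol and destination port, the first thing to look at when deciding whether a port needs a restricted exception. The log lines are constructed and the column layout is taken from the file's own #Fields line rather than hard-coded.

```python
from collections import Counter
from typing import Iterator

# Constructed sample in the pfirewall.log layout (the 192.0.2.10 server is
# fictional; 10.5.5.5 is the address used elsewhere in this post).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2008-04-22 10:15:32 DROP TCP 10.5.5.5 192.0.2.10 51234 1433 48 S 1234567 0 65535 - - -
2008-04-22 10:15:33 DROP TCP 10.5.5.5 192.0.2.10 51235 1433 48 S 1234568 0 65535 - - -
2008-04-22 10:15:40 OPEN TCP 198.51.100.7 192.0.2.10 40001 80 - - - - - - - -
2008-04-22 10:16:02 DROP UDP 198.51.100.7 192.0.2.10 50000 1434 30 - - - - - - -
2008-04-22 10:16:05 DROP TCP 203.0.113.9 192.0.2.10 3344 3389 48 S 99 0 8192 - - -
"""


def parse_log(text: str) -> Iterator[dict]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def dropped_by_source(text: str) -> Counter:
    """Count DROP entries per (src-ip, protocol, dst-port)."""
    counts = Counter()
    for rec in parse_log(text):
        if rec.get("action") == "DROP":
            counts[(rec["src-ip"], rec["protocol"], rec["dst-port"])] += 1
    return counts


def top_dropped(text: str, n: int = 3) -> list:
    """The n busiest (source, protocol, port) combinations being dropped."""
    return dropped_by_source(text).most_common(n)
```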
To add a range of ports to Windows Firewall from the Command Line
- Click Start, click Run, type cmd, and then click OK.
- Type in the following, where the range is specified in ( ) and the name of the firewall entry is in " ":
FOR /L %I IN (5001,1,5201) DO netsh firewall add portopening TCP %I "Passive FTP"%I
- Each port in the range will be added with an "OK" confirmation.
This opens more ports than you’ll probably need and you can adjust these accordingly.
Opening a Port for a specific IP Address
A fairly common request we get is: how do I open a port for only specific IP addresses and block it for everything else? This comes up when a user wants to open port 1433 to their SQL Server service so they can access it remotely using SQL Management Studio, but leave it closed to the rest of the world.
Let's assume we want to open port 1433 for TCP requests only, and only to the IP address 10.5.5.5. The way to do that is with this CLI command:
netsh firewall set portopening protocol=TCP port=1433 name=MySQLAccess mode=ENABLE scope=CUSTOM addresses=10.5.5.5
This opens that port for a custom scope of addresses, which in this case is only 10.5.5.5.
What else can I do?
Well, there's a lot more you can do with Windows Server 2003's Firewall, and this really just scratches the surface of what can be configured and how. Many people complain that a software firewall is not a good firewalling solution because if a hacker can get into your server they can disable it or do what they wish to it. But I believe that the added layer of security a software firewall brings to the table, on top of the other network security features in place (such as network firewalls, IPS, IDS, etc.), makes it only wise to run it as well.