URL redirect malware - asp.net

My ASP MVC web site was recently affected by URL redirect malware. There are several web sites hosted in IIS on an Azure server, and only one web site opens unwanted popups and redirects. I have checked the same site by hosting it in local IIS, and it gave the same result. This does not always happen, but it happens suddenly. Does anybody have an idea how I can figure out the reason and how I can prevent this issue?

Since the issue occurs locally and also on an Azure VM, it is evidently not an Azure issue. As Adyson rightly mentioned, “the site is infected and you need to restore a non-infected version from a backup or re-deploy from the correct version of the source.”
In an IaaS deployment, you are still responsible for the management of the systems that you deploy, just like any other server or workstation in your environment. Patching, hardening, rights assignments, and any other activity related to the maintenance of your system are still your responsibility. For systems that are tightly integrated with your on-premises resources, you might want to use the same tools and procedures that you're using on-premises for things like antivirus, antimalware, patching, and backup.
Check the document Security best practices for IaaS workloads in Azure for more details: https://learn.microsoft.com/en-us/azure/security/azure-security-iaas
IIS security: At the level of Internet Information Services (IIS), you set content permissions, authentication controls, and operator privileges. Refer to Managing Web Server Security (https://msdn.microsoft.com/en-us/library/bb727096.aspx?f=255&MSPPError=-2147217396) for more details.
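
Before restoring or re-deploying as the answer advises, it helps to know which files on the server differ from the clean build. The script below is an added example, not part of the original answer; both folder paths are placeholders and are assumptions.

```powershell
# Added example: integrity diff between a known-good build and the live site.
# Both default paths are placeholders (assumptions), not values from the question.
param(
    [string]$KnownGood = 'C:\builds\MySite\publish',   # clean publish output built from source
    [string]$Deployed  = 'C:\inetpub\wwwroot\MySite'   # physical path of the affected IIS site
)

function Get-HashMap {
    param([string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $map = @{}
    Get-ChildItem -LiteralPath $rootFull -Recurse -File -Force | ForEach-Object {
        # Key on the lower-cased relative path so the two trees line up.
        $rel = $_.FullName.Substring($rootFull.Length + 1).ToLowerInvariant()
        $map[$rel] = [pscustomobject]@{
            Hash     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Modified = $_.LastWriteTimeUtc
        }
    }
    return $map
}

$good = Get-HashMap $KnownGood
$live = Get-HashMap $Deployed

$report = @(
    foreach ($rel in $live.Keys) {
        if (-not $good.ContainsKey($rel)) {
            # Present on the server but not in the clean build.
            [pscustomobject]@{ Status = 'Added'; Path = $rel; LastWriteUtc = $live[$rel].Modified }
        } elseif ($good[$rel].Hash -ne $live[$rel].Hash) {
            # Same path, different content.
            [pscustomobject]@{ Status = 'Modified'; Path = $rel; LastWriteUtc = $live[$rel].Modified }
        }
    }
    foreach ($rel in $good.Keys) {
        if (-not $live.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Missing'; Path = $rel; LastWriteUtc = $null }
        }
    }
)

$report | Sort-Object Status, Path | Format-Table -AutoSize
```

Uploaded content, log files and a server-side web.config will show up as legitimate differences and need to be reviewed by hand. The write times of unexpected Added or Modified files give a starting window for reading the IIS logs.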

Related

Why setting app pool identity as Network Service for asp.net web application?

I've seen a web application running in a Classic App Pool with the Network Service identity. What could be the reason behind this? What issues would we face if we used Local System/Local Service or another account?
Please share your knowledge if anyone knows.
IIS 4.x/5.x used to use Local System/Local Service as the default identity for IIS processes, which became a system-wide risk, as web servers like IIS can be hacked. Once hacked, malicious code would be executed under those powerful accounts to hack the whole Windows machine, and possibly other resources in the same domain.
Thus, when Microsoft designed IIS 6, they switched to Network Service, which has significantly fewer permissions than the old options. Further on, in IIS 7 and above, Microsoft introduced Application Pool Identity accounts to reduce permissions further. That's what #mason commented as "the principle of least privilege".
However, the whole IIS security story does not end here. Concepts such as DMZ and so on would bring more security to your web environment, which you should spend some time learning via specific materials (IIS security books and so on), not simply via a web forum.
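
To see which identity each application pool on a server actually runs as, the pools can be listed with the WebAdministration module. This is an added example, not part of the original answer; it assumes IIS 7 or later with that module installed and an elevated PowerShell session.

```powershell
# Added example: inventory of application pool identities on an IIS host.
# Assumes the WebAdministration module (IIS 7+) and an elevated session.
Import-Module WebAdministration

# Map each pool to the sites that use it. Applications below a site can
# select a different pool; Get-WebApplication lists those separately.
$sitesByPool = @{}
Get-Website | Group-Object applicationPool | ForEach-Object {
    $sitesByPool[$_.Name] = ($_.Group | ForEach-Object { $_.Name }) -join ', '
}

$report = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $identity = "$($_.processModel.identityType)"
    $note = switch ($identity) {
        'LocalSystem'             { 'HIGH: code in this pool has full control of the host' }
        'LocalService'            { 'Shared built-in account: no isolation between pools using it' }
        'NetworkService'          { 'Shared built-in account: no isolation between pools using it' }
        'SpecificUser'            { 'Custom account: review its group memberships and rights' }
        'ApplicationPoolIdentity' { 'Per-pool virtual account (IIS AppPool\<pool name>)' }
        default                   { 'Unrecognised identity type' }
    }
    [pscustomobject]@{
        AppPool  = $_.Name
        Pipeline = $_.managedPipelineMode
        Identity = $identity
        UserName = $_.processModel.userName   # only set for SpecificUser
        Sites    = $sitesByPool[$_.Name]
        Note     = $note
    }
}

$report | Sort-Object Identity, AppPool | Format-Table -AutoSize -Wrap

# To move a pool to its own virtual account (4 = ApplicationPoolIdentity):
# Set-ItemProperty 'IIS:\AppPools\<pool name>' -Name processModel.identityType -Value 4
```

After switching a pool to ApplicationPoolIdentity, the site's content folder needs read access for `IIS AppPool\<pool name>`, otherwise the site will fail to load its files.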

What is the use of running asp.net application in IIS?

I am not clear on what the purpose of running an asp.net application in IIS is. Why do we go for IIS? Is there any difference between running in VS and IIS?
Please advise.
Simply because you won't run asp.net in VS on production!
IIS Express and the VS Development Server are designed to emulate IIS, but they are configured differently and may fail to reveal errors that can occur when you deploy to a production version of IIS.
Visual Studio Development Server, also known as Cassini, is very limited. It does not have all IIS features and we will have a few problems when resolving References to Root-Level Resources or on security.
For example, when you run a page using IIS Express/VS Development Server, the page runs in the context of your current user account (often Admin). In IIS 7, by default ASP.NET runs in an account that has limited privileges (known as AppPool Identity, see here). This difference can be a source of problems when you deploy a web application to production.
A complete list of Hosting options is available here.
Internet Information Services (IIS) for Windows® Server is a flexible, secure and manageable Web server for hosting anything on the Web. From media streaming to web applications, IIS's scalable and open architecture is ready to handle the most demanding tasks.
Application pools allow you to isolate your applications from one another, even if they are running on the same server. This way, if there is an error in one app, it won't take down other applications.
Additionally, application pools allow you to separate different apps which require different levels of security.
Here's a good resource: http://www.advancedinstaller.com/user-guide/tutorial-iis.html
http://www.iis.net/learn

Looking for a lightweight IIS server for demonstrating a website

I need to show a customer an ASP.NET MVC3 website, but they don't have IIS or Visual Studio installed. Only .NET Framework 4 is installed.
So my question is: Is there any tiny little IIS server (like IIS Express) that doesn't require installation and can run the compiled site just on the local machine?
PS: I don't need advanced features. But HttpHandlers and HttpModules should be working fine.
I back Shan's suggestion to host your website on a server somewhere and access it over the Internet. I don't see why it wouldn't work for Intranet applications either unless you have dependencies on some services like SMB shares or network printers.
The Cassini ASP.NET webserver is portable and doesn't require installation, but it doesn't run the same as IIS and there are things that will break (because it invokes ASP.NET for every request unlike IIS, so if you've blocked unauthenticated visitors then they wouldn't be able to download site images and stylesheets, for example, until they've logged in).

Why does IIS on Azure Web Roles need to recompile ASP.NET apps so often?

I have ASP.NET applications deployed on a number of different environments (AppHarbor, Azure, DiscountASP.NET, GoDaddy, etc...) and one thing that bothers me with my deployments on Azure is that my low-traffic websites get JIT-compiled if there hasn't been a request for more than a couple of hours.
Obviously I could solve this by increasing the amount of traffic to my site (I'm being facetious) or by trying to do some hacky things with precompilation, but I'd rather understand why the site needs to be compiled constantly in Azure. I've never noticed this issue on other providers (even GoDaddy) for low-traffic sites - is there some reason for this, and is there anything I can do in the Azure config files to stop this?
Bump your app pool timeout settings with a web role startup task. Steve Marx has a post on how to do this in Azure. You can login with remote desktop to change this to verify - but that setting would get blown away next time you deploy.
On other environments, the app pool settings are probably configured differently. This bugged me for a while when I first set up my Azure site.

Should I use Windows Management Service or Remote Agent Service to publish to a remote server?

I have a remote web server that I have full administrator access over, and I want to deploy a website.
When I use Visual Studio's Publish tool, among other things which seem a bit less convenient (FTP etc), I have the option of using either Windows Management Service or Remote Agent Service. All the documentation says is this:
To publish remotely through Remote Agent Service, use http://RemoteComputerName. This option is typically used to deploy a Web application inside a network (in an intranet scenario). You must have appropriate permissions to perform the deployment on the destination server.
To publish to a hosting site using Windows Management Service, use the value that is specified by the hosting provider. You can typically use just a server name (HostedRemoteServer) or a complete URL that includes a server name, a port number, and the Web Deploy handler name (https://HostedRemoteServer:8172/MsDeploy.axd). The hosting provider can tell you the name of the server and the port number, if applicable.
This isn't enough information for me to decide, though. Yeah, I'm not publishing over a network, but I do have full access over the machine I'm deploying to. At the same time, MsDeploy is the big fancy thing that Scott Hanselman describes in his talk and that I've been convinced as being the awesome way to deploy.
So which should I do? Are there any obscure security considerations or anything?
I recommend going the Management Service route. In addition to the msdeploy features, the Management Service feature gives you the ability to remotely administer IIS 7/7.5 from your machine. With all of your IIS servers in one console, you can easily export an application on one machine and import it onto another.
It seems like the most sophisticated msdeploy implementation from a security provisioning perspective and from a configuration perspective. The IIS manager allows you to easily configure details around the endpoint (SSL certificate, port, etc.). Well.. this is true on IIS 7/7.5 on Windows 2008 and R2, but not on Windows Vista or 7. For some strange reason, there is no UI for the Web Management settings on non-server SKU's.
The agent is basically a self-contained web server without any of the user-level permissions capabilities. This is why it requires that the person doing the remote deployment has admin privileges on the target machine. It feels like a simpler, bare metal implementation. Since you've already got IIS serving up HTTP/HTTPS and since IIS' HTTP implementation has kernel-level optimizations, you're not really gaining anything by going the agent route.
If you want to remotely administer Windows 2008 or R2 from Windows Vista/7, install this on your workstation: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32c54c37-7530-4fc0-bd20-177a3e5330b7 ... this was the icing on the cake for me.
