IIS 6 security - anyone can explain this for me?

Hi,
It is said that IIS 6 uses HTTP.sys as the front end for
handling HTTP requests, and passes ASP.NET requests
to w3wp.exe, but after some simple experiments,
I found the security settings (e.g. authentication method)
in the IIS metabase are still applied before the HTTP request
reaches my ASP.NET application.

Can anyone explain this for me? Or point to an
article that explains: when a user requests an ASP.NET
page, what happens between HTTP.sys and the IIS metabase?

Michael
Nov 19 '05 #1
Michael, what do you find odd in that?

http.sys does *not* load any application code,
it only parses and routes requests.

Please review these documents:

"Security Enhancements in Internet Information Services 6.0":
http://download.microsoft.com/downlo...IISEnhance.doc

"Technical Overview of Internet Information Services (IIS) 6.0":
http://download.microsoft.com/downlo...ISOverview.doc

They will be of use in understanding how http.sys works within IIS.

Juan T. Llibre
ASP.NET MVP
http://asp.net.do/foros/
ASP.NET forums in Spanish
Come, and let's talk about ASP.NET...
======================

Nov 19 '05 #2
I should have added these 2 links. They have additional info.

"HTTP Protocol Stack (IIS 6.0)" :
http://www.microsoft.com/technet/pro...2cda661b4.mspx

"Http.sys.doc" (Changes to HTTP API in Windows Server 2003 SP1):
http://download.microsoft.com/downlo...6/HTTP.SYS.doc


Juan T. Llibre
Nov 19 '05 #3
Juan, thank you very much for the information.
I've read them quickly and I am still confused;
maybe I did not describe my question clearly.

In Fritz's "Essential ASP.NET with Examples",
section 3.1.5, he said:

"IIS is always listening for requests and dispatching
them to the ASP.NET worker process if they are
ASP.NET requests. This is important to realize because
the configuration settings in the IIS metabase are applied
*before* the request to the ASP.NET worker process
is dispatched.
....
For example, if you specify in the IIS metabase that users
must be authenticated using Windows authentication, but
in your ASP.NET application web.config file
you have granted anonymous access, user will always be
required to authenticate before they can access pages.."

I experimented with both IIS 5 and IIS 6, and I got the same
result as Fritz said. But why? All the documents say that in
IIS 6, HTTP.sys is only a "gate" to pass requests to w3wp.exe,
so in the above example, when and who checked the IIS
metabase for the authentication? Is it WAS or aspnet_isapi.dll
in the w3wp process? This is what I really want to know.

Hope I made my question clear (English is not my mother tongue).

Michael

Nov 19 '05 #4
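
The ordering described in the book quote above, as an added example that is not part of the thread or of any poster's code: a simplified Python model in which the IIS metabase `AuthFlags` check runs first and the ASP.NET `<authorization>` rules only see the identity that the first stage passes on. The function names, the account name and the two sample web.config files are constructed for illustration, and the model does not show which IIS component performs the metabase check.

```python
import xml.etree.ElementTree as ET

# Bit values of the IIS metabase AuthFlags property.
AUTH_ANONYMOUS, AUTH_BASIC, AUTH_NTLM = 0x1, 0x2, 0x4

def aspnet_url_authorization(web_config_xml, user):
    """ASP.NET rule walk: first matching <allow>/<deny> wins (user None = anonymous)."""
    root = ET.fromstring(web_config_xml)
    for rule in root.iterfind("system.web/authorization/*"):
        for pattern in (p.strip() for p in rule.get("users", "").split(",")):
            if (pattern == "*" or (pattern == "?" and user is None)
                    or (user is not None and pattern.lower() == user.lower())):
                return rule.tag == "allow"
    return True  # machine-level default rule is <allow users="*"/>

def handle_request(auth_flags, web_config_xml, credentials=None):
    """Return (layer that decided, HTTP status); credentials is a proven account name."""
    # Stage 1: metabase settings, applied before anything is dispatched to ASP.NET.
    authenticated = credentials is not None and auth_flags & (AUTH_BASIC | AUTH_NTLM)
    user = credentials if authenticated else None
    if user is None and not auth_flags & AUTH_ANONYMOUS:
        return ("IIS", 401)  # challenge is sent; web.config is never consulted
    # Stage 2: ASP.NET authorization, working only with what stage 1 handed over.
    if aspnet_url_authorization(web_config_xml, user):
        return ("ASP.NET", 200)
    return ("ASP.NET", 401)

# Constructed sample: web.config that grants anonymous access.
WEB_CONFIG_ALLOW_ANON = """<configuration><system.web>
  <authentication mode="Windows"/>
  <authorization><allow users="*"/></authorization>
</system.web></configuration>"""

# Constructed sample: web.config that refuses anonymous users.
WEB_CONFIG_DENY_ANON = """<configuration><system.web>
  <authentication mode="Windows"/>
  <authorization><deny users="?"/></authorization>
</system.web></configuration>"""

if __name__ == "__main__":
    # The case from the quote: metabase demands Windows auth, web.config allows anonymous.
    print(handle_request(AUTH_NTLM, WEB_CONFIG_ALLOW_ANON))
    print(handle_request(AUTH_NTLM, WEB_CONFIG_ALLOW_ANON, "CORP\\alice"))
    # The reverse: metabase allows anonymous, web.config is the layer that refuses.
    print(handle_request(AUTH_ANONYMOUS | AUTH_NTLM, WEB_CONFIG_DENY_ANON))
```

A permissive web.config cannot loosen a stricter metabase setting, while a stricter web.config can still tighten a permissive one.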
