IIS Secure Firewall

May 1, 2013

A little background on what I enjoy doing. I enjoy many aspects of managing a large IIS server farm, and one of those aspects is security. Having used URLScan for a long time and learned the best practices around it, I decided it doesn't give me the information or the capabilities I am actually looking for. That said, I also enjoy development, so I took my programming skills and wrote a service that reads in the raw TCP data and parses the HTTP request out of it.

For non-SSL requests this works great, because I see both GET and POST requests with the actual content of each (for SSL requests the payload on the wire is encrypted, so the raw stream is of no use without terminating TLS). This gives me the flexibility to write rules that block traffic based on more than just the URL, query string, cookie, User-Agent or the other bits of information you can get from an ISAPI filter. In fact I can be even more specific and say: if the URL has one particular value and the POST data contains another, block the request.
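The following is an added example, not code from the author's service: a small parser that takes a raw HTTP request as it would come off the TCP stream and evaluates compound block rules against it, so that a rule can require both a URL match and a POST-body match. The rule values, hostnames and sample requests are hypothetical and constructed here for illustration.

```python
"""Added example (not the author's service): parse a raw HTTP request taken
off a TCP stream and evaluate compound (AND) block rules against it.
All rule values and sample traffic below are hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit


@dataclass
class Request:
    method: str
    path: str
    query: str              # raw query string, without the leading "?"
    headers: Dict[str, str]  # header names lower-cased
    body: str               # raw body text
    form_body: str          # body with URL-encoding undone (form posts only)


def parse_http_request(raw: bytes) -> Request:
    """Split a raw request into request line, headers and body.

    Only the bytes announced by Content-Length are treated as the body, so
    any pipelined data following the request is not mistaken for POST content."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body = rest[:length].decode("iso-8859-1", "replace")
    ctype = headers.get("content-type", "")
    form_body = unquote_plus(body) if "x-www-form-urlencoded" in ctype else body
    parts = urlsplit(target)
    return Request(method.upper(), parts.path, parts.query, headers, body, form_body)


@dataclass
class Rule:
    """Every pattern that is not None must match for the rule to fire."""
    name: str
    url: Optional[str] = None
    query: Optional[str] = None
    body: Optional[str] = None
    user_agent: Optional[str] = None

    def matches(self, req: Request) -> bool:
        checks = [
            (self.url, req.path),
            (self.query, req.query),
            (self.body, req.form_body),
            (self.user_agent, req.headers.get("user-agent", "")),
        ]
        return all(re.search(p, v, re.IGNORECASE) for p, v in checks if p is not None)


def first_matching_rule(req: Request, rules: List[Rule]) -> Optional[str]:
    """Return the name of the first rule that blocks this request, else None."""
    for rule in rules:
        if rule.matches(req):
            return rule.name
    return None


# Hypothetical rules: the first one blocks a contact form only when the POST
# body also carries an injected mail header (URL AND body), something a
# URL-only filter cannot express; the second one keys on the query string.
RULES = [
    Rule("contact-header-injection", url=r"^/contact\.php$",
         body=r"(^|\n)\s*(bcc|cc|to)\s*:"),
    Rule("query-traversal", query=r"\.\./"),
]


def _build_post(path: bytes, body: bytes) -> bytes:
    """Assemble a constructed form POST with a correct Content-Length."""
    return (b"POST " + path + b" HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: Mozilla/5.0\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample traffic (not captured from any real server).
SPAM_POST = _build_post(b"/contact.php?lang=en",
                        b"name=bob&message=hi%0Abcc:spam@example.net")
CLEAN_POST = _build_post(b"/contact.php", b"name=bob&message=hello+there")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (SPAM_POST, CLEAN_POST, PLAIN_GET):
        req = parse_http_request(raw)
        print(req.method, req.path, "->", first_matching_rule(req, RULES) or "allow")
```

The form body is URL-decoded before matching so that an encoded newline (`%0A`) cannot slip past a pattern written against the decoded text; a filter that only sees the URL would have to block the whole contact form to stop the same abuse.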

If anyone is interested in running tests on non-production servers I would be happy to let you test it out. Please leave me a comment and I'll put something together for you.


Cannot adjust logon rights for vzagent user

April 28, 2013

This can happen if the Service Container was not reinstalled properly. It can also happen if you are impatient like me and kill the task before it finishes because of a different issue altogether ;-).

Brief information

Anyhow, the resolution is to delete the vzagent user account and then reinstall the Service Container.

Detailed Information

  1. Go to START > PROGRAMS > ADMINISTRATIVE TOOLS and open COMPUTER MANAGEMENT.
  2. Expand System Tools > Local Users and Groups and select the Users folder.
  3. Right-click the user vzagent and choose Delete. Confirm that you want to delete the vzagent user.
  4. Reinstall the Service Container again using the same method you tried previously.

IIS: How to find a spammer using log files

November 13, 2012

So you have a server that is sending out spam. The first thing you should do is make sure IIS website logging is enabled. If it isn't, it is going to be extremely hard to figure out who did what.

  1. Assuming IIS website logging is enabled, the first thing you need to do is view the headers of the spam message and get its date and time stamp. Mail headers carry an explicit UTC offset: the Date and Received headers will typically show the SMTP server's local time followed by -X:00, where X depends on the time zone the server is in (for example -07:00 for Arizona). Convert that to UTC before going to the logs.
  2. Take the UTC time stamp and find the IIS log entries around that time. Say the time you found in the email converts to 2012-11-13 23:26:00 UTC; you can very easily search the logs for 2012-11-13 23:2 and get the whole ten-minute window.
  3. Spammers who abuse websites to send mail are fairly obvious: look for POST requests rather than GET requests. If you are logging all fields, including time-taken, use that to tighten the match. Time taken is in milliseconds, so 3000 means 3 seconds; if the log entry reads 2012-11-13 23:29:00 with a time-taken of 3000, take 3 seconds off to get when the request started, and you may have found the abusive script.
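The procedure above, as an added example that is not part of the original post: it converts a mail Date header to UTC, parses a W3C-format IIS log using its #Fields line, subtracts time-taken from each entry to approximate when the request started, and returns the POST requests closest to the spam time stamp. The log lines, IP addresses and paths are constructed for the example; the field list matches the default W3C fields but your server's #Fields line may differ, which is why the parser reads it rather than hard-coding positions.

```python
"""Added example (not from the original post): correlate a spam message's
Date header with IIS W3C log entries.  The log excerpt is constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List

# Constructed IIS W3C log excerpt (no real traffic).  Field order is taken
# from the #Fields line, which IIS writes at the top of each log file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-11-13 23:25:10 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2012-11-13 23:26:03 10.0.0.5 POST /images/cache/x.php - 80 - 203.0.113.9 Mozilla/4.0 200 0 0 3000
2012-11-13 23:26:20 10.0.0.5 POST /contact.php - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 120
2012-11-13 23:40:00 10.0.0.5 GET /about.html - 80 - 198.51.100.8 Mozilla/5.0 200 0 0 10
"""

UTC = timezone.utc


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive can repeat mid-file
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                entries.append(dict(zip(fields, values)))
    return entries


def header_date_to_utc(date_header: str) -> datetime:
    """Convert an RFC 2822 mail date with its offset to UTC.

    'Tue, 13 Nov 2012 16:26:00 -0700' -> 2012-11-13 23:26:00+00:00"""
    return parsedate_to_datetime(date_header).astimezone(UTC)


def request_start(entry: Dict[str, str]) -> datetime:
    """Approximate when the request began, following the post's reasoning:
    the logged time is taken as the completion time and time-taken (ms)
    is subtracted from it.  W3C logs are written in UTC by default."""
    finished = datetime.strptime(f"{entry['date']} {entry['time']}",
                                 "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return finished - timedelta(milliseconds=int(entry.get("time-taken", "0")))


def find_candidates(entries: Iterable[Dict[str, str]], spam_time_utc: datetime,
                    window_seconds: int = 60,
                    methods: tuple = ("POST",)) -> List[Dict[str, str]]:
    """Return requests of the given methods that started within the window
    around the spam time stamp, closest match first."""
    window = timedelta(seconds=window_seconds)
    hits = [e for e in entries
            if e.get("cs-method") in methods
            and abs(request_start(e) - spam_time_utc) <= window]
    return sorted(hits, key=lambda e: abs(request_start(e) - spam_time_utc))


def post_counts(entries: Iterable[Dict[str, str]]) -> Counter:
    """Count POSTs per (client IP, path); a planted mailer script usually
    shows up as one path hammered by one or a few addresses."""
    return Counter((e["c-ip"], e["cs-uri-stem"])
                   for e in entries if e.get("cs-method") == "POST")


if __name__ == "__main__":
    spam_time = header_date_to_utc("Tue, 13 Nov 2012 16:26:00 -0700")
    log = parse_w3c_log(SAMPLE_LOG)
    for hit in find_candidates(log, spam_time):
        print(request_start(hit).strftime("%H:%M:%S"), hit["c-ip"],
              hit["cs-uri-stem"], hit["time-taken"] + "ms")
    for (ip, path), n in post_counts(log).most_common():
        print(n, ip, path)
```

On a real server, read the log file with `open(path, encoding="utf-8")` in place of `SAMPLE_LOG`, and widen `window_seconds` if the mail server queued the message before stamping its headers.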

Just a few notes you should be aware of:

  • Attackers exploit vulnerabilities in open-source web applications to plant mailer scripts on otherwise innocent websites, so the abusive script is often one the site owner never uploaded.
  • Remember that W3C-format IIS logs are written in UTC by default, while mail headers carry their own UTC offset; convert everything to UTC before comparing.
  • Windows builds of the Unix command-line tools exist, such as grep.exe, gawk.exe, sed.exe, cat.exe, sort.exe, uniq.exe, tail.exe and many more.