Category Archives: Servers

All about servers, including but not limited to server hardware and software, web servers, email servers, DNS, WINS, RAS, Windows Server, Linux servers, Apache, IIS, BIND, proxy servers, Exchange Server, SmarterMail, stats servers and database servers.

Fedora Server Installation Guide

After reading this article you should be able to configure a Fedora server after installation and set up the following:

  • NTP Server
  • SSH Server
  • Apache Web Server
  • SSL installation and configuration
  • FTP Server
  • Samba file server
  • MySQL Server
  • phpMyAdmin to manage MySQL databases from remote locations
[1] Download Fedora and make a DVD for installing Fedora.

Download the Fedora installation DVD ISO file from the Fedora website, http://fedoraproject.org/get-fedora. Burn the DVD and install Fedora according to the instructions on the Fedora website, where the installation documentation is also available.

[2] Install Fedora

In this article we're focusing on setting up a Fedora 11 server.

[3] Configure Fedora 11

Initial configuration after installing Fedora.

[a] Add a new user.

I used the user name 'fedora' in the following examples, but use any name you like.

[root@dlp ~]# useradd fedora
[root@dlp ~]# passwd fedora
Changing password for user fedora.
New UNIX password: # input the password you want to set
Retype new UNIX password: # verify
passwd: all authentication tokens updated successfully.
[root@dlp ~]# exit # logout

[b] Try to switch to root as the user added in section [a].

ns login: fedora # input user name
password: # input password
[fedora@dlp ~]$ su - # switch to root
Password: # input password for root
[root@dlp ~]# # switched to root

[c] Make the 'fedora' user added in section [a] the only user who can switch to root.

[root@dlp ~]# vi /etc/group

# line 11: add the user
wheel:x:10:root,fedora

[root@dlp ~]# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# remove the '#' at the head of this line
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

[root@dlp ~]# vi /etc/login.defs

# add this line at the bottom
SU_WHEEL_ONLY yes

[d] Configure mail for root to be forwarded to the user you set as system administrator.

[root@dlp ~]# vi /etc/aliases

# Person who should get root's mail
# bottom: remove '#' and add the user name
root: fedora

[root@dlp ~]# newaliases # set new aliases
/etc/aliases: 77 aliases, longest 10 bytes, 776 bytes total

Firewall & SELinux:

[1] It's unnecessary to enable the firewall because it's enabled on the routers, so change it to disabled.

[root@dlp ~]# /etc/rc.d/init.d/iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading iptables modules: [ OK ]

[root@dlp ~]# chkconfig iptables off
[root@dlp ~]# chkconfig ip6tables off

[2] Change SELinux (Security-Enhanced Linux) to disabled.

[root@dlp ~]# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled # change
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

[4] Installing NTP Server

This is an example of installing and configuring an NTP server for the system clock.

[root@dlp ~]# yum -y install ntp
This installs the NTP packages.

[root@dlp ~]# mv /etc/ntp.conf /etc/ntp.conf.bk
[root@dlp ~]# vi /etc/ntp.conf

# Set servers for synchronizing
server ntp1.ssysadmin.com
server ntp2.ssysadmin.com

[root@dlp ~]# /etc/rc.d/init.d/ntpd start
Starting ntpd: [ OK ]

[root@dlp ~]# chkconfig ntpd on
[root@dlp ~]# ntpq -p

[5] Installing SSH Server

[1] Configure the SSH server so that Windows client computers can log in. This is the way with password authentication.

[root@dlp ~]# vi /etc/ssh/sshd_config

# line 42: uncomment and change to 'no'
PermitRootLogin no

# line 63: uncomment
PermitEmptyPasswords no
PasswordAuthentication yes

[root@dlp ~]# /etc/rc.d/init.d/sshd restart

[2] Confirm that you can log in from Windows clients using PuTTY.
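As an added check (not part of the original guide), the following Python script audits the settings from section [3][c] (the wheel group and pam_wheel restriction on su) and section [5] (the three sshd_config directives) by parsing the text of /etc/group, /etc/pam.d/su and /etc/ssh/sshd_config; the sample inputs are constructed, and the admin user name 'fedora' is the guide's example.

```python
"""Audit of the su-to-root restriction ([3][c]) and sshd settings ([5]) above.

Added example, not part of the original guide. It parses the text of
/etc/group, /etc/pam.d/su and /etc/ssh/sshd_config and reports whether they
match what the guide sets. Sample inputs are constructed inline.
"""
import re

# Values the guide sets in /etc/ssh/sshd_config (keywords are case-insensitive).
EXPECTED_SSHD = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global part of sshd_config.

    sshd honours the first occurrence of a keyword, so duplicates are ignored,
    and everything after a Match line is conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd(text):
    """Compare parsed sshd_config values with EXPECTED_SSHD."""
    found = parse_sshd_config(text)
    results = []
    for key, wanted in EXPECTED_SSHD.items():
        actual = found.get(key)
        if actual is None:
            results.append((key, False, "not set explicitly (still commented out?)"))
        elif actual.lower() != wanted:
            results.append((key, False, f"is '{actual}', expected '{wanted}'"))
        else:
            results.append((key, True, f"= {actual}"))
    return results


def wheel_members(group_text):
    """Return the set of users listed on the wheel line of /etc/group."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "wheel":
            return {member for member in fields[3].split(",") if member}
    return set()


def su_restricted_to_wheel(pam_su_text):
    """True if /etc/pam.d/su has an active 'auth required pam_wheel.so' line.

    That is the line the guide uncomments. The 'trust' variant lets wheel
    members su without a password, which is a different policy, so it is not
    counted as the restriction.
    """
    for raw in pam_su_text.splitlines():
        fields = raw.split()
        if raw.lstrip().startswith("#") or len(fields) < 3:
            continue
        if fields[:3] == ["auth", "required", "pam_wheel.so"] and "trust" not in fields[3:]:
            return True
    return False


def audit(sshd_text, group_text, pam_su_text, admin_user="fedora"):
    """Run every check; returns a list of (check name, passed, detail)."""
    results = check_sshd(sshd_text)
    members = wheel_members(group_text)
    results.append(("wheel membership", admin_user in members,
                    f"wheel = {', '.join(sorted(members)) or '(empty)'}"))
    restricted = su_restricted_to_wheel(pam_su_text)
    results.append(("su restricted to wheel", restricted,
                    "pam_wheel.so required" if restricted else "pam_wheel.so line still commented"))
    return results


# Constructed samples: PermitEmptyPasswords was left commented out on purpose,
# so the audit reports exactly one failure.
SAMPLE_SSHD = "PermitRootLogin no\n#PermitEmptyPasswords no\nPasswordAuthentication yes\n"
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:root,fedora\nfedora:x:500:\n"
SAMPLE_PAM_SU = (
    "#%PAM-1.0\n"
    "auth sufficient pam_rootok.so\n"
    "#auth sufficient pam_wheel.so trust use_uid\n"
    "auth required pam_wheel.so use_uid\n"
    "auth include system-auth\n"
)

if __name__ == "__main__":
    for name, passed, detail in audit(SAMPLE_SSHD, SAMPLE_GROUP, SAMPLE_PAM_SU):
        print(f"[{'ok' if passed else 'FAIL'}] {name}: {detail}")
```

To run it against a real host, read the three files into the strings instead of the samples; SU_WHEEL_ONLY in /etc/login.defs is not checked because pam_wheel is what enforces the restriction on Fedora.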

[6] Installing Apache Web Server

This is an example of building a web server. Install Apache for it. In addition, install PHP and SSL because they are often used with a web server. It's also necessary to configure the router so that TCP and UDP packets to ports 80 and 443 can pass through.

[root@www ~]# yum -y install httpd php php-mbstring php-pear mod_ssl

[root@www ~]# rm -f /etc/httpd/conf.d/welcome.conf
[root@www ~]# rm -f /var/www/error/noindex.html
[root@www ~]# ln -s /usr/bin/perl /usr/local/bin/perl

Here is an example of configuring Apache. I set it so that users can open their web site to the public and can execute CGI in any directory. (SSI is disabled because it's not used so often.)

[root@www ~]# vi /etc/httpd/conf/httpd.conf

ServerTokens Prod // line 44: change
KeepAlive On // line 74: change to On
ServerAdmin root@server-linux.info // line 250: admin's address
ServerName www.server-linux.info:80 // line 264: server's name
Options FollowSymLinks ExecCGI // line 319: change (disable Indexes)
AllowOverride All // line 326: change
#UserDir disable // line 354: comment out
UserDir public_html // line 361: uncomment

// lines 369 - 380: remove the # to uncomment
AllowOverride All // change
Options ExecCGI // CGI enabled
Order allow,deny
Allow from all
Order deny,allow
Deny from all

// line 390: add the file names that are served when only the directory name is requested
DirectoryIndex index.html index.cgi index.php
ServerSignature Off // line 523: change
#AddDefaultCharset UTF-8 // line 746: comment out

// line 777: uncomment and add the file types that Apache treats as CGI
AddHandler cgi-script .cgi .pl

[root@www ~]# /etc/rc.d/init.d/httpd start
Starting httpd: [ OK ]
[root@www ~]# chkconfig httpd on

[2] Create an HTML test page to make sure Apache is working.

[7] Config SSL

Configure SSL, which was installed in the section above. We made a self-signed certificate file for SSL in this example, but if you use the server for business, it's better to buy and use a certificate from a CA like verisign.com, thawte.com, etc.

[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.......................++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase: // input pass phrase
Verifying - Enter pass phrase: // verify

// it's troublesome to input the pass phrase every time, so remove it from the private key
[root@www certs]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: // input pass phrase
writing RSA key
[root@www certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: US
State or Province Name (full name) [Berkshire]: CO
Locality Name (eg, city) [Newbury]: Denver
Organization Name (eg, company) [My Company Ltd]: sSysAdmin
Organizational Unit Name (eg, section) []: Security
Common Name (eg, your server's hostname) []: www.ssysadmin.com
Email Address []: root@ssysadmin.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // press Enter to leave empty
An optional company name []: // press Enter to leave empty

[root@www certs]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650 // make the certificate file
Signature ok
subject=/C=US/ST=CO/L=Denver/O=sSysAdmin/OU=Security/CN=www.ssysadmin.com/emailAddress=root@ssysadmin.com
Getting Private key
[root@www certs]# chmod 400 server.*
[root@www certs]# vi /etc/httpd/conf.d/ssl.conf

DocumentRoot "/var/www/html" // line 84: uncomment
ServerName www.ssysadmin.com:443 // line 85: uncomment and change
SSLCertificateFile /etc/pki/tls/certs/server.crt // line 112: change
SSLCertificateKeyFile /etc/pki/tls/certs/server.key // line 119: change

[root@www certs]# /etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

Access the page made in section (2) over https. The following window is shown because the certificate file is not issued by a CA. Click OK to proceed.

[8] Installing FTP Server

[1] Build an FTP server to transfer files. Install and configure vsftpd for it.

[root@www ~]# yum -y install vsftpd

[root@www ~]# vi /etc/vsftpd/vsftpd.conf

anonymous_enable=NO // line 12: no anonymous
ascii_upload_enable=YES // line 79: uncomment
ascii_download_enable=YES // permit ASCII mode transfer
chroot_list_enable=YES // line 94: uncomment (enable chroot list)
chroot_list_file=/etc/vsftpd/chroot_list // line 96: uncomment
ls_recurse_enable=YES // line 102: uncomment
chroot_local_user=YES // bottom: enable chroot
local_root=public_html // root directory
use_localtime=YES // use local time

[root@www ~]# vi /etc/vsftpd/chroot_list
fedora // write the users you permit

[root@www ~]# /etc/rc.d/init.d/vsftpd start
Starting vsftpd for vsftpd: [ OK ]
[root@www ~]# chkconfig vsftpd on

[9] Samba File Server

Build a file server to share files between Windows computers and the Linux server. Install Samba for it. I created this file server in a guest OS named 'lan' in this example.

[root@lan ~]# yum -y install samba

Create a shared directory that anybody can read and write, without authentication.

[1] Configure Samba
[root@lan ~]# mkdir /home/share
[root@lan ~]# chmod 777 /home/share
[root@lan ~]# vi /etc/samba/smb.conf

unix charset = UTF-8 // line 24: add the line
workgroup = WORKGROUP // line 27: change (Windows' default)
security = share // line 35: change
hosts allow = 192.168.0. 127. // line 41: change to the IP addresses you permit

// add these lines at the bottom
[Share] // any name you like
path = /home/share // shared directory
writable = yes // OK to write
guest ok = yes // guest OK
guest only = yes // guest only
create mode = 0777 // fully accessible
directory mode = 0777 // fully accessible
share modes = yes

[root@lan ~]# /etc/rc.d/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@lan ~]# chkconfig smb on

[10] MySQL

Install MySQL for the database server.

[root@www1 ~]# yum -y install mysql-server
[root@www1 ~]# /etc/rc.d/init.d/mysqld start

[root@www1 ~]# mysql -u root # login to MySQL
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

# show user info
mysql> select user, host, password from mysql.user;

# delete the anonymous users (empty user name, no password)
mysql> delete from mysql.user where user='';
Query OK, 2 rows affected (0.00 sec)

# set root password
mysql> set password for root@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)

# set root password
mysql> set password for root@'www1.server-linux.info'=password('password');
Query OK, 0 rows affected (0.00 sec)

# set root password
mysql> set password for root@127.0.0.1=password('password');
Query OK, 0 rows affected (0.00 sec)

# show user info
mysql> select user, host, password from mysql.user;

mysql> exit # logout
Bye
[root@www1 ~]# mysql -u root -p # login as root
Enter password: # password
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> exit
Bye

Install phpMyAdmin to operate MySQL from a web browser. A web server is also needed.

[1] Install and configure phpMyAdmin

[root@www1 ~]# yum -y install phpMyAdmin php-mysql php-mcrypt
[root@www1 ~]# vi /etc/phpMyAdmin/config.inc.php

# add this line around line 13: set the password
$cfg['blowfish_secret'] = 'password';

# line 28: change
$cfg['Servers'][$i]['auth_type'] = 'cookie';

[root@www1 ~]# vi /etc/httpd/conf.d/phpMyAdmin.conf

# line 8: change
Alias /mysql /usr/share/phpMyAdmin
# line 13: add the IPs you permit
Allow from 127.0.0.1 192.168.0.0/24

[root@www1 ~]# /etc/rc.d/init.d/httpd reload
Reloading httpd: [ OK ]

[2] Access 'http://(your hostname)/(alias name you set)/', e.g. http://localhost/phpMyAdmin, through a web browser.

Credits: yuvalinux @ bs

ASP.NET MVC 3 Extensionless URLs on IIS 6

The part that makes it easier has nothing to do with ASP.NET MVC 3 and everything to do with a little-known new feature of ASP.NET 4 creatively called the ASP.NET 4 Extensionless URL feature. ASP.NET MVC 3 requires ASP.NET 4, so it naturally benefits from this new feature.

If you have a server running IIS 6, ASP.NET 4, and ASP.NET MVC 3 (or even ASP.NET MVC 2), your website should just work with the default extensionless URLs generated by ASP.NET MVC applications. No need to configure wildcard mappings or *.mvc mappings. In fact, you don't even need to set RAMMFAR to true. RAMMFAR is our pet name for the runAllManagedModulesForAllRequests setting within the system.webServer section of web.config. You can feel free to set this to false.

<modules runAllManagedModulesForAllRequests="false" />

When installing ASP.NET 4, this is enabled by default. So if you have a hosting provider still using IIS 6, but which does have ASP.NET 4 installed, then this should work for you.

How does this work?

Here is how the v4.0 ASP.NET extensionless URL feature works on IIS 6. We have an ISAPI filter named aspnet_filter.dll that appends "/eurl.axd/GUID" to extensionless URLs. This happens early on in the request processing. We also have a script mapping so that "*.axd" requests are handled by our ISAPI, aspnet_isapi.dll. When we append "/eurl.axd/GUID" to extensionless URLs, it causes them to be mapped to our aspnet_isapi.dll, as long as the script map exists as expected. These requests then enter ASP.NET, where we remove "/eurl.axd/GUID" from the URL, that is, we restore the original URL. The restoration of the original URL happens very early. Now the URL is extensionless again and if no further changes are made

He also has a list of conditions that must be true for this feature to work. If any one of them is false, then you're back to the old extension-full URLs with IIS 6.

I'm Getting a 403 Forbidden

This is not technically related, but if you face a 403 Forbidden error message, here is how to fix it.

In IIS Manager, right-click the Web Service Extensions node and select the menu option labeled "Allow all Web service extensions for a specific application":

In the resulting dialog, select the ASP.NET v4.0.30319 option.

To double-check that everything is configured correctly, look at the properties for your website and ensure that Scripts are enabled.

Also click the Configuration... button and make sure that *.axd is mapped to the proper ASP.NET ISAPI DLL (aspnet_isapi.dll).

With all that in place, you should be able to run a standard ASP.NET MVC web application and make requests for /, /home/about/, etc. without any problems!

How To Fix 'Microsoft.Jet.OLEDB.4.0' Error

Problem:

Server Error in '/' Application.
--------------------------------------------------------------------
The 'Microsoft.Jet.OLEDB.4.0' provider is not registered on the local machine.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.InvalidOperationException: The 'Microsoft.Jet.OLEDB.4.0' provider is not registered on the local machine.

Solution:

You will get this error on Windows Server 2008 R2 or 64-bit Windows 7. To fix it, switch your application pool from native 64-bit to 32-bit mode under Advanced Settings.

Suggestion:

It is also suggested that you upgrade your application to the new ACE OLEDB provider, which you can download from here.

Backup IIS7 ApplicationHost.config and Settings

Internet Information Services 7 (IIS7) doesn't use the metabase-like file from IIS6. Instead, the settings and configuration are stored in schema files and applicationHost.config files.

Since the configuration files are different, the old IIS6 tools will not be able to back up IIS7 settings.

This is the new script that you can use to back up your IIS7 web servers.

1. Using Notepad or any text editor, create a file backupiis7.cmd

2. Insert the following code and save the file:

Code:

@echo off
cls

rem work in the inetsrv directory so appcmd and the temp files are found
pushd "%WinDir%\System32\inetsrv"

rem capture the "current date/time is" lines of the date and time commands
echo.| date | find /i "current">datetime1.tmp
echo.| time | find /i "current">datetime2.tmp

rem keep only the date value (6th token) and the time value (5th token)
for /f "tokens=1,2,3,4,5,6" %%i in (datetime1.tmp) do (
  echo %%n>datetime1.tmp
)
for /f "tokens=1,2,3,4,5,6" %%i in (datetime2.tmp) do (
  echo %%m>datetime2.tmp
)
rem build a backup name of the form DyyyymmddThhmmsscc (assumes the mm/dd/yyyy date format)
for /f "delims=/ tokens=1,2,3" %%i in (datetime1.tmp) do (
  set TMPDATETIME=%%k%%i%%j
)
for /f "delims=:. tokens=1,2,3,4" %%i in (datetime2.tmp) do (
  set TMPDATETIME=D%TMPDATETIME%T%%i%%j%%k%%l
)

rem appcmd stores a copy of the IIS configuration files under the backup directory
appcmd add backups %TMPDATETIME%

del datetime1.tmp
del datetime2.tmp

set TMPDATETIME=

popd
echo.

3. The IIS7 configuration will be backed up at the following path:

C:\Windows\System32\inetsrv\backup

NOTE: You can also use Task Scheduler to automate backups.

Arabic Language Shows ??? in SmarterMail Web Interface

Problem: When someone sends email through the SmarterMail web interface, anything in Arabic shows as ????. Is this SmarterMail related or something we need to set server side?

Solution: This can be controlled in the user's inbox through Settings > My Settings > Account Settings > Compose. Set the Text Encoding to "Unicode (UTF-8)" ("Arabic (ISO)" might work too) and then try sending the email again. This will affect any outgoing mail after the settings are saved; existing messages will not be changed.

Note: This is a per-user setting.

ASP.NET Vulnerability Patch Released: Microsoft Security Bulletin MS10-070

Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Microsoft released the ASP.NET vulnerability patch through the Download Center; for details please click here.

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

The patch is available through the Microsoft Download Center.

Important: ASP.NET Security Vulnerability

A few hours ago Microsoft released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET.

This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications.

What does the vulnerability enable?

An attacker using this vulnerability can request and download files within an ASP.NET application like the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.

How to Work Around the Vulnerability

A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page, regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.

Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the "defaultRedirect" attribute on the <customErrors> section and ensure that no per-status codes are set.

Enabling the Workaround on ASP.NET V1.0 to V3.5

If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 then you should follow the steps below to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET application's root Web.Config file. If the file doesn't exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the settings below:

<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
</configuration>

3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed any time an error occurs within the web application.

Notes: The important things to note above are that customErrors is set to "On", and that all errors are handled by the defaultRedirect error page. There are no per-status-code error pages defined, which means that there are no <error> sub-elements within the <customErrors> section. This avoids an attacker being able to differentiate why an error occurred on the server, and prevents information disclosure.

Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0

If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the steps below to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET application's root Web.Config file. If the file doesn't exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the settings below. Note the use of redirectMode="ResponseRewrite" with .NET 3.5 SP1 and .NET 4.0:

<configuration>
   <system.web>
     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>

3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like). This file will be displayed any time an error occurs within the web application.

4) We recommend adding the code below to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.

VB Version

Below is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application; you can optionally just save this Error.aspx file into the application directory on your web server:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
    Sub Page_Load()
        ' one cryptographically random byte gives a 0-255 ms delay before the page renders
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()

        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))

        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        Sorry - an error occurred
    </div>
</body>
</html>

C# Version

Below is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it. You do not need to compile this into an application; you can optionally just save it into the application directory on your web server:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>

<script runat="server">
   void Page_Load() {
      // one cryptographically random byte gives a 0-255 ms delay before the page renders
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();

      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);

      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
    }
</script>

<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>

How to Verify if the Workaround is Enabled

Once you have applied the above workaround, you can test to make sure the <customErrors> section is correctly configured by requesting a URL like this from your site: http://mysite.com/pagethatdoesnotexist.aspx

If you see the custom error page appear (because the file you requested doesn't exist) then your configuration should be set up correctly. If you see a standard ASP.NET error then it is likely that you missed one of the steps above. To see more information about what might be the cause of the problem, you can try setting <customErrors mode="RemoteOnly"/>, which will enable you to see the error message if you are connecting to the site from a local browser.

How to Find Vulnerable ASP.NET Applications on Your Web Server

http://asp.net have published a .vbs script that you can save and run on your web server to determine if there are ASP.NET applications installed on it that either have <customErrors> turned off, or which differentiate error messages depending on status codes.

You can download the .vbs script here. Simply copy/paste the script into a text file called "DetectCustomErrors.vbs" and save it to disk. Then launch a command window that is elevated as admin and run "cscript DetectCustomErrors.vbs" to run it against your local web server. It will enumerate all of the applications within your web server and verify that the correct <customErrors> configuration has been specified.

It will flag any application where it finds that an application's web.config file doesn't have the <customErrors> section (in which case you need to add it), or doesn't have it set correctly to work around this attack (in which case you need to update it). It will print "ok" for each application web.config file it finds that is fine. This should hopefully make it easier to locate issues.

Note: http://asp.net have developed this detection script over the last few hours, and will be refining it further in the future. I will post an update in this section each time we make a change to it.
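The DetectCustomErrors.vbs script itself is not reproduced on this page, so here is an added Python check (not the asp.net script, and not part of the original post) that applies the same criteria from the workaround sections above to the text of a web.config: the section must exist, mode must be On or RemoteOnly, defaultRedirect must be set, and there must be no per-status <error> sub-elements. The sample configurations are constructed; <location> overrides of customErrors are not examined.

```python
"""Check web.config files for the <customErrors> workaround described above.

Added example, not the DetectCustomErrors.vbs script from asp.net. It applies
the same criteria to the text of a web.config and, like that script, reports
"ok" for a configuration that is fine. Sample configurations are constructed.
"""
import xml.etree.ElementTree as ET

# The post accepts either mode as long as every error maps to one page.
ACCEPTED_MODES = {"on", "remoteonly"}


def check_custom_errors(web_config_xml):
    """Return a list of problems; an empty list means the workaround is in place."""
    try:
        root = ET.fromstring(web_config_xml)
    except ET.ParseError as exc:
        return [f"web.config is not well-formed XML: {exc}"]
    section = root.find("system.web/customErrors")
    if section is None:
        return ["<customErrors> section missing"]
    problems = []
    mode = section.get("mode", "")
    if mode.lower() not in ACCEPTED_MODES:
        problems.append(f"mode is '{mode or '(unset)'}', expected On or RemoteOnly")
    if not section.get("defaultRedirect"):
        problems.append("defaultRedirect is not set, so errors are not mapped to one page")
    codes = [error.get("statusCode", "?") for error in section.findall("error")]
    if codes:
        # Separate pages per status code let a client tell error types apart.
        problems.append("per-status <error> elements present: " + ", ".join(codes))
    return problems


def scan(applications):
    """Check several applications at once; returns {name: 'ok' or list of problems}."""
    return {name: (check_custom_errors(xml) or "ok") for name, xml in applications.items()}


# Constructed sample configurations: one correct, three that the check should flag.
GOOD = """<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>"""

PER_STATUS = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/fail.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

OFF = '<configuration><system.web><customErrors mode="Off" /></system.web></configuration>'

MISSING = "<configuration><system.web /></configuration>"

if __name__ == "__main__":
    samples = {"good": GOOD, "per-status": PER_STATUS, "off": OFF, "missing": MISSING}
    for app, verdict in scan(samples).items():
        print(app, "->", verdict)
```

To use it on a server, read each application's web.config into the dictionary passed to scan(); a machine-level or site-level override is not merged, so check every web.config in the hierarchy.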

How to Find More Information about this Vulnerability

You can learn more about this vulnerability from:

Forum for Questions

There is a dedicated forum on the www.asp.net site to help answer questions about this vulnerability.

Post questions here to ask questions and get help about this vulnerability.

Summary

I will post more details as I learn more, and will also post the patch that can be used to correct the root cause of the issue (and avoid the need for the above workaround).

Until then, please apply the above workaround to all of your ASP.NET applications to prevent attackers from exploiting it.

This article applies to:


| Operating System | Component |
|---|---|
| Windows XP | |
| Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005 | Microsoft .NET Framework 1.0 Service Pack 3 |
| Windows XP Service Pack 3 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows XP Professional x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 | |
| Windows Server 2003 Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 2.0 Service Pack 2; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Vista | |
| Windows Vista Service Pack 1 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Vista Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Vista x64 Edition Service Pack 1 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Vista x64 Edition Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 | |
| Windows Server 2008 for 32-bit Systems** | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for 32-bit Systems Service Pack 2** | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for x64-based Systems** | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for x64-based Systems Service Pack 2** | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for Itanium-based Systems | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 | Microsoft .NET Framework 1.1 Service Pack 1; Microsoft .NET Framework 3.5 Service Pack 1; Microsoft .NET Framework 4.0 |
| Windows 7 | |
| Windows 7 for 32-bit Systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows 7 for x64-based Systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 R2 | |
| Windows Server 2008 R2 for x64-based Systems* | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |
| Windows Server 2008 R2 for Itanium-based Systems | Microsoft .NET Framework 3.5.1; Microsoft .NET Framework 4.0 |

*Server Core installation affected. This vulnerability applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

**Server Core installation not affected. This vulnerability does not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.