Is IIS giving up your private IP address?

Hackers love information about your network. If you are not using Host Headers on your IIS website, then IIS could be returning the IP address of the machine in the TCP header of the response. In single-server situations where the server is in a DMZ of a firewall, the machine is most likely using the same address that DNS resolves. If this is the case, it may not matter as much because it is giving away information that is freely available through DNS anyway.

This becomes more of an issue where you have a load balancing device like a Cisco CSS or ACE device distributing the traffic across multiple servers. In this situation you would not want the server to return its configured IP address because you would be providing information about your network that could be used against you.

Microsoft in Q834141 states there are 2 options to fix this issue. Both solutions provided have a patch requirement. This shouldn't be a problem because no one in their right mind would run a server accessible on the Internet that wasn't fully patched... Right? I will also provide another option that I will call Option TRF.

Here are the Options for your reading pleasure…

Option TRF (easiest):
  1. Configure all your websites to use Host Headers. Most if not all modern browsers support host headers. This will fix the issue and will not require a reboot or force you to confirm patch levels. I do still recommend that you keep your server patched.

Microsoft Option 1: Set the UseHostName property

To set the UseHostName property, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
  2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following: %SYSTEMROOT%\Inetpub\AdminScripts
  3. Type the following command, where x is your site identifier: cscript adsutil.vbs set w3svc/x/UseHostName true

Microsoft Option 2: Set the SetHostName property

To set the SetHostName property, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
  2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following: %SYSTEMROOT%\Inetpub\AdminScripts
  3. Type the following command, where x is your site identifier and hostname is the alternate host name that you want to use: cscript adsutil.vbs set w3svc/x/SetHostName hostname
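
To confirm that whichever option you chose has taken effect, you can capture the raw reply your own site gives to a request sent without a Host header and scan its headers for internal addresses. The following is an added example, not part of the original post or of Microsoft's article; it assumes the address shows up in an HTTP response header such as Location or Content-Location, and the sample responses and addresses in it are constructed.

```python
import ipaddress
import re

# Constructed sample: the kind of reply a site without Host Headers might give
# to a request that carries no Host header (address and path are made up).
SAMPLE_LEAKY = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: http://10.20.30.40/images/\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Length: 149\r\n"
    "\r\n"
    "<body>moved</body>"
)
# The same reply after the fix: a host name appears instead of the address.
SAMPLE_FIXED = SAMPLE_LEAKY.replace("10.20.30.40", "www.example.com")

# Dotted quad that is not part of a longer run of digits and dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_headers(raw):
    """Return (name, value) pairs from the header section of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def leaked_private_addresses(raw):
    """List (header, address) for each non-public IPv4 address in a header."""
    findings = []
    for name, value in parse_headers(raw):
        for candidate in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looks like a dotted quad but is not a valid address
            if addr.is_private:  # RFC 1918, loopback, link-local and similar
                findings.append((name, candidate))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_LEAKY), ("after", SAMPLE_FIXED)):
        print(label, leaked_private_addresses(raw))
```
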

 


Disable Caching on an ASP.Net Page

I have been working on a database-driven ASP.Net site lately and have been having problems with the browser caching page variables. This is causing issues when the user uses the back command to navigate to the previous page instead of using the provided command button to return to the page they need.

In order to prevent the page from being cached and force it to be loaded as a new page each time, add the following code to the Page_Load event:

VB.Net:

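   ' Buffer the output, mark the page as already expired (one day ago,
   ' zero minutes to live) and send Cache-Control: no-cache.
   Response.Buffer = True
   Response.ExpiresAbsolute = Now().Subtract(New TimeSpan(1, 0, 0, 0))
   Response.Expires = 0
   Response.CacheControl = "no-cache"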

C#:

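   // Buffer the output, mark the page as already expired (one day ago,
   // zero minutes to live) and send Cache-Control: no-cache.
   Response.Buffer = true;
   Response.ExpiresAbsolute = DateTime.Now.Subtract(new TimeSpan(1, 0, 0, 0));
   Response.Expires = 0;
   Response.CacheControl = "no-cache";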

 

So simple, yet so effective. 

 

WordPress 2.5.1, it's time to update.

The creators of WordPress have released a very important security update for their blogging platform. Anyone running WordPress 2.5 must upgrade to this latest release.

Version 2.5.1 of WordPress is now available. It includes a number of bug fixes, performance enhancements, and one very important security fix. We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

In addition to the security fix, WordPress 2.5.1 contains over 70 bug fixes. Here are some highlights.
