This article describes a non-security update that implements Extended Protection for Authentication in Internet Information Services (IIS).

When Extended Protection for Authentication is enabled, authentication requests are bound to both the Service Principal Names (SPN) of the server to which the client tries to connect and to the outer Transport Layer Security (TLS) channel over which Integrated Windows Authentication happens.

Description: This security update resolves two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0. The security update addresses the vulnerabilities by modifying the way that the FTP Service handles list operations. Keep reading →

Consider the following scenario:

• You have a Web application that is running in Internet Information Services (IIS) 7.0 on a Windows Vista-based computer or on a Windows Server 2008-based computer.
• You have both Windows Authentication and Kernel Mode authentication enabled.
  Note: This is by default.
• You have the useAppPoolCredentials attribute set to true in the authentication section in the Applicationhost.config file. You may have added this attribute to allow the use of Kerberos authentication when you use a domain account for the application pool identity. For example, this attribute must be added when you are running a Microsoft Office SharePoint Server site. The authentication section resembles the following.
  

  [windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true"/]

  Note: The Applicationhost.config file is located in the Drive:\Windows\System32\inetsrv\config folder.

In this scenario, the operating system may crash. Additionally, you receive a Stop 0×0000007e error message on a blue screen.

Note: This problem typically occurs on Web servers that host Office SharePoint Server 2007. This problem occurs because of the configuration requirements of Office SharePoint Server 2007 when Kerberos authentication is used. However, the problem may occur for any kind of Web site that is using Kernel Mode authentication, Kerberos authentication, and a domain account as the custom application pool identity.

Microsoft Web Administration (MWA) may return an “Out of Memory” error when the MWA console is used to configure more than 1,000 users to a single Secure Sockets Layer (SSL) connection in Windows Vista. The error in MWA resembles the following:

System.OutOfMemoryException: Retrieving the COM class factory

You may also see the “Out of Memory” error in any application that is using DCOM. The error in a DCOM application resembles the following:

8007000e (ERROR_OUTOFMEMORY)

Note: This problem also occurs in Internet Information Services (IIS) 7.0.

You could not install the Autodesk Web Server (AWS) after you removed Microsoft® Internet Information Services (IIS) 7.0 from your Windows Vista™ operating system.

For more information on this issue, including potential causes, workarounds, and resolutions, see: AutoDesk Knowledge Base Article TS1078907.

In Internet Information Services (IIS) 7.0, request routing modules such as Microsoft Application Request Routing can transform the server that is running IIS into a proxy server. In this case, the IIS proxy server can forward requests to other destinations. However, a request is rejected if the following conditions are true:

• The requested file already exists on the local IIS proxy server.
• The system access control list (SACL) of the requested file does not give the access permission to the user who makes the request.

Additionally, the performance is decreased if the following conditions are true:

• The requested file already exists on the local IIS proxy server.
• The system access control list (SACL) of the requested file gives the access permission to the user who makes the request.

Note: The performance is decreased even if the requested file does not exist on the IIS proxy server.

• TechBlog: Apple changes the way it pushes Safari at Windows users
  Apple makes a token jesture to make it's pushing of Safari to Windows machines more palatable.
  (tags: Apple Safari Updates )
• Businesses warned not to skip Vista – CIO UK Magazine
  Forrester Research issued a report saying don't wait for Windows 7, plan your rollout of Vista now.
  (tags: Deployment Review )

Keep reading →

Corrine explains a security advisory issued yesterday that could allow elevation of privileges in Vista if you run IIS or SQL Server. Microsoft has a few workaround suggestions. Keep reading →

Microsoft Internet Information Services: A set of Internet-based services for servers using Microsoft Windows.

You have an application that is built on the Microsoft .NET Framework 2.0 and that is hosted on Internet Information Services (IIS) 7.0. The first time that you access a Microsoft ASP.NET page in the application, you receive an HTTP 400 error message. However, later requests succeed.