IIS exploits in Windows Server and how you can fix them

This is a really good article from techtarget:



I believe it’s safe to say that a common goal of Windows server administrators is to have reasonably resilient systems. There’s a lot going on in the world of online security threats. The last thing you need is someone on the other side of the world, or internal to your organization, exploit something in IIS or Windows server that could’ve been prevented.

Your hands may be tied in terms of application-specific flaws but there’s plenty you can do at the server level to make your IIS-based systems more secure. In reviewing my Web security assessment projects over the past year, here are the top IIS vulnerabilities afflicting Windows servers:

Unhandled exceptions (HTTP 500 errors) are generated.
This can disclose sensitive configuration information and facilitate SQL injection. The server-side fix is to disable detailed error messages via the following in the server’s web.config file:

<customErrors mode=”RemoteOnly” defaultRedirect=”AppErrors.aspx”>

<error statusCode=”404″ redirect=”NoSuchPage.aspx”/>

<error statusCode=”403″ redirect=”NoAccessAllowed.aspx”/>

<error statusCode=”500″ redirect=”RequestNotAllowed.aspx”/>


Viewstate parameter encryption and MAC are disabled.
This can allow an attack to manipulate sensitive parameters and gain unauthorized access. The server-side fix is to enable viewstate hashing and MAC on all pages of the application via the following to the server’s web.config file:


<pages viewStateEncryptionMode=”Always”>

<pages enableViewStateMac=”true”/>

<machineKey validation=”3DES”/>


Unencrypted HTTP connections can be made.
This can lead to the exposure of login credentials and other sensitive information because everything to and from the Web server is transmitted plaintext communications. The server-side fix is to require TLS version 1.1+ encryption across the entire website/application.



Find more PRO+ content and other member only offers, here.

SSL versions 2 and 3 and weak encryption ciphers are enabled.
This can facilitate man-in-the-middle attacks and lead to the compromise of sensitive information. The server-side fix is to require TLS version 1.1+ and disable weak ciphers such as RC4.

Cross-frame scripting is possible.
This can facilitate clickjacking and trick users into clicking on something different from what they perceive they are clicking on. The server-side fix is to set the X-Frame-Options header to DENY, SAMEORIGIN or ALLOW-FROM based on your specific needs.

Sensitive server directories and files are publicly-accessible.
This can expose system configuration, code or sensitive data. The server-side fix is to ensure that only the necessary permissions are enabled for public access.

Windows patches are missing.
This can lead to anything from denial of service to full remote access to the Web server using a tool such as Metasploit. The server-side fix is to patch your servers. It’s that simple. Even if you’re concerned about taking production servers offline, patching needs to be performed consistently across the board if you’re going to have a secure Web environment.

Most of these vulnerabilities may not be considered “critical” but they can certainly be problematic long term. As you can see, they’re relatively easily to resolve. In fact, the only thing it will cost you to fix them is your time. Find and fix these issues — they’re easy security wins for your business and will help keep your vulnerability scan and security assessment reports as clean as possible.

Once you tackle these website security server fundamentals you can more on to bigger — often more complex — security flaws within your Web applications themselves. This includes everything from cross-site scripting (an all too common vulnerability) to SQL injection (a less common yet lethal flaw) to weak user authentication and session management. That’s where the real fun begins.

Converting NDRs to x500


You ran a script to modify SMTP addresses on an Exchange 2010 user and accidentally overwrote all of their previous SMTP addresses including the legacyexchangeDN aka x500. (or you accidentally deleted a user and created their mailbox to the same AD account)

Now internal users are reporting that they’re receiving NDRs about the user no longer exists, even though you’ve already added the same exact SMTP address to their mailbox

Cause: Internal users typically caches the x500 address for internal communication instead of using SMTP addresses.


Not so efficient solution: Have every users that have this person’s contact autofilled in their Outlook client delete the contact from the autofill and re-enter their SMTP address.

Better: Have someone send a NDR to you for this particular user and recreate the x500 from that NDR on this user’s mailbox



Delivery has failed to these recipients or distribution lists:

Nguyen, Peter
The recipient’s e-mail address was not found in the recipient’s e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.

If you click on the name, the NDR will get resolved to:


EXCH is the Exchange Organization name

So now we need to convert the above address into proper x500


First step: Replace all underscores “_” to “/”


Then replace all +28 to “(” and +29 to “)”

Replace all +20 to space ” ”

Replace all +2E to a period “.”

The final x500 would look like this:


Now just add this new string to the user’s Alias under the Exchange console as a custom address and you’re golden.

Amazon Glacier is a Tape driven archival storage solution

Storage Servers

Amazon Web Services much famous Glacier, which was launched a couple of months ago is a cloud based storage solution offered to the enterprises as a Cloud based archival solution. All the cold data which is not in frequent use in an enterprise can be fed to Glacier and can be retrieved on demand.

All these days, enterprises were maintaining their cold data on tape libraries and had to deal with the painful management and maintenance of these cost efficient storage solutions. In order to ease the job of the enterprise IT team, AWS released Glacier which allowed its users to store data at just one cent per gig/month cost. This cloud based storage solution was termed to be as the low cost archival solution available in the data storage market till date.

Glacier has the potential to accept any amounts of data at a cost that even the traditional…

View original post 279 more words

The default transaction resource manager on volume C: encountered an error while starting and its metadata was reset. The data contains the error code.

The default transaction resource manager on volume C: encountered an error while starting and its metadata was reset. The data contains the error code.

EventID: 134

Log Name: System

Issue: This will happen whenever the Windows file system transaction log is corrupted. The Windows file system uses the transaction log to recover system transactions when a file error occurs.The Common Log File System (CLFS) transaction logs may be left in an inconsistent state. When the CLFS transaction logs are in an inconsistent state



delete the .blf files and the .regtrans-ms files from the %Windir%\System32\SMI\Store\Machine folder.


The run CMD as Admin

at the command prompt type: fsutil resource setautoreset true c:\
 These steps assume that Windows is installed in the default location, on drive C. If this is not the case, adjust the drive letter of the folder path to match your configuration.


remove stuck mailbox move

When Remove-moverequest fails

1. Open ADSIEDIT and navigate to the OU where your broken user account is stored. (Under: Default Naming Context)
2. Locate the user account, right-click on it and then choose “Properties”.
3. Click on the “Filter” button and make sure “Show only attributes that have values” is checked.
4. Scroll down the attributes and search for an entry called “msExchMailboxMoveRemoteHostName”.
5. Click on the “Edit” button.
6. Click on the “Clear” button.
7. Click the “OK” button.

SOURCE: http://www.nonstop.co.il/kb/view.php?kb=66





Force removing Exchange 2010 database – ADSIEDIT.MSC

Run Get-Mailbox -Database “Database Name” –Arbitration command to find all the arbitration mailboxes

If there are some arbitration mailboxes, move them to different databases and then delete the database again

If all above don’t work, you can use ADSIEDIT tool to delete mailbox database:

1. Open Adsiedit.msc

2. Connect to the configuration partition.

3. Expand Configuration-Services-Microsoft Exchange–Administrative Groups-Servers–Information Stores.

4. Delete the appropriate database.

I ran Set-AdServerSettings -ViewEntireForest $True then ran get-mailbox -database db1 -arbitration and all of a sudden I now see a mailbox!!! How annoying.

I moved the arbitraion mailbox to another DB and I was then able to delete the DB.

I was not aware of the Set-AdServerSettings command.

get-mailboxstatistics -database |fl