15 comments

[ 2.1 ms ] story [ 51.8 ms ] thread
I front all my honeypots with the IIS landing page precisely because it attracts black hat jagoffs.

Nothing makes me happier than knowing I've wasted hours of their time chasing their own tails.

The tone of this is something else
Ah webpage formatting cooked but otherwise a fun read
This is extremely well done design (at least on full desktop browsers). Amazing content as well.
Would love to see a write yo on nginx!
> IIS has a legacy behavior inherited from the old DOS 8.3 filename convention.

Is this exposing the underlying OS's behavior coupled with the fact that the IIS document root is `C:\Inetpub` by default? Eight-dot-three filenames are enabled by default on the C drive but disabled by default on all other drives on Windows 10/11:

  PS> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').DisplayVersion
  24H2

  PS> fsutil 8dot3name query C:
  The volume state is: 0 (8dot3 name creation is ENABLED)
  The registry state is: 2 (Per volume setting - the default)
  Based on the above settings, 8dot3 name creation is ENABLED on "C:"

  PS> fsutil 8dot3name query U:
  The volume state is: 1 (8dot3 name creation is DISABLED)
  The registry state is: 2 (Per volume setting - the default)
  Based on the above settings, 8dot3 name creation is DISABLED on "U:"
Does anyone use IIS anymore?
I do. As others have replied, Windows Server--including IIS, means you have a domain joined machine, likely with an SPN of HOST/MACHINE.DOMAIN. Windows services and IIS App Pool Identities log in with an (g)MSA or virtual accounts (NT Service*) and you get a fully working and managed Kerberos experience without having to deal with 30, 60, 90 day password rotations. Log into your MS SQL Server with Kerberos, log into some other webapp's oauth2 flow with Kerberos, etc, it all just works. You can use WinRM with your native Windows shell without having to do anything special, and even technically bypass 2FA since that's just how it really works.

Can you do all this on Linux? Yes. Will it ever be set up correctly? Depends where you work, but based on my experience so far, not likely.

Yep.

And as an ignoramus: what it is that you are supposed to be using nowadays?

Think in the context of a small company making enterprise .NET (framework) code where Windows is the world, cloud wouldn't fly with the customers, SOAP is still king and your one IT guy is too busy to notice anything happened after 2010. Suppose also that entire software rewrites are impossibly impractical, and that while you'd love to take some security gains, you just don't have the capacity to do configuration deep dives let alone to gamble on something complex like Kubernetes.

(comment deleted)
I've seen it used to deliver 'apps' that 90% of a business's employees use. (EX: Met/Team) in the Metrology (calibration) space.
Yes, plenty of Microsoft shops still depend on .NET Framework based applications, or even classical ASP.

For modern .NET no one is really using IIS any longer.

what's the deal with left sidebar overlapping the main text?
Oh man this takes me back.

Once upon a time, all server logs were basically unusable because of the amount of IIS scanners out there. There was a directory traversal that was literally just url encoding “../“ that absolutely lit the internet on fire for many months.