Using web.config transforms on assembly binding redirects

Right, I keep having to do this, and keep having to look this up, so here it is.

Writing a web.config transform (XDT) for an assembly binding redirect is a bit tricky. The assembly's name and public key token live in an <assemblyIdentity /> element, and the <bindingRedirect /> that carries oldVersion and newVersion is its sibling, so there is nothing on the redirect element itself for a locator to match the assembly by. I don't know why it was designed this way; I'm assuming alcohol was involved. Having the oldVersion and newVersion attributes on the same element as the assembly's identity would be much simpler.

Anyway, it is what it is. The workable alternative is to replace the entire <dependentAssembly /> element, at the cost of a slightly fiddly locator: the Condition() on the parent element checks the name attribute of its child assemblyIdentity. Two things to know when reading it. The fragment sits in the same place as in web.config, under <runtime><assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">, and _defaultNamespace is the prefix XDT assigns to the target document's default namespace (here asm.v1), which is why the XPath cannot simply say assemblyIdentity. Because the transform is Replace, the element in the transform file must carry both children; whatever the original dependentAssembly contained is discarded.

<dependentAssembly xdt:Transform="Replace" xdt:Locator="Condition(./_defaultNamespace:assemblyIdentity/@name='System.Runtime')">
    <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" />
    <bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
</dependentAssembly>
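Once the transform has run, it is worth checking that the redirect actually landed in the deployed web.config and that it covers the versions your assemblies were compiled against. The following Python script is an added example, not code from the original post; it applies the same selection the Condition() locator expresses (the dependentAssembly whose child assemblyIdentity has the given name) to a constructed sample web.config, and also checks that a referenced version falls inside the oldVersion range.

```python
"""Verify that a binding redirect landed in a transformed web.config.

Added example, not code from the original post.  SAMPLE_WEB_CONFIG is a
constructed stand-in for the output of a transformed build.
"""
import xml.etree.ElementTree as ET

# Default namespace of <assemblyBinding>; XDT refers to it as _defaultNamespace.
NS = {"asm": "urn:schemas-microsoft-com:asm.v1"}

# Constructed sample of a transformed web.config (illustrative only).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" />
        <bindingRedirect oldVersion="0.0.0.0-4.1.2.0" newVersion="4.1.2.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""


def find_redirect(config_xml, assembly_name):
    """Return the redirect for assembly_name as a dict, or None if absent.

    Same selection as the XDT locator: the dependentAssembly whose child
    assemblyIdentity carries the requested name.
    """
    root = ET.fromstring(config_xml)
    for dep in root.iterfind(".//asm:dependentAssembly", NS):
        ident = dep.find("asm:assemblyIdentity", NS)
        if ident is None or ident.get("name") != assembly_name:
            continue
        redirect = dep.find("asm:bindingRedirect", NS)
        if redirect is None:
            return None
        return {
            "publicKeyToken": ident.get("publicKeyToken"),
            "oldVersion": redirect.get("oldVersion"),
            "newVersion": redirect.get("newVersion"),
        }
    return None


def parse_version(text):
    """'4.1.2.0' -> (4, 1, 2, 0); missing components count as 0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def redirect_covers(old_version, requested):
    """True if a reference to `requested` falls inside the oldVersion range."""
    low, _, high = old_version.partition("-")
    high = high or low  # a single version is a range of one
    return parse_version(low) <= parse_version(requested) <= parse_version(high)


def check_redirect(config_xml, assembly_name, expected_new, referenced):
    """Confirm the transform produced the expected redirect and that it
    catches every version in `referenced` (what your assemblies were
    compiled against).  Returns a list of problems; empty means all good."""
    problems = []
    r = find_redirect(config_xml, assembly_name)
    if r is None:
        problems.append(f"no bindingRedirect for {assembly_name}")
        return problems
    if r["newVersion"] != expected_new:
        problems.append(f"newVersion is {r['newVersion']}, expected {expected_new}")
    for v in referenced:
        if not redirect_covers(r["oldVersion"], v):
            problems.append(f"reference to {v} is outside oldVersion {r['oldVersion']}")
    return problems


if __name__ == "__main__":
    print(check_redirect(SAMPLE_WEB_CONFIG, "System.Runtime", "4.1.2.0",
                         ["4.0.20.0", "4.1.0.0"]))
```

Point check_redirect at the web.config in your publish output rather than the sample, and feed it the versions that appear in your projects' references; a reference outside the oldVersion range is exactly the case that produces a FileLoadException at runtime rather than at build time.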

IIS Redirect HTTP to HTTPS

Just a quick note: if you want an IIS rule that sends users from HTTP to HTTPS, the following works well. It needs the IIS URL Rewrite module installed and goes under <system.webServer><rewrite><rules> in web.config. Two caveats before copying it. First, {HTTPS} reflects the connection IIS itself terminated; behind a load balancer or CDN that offloads TLS it is always OFF, so this rule loops, and the condition has to look at the forwarded protocol instead (URL Rewrite exposes the X-Forwarded-Proto request header as the server variable {HTTP_X_FORWARDED_PROTO}). Second, SeeOther is a 303, which browsers treat as temporary; for a canonical HTTP to HTTPS redirect use redirectType="Permanent" (301), and send a Strict-Transport-Security header on the HTTPS responses so that returning browsers skip the insecure hop entirely.

<rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>



Lockdown Sitecore Administration

The Sitecore security hardening guide for version 6.0 (there is also a 7.5 edition) says:

You should prevent anonymous users from accessing the following folders:

  • /App_Config
  • /sitecore/admin
  • /sitecore/debug
  • /sitecore/shell/WebService

It then describes removing anonymous access to those folders in IIS, so that only authenticated users can reach them. Whatever the guide's steps, check the result from outside afterwards: request a file under each folder as an anonymous user and confirm you get a 401 or 403, not the content.

Authentication Settings

The version 7.5 document goes on to say… Continue reading “Lockdown Sitecore Administration”


Configuring a Content-Security-Policy

I’ve talked about how to remove HTTP headers that you don’t need from IIS, but there are some that you probably will want. This particular post is about the Content Security Policy (CSP).

I’m not going to describe what one is. @Scott_Helme has already described what a Content Security Policy is far better than I can. Rather, I’m going to describe how to figure out what your policy should be… Continue reading “Configuring a Content-Security-Policy”


Removing Chatty IIS Headers

IIS is, by default, a bit too damn chatty, which isn’t what you want if you’re trying to harden your server: a stock install announces the web server version in the Server header, and ASP.NET adds X-Powered-By, X-AspNet-Version and (on MVC sites) X-AspNetMvc-Version on top.


You can check this with a site like SecurityHeaders.io, which will review all your HTTP Headers for you. It’s very good, I recommend it.

Why would I need to tell the world what ASP.NET version, web server, etc. I’m using? Isn’t this just helping potential attackers? Well, yes: it tells them exactly which product versions to look up known weaknesses for. How do you remove these headers, though? Continue reading “Removing Chatty IIS Headers”


You’re checking your HTTP Headers, right?

In the rush to build a website, it’s pretty easy to overlook something as mundane as HTTP headers – until someone runs an automated pen-test against the site you’ve built and starts asking about why you’re not using them – or why you are. Then you have to run around quickly trying to fix this – and some of these tasks aren’t so easy.

All of this can be fixed with a little testing beforehand, and there is a nifty site for it called SecurityHeaders.io.


This will tell you:

What headers you’re using and probably shouldn’t. IIS seems determined to include lots of HTTP Headers that you don’t need. This just leaks information to someone who is potentially malicious, and wastes a little bandwidth.

What headers you should use. There are a number of slightly obscure security-related headers, and some newer (and good) ones, such as Content-Security-Policy and, at the time of writing, HTTP Public Key Pinning. Note that HPKP has since been dropped by all major browsers and should not be deployed: a bad pin locks your own users out, and HSTS plus Certificate Transparency cover the same ground with far less risk.

Also, for what it’s worth, SecurityHeaders.io is by a chap called Scott Helme – https://scotthelme.co.uk/ (@Scott_Helme). He’s written about a lot of this stuff quite extensively, and also has written report-uri.io, which as we’ll see is fantastically useful.

Other ways of seeing your HTTP Headers…

  • Fiddler (Of course)
  • Browser Developer tools – such as Chrome’s – can show the response headers
  • Chrome’s HTTP Headers plugin – there are other plugins (and plugins for other browsers), but I find it very good for just doing what it says.
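As an added example (not code from the original posts, from SecurityHeaders.io or from the Sitecore hardening guide), here is one Python script that checks from the outside the three things the posts above set up: the HTTP to HTTPS rewrite rule, the anonymous lockdown of the Sitecore admin folders, and the response headers (chatty IIS ones present, security ones missing or weak). The file names under the admin folders, the host cms.example and the canned DEMO_RESPONSES are assumptions for illustration; the check_* functions are pure so they run offline, and fetch() is the live wrapper.

```python
"""Post-hardening smoke test for an IIS/Sitecore site (added example, not
code from the original posts or the Sitecore hardening guide).  Checks that
http:// redirects to the same URL on https://, that the admin folders are
closed to anonymous users, and which response headers leak or are missing.
Admin file names and DEMO_RESPONSES are assumptions for illustration."""
import urllib.error
import urllib.parse
import urllib.request

# Default IIS/ASP.NET headers that only tell an attacker what you run.
CHATTY = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
# Headers an HTTPS response should carry.  HPKP is deliberately absent:
# browsers have dropped it, and a bad pin locks your own users out.
WANTED = ("Strict-Transport-Security", "Content-Security-Policy",
          "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy")
# Folders the hardening guide closes to anonymous users, with an assumed file
# in each (a bare folder URL can 403 merely because directory browsing is off).
ADMIN_PATHS = ("/App_Config/ConnectionStrings.config", "/sitecore/admin/ShowConfig.aspx",
               "/sitecore/debug/", "/sitecore/shell/WebService/Service.asmx")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """Anonymous GET returning (status, headers dict), 3xx/4xx included."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "hardening-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def check_https_redirect(request_url, status, location):
    """The rewrite rule should send http:// to the same host+path on https://."""
    if status not in (301, 302, 303, 307, 308):
        return [f"expected a redirect, got {status}"]
    problems = []
    if status in (302, 303, 307):
        problems.append(f"{status} is temporary; use Permanent (301)")
    if not location:
        return problems + ["redirect without a Location header"]
    want, got = urllib.parse.urlsplit(request_url), urllib.parse.urlsplit(location)
    if got.scheme != "https":
        problems.append(f"Location is not https: {location}")
    if got.netloc != want.netloc:
        problems.append(f"host changed: {want.netloc} -> {got.netloc}")
    if (got.path, got.query) != (want.path, want.query):
        problems.append("path or query string not preserved")
    return problems


def check_anonymous_access(status):
    """2xx means an anonymous caller still gets the content."""
    if 200 <= status < 300:
        return "EXPOSED"
    if status in (301, 302, 303, 307, 308):
        return "REDIRECTED"  # usually a login page; confirm by hand
    return "LOCKED" if status in (401, 403) else "OTHER"


def check_headers(headers):
    """Returns {'leaky': [...], 'missing': [...], 'weak': [...]} for one response."""
    lower = {k.lower(): v for k, v in headers.items()}
    weak = []
    for part in lower.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        value = value.strip()
        if name.lower() == "max-age" and value.isdigit() and int(value) < 15552000:
            weak.append("HSTS max-age below 180 days")
    if lower.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        weak.append("X-Content-Type-Options is not nosniff")
    return {"leaky": [h for h in CHATTY if h.lower() in lower],
            "missing": [h for h in WANTED if h.lower() not in lower],
            "weak": weak}


def run(host, fetch=fetch):
    """Run all three checks; `fetch` is injectable for canned responses."""
    status, headers = fetch(f"http://{host}/")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    report = {"redirect": check_https_redirect(f"http://{host}/", status, location)}
    report["headers"] = check_headers(fetch(f"https://{host}/")[1])
    report["admin"] = {p: check_anonymous_access(fetch(f"https://{host}{p}")[0])
                       for p in ADMIN_PATHS}
    return report


# Constructed responses imitating a default IIS install before hardening.
DEMO_RESPONSES = {
    "http://cms.example/": (303, {"Location": "https://cms.example/"}),
    "https://cms.example/": (200, {"Server": "Microsoft-IIS/8.5", "X-Powered-By": "ASP.NET",
                                   "X-AspNet-Version": "4.0.30319"}),
    "https://cms.example/sitecore/admin/ShowConfig.aspx": (200, {}),
}


def demo():
    """Offline run against DEMO_RESPONSES; unlisted URLs answer 401."""
    return run("cms.example", fetch=lambda url: DEMO_RESPONSES.get(url, (401, {})))
```

Calling run("your.host") does the live version: one plain-HTTP request for the redirect, one HTTPS request for the headers, and one anonymous request per admin path. Run it from outside the network, not from the CM box, so that any reverse proxy or load balancer in front of the site is included in what you measure.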



How to set the Locale of a Network Service (or other System) Account

I had a problem recently with a Sitecore system I was working on. There were four machines involved: a development server, a content management server (CM) and two content delivery (CD) servers. The problem was that the ‘News Search’ page returned a different number of items on the CD servers than on the CM or development systems.

[Screenshots: the search filter, and the search results header]

CM and Dev would return 8 items for a search of news from 1st April to 30th April. The CDs would return 54 items… Continue reading “How to set the Locale of a Network Service (or other System) Account”


Check your app pool recycling before rebuilding indexes

So, I have been working on the upgrade of a very large Sitecore instance. As part of the upgrade, you have to rebuild the search indexes. This is a very time consuming process, so I was starting it at the end of the working day – but it kept failing. Continue reading “Check your app pool recycling before rebuilding indexes”


Creating a Web Application Times Out

I was having a problem creating a new SPWebApplication through Central Admin in SharePoint. It would run for a fair while (longer than I’m used to, as this machine seems quite slow) and then I’d be shown the IE ‘timeout’ page within the ‘Create Web App’ iframe. The web application appeared to have been created, including the IIS app pool and site, but it never worked correctly; for example, on different attempts I couldn’t:

  • See the web application’s settings in central admin
  • Create a Site collection
  • Log in to a site collection that had been created successfully, despite being site collection admin.

Fortunately, I’m not the first person to have seen this. Some folks suggest using PowerShell to provision the web application, which I’m guessing doesn’t suffer from the IIS timeouts, and others suggest increasing the timeouts on the application pool itself. I set:

  • Ping Maximum Response Time
  • Shutdown Time Limit
  • Startup Time Limit

… to 900 seconds (instead of the default 90), and I was able to create and successfully access my new site collection!
