Author Archives: Tobint

Hacking jQuery Slider into WordPress Theme

I have just finished converting most (all?) of my posts from various blogs around the intertubes into WordPress. My previous blog on this domain was running Oxite. I created a theme called ‘Titus’ (yeah, I know) for Oxite that included a little jQuery ‘Slider’ plugin that I wrote. The control shows my last ‘n’ number of Twitter posts, one at a time in a rotating fashion. I named it slider because I originally intended for the content to ‘slide’ up from the bottom continuously. Instead, I decided to fade them in/out. I was too lazy to rename it after I decided on my desired effect. After moving to WordPress, I was slightly upset that I was losing my hard work. However, this was a jQuery plugin, so I didn’t see why it couldn’t just plug into my WordPress theme. I’m NOT a PHP developer, nor do I pretend to know how to do anything in WordPress. That said, I forged forward in my attempt to get this plugin working. You should see this plugin working right now on this site (unless you are reading this through RSS).

First let’s define the content of my plugin. I have a JavaScript file containing my plugin, a CSS file containing the styling I’m using on the site, a little HTML markup to add my ‘placeholder’ for the Twitter feed, and of course the dependency on jQuery.

Installing jQuery into your Theme

First let’s tackle the jQuery item. A current version of the WordPress distribution includes jQuery; the trick is getting it included in your site. After a little investigation I found that jQuery was already ‘registered’ in WordPress code, but is not, by default, rendered to the browser. Somewhere in /wp-includes/script-loader.php you’ll find:

$scripts->add( 'jquery', '/wp-includes/js/jquery/jquery.js', false, '1.3.2');

This line registers the script we want in a dictionary with the key ‘jquery’. After digging further, I found a function called ‘wp_enqueue_script’ in /wp-includes/functions.wp-scripts.php.

/**
 * Enqueues script.
 *
 * Registers the script if src provided (does NOT overwrite) and enqueues.
 *
 * @since r16
 * @see WP_Script::add(), WP_Script::enqueue()
 */
function wp_enqueue_script( $handle, $src = false,
                            $deps = array(),
                            $ver = false,
                            $in_footer = false ) {
   global $wp_scripts;
   if ( !is_a($wp_scripts, 'WP_Scripts') )
      $wp_scripts = new WP_Scripts();
   if ( $src ) {
      $_handle = explode('?', $handle);
      $wp_scripts->add( $_handle[0], $src, $deps, $ver );
      if ( $in_footer )
         $wp_scripts->add_data( $_handle[0], 'group', 1 );
   }
   $wp_scripts->enqueue( $handle );
}

I put two-and-two together and with a little trial and error, I added the following line to /wp-content/themes/inove/header.php right before the call to wp_head():

<?php wp_enqueue_script('jquery'); ?>

This call looks up the script location in the dictionary and queues the script; when wp_head() runs, it renders a script tag with the location details.

Installing the slider jQuery Plugin

If the core did not register our script in the dictionary, we can provide the location details ourselves with a second parameter. That is precisely what I needed to do to get the slider.js file added to the template. I added the following line just after the previous line I added in header.php.

<?php wp_enqueue_script('slider',
                      (get_bloginfo('template_url') . '/js/slider.js') ); ?>

The contents of this file are:

(function($) {
   // jQuery plugin: shows the last n tweets of a user inside the matched
   // element, fading from one tweet to the next every delaySeconds.
   $.fn.twitterClient = function(params) {
      var t = $.extend({}, $.fn.twitterClient.defaults, params);
      var startTick, stopTick, tickFunction;   // declared here so they are not implicit globals
      $(this).append('<ul id="twitter_update_list"><li></li></ul>');
      // Both calls fetch and execute script served by twitter.com: blogger.js
      // defines twitterCallback2, and the JSONP timeline request invokes it to
      // fill ul#twitter_update_list with one <li> per tweet.
      $.getScript("http://twitter.com/javascripts/blogger.js");
      $.getScript("http://twitter.com/statuses/user_timeline/"
                   + t.userName
                   + ".json?callback=twitterCallback2&count="
                   + t.tweetCount,
                   function() {
                      var list = $("ul#twitter_update_list");
                      stopTick(list);
                      list.items = $("li", list);
                      list.items.not(":eq(0)").hide();   // only the first tweet is visible at first
                      list.currentitem = 0;
                      startTick(list);
                   }
      );
      startTick = function(list) {
         list.tick = setInterval(
            function() { tickFunction(list); },
            (t.delaySeconds * 1000)
         );
      };
      stopTick = function(list) {
         clearInterval(list.tick);
      };
      tickFunction = function(list) {
         if (list.pause) return;   // a fade is still in progress
         list.pause = true;
         $(list.items[list.currentitem]).fadeOut("slow",
            function() {
               $(this).hide();
               list.currentitem = (list.currentitem + 1) % list.items.size();
               $(list.items[list.currentitem]).fadeIn("slow",
                  function() {
                     list.pause = false;
                  });
            });
      };
      this.each(function() {
         if (this.nodeName.toLowerCase() != "ul") return;
      }).addClass(t.cssClass);
      return $("ul#twitter_update_list");
   };
   $.fn.twitterClient.defaults = {
      userName: null,
      tweetCount: 10,
      delaySeconds: 5,
      cssClass: "twitterClient"
   };
})(jQuery);

Next, I needed to add my styles for the Twitter stream into my template. I found a function, ‘wp_enqueue_style’, whose interface is intuitively similar to the one for scripts and which allowed me to register my CSS for rendering:

<?php wp_enqueue_style('slider',
                     (get_bloginfo('template_url') . '/js/slider.css') ); ?>

The contents of this file were:

/* ID: slider   Elements: slider UL, slider LI, slider LI A */
#slider {
   position: relative;
   top: 5px;
   width: 470px;
   color: #bbbbbb;
}
#slider ul, #slider li {
   margin: 0;
   padding: 0;
   list-style: none;
}
#slider li {
   width: 470px;
   height: 70px;
   overflow: hidden;
}
#slider li a {
   text-decoration: none;
}

I saved the header file and closed it.

Add the jQuery plug-in Placeholder

All of our infrastructure is in place. Now I need to add a placeholder, and tell jQuery to call my plugin against the placeholder. Luckily, this theme already has the ability to add content to the header region of the template. I simply went into the WordPress admin, went to “Current Theme Options” under ‘Appearance’ and added the following to the “Banner” section:

<!-- Slider -->
<div id="slider"><div id="twitterClient"></div></div>
<script type="text/javascript">
  jQuery(document).ready(function($) {
    $("#twitterClient").twitterClient({
      userName: "tobint",
      tweetCount: 10,
      delaySeconds: 5
    });
  });
</script>
<!-- /Slider -->

I also checked the boxes above to display this content for registered users, commenters, and visitors. I saved the header options and viewed my site. Much to my glee, everything worked just great. My next steps are to turn this into a widget so others can just add it to any registered sidebar for a given theme.
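The three enqueue calls above can also be made from the theme’s functions.php on the wp_enqueue_scripts action instead of being pasted into header.php, which lets you declare jQuery as a dependency and hand the plugin its settings without an inline script in the theme options. This is an added example, not code from the post; it assumes a WordPress release that provides the wp_enqueue_scripts action and that slider.js and slider.css live under the theme’s js/ folder as in the post.

```php
<?php
// Added example (not the post's own code): enqueue jQuery, the slider plugin
// and its stylesheet from functions.php. Assumes the wp_enqueue_scripts action
// exists in this WordPress release and the theme ships js/slider.js and js/slider.css.
function titus_slider_assets() {
    $theme_url = get_template_directory_uri();

    // 'jquery' is already registered by core, so the handle alone is enough;
    // its src is looked up from the script dictionary in script-loader.php.
    wp_enqueue_script( 'jquery' );

    // Naming jQuery as a dependency makes WordPress emit jquery.js before
    // slider.js no matter in which order the handles were enqueued.
    wp_enqueue_script(
        'slider',
        $theme_url . '/js/slider.js',
        array( 'jquery' ),
        '1.0'   // version string, appended as ?ver= so browsers pick up changes
    );

    wp_enqueue_style( 'slider', $theme_url . '/js/slider.css', array(), '1.0' );

    // Expose the plugin settings as a global JS object named sliderConfig.
    // WordPress escapes the values for output; note that scalar values arrive
    // in JavaScript as strings, so delaySeconds * 1000 still works by coercion.
    wp_localize_script( 'slider', 'sliderConfig', array(
        'userName'     => 'tobint',
        'tweetCount'   => 10,
        'delaySeconds' => 5,
    ) );
}
add_action( 'wp_enqueue_scripts', 'titus_slider_assets' );
```

With this in place the banner markup only needs the placeholder and a one-liner such as `jQuery(function($) { $("#twitterClient").twitterClient(sliderConfig); });`.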

Let me know if you have any questions.

Review: Bose Wave music system with SoundLink

My parents sent me a Bose® Wave® music system with SoundLink for Christmas. It arrived a bit early so I took it into my office and set it up. I listen to music while writing software into the early hours of the morning. This isn’t something I would have bought for myself, but it was a well-appreciated gift as I’m listening through some small Altec Lansing speakers currently.

I took a couple of notes about the product below:

  • Aesthetics – The system looks like an oversized alarm clock. If I were frozen in the 80’s to be thawed out today, I would have reason to believe that nothing had changed as far as alarm clocks go. That said, this is more than just an alarm clock so this is slightly forgiven. I was surprised to see that the SoundLink device was an external device. It seems to me that a SoundLink receiver could easily be internalized into the main radio appliance. While the Wave music system is more than an alarm clock, you wouldn’t know that much by the clock interface on the front. The big LED numbers with an AM/PM indicator and accompanying LED indicator of the source seem out of touch with the reality of a device this costly in this modern era. Compare the aesthetics of this device vs. the elegance of other devices costing the same. I think you’ll agree that ‘looks’ were likely the last thing on the Bose technicians’ minds.
  • Setup – This was likely one of the easiest devices I’ve set up in ages. I expected there to be, at the minimum, some software to install and some cumbersome UI to work through to get sound pumping from my computer to the appliance. This wasn’t the case. I literally plugged the power and the SoundLink device into the appliance, plugged the USB transmitter into my computer and I was off to the races! That said, I was confused why the SoundLink device had a DC power input, but no DC power cord. Perhaps there is something I’m missing in why the input is needed but it wasn’t a big deal since the system works without one.
  • Use – The appliance itself has no buttons on it which bothers me a bit. Perhaps Bose was trying to avoid the complete appearance that this was just an alarm-clock radio. That said, the concern is that if I lose my remote control, I’m screwed till I find a replacement. Since this device is sitting on my side desk (literally right beside me) the effect of using my remote control to use the device seems absurd. This wouldn’t be so bad if Bose had thought to make the remote control dockable to the system and allow you to use the remote as a front or top panel control when docked as such. Setting the time and alarms on the system is also very archaic. This uses that same tired ‘rewind/fast forward’ type alarm setting that your clock radio does — again reinforcing that this is just an expensive version of the same. Apart from that, I was happy with how easily my music just seamlessly streams from my computer to the appliance. I don’t need to configure my software. I just run my normal apps (Zune Software, iTunes, etc) and it just works!
  • Sound Quality – When I first plugged this in, I was quite happy with the sound. However, shortly into my first song, I started hearing frequent cracking and popping. I didn’t have the device cranked. I’m at work so I couldn’t possibly put it above 50% output on my computer with 30-50 on the device itself without the music starting to waft out of my office and into the hallways. That said, the cracking and popping was actually louder than the music which makes the device output more annoying than soothing. I tried listening to a variety of music from classical to heavy metal. I tried adjusting the volume. I even tried cranking it a bit higher at other times of the night when no one else is here. No matter the volume levels on the computer or the radio, the crackling and popping persists making this device practically useless for my purposes. Looking at the website, this appears to be a regularly enough occurring event that they included it in the FAQ. Their solution was to ‘reset’ the device by recycling the power. I tried this and the popping persisted. Lest you think this was just a bad unit, start searching the internet for other unhappy users and you won’t have to look far. On top of the cracking and popping there appears to be an occasional ‘skip’ in sound. I haven’t yet determined if this is caused by the SoundLink transmission or the radio itself.
  • Summary – The Bose Wave radio is, in my opinion, overpriced for what it provides. The aesthetics are behind the times. There is no ‘wow’ feature to the device and that unfortunately includes the sound which is the primary purpose of the system. The remote-only control of the device is scary. There is a lot of wasted potential here.

My recommendation to you:

Buy a regular clock radio. At least if it crackles and pops, you won’t be out so much money.

My recommendations for Bose: 

  1. Integrate the SoundLink receiver into the main appliance or make it work over Bluetooth or WiFi. No reason to have a proprietary extra device just for transmission — particularly since it doesn’t appear to be doing your sound quality any good.
  2. Make the remote control dockable/lockable into the top of the system so it can be used as a front/top panel input on the device itself.
  3. Bring the front-instrumentation of the device into the modern era with some music visualization options and a less static LCD-centric display.
  4. Fix the primary purpose of the system. There is absolutely no reason why I should spend several hundred dollars to hear this when there are many other lower-cost music-listening options at my disposal.
  5. Allow me to set alarms a bit more reasonably than scrolling through a 60-minute-times-24-hour-rolling interface. Perhaps put Bluetooth (again) in the device and let me set it through my phone or computer. Or just give me an easy hour-then-minute-then-am/pm interface.

Experiencing Orchard

A new post has been added to Learning in Public:

Off-topic: Experiencing Orchard

Introduction to Learning in Public

A new post has been added to Learning in Public:

Introduction to Learning in Public

Run-in with Beaver, PA Police Department

I’m writing after a very long and scary night in an encounter with the Beaver police department in Pennsylvania.

My dad and I attended the 10pm showing of Star Trek at the Cinemark Center Township Theater near Beaver Valley Mall. All went well until our trip home. On the way home, I took my normal exit to cut through Vanport and Midland to take my dad home in Ohio.

Directly off of the exit, I encountered something I have never seen before. Having lived in Ohio, North Carolina, South Carolina, and Washington State, I have never encountered a “sobriety check point“. Am I the only one who has reached the age of 33 without this “pleasure”? It was a foreign concept to me so when I approached the officer and he asked me for my license, I was taken aback. I hadn’t done anything wrong, and my “sobriety” can be ascertained without my license. I looked at the officer for a moment strangely and before I could react he immediately barked, “give me your license or I’ll arrest you”. I pulled my license out and handed it to the officer reluctantly. He then asked me something, which I cannot remember exactly. The question was effectively asking why I hesitated to give him my license. The question seemed strange and obvious to me. I answered, “Have you not heard of the fourth amendment?” Obviously the officer was not happy with the answer because he put his hand on his gun, leaned in toward me and started barking at me “Your F*$%ing 4th amendment rights?! Say something again and I’ll arrest you!” The police officer went on and on for what seemed like an eternity but was likely shorter than I remember. I literally feared for my life. I was among a dozen or so “peace officers” and I feared for my life as a law-abiding citizen. For what? For answering the question that he asked. Granted, my response was in a tone that was not respectful, but it was not taunting or belligerent either. The situation was so bizarre to me that the question just seemed absurd. It would be like an officer pulling you over to ask you if you know how to drive. The obvious fact that he pulled you over would indicate your ability to drive. Therefore, you might likely respond, “Umm. Seriously?” That’s how I felt.

My dad at this point looked shocked too and we were both scared. The man was clearly out of control. I gazed at the other officers at the checkpoint. They all had a very confused look on their faces too. At this point, I was scared – not so much for me but for my dad. He has two bad knees and all I could imagine was the police pulling him from the car and slamming him to the ground – all because I answered his seemingly silly question.

I picked up my ‘mini computer’. I didn’t even care that it wasn’t recording. I just wanted to get the device out and visible. I figured the police, thinking they were possibly recorded might be enough to deter him from making an unwise decision. Worst case scenario – if I did manage to record anything that the recording might serve as evidence if anything “happened” to my dad and I. Apparently, this decision worked in my advantage. I didn’t even have to tell him the device was on or that I was recording. His actions ever so slightly changed from “Who’s your daddy now” to “just get the hell out of here.” He just handed my license back and started yelling, saying “Go ahead and say something again.” I kept my mouth shut and he said, “Just go”. So as I turned my gaze back toward the road ahead of me, I didn’t even inch forward a foot from the checkpoint before he started cussing at me and yelling. It was disturbing. This man has a gun — and is sanctioned to carry AND use one by the city. He was dangerous and frightening. This was only the beginning of a long night.

After making it through the stop, I pulled over and called 911. I told them what happened and they directed me to go to the police department in Beaver to file a report. My dad, knowing the area better than I do, advised that I go around the checkpoint a different way so I didn’t instigate that officer further. The 911 officer, still on the phone at this point, seemed to indicate that going the alternate route wasn’t a bad idea.

My dad and I drove to the Beaver police department the back way and got into town where I was greeted with a darkened police station. (see Google street view below)

I used the telephone outside the station to contact the police. The individual on the phone asked for my name, and said someone would be there shortly to take my report. My dad then said, “They aren’t going to be happy about you reporting one of their own.” I felt this was a slight risk, but was unlikely – something that only happens in movies. Boy was I wrong.

I went back to my truck for a minute and my dad stayed on the stoop of the police station. Just as I got into my truck, an officer pulled up. I got out of the vehicle and so did the officer. We met together and I began telling him what happened, my dad chiming in occasionally with his perspective and agreement that the officer was acting recklessly. The officer was very courteous and listened intently and seemingly concerned. He was a fairly young looking guy so I wondered if he was able to take the report or had to report to someone else first. The officer started to give me his perspective on the legality of sobriety checks and the reason for being able to side-step the 4th amendment (see the previously linked Wikipedia article for more information – essentially, it was decided that violation of constitutional rights is OK because it’s effective… hmm). I told him that at this point I wasn’t as concerned about that as I was with the officer’s very inappropriate actions and temper at the checkpoint. The officer may normally be OK. Maybe he had a bad day. Whatever the case, I didn’t think he needed to be at that station tonight. That said, I expressed my concern that all I wanted was to file the report and go home. Just as I did, another officer pulled up and started listening from his car. The second officer, also a young guy with a shaved head, stayed in his car for some time. After a while further into my story, the officer in the car told me “You know what, if I go and get that officer and he tells me it didn’t happen, I’m going to arrest you!” At that point, I told both officers that I was fine with that and I would prefer they got the officer so he could be present while I gave the report. I also told them that I might have been able to record the incident in question and really wanted to file my report. I could suddenly sense the mood change and the officer in the car looked visibly upset. Scared of what might happen, I told the officer that I may have uploaded the recording already. I didn’t want them thinking that if they took the device, they could make it go away – and therefore the problem too.

The officer in the car said, “Go ahead and record me and put it on YouTube!” Based on his facial expression and the tone with which he said it, I thought he was being serious. I said “really?” “Yeah,” he said, “Put it up on YouTube. You’ll be arrested for wire fraud.” I then realized he was not serious at all. He was trying to threaten me. He got out of the car and kept saying, “go ahead and record me. But you can’t record anyone without their consent.” I said, “As far as I understand, you can record anything that is out in the public without consent. Reporters do it all the time.” He said, “How much do you want to bet?” I said, “Well, nothing because unsanctioned gambling IS illegal, but I still contend recording in public is not.” At this point, I hadn’t even acknowledged that I HAD ACTUALLY recorded anything. I simply indicated that I might have been able to – but was uncertain yet. So I pulled the device out again and asked, “You did say I can record you then?” He said “No. I didn’t say that.” He changed his story — a flat-out lie. I asked him, “How can I even trust you to give you a report if you are already lying to me?”

At this point, another car pulled up and the bald-headed officer said, “There’s the chief of police right there! We can ask him!” I said, “Great, let’s go talk to him.” So I started walking toward the chief and the bald-headed officer started shouting, “Don’t say anything, he’s recording this whole thing!” I never affirmed or denied it to the captain or anyone. The captain then started concentrating on my device despite my request to file a report. He didn’t care about the report. He wanted that device away from me. He kept demanding it from me. “Give me that phone. I want to see if it’s recording.” “No!” I exclaimed. “I never said it was recording, HE did,” as I pointed at the bald officer. The captain said, “Well, give me the device, I want to see. You have turned something very simple into something very difficult.” I thought, why was it *me* making this difficult? I just wanted to file a report. They were the ones getting very interested in what devices I had and making the issue about me, rather than simply taking a report. Are citizens that used to rolling over and giving up their rights? Am I really the only person they’ve ever seen who has indicated they had rights? Do they really not care?

I simply held my device and occasionally looked at it. I was afraid at this point. I realized it was the Sheriff’s office against my dad and me. The only defense I had was that the police had no idea what technological capability my device had. They also weren’t certain if I had uploaded a recording or streamed it somewhere that others could see. They weren’t certain if my device was a phone and I had someone listening/watching/reading to an open call/video feed/text-to-speech for a witness. That device felt like my only defense against what was increasingly looking like a completely corrupt police department. “Give me the phone,” the captain said assumingly. “No. See, if I WERE actually recording you, and it is actually against the law, I have a right to not turn that over to you and incriminate myself. That is the 5th amendment.” At this point, another few officers had shown up and had circled. There were 6 surrounding me. Other officers were now looking in the windows of my truck and running my license plates. They were just looking for a reason to arrest me. One of the additional officers on duty said, “You think because you read a few law books you know what’s going on? It’s called wire fraud in PA. You can record video, but you can’t record audio.” “I need to see what you are recording,” insisted the captain. The officers were drawing increasingly close, and had surrounded my dad and me. Some had their hands on their guns. Others were standing very threateningly – like a cobra ready to strike. OK, I’ve seen “Cops” and other shows. I see how these things go down. I was ready for someone to tackle me to the ground at any moment and arrest me. They would then “lose” my device to make sure there was no proof and then I’d be stuck on defense rather than offense. I was playing out every scenario in my head and I kept thinking my poor father was standing in harm’s way. I was still scared they would take him down hard and he just couldn’t handle that right now.

So after repeated attempts to take my device, the captain said, “OK, let’s go! We are done here.” I asked “What about my report?” And they just ignored me and got in their cars. They weren’t even going to take my report. My dad and I went back to our truck. The police stuck around for a minute until they realized I wasn’t going anywhere just yet. I made a phone call to 911 again and expressed my concern that we were going to be harassed or worse on our way out of town. This was a rather valid concern at this point because the police had ‘driven off’ but had circled back around. Despite their obvious attempts to hide – turning off their lights and creeping into position so I wouldn’t see them, I could see them placing themselves in strategic positions. The 911 dispatcher gave me the number for the state highway patrol. I called that number and was told that the officer would call me back. As I waited for a return call, the police officers repositioned themselves. One even threateningly put himself directly in the alley in front of me as if to say, “go ahead and pull out, I dare you.”

The state trooper on the line was very helpful by providing me with some information, but he was unable to come help me in what I perceived to be a dangerous situation. So, I hung up and put my phone down in the console. I knew there were anti-cellphone laws in the area, so I didn’t even want it in my hand where they could say I was on it. I pulled out and drove down toward Bridgewater. It was just a mile or so away to get out of Beaver’s jurisdiction in that direction. My dad and I ended up driving completely around the jurisdiction of the Beaver police department out of fear.

I have never been afraid of anything like this in my life. I stand up when I feel it is necessary. When I was a child in school, Edmund Burke’s quote had a profound impact on my life: “all that is necessary for evil to triumph is for good men to do nothing.” I wasn’t grandstanding for my own amusement. I wasn’t trying to cause problems. I really just wanted to go home after watching a movie. However, this situation just got increasingly worse as more and more testosterone and abused power was added to the group. There was strength in numbers, but fortunately for me, there was also strength in using fear of the unknown and media scrutiny to keep me busy. I fully believe that if I had not had my device, or had the police had any certainty that I wasn’t recording them, I would have been in jail or dead — perhaps my dad too.

From our childhoods, we are told to cooperate with the police. However, I have always had distrust for law enforcement officers. Growing up, I was told about the police scandals in my little home town and knew that a badge isn’t necessarily a reason to trust someone. This certainly hasn’t helped the cause. Tonight I was threatened by an officer at a sobriety check point because I wasn’t familiar with them. I was directed into a bad situation by a 911 operator. I was threatened again by a gang from the police department – including the chief himself. I was told to give up my rights, that I had none. Even if I wanted to record the police officers, apparently it IS illegal to do so in PA (seriously, they can record you, but you can’t record them). I witnessed a police officer change his story to protect himself and others around him when he thought he was being recorded. The chief of police wouldn’t even take my report and in fact, threatened me instead of helping me. So the police are out to stop drunken driving (an admirable act), but were more than willing to break laws, abuse their power, and make threats to protect a man who was just as dangerous as a drunk driver – if not more so.

The police cry foul when citizens don’t help them out. Perhaps this is why. It has taken me three hours to write this up as my hands are still shaking and my heart is still literally racing from the experience. I still fear retaliation or reaction from them in some way. How are my dad and I to react?

Is Pennsylvania so corrupt that it gives the average citizen no means to defend themselves? What is a person to do if they feel their life is threatened and there is no other way to prevent harm other than to record the officer? What is a person to do when the police department is so corrupt that they won’t even take a report against one of their officers? I’m afraid to even go in to file the report now. I’m actually securing an attorney to handle the matter because I feel I have no choice. Had the police just taken my report, I would have been happier and there would have been no need for me to protect myself. Hell, they could have thrown the report away afterward. I wouldn’t have known any better. The point is, I didn’t make this a big deal. The police just gave me no choice but to make it one because they wanted to swing their authority around for absolutely no reason at all.

Please tell me what you think.

Update (May 9, 2009 – 9:34PM EST):

I’ve been doing some more reading and have found some more resources. First, I found the location to contact for public records. I will be requesting transcripts of the 911 calls, videos from the police vehicles, correspondence and public records about the officers involved last night. I also found that the Pennsylvania State Attorney General has a Public Corruption Unit. I will be contacting them on Monday to file a formal complaint and ask for an investigation.

Update (May 10, 2009 – 12:03AM EST):

In my previous version of this post, I posted that this was the Sheriff’s department. After doing some investigation and talking with my dad to confirm, it was the local Beaver, PA police, and not Beaver County police. Beaver is the county seat so the local police and Sheriff’s office are on the same street within blocks of each other. My sincerest apologies for the misunderstanding.

Update (May 10, 2009 – 1:00AM EST):

I was checking out Google Street view and found this ‘grab’ to be a bit humorous. That’s right, Google street view cams drove right by a speed trap on their way into Beaver from Bridgewater.


IIS Security – Past and Present

This topic has been covered many times both by Microsoft and non-Microsoft employees. However, I’ve recently been asked what the main features of IIS 7 are and have seen a great deal of misinformation about IIS security on twitter, blog posts and forums.

I think, therefore, the issue deserves yet another look. In this post, I’m going to go over security in the past for IIS and then move on to talk about security features in IIS 7. These are not in any particular order. This post is not meant to diminish the many thoughtful works already created by others – both complimentary and critical. This is just meant to bring the subject back up for discussion again in hopes that you can be properly equipped with the decision making information you may need.

Ghosts of IIS Security Past

The reason for so much misinformation about the current state of security in IIS is likely due to the earned reputation the product had in versions previous to IIS 6.0. A quick search on the web for IIS 5 security vulnerabilities may be like a walk down memory lane for some of the more veteran administrators and IT staff across the globe. The search results are littered with critical vulnerabilities related to buffer overflows, ISAPI extensions, exploits on rarely-used features, or features that were available by a default installation. We are haunted by names like “Code Red” and “Nimda”. I don’t know about you, but those very names send shivers down my spine. I was consulting as a developer and web administrator for a very large property management company when these hit. We were lucky enough to avoid these as we had patched our services. That said, many whom I did business with on a regular basis were not very happy. So, to be clear, I feel the misinformation that is spread today is built on an element of experience with previous versions. Secunia reports 16 advisories and 6 vulnerabilities with IIS 5. And so started the reputation, perhaps deservedly so, that IIS was not secure unless you really knew what you were doing with security.

Bill Gates was apparently visited by the ghosts of security past, present and future when he laid his head on his pillow on January 14th, 2002. I say that because on January 15th, 2002 Mr. Gates sent out the now-famous Trustworthy Computing memo to every employee at Microsoft. This set off a major revamp of products from the ground up. Standards were set for test planning and testing. Writing Secure Code became mandatory reading for every Microsoft developer and tester. The results have been staggering.

Security drastically improved in Microsoft products over the years, and IIS was definitely no exception. IIS 6 saw 5 security advisories and 4 vulnerabilities reported since 2003. Not to get ahead of myself, but IIS 7 has exactly 1 advisory and 1 vulnerability from Secunia. Compare this against Apache 2.0.x, which has had 39 advisories and 23 vulnerabilities (4 of which are still unpatched as of this writing), and Apache 2.2.x, which has had 10 advisories and 16 vulnerabilities (2 of which are still unpatched as of this writing) in the same period. Now, I have seen attempts ([1], [2]) to quantify or otherwise explain these numbers further. You can read those articles for yourself and determine how much weight you want to give them. However you skew it, the facts should speak for themselves – IIS has dramatically improved and taken a leadership role in security with IIS 6 and 7. Our ghost of IIS past still haunts the product’s reputation today, despite the obvious strides taken. Even if you like Apache better, I think it is only fair to give credit where it is due.

Improvements in IIS 6

The IIS team took the four tenets of Microsoft’s Trustworthy Computing initiative to heart: Secure by Design, Secure by Default, Secure in Deployment and Secure Communication. Since we are already on the next version, I won’t spend a great deal of time talking about the security improvements in the last version, other than a brief overview so you know how they relate to changes in our current version, IIS 7.

IIS 6 took vast strides to improve security. During upgrade installations, IIS 6 was disabled by default if the previous server had not been secured with the IIS Lockdown tool. The architecture was completely revamped to separate kernel-mode HTTP listening (HTTP.sys) from user-mode application execution. Changes were made to application pools, authentication, access control, encryption and certificate handling, auditing, logging and patch management that made the product far superior to its predecessors. You can find a detailed list of these features on TechNet. SecurityFocus did a comparison of these features in March of 2004. Server Watch wrote an article in December of 2003. By most accounts, everything accomplished in IIS 6 was a huge step in the right direction.

Despite the massive steps already taken in IIS 6, IIS 7 takes all of these a bit further. Let’s go ahead and investigate these now.

Improvements in IIS 7.x

Customizable Installation

Continuing with the tenet of being secure in deployment, IIS 7 has made installation a wonder to behold. In IIS 6, you could reduce your attack surface by disabling features native to the web server. However, these features were still loaded into the process. This carried not only a security cost, but also a performance and memory footprint cost. IIS 7 has a completely modular architecture. That means that features which you do not want are not only NOT loaded into the process; you can leave the bits for those features off of your disk completely.

Limitable Attack Surface

This is a bit of a dubious distinction, as it is essentially part of the customizable installation. By reducing the modules that are available on disk or loaded into a process, you significantly reduce the attack surface of your specialized web servers. If all you intend to do is serve static content with caching and no default documents, you can simply install the static file handler and caching module and leave the rest of the IIS modules off of your server. Additional controls and limitations will also reduce your attack surface, and I’ll cover those below.
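To make the modular point concrete, here is an added example (not from the original post) of what the server-level applicationHost.config looks like for the static-only server described above. Only the modules needed for static files, caching, anonymous access, request filtering and logging are loaded; default documents, directory listing, ISAPI and CGI are simply absent, so their code never enters w3wp.exe. The module names are the standard IIS 7 ones; the DLL paths under `%windir%\System32\inetsrv` are given as I recall them and should be checked against your own install before use.

```xml
<!-- Added example: minimal applicationHost.config fragment for a static-only IIS 7 server.
     Modules not listed here are neither loaded into the worker process nor, if the
     matching role service was never installed, present on disk at all. -->
<configuration>
  <system.webServer>
    <globalModules>
      <!-- core request pipeline pieces for static content -->
      <add name="ProtocolSupportModule" image="%windir%\System32\inetsrv\protsup.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <!-- output/URI/file/token caches (the "caching module" the post mentions) -->
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="FileCacheModule" image="%windir%\System32\inetsrv\cachfile.dll" />
      <add name="TokenCacheModule" image="%windir%\System32\inetsrv\cachtokn.dll" />
      <!-- defensive and operational modules you still want on a hardened box -->
      <add name="AnonymousAuthenticationModule" image="%windir%\System32\inetsrv\authanon.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="CustomErrorModule" image="%windir%\System32\inetsrv\custerr.dll" />
      <!-- deliberately absent: DefaultDocumentModule, DirectoryListingModule,
           IsapiModule, IsapiFilterModule, CgiModule, ManagedEngine -->
    </globalModules>

    <modules>
      <!-- same set enabled in the pipeline; nothing else can run per request -->
      <add name="ProtocolSupportModule" />
      <add name="StaticFileModule" />
      <add name="HttpCacheModule" />
      <add name="UriCacheModule" />
      <add name="FileCacheModule" />
      <add name="TokenCacheModule" />
      <add name="AnonymousAuthenticationModule" />
      <add name="RequestFilteringModule" />
      <add name="HttpLoggingModule" />
      <add name="CustomErrorModule" />
    </modules>

    <handlers accessPolicy="Read">
      <!-- the stock StaticFile handler normally also names DefaultDocumentModule and
           DirectoryListingModule; they are dropped here because we serve no default
           documents and never list directories -->
      <add name="StaticFile" path="*" verb="GET,HEAD" modules="StaticFileModule"
           resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
```

The `accessPolicy="Read"` on the handler collection means no handler on this server may be granted Script or Execute access even if a site-level web.config tries to add one, which is the kind of attack-surface limit the next sections build on.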

IUSR account

Anyone who has tried to migrate an IIS installation from one machine to another, or attempted to recover their installation on a new machine, prior to IIS 7 has likely run into an issue with the local “IUSR_” account. IIS 7 now uses a built-in IUSR account that allows you to easily copy your security settings from one machine to the next. This is great news for those using distributed configuration in web farms, recovery, restoration, or replication.

IIS_IUSRS group

IIS 6 introduced the IIS_WPG group. Application pool security identities had to be assigned to this group in order to host the w3wp.exe process. Like the IUSR account, IIS 7 now creates a built-in security group (IIS_IUSRS) and assigns application pool identities to the group automatically. You can find more information about the built-in user and built-in group for IIS 7 on IIS.NET (Understanding the Built-In User and Group Accounts in IIS 7.0).

ASP.NET / IIS Unified Security Architecture

Previous versions of IIS did not provide a unified approach to security with ASP.NET. IIS 7 has a unified request pipeline that supports both Windows and non-Windows principals and provides one place to do all authentication and authorization. Apart from simplification and performance improvements, this also reduces the attack surface and allows for greater flexibility in authentication / authorization scenarios with custom modules.

Request Filtering / URL Rewriting

IIS 7.0 includes a request filtering module that is based on the URLScan ISAPI filter for IIS 6.0. The module helps you tighten the security of your Web servers by rejecting requests that match configured criteria (verbs, file extensions, URL sequences, hidden segments and size limits) before they reach a handler.

The IIS team has also released an add-on URL rewrite module for IIS 7.0, which provides functionality for rule-based URL manipulation. Even though the primary purpose of the URL rewrite module is to rewrite URL paths for requests, the rewrite module can also be used as a security enforcement tool that helps prevent access to Web site content.
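Here is an added example (mine, not the post’s) of a site-level web.config that uses both modules as described above: request filtering to reject unwanted verbs, extensions, traversal sequences and oversized requests, and a URL rewrite rule that denies direct access to a content folder and another that forces HTTPS. The site name, the `private/` folder and the size limits are made-up values for illustration; the element and attribute names are the shipped schema for request filtering and the URL Rewrite module.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config for one site using request filtering and URL Rewrite. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowDoubleEscaping="false" rejects URLs such as %252e%252e that decode twice;
           allowHighBitCharacters="false" rejects non-ASCII bytes in the URL -->
      <requestFiltering allowDoubleEscaping="false" allowHighBitCharacters="false">
        <!-- constructed limits: 10 MB body, 4 KB URL, 2 KB query string -->
        <requestLimits maxAllowedContentLength="10485760" maxUrl="4096" maxQueryString="2048" />

        <!-- allowUnlisted="false" turns the verb list into an allow-list -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>

        <!-- extensions remain allow-by-default, but these are explicitly refused -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".config" allowed="false" />
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".log" allowed="false" />
        </fileExtensions>

        <!-- URL segments that must never be served, wherever they appear in the path -->
        <hiddenSegments>
          <add segment="bin" />
          <add segment="App_Data" />
          <add segment="App_Code" />
        </hiddenSegments>

        <!-- substrings that cause an immediate 404 (traversal and alternate data streams) -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence=":" />
        </denyUrlSequences>
      </requestFiltering>
    </security>

    <!-- URL Rewrite add-on module; rules run top to bottom per request -->
    <rewrite>
      <rules>
        <!-- 1) deny any request whose path starts with the constructed "private/" folder -->
        <rule name="Block private folder" stopProcessing="true">
          <match url="^private/" ignoreCase="true" />
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Access to this folder is not permitted." />
        </rule>

        <!-- 2) redirect every plain-HTTP request to its HTTPS equivalent -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Request filtering denials are logged with sub-status codes (for example 404.7 for a denied extension and 404.5 for a denied URL sequence), so the W3C log is the first place to look when a legitimate request is unexpectedly rejected after tightening these lists.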

Application Pool Identities

On top of Application Pool Isolation, IIS introduces a new security feature in Service Pack 2 of Windows Server 2008 and Windows Vista. It’s called Application Pool Identities. Application Pool Identities allow you to run Application Pools under a unique account without having to create and manage domain or local accounts. The name of the Application Pool account corresponds to the name of the Application Pool.

Kernel mode SSL

The implementation of SSL has changed from IIS 6.0 to IIS 7.0. On Windows Server 2003, all SSL configuration was stored in the IIS metabase and encryption/decryption happened in user mode (which required a lot of kernel/user-mode transitions). On Windows Vista and Windows Server 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections.

Configuration Improvements

IIS 7.0 allows locking and unlocking configuration settings at various levels and scopes. Locking down configuration means that it cannot be overridden (or set at all) at lower levels in the hierarchy. Unlocking configuration can only be done at the level where it was locked. This is useful, for example, when creating different configuration for different sites or paths, where only some of the sites and paths are allowed to override it. Locking can be done at the section level or for specific elements, attributes, collection elements and collection directives within sections.
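The following added example (not the post’s own material) shows, in one applicationHost.config fragment, both the Application Pool Identities setting from the previous section and each of the locking forms just listed: a section-level lock (`overrideModeDefault`), a collection-item lock (`lockItem`), an attribute lock (`lockAttributes`), a collection-directive lock (`lockElements`), and a per-path unlock via `<location overrideMode="Allow">`. The pool name `OrdersAppPool` and the path `Default Web Site/api` are made up for the example; the attribute names are IIS’s own.

```xml
<!-- Added example: server-level applicationHost.config fragment (IIS 7.x). -->
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <sectionGroup name="security">
        <!-- SECTION-LEVEL LOCK: no web.config may set requestFiltering at all -->
        <section name="requestFiltering" overrideModeDefault="Deny" />
        <sectionGroup name="authentication">
          <section name="anonymousAuthentication" overrideModeDefault="Deny" />
          <section name="windowsAuthentication" overrideModeDefault="Deny" />
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>

  <system.applicationHost>
    <applicationPools>
      <!-- Application Pool Identity: the worker runs as the virtual account
           "IIS AppPool\OrdersAppPool"; no password, no local/domain user to manage.
           Grant NTFS permissions to that principal (it is a member of IIS_IUSRS). -->
      <add name="OrdersAppPool" managedPipelineMode="Integrated">
        <processModel identityType="ApplicationPoolIdentity" />
      </add>
    </applicationPools>
  </system.applicationHost>

  <location path="" overrideMode="Allow">
    <system.webServer>
      <!-- COLLECTION-DIRECTIVE LOCK: sites may <add>/<remove> modules but may not <clear/>
           the whole list; COLLECTION-ITEM LOCK: this one module cannot be removed -->
      <modules lockElements="clear">
        <add name="RequestFilteringModule" lockItem="true" />
        <add name="AnonymousAuthenticationModule" lockItem="true" />
      </modules>

      <!-- ATTRIBUTE LOCK: a site may change showFlags but never re-enable listing -->
      <directoryBrowse enabled="false" lockAttributes="enabled" />

      <security>
        <authentication>
          <!-- built-in IUSR account, as discussed above; identical on every server -->
          <anonymousAuthentication enabled="true" userName="IUSR" />
        </authentication>
      </security>
    </system.webServer>
  </location>

  <!-- PER-PATH UNLOCK: only this one application may tune its own request filtering;
       every other site and path on the server remains denied by the section lock above -->
  <location path="Default Web Site/api" overrideMode="Allow">
    <system.webServer>
      <security>
        <requestFiltering />
      </security>
    </system.webServer>
  </location>
</configuration>
```

If a web.config underneath a locked section does try to override it, IIS refuses to serve the site with a 500.19 configuration error rather than silently honoring the weaker setting, which is exactly what you want from a lock.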

Dynamic IP Restriction

IIS 7 provides a new module that allows dynamic, temporary IP address restriction. This module blocks brute-force attacks and HTTP clients that make an unusually high number of concurrent requests or a large number of requests over a short period of time.
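As an added configuration example (not from the original post), this web.config fragment enables both triggers the paragraph describes, with the static `ipSecurity` list beside it for comparison. The element and attribute names are those of the `dynamicIpSecurity` section as shipped in later IIS releases and documented for the add-on module; the thresholds and the 192.0.2.0/24 documentation range are constructed values, and you should confirm the schema against the version of the module you install.

```xml
<!-- Added example: dynamic and static IP restriction for one site. -->
<configuration>
  <system.webServer>
    <security>
      <!-- denyAction: what blocked clients receive; Forbidden = 403.
           enableLoggingOnlyMode="true" records what WOULD be blocked without blocking,
           which is the sensible first step before enforcing on production traffic.
           enableProxyMode="true" would use X-Forwarded-For instead of the socket address
           when the site sits behind a load balancer or reverse proxy. -->
      <dynamicIpSecurity denyAction="Forbidden"
                         enableLoggingOnlyMode="true"
                         enableProxyMode="false">
        <!-- trigger 1: too many in-flight requests from one address at the same time -->
        <denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
        <!-- trigger 2: too many requests from one address within a sliding window
             (constructed values: more than 30 requests in any 1000 ms) -->
        <denyByRequestRate enabled="true"
                           maxRequests="30"
                           requestIntervalInMilliseconds="1000" />
      </dynamicIpSecurity>

      <!-- the older static list still exists for addresses you always want refused -->
      <ipSecurity allowUnlisted="true">
        <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="false" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Leave logging-only mode on for a while and review the W3C log for the 403 entries it produces; once the thresholds are tuned so that real users and monitoring probes are not caught, switch `enableLoggingOnlyMode` to `false`.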

Summary

An exhaustive list of security features in IIS 6 and IIS 7 would be nearly impossible to compile. Apart from the obvious features, there were numerous code improvements made over these two versions that make the product far more secure than IIS 5 and earlier. That said, this should give you a starting point. I’ve listed some reference documents that may help you understand these features better. In general, I would encourage you to ask questions of the product team and/or other users on the IIS.NET forums if you hear something that sounds negative regarding IIS. If the feedback is true, the product team has the benefit of improving the next release. If the feedback is unfounded, the product team has the benefit of helping you find the information you need to make an informed decision.

Philly Code Camp 2009.1

I flew to Philadelphia from my home in Pittsburgh to attend and speak at the first Philadelphia area code camp for 2009.

I spoke on Extending IIS 7. You can find my photos of the event on flickr.

I took the opportunity to visit family that I hadn’t seen in ages and to see Philadelphia — a big deal for me as I’m a history buff.