Net Data Design, LLC Blog

Software and Database Development Blog

Browsing Posts tagged Security

A directory containing personal details about more than 100 million Facebook users has surfaced on an Internet file-sharing site.

The 2.8GB torrent was compiled by hacker Ron Bowes of Skull Security, who created a web crawler program that harvested data on users contained in Facebook’s open access directory, which lists all users who couldn’t be troubled to change their privacy settings to make their pages unavailable to search engines.

What Bowes did is completely legal, as the information is public. Maybe when a stalker comes to call on you folks who don’t protect your information (or your “friends’” information), you’ll realize the importance of securing your profile.

Bowes’ directory contains 171 million entries, relating to more than 100 million individual users – that’s 1/5 of Facebook’s half-billion user base.

The file contains user account names and a URL for each user’s profile page, from which details such as addresses, dates of birth or phone numbers can be accessed. Accessing a user’s page from the list will also enable you to click through to friends’ profiles – even if those friends have made themselves unsearchable.

Facebook (FB) should be ashamed of itself for not being more vigilant, either by setting user profiles to secure by default or by forcing users to make wise choices about their information settings, not to mention the information of their friends.

What are your thoughts? Is it an issue that FB should deal with directly? Or perhaps FB should be more diligent in educating its users?


There have been many questions on how to install and configure DotNetNuke on IIS 7.5 which ships in Windows 7 and Windows 2008 R2. I will outline the procedure I use to do so. For this example I will be using Windows 2008 R2 64-bit.

When you first log in to 2008 R2 you will be greeted with the Server Manager.

Server Manager

After you expand the Roles node and the Web Server node in the left pane, you will be in the main IIS Manager.

IIS Manager 7.5

Right Click on the “Sites” folder and select “Add Web Site.”

Add Web Site

In the next screen we enter the web site’s specifics. Fill in the highlighted areas with your information. Note that as you enter your site name, a new Application Pool is created.

Web Site Details

During the above process you will create a new directory to which you will deploy your DNN code.

Create Website Directory

After this is complete, select Application Pools from the IIS Manager node. The detailed view should indicate that the AppPool is in Integrated Pipeline mode.

AppPool View

If you have not already done so, copy your DNN files to your website directory. In IIS Manager right click your new website and:

  1. Select “Edit Permissions.”
  2. Select the “Security” tab.
  3. Click the “Edit” button and then the “Add” button.
  4. Click the “Locations” button and make sure you select your machine.
  5. Enter “IIS AppPool\<YourAppPoolName>” in the “Enter the object names to select:” text box.
  6. Click the “Check Names” button and click “OK”.
  7. Grant <YourAppPoolName> modify permissions on the directory.

Securing Resources for your Process Identity

At this point you are ready to edit your web.config for your database connection and get started.
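The same site, application pool and permission steps as above, scripted with the WebAdministration module that ships with IIS 7.5 and with icacls. This is an added example rather than part of the original post; the site name, port and directory are placeholder values.

```powershell
# Added example, not from the original post: the same site, app pool and ACL
# steps as above, scripted with the WebAdministration module that ships with
# IIS 7.5 and with icacls. Site name, port and path are placeholder values.
Import-Module WebAdministration

$siteName    = 'DNNSite'             # assumption: placeholder site name
$appPoolName = $siteName             # IIS Manager names the new pool after the site
$sitePath    = 'C:\inetpub\DNNSite'  # assumption: placeholder directory
$port        = 80

# Create the directory the DNN files will be deployed to.
if (-not (Test-Path $sitePath)) {
    New-Item -ItemType Directory -Path $sitePath | Out-Null
}

# Create the application pool and make sure it runs in Integrated pipeline mode.
if (-not (Test-Path "IIS:\AppPools\$appPoolName")) {
    New-WebAppPool -Name $appPoolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$appPoolName" -Name managedPipelineMode -Value Integrated

# Create the web site bound to that pool.
if (-not (Test-Path "IIS:\Sites\$siteName")) {
    New-Website -Name $siteName -Port $port -PhysicalPath $sitePath `
                -ApplicationPool $appPoolName | Out-Null
}

# Step 7 above: grant the pool's own identity (IIS AppPool\<name>) Modify on the
# directory. (OI)(CI) inherits the grant to files and subfolders; no other
# account is added, so the process identity's write access stays in this tree.
icacls $sitePath /grant "IIS AppPool\${appPoolName}:(OI)(CI)M"

# Verify the result: the ACL on the directory and the pool's pipeline mode.
icacls $sitePath
Get-ItemProperty "IIS:\AppPools\$appPoolName" |
    Select-Object name, managedPipelineMode, state
```

Run it from an elevated PowerShell prompt on the server; the final two commands print what the IIS Manager screens above show, so you can confirm the pool identity is the only account added to the directory.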

If you have any questions on the Application Pool details, I have covered this in an earlier blog post; you can read that here.


A serious SQL injection attack has injected a malicious iframe on more than 100,000 susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009.

Keep in mind that 99.9% of these attacks stem from poor coding. It is very important to urge beginners (and some more experienced programmers) to code against them. In brief:

  • Constrain data: check for known good data by validating type, length, format, and range.
  • Use type-safe SQL parameters for data access. Use parameters with stored procedures or with dynamically constructed SQL command strings.
  • Use a low-permission database account for data access.
  • Hide data errors; don’t give clues as to what may be acceptable to the database.

Now, there is a reason the items above look simple. They are!

All we need are programmers who will listen and not take shortcuts.
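The four rules above applied to a single user lookup with System.Data.SqlClient from PowerShell, as an added example that is not from the original post. The connection string, login, log path, table and column names are placeholders for this illustration.

```powershell
# Added example, not from the original post: the four rules above applied to a
# user lookup with System.Data.SqlClient from PowerShell. Connection string,
# table and column names are placeholders for this illustration.
Add-Type -AssemblyName System.Data

# Rule 1: constrain data. Known-good check on length and format: 1..50 characters of letters, digits, space, apostrophe or hyphen.
function Test-UserName([string]$name) {
    return ($name.Length -ge 1 -and $name.Length -le 50 -and
            $name -match '^[A-Za-z0-9 ''\-]+$')
}

# The pattern behind the injections described above: the value is pasted into the
# SQL text, so an apostrophe rewrites the statement (a valid name like O'Brien breaks it).
function Get-UnsafeQuery([string]$name) {
    return "SELECT UserID, DisplayName FROM Users WHERE DisplayName = '$name'"
}

# Rule 2: type-safe parameter. The value travels apart from the SQL text, with an explicit type and length.
function New-SafeCommand([System.Data.SqlClient.SqlConnection]$conn, [string]$name) {
    if (-not (Test-UserName $name)) { throw (New-Object ArgumentException 'Invalid user name') }
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT UserID, DisplayName FROM Users WHERE DisplayName = @name'
    $p = $cmd.Parameters.Add('@name', [System.Data.SqlDbType]::NVarChar, 50)
    $p.Value = $name
    return $cmd
}

# Rule 3: low-permission account. dnn_reader is a placeholder login holding only SELECT on the tables it needs.
$connStr = 'Server=.\SQLEXPRESS;Database=DNN;User ID=dnn_reader;Password=<placeholder>;'
$logPath = 'C:\Logs\dnn-sql.log'   # assumption: placeholder log location

# Rule 4: hide data errors. The real SqlException goes to the log; the caller sees only a generic message.
function Invoke-UserLookup([string]$name) {
    $conn = New-Object System.Data.SqlClient.SqlConnection $connStr
    try {
        $conn.Open()
        $reader = (New-SafeCommand $conn $name).ExecuteReader()
        while ($reader.Read()) {
            New-Object PSObject -Property @{ UserID = $reader[0]; DisplayName = $reader[1] }
        }
    } catch [System.Data.SqlClient.SqlException] {
        Add-Content -Path $logPath -Value "$(Get-Date -Format o) $($_.Exception.Message)"
        throw 'User lookup failed.'
    } finally { $conn.Dispose() }
}

# Compare the two approaches on the same legitimate input.
Get-UnsafeQuery "O'Brien"    # the quote ends the literal early: broken SQL
Test-UserName "O'Brien"      # True: it passes validation, so rule 1 alone is not enough
```

The last two lines show why the rules work together: validation accepts a legitimate apostrophe that still breaks the concatenated query, while the parameterized command handles the same value without touching the SQL text.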


2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges.  If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch.  The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

Powered by WordPress Web Design by SRS Solutions © 2010 Net Data Design, LLC Blog Design by SRS Solutions