Debugging 64-bit App Pools

At the time of writing, version 1.1 of Microsoft Debug Diagnostics is the latest release of the debugger; however, on Windows Server 2008 x64 the only part of it that works directly is the Analysis component. It will not create dumps, so the dump has to be captured manually.

To capture a dump of an application pool we use adplus, which ships with the Debugging Tools for Windows. Use the 64-bit build of the tools, since a 64-bit worker process needs a 64-bit debugger to produce a usable dump. Adplus can be targeted at either a process name (w3wp.exe) or a PID; with several application pools running there are several w3wp.exe processes, so target the PID of the pool you actually want.

To determine which PID belongs to our application pool we can use the native IIS tools:

H:\>%windir%\system32\inetsrv\appcmd list wp
WP "4072" (applicationPool:RDWebAccess)

Then we can target that PID with adplus like this:

adplus -quiet -crash -p 4072 -o PATH_TO_DUMPFILE

Here -o names the directory the dump is written to. -crash attaches to the process and waits for an unhandled exception before writing the dump; for a pool that is hung rather than crashing, use -hang instead, which writes a full dump immediately and detaches. Note that the worker process only exists once the pool has served a request, so if appcmd lists nothing for the pool, hit the site first.
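The lookup above done as a script, as an added example rather than code from the original post: it parses the `appcmd list wp` output shown above into a pool-to-PID map (a web garden lists the same pool more than once, so each pool maps to a list), builds one adplus command line per worker process and runs them. The appcmd location, that adplus is on PATH, and that Python is present on the server are assumptions; older Debugging Tools releases ship adplus.vbs rather than adplus.exe, which would have to be run through cscript.

```python
import os
import re
import subprocess
import sys

# Assumptions: appcmd is at its standard location, and adplus (from the
# 64-bit Debugging Tools for Windows) is on PATH. Older tool releases ship
# adplus.vbs, which has to be run through cscript instead.
APPCMD = os.path.join(os.environ.get("windir", r"C:\Windows"),
                      "system32", "inetsrv", "appcmd.exe")
ADPLUS = "adplus"

# One line of `appcmd list wp` looks like:  WP "4072" (applicationPool:RDWebAccess)
WP_LINE = re.compile(r'^WP\s+"(\d+)"\s+\(applicationPool:(.+)\)\s*$')


def parse_worker_processes(appcmd_output):
    """Map application pool name -> list of worker-process PIDs.
    A web garden shows the same pool on several lines, hence the list."""
    pools = {}
    for line in appcmd_output.splitlines():
        m = WP_LINE.match(line.strip())
        if m:
            pools.setdefault(m.group(2), []).append(int(m.group(1)))
    return pools


def adplus_command(pid, dump_dir, mode="-crash"):
    """Argument list for one adplus run. -crash attaches and waits for an
    unhandled exception; -hang writes a dump immediately (for a hung pool)."""
    if mode not in ("-crash", "-hang"):
        raise ValueError("mode must be -crash or -hang")
    return [ADPLUS, "-quiet", mode, "-p", str(pid), "-o", dump_dir]


def commands_for_pool(appcmd_output, pool_name, dump_dir, mode="-crash"):
    """One adplus command per worker process of the named pool; an empty
    list means the pool has no running worker process (nothing to dump)."""
    pids = parse_worker_processes(appcmd_output).get(pool_name, [])
    return [adplus_command(pid, dump_dir, mode) for pid in pids]


if __name__ == "__main__":
    # usage: dump_pool.py <pool name> <dump directory> [-crash|-hang]
    pool, dump_dir = sys.argv[1], sys.argv[2]
    mode = sys.argv[3] if len(sys.argv) > 3 else "-crash"
    listing = subprocess.run([APPCMD, "list", "wp"], capture_output=True,
                             text=True, check=True).stdout
    cmds = commands_for_pool(listing, pool, dump_dir, mode)
    if not cmds:
        sys.exit("no running worker process for pool %r (hit the site first)" % pool)
    for cmd in cmds:
        print("running:", " ".join(cmd))
        subprocess.run(cmd, check=True)
```

Run it from an elevated prompt as `dump_pool.py RDWebAccess D:\dumps -hang` for a hung pool; the dump directory should be on a volume with room for the full address space of a 64-bit worker process.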

Slow SQL Queries

Here is a query, for SQL Server 2005 and later, that pulls the 100 cached statements with the highest average CPU time. Worker time and elapsed time are stored in microseconds, so the divisions by 1000 give milliseconds. It reads the plan cache, so it covers only plans cached since the last restart or cache flush, and it is server-wide rather than limited to one database. Running it requires the VIEW SERVER STATE permission; grant that to the monitoring login rather than making it sysadmin.

    SELECT TOP 100
        [Object_Name]      = OBJECT_NAME(st.objectid),
        creation_time,
        last_execution_time,
        total_cpu_time     = total_worker_time / 1000,
        avg_cpu_time       = (total_worker_time / execution_count) / 1000,
        min_cpu_time       = min_worker_time / 1000,
        max_cpu_time       = max_worker_time / 1000,
        last_cpu_time      = last_worker_time / 1000,
        total_time_elapsed = total_elapsed_time / 1000,
        avg_time_elapsed   = (total_elapsed_time / execution_count) / 1000,
        min_time_elapsed   = min_elapsed_time / 1000,
        max_time_elapsed   = max_elapsed_time / 1000,
        avg_physical_reads = total_physical_reads / execution_count,
        avg_logical_reads  = total_logical_reads / execution_count,
        execution_count,
        SUBSTRING(st.text, (qs.statement_start_offset / 2) + 1,
            ((CASE qs.statement_end_offset
                  WHEN -1 THEN DATALENGTH(st.text)
                  ELSE qs.statement_end_offset
              END - qs.statement_start_offset) / 2) + 1) AS statement_text
    FROM sys.dm_exec_query_stats qs
    CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) st
    ORDER BY total_worker_time / execution_count DESC

The SUBSTRING picks the individual statement out of the batch text: the offsets are byte positions into the nvarchar text, hence the division by 2, and an end offset of -1 means "to the end of the batch". OBJECT_NAME is empty for ad hoc batches, which are the usual suspects when looking for injected or unparameterized SQL.

Urchin Profile Stuck

Occasionally Urchin 5.x will stop processing data. In the Scheduler section the parse shows as running, typically stuck at 0%. To recover, use the Urchin utils command line to reset the task's flags in Urchin's configuration store so the profile can run again. The utils folder is typically C:\Program Files\Urchin5\utils.

Run the commands in order, substituting the name of the stuck profile for MyProfile:

uconf-driver action=set_parameter table=task name="MyProfile" cr_runnow=0
uconf-driver action=set_parameter table=task name="MyProfile" ct_runstatus=2
uconf-driver action=set_parameter table=task name="MyProfile" ct_completed=0
uconf-driver action=set_parameter table=task name="MyProfile" ct_status=1
uconf-driver action=set_parameter table=task name="MyProfile" ct_lockid=0

Create a Dummy File for Testing

Sometimes you need a file of a specific size, for instance to test FTP transfers. fsutil, which is built into Windows, will create one. Open a command prompt and type:

fsutil file createnew myfile.txt <size>

Replace myfile.txt with any file name and extension. The size is a number of bytes, so for a 1 GB file use 1073741824:

fsutil file createnew myfile.txt 1073741824

The file this creates is filled with zeros, so it compresses to almost nothing. That is fine for checking size limits, quotas or that a transfer completes, but useless for measuring throughput over a link or protocol that compresses data.

Install IIS6 to Somewhere Other than C:

Create a text file and name it answer.txt. Save it in a location that can be easily reached from the command line; the root of the alternate partition is a good place. For this example IIS will be installed on the partition assigned the letter D. Paste the lines below into answer.txt and save it. Use plain ASCII quotes: the curly quotes a word processor or blog editor inserts are not understood by sysocmgr, and the path settings would be silently ignored.

[Components]
iis_common = on
iis_inetmgr = on
iis_www = on
iis_ftp = on
iis_smtp = on
iis_asp = on
aspnet = on

[InternetServer]
PathFTPRoot="D:\InetPub\FTPRoot"
PathWWWRoot="D:\InetPub\wwwroot"

FTP and SMTP are switched on in this example; set any component the server does not need to off rather than installing it and leaving it running.

Launch a command prompt and run the following command:

sysocmgr.exe /i:sysoc.inf /u:D:\answer.txt

If for some reason sysocmgr is not in the path, run the command from within the %windir%\system32 directory. Setup will ask for the Windows installation media if the i386 source is not available locally. Note that this relocates only the content directories; IIS 6 still writes its logs under %windir%\system32\LogFiles until the log file directory is changed (see "Move IIS6 to an Alternative Partition" below).

Mount a Windows Share From a Linux Client

I don't work with Linux as often as Windows, but I sometimes need to pull some data to a Linux box. This is as much a reference for me as for anyone. I've used this on Ubuntu and Fedora, but it should work for pretty much any distro.

Test for a share (this lists the shares the server offers to that user):
smbclient -L <windows-box> -U <username>

Make a directory for the mount point:
mkdir /mnt/<name-of-mountpoint>
For this example the mount point is named ntserver.

Mount the share using CIFS (this needs root, and the cifs-utils package, which provides mount.cifs):
mount -t cifs //servername/share -o username=myUsername,password=myPassword /mnt/ntserver

Putting the password on the command line leaves it in the shell history and, while mount runs, visible to every local user in the process list. For anything beyond a one-off, put username= and password= lines in a file readable only by root (mode 600) and pass it with the credentials=<file> mount option instead of password=.

Unmount the share when finished:
umount /mnt/<mount-point>

Move IIS6 to an Alternative Partition

In this example I will assume that IIS is currently located at "C:\InetPub" and its logs are located at "C:\iislogs". Both directories will be migrated to the "D:" partition.

1. Stop all IIS services
From the command line (Start -> Run -> cmd) use net stop iisadmin /y, which also stops the services that depend on IIS Admin (W3SVC, FTP and SMTP among them). Stopping only the HTTP service would leave IIS Admin running, and IIS Admin rewrites metabase.xml, so an edit made while it is running can be lost.
Or use the services snap-in: Start -> Run -> services.msc. In the services list, locate the IIS Admin Service, right-click it and select Stop. A message will list all the services that will be stopped along with it. Click OK.

2.    Copy "C:\inetpub" and "C:\iislogs", with their contents, to D: in a way that preserves the NTFS permissions (xcopy /E /H /K /O, or robocopy /E /COPYALL). A plain drag-and-drop copy takes on the destination's permissions, which on a freshly formatted data partition are usually looser than the ones set up on C:; check the ACLs on the new wwwroot and log folders before bringing the sites back.

3.    Create a backup of the metabase by making a copy of the metabase.xml file located in "c:\windows\system32\inetsrv" and naming the copy metabase.xml.bak

4.    Using a text editor with a find-and-replace feature, open metabase.xml and replace instances of "C:" with "D:". Do not use replace-all: have the editor confirm each change, because the metabase also holds paths under C:\WINDOWS (ISAPI filters, for example) that must not move. Specifically you are looking for lines similar to:
Path="C:\Inetpub\wwwroot" which would be changed to Path="D:\Inetpub\wwwroot"
LogFileDirectory="C:\IISLogs" which would be changed to LogFileDirectory="D:\IISLogs"

5.    Launch the registry editor. Start -> Run -> regedit

6.    Locate the key HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

7.    Find the string value "ErrorLoggingDir" and set it to D:\IISLogs. The value may have to be created if the location has never been changed. This controls where HTTP.sys writes its own error log (the HTTPERR folder), which is separate from the per-site logs whose location was changed in step 4.

8.    Reboot the server to apply the updated registry settings.

9.    After the reboot, review the Windows event logs for errors and confirm that each site is serving from the new path and writing to the new log directory.
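The careful find-and-replace of step 4 as a script, added here as an example and not part of the original post: instead of a blanket C: to D: substitution it rewrites only the Path and LogFileDirectory attributes, and only when the value sits under one of the two trees being moved, so FilterPath entries and anything under C:\WINDOWS are left untouched. It writes the .bak copy of step 3 first and prints every change for review. The attribute names and moved directories are those from the example above; that metabase.xml is UTF-8 and that IIS Admin is stopped while this runs are assumptions.

```python
import re
import shutil
import sys

# Attributes in metabase.xml that hold filesystem paths. Everything else
# (FilterPath, AppRoot, metabase key paths) is left alone.
PATH_ATTRS = ("Path", "LogFileDirectory")

# Only these trees are moving (assumption matching the example above);
# paths under C:\WINDOWS, such as ISAPI DLLs, must stay where they are.
MOVED_PREFIXES = (r"C:\Inetpub", r"C:\IISLogs")


def _under(value, prefix):
    """True if value is prefix itself or a path below it (case-insensitive,
    as NTFS paths are)."""
    v, p = value.lower(), prefix.lower()
    return v.startswith(p) and (len(v) == len(p) or v[len(p)] == "\\")


def relocate(xml_text, new_drive="D:", prefixes=MOVED_PREFIXES, attrs=PATH_ATTRS):
    """Return (rewritten_text, changes). changes lists (attribute, old, new)
    for every edit so it can be reviewed before the file is written."""
    attr_re = re.compile(r'\b(%s)="([^"]*)"' % "|".join(attrs))
    changes = []

    def fix(m):
        name, value = m.group(1), m.group(2)
        if any(_under(value, p) for p in prefixes):
            new_value = new_drive + value[2:]   # swap the drive letter only
            changes.append((name, value, new_value))
            return '%s="%s"' % (name, new_value)
        return m.group(0)

    return attr_re.sub(fix, xml_text), changes


if __name__ == "__main__":
    # usage: relocate_metabase.py <path to metabase.xml>   (IIS Admin stopped)
    path = sys.argv[1]
    shutil.copyfile(path, path + ".bak")              # step 3: backup first
    with open(path, encoding="utf-8", newline="") as f:
        text = f.read()
    new_text, changes = relocate(text)
    for name, old, new in changes:
        print("%s: %s -> %s" % (name, old, new))
    with open(path, "w", encoding="utf-8", newline="") as f:
        f.write(new_text)
    print("%d attribute(s) changed" % len(changes))
```

Compare the printed list against the directories you actually copied in step 2 before restarting IIS Admin; a path in the list that does not exist on D: is a site that will fail to start.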

Socket Pooling

Using httpcfg to set the IP addresses IIS listens on (Windows Server 2003)
By default HTTP.sys, and therefore IIS, binds port 80 on every IP address the server has. If Apache (or any other web server) has to run alongside IIS on port 80, the answer is to choose selectively which addresses HTTP.sys is allowed to use. This is the HTTP.sys IP listen list; "socket pooling" is the IIS 5 name for the old bind-everything behaviour. httpcfg.exe is installed with the Windows Server 2003 Support Tools.
1.    Open a command prompt. Start -> Run -> cmd
2.    Stop the HTTP service with the following command.
a.    net stop http /y
3.    Add every IP address IIS should listen on, one address per command, substituting <ip address> for the address needed. Once the list has an entry, HTTP.sys binds only the listed addresses, so leave out nothing that IIS needs.
a.    httpcfg set iplisten -i <ip address>
4.    Start the web service (this starts HTTP.sys again as a dependency)
a.    net start w3svc
5.    To verify what IPs are in the list run
a.    httpcfg query iplisten

Using netsh to set the IP addresses IIS listens on (Windows Server 2008)
On 2008 the same listen list is managed with netsh, which is built in.
1.    Open a command prompt. Start -> Run -> cmd
2.    Stop the HTTP service with the following command
a.    net stop http /y
3.    Add every IP address IIS should listen on, one address per command, substituting <ip address> for the address needed.
a.    netsh http add iplisten ipaddress=<ip address>
4.    Verify the IPs in the list
a.    netsh http show iplisten
5.    Restart the web service
a.    net start w3svc

Backing up and Restoring IIS 7 Configuration

The metabase has pretty much gone away in IIS 7. ApplicationHost.config is the root file of the IIS 7.0 configuration system. It defines all sites, applications, virtual directories and application pools, as well as the global defaults for the web server settings (much as machine.config and the root web.config do for .NET Framework settings). It is also the only IIS configuration file present when the web server is first installed. The IIS 6 metabase compatibility component can be installed, but it talks to the new configuration through an interpreter, so backing up through it does not work the way it did on IIS 6. This file is backed up as a whole, rather than site by site as the IIS 6 export of a site's configuration to XML was.

The configuration contains every secret IIS holds (application pool identities, virtual directory and anonymous-user credentials) in encrypted form, so treat a backup as carefully as the server's own keys. The encryption keys are specific to the machine, which is why a config copied onto a different server cannot decrypt those values unless the keys are exported and imported along with it.

Backup Method 1 - The super easy way.
Simply copy the "C:\windows\system32\inetsrv\config" directory (and its subdirectories) into a backup directory somewhere. I suggest a backup tape or CD/DVD.

Backup Method 2 - Command line way
1.    Launch a command prompt. Start -> Run -> cmd
2.    %windir%\system32\inetsrv\appcmd.exe add backup "IIS_Backup"
3.    The backup is written under %windir%\system32\inetsrv\backup\IIS_Backup. Move it off the system or burn it to media.

Restore Method 1
1.    Stop IIS (net stop was /y), overwrite the config directory with the data from the backup, then start it again (net start w3svc).

Restore Method 2 - Command Line
1.    %windir%\system32\inetsrv\appcmd.exe restore backup "IIS_Backup"
(The name must match the one given to add backup exactly.)

To view a list of available backups on the system via command line:
%windir%\system32\inetsrv\appcmd.exe list backup

Thoughts on SQL Injections

Prevention
1.    Validate user input.
Every field should accept only what it needs. If the field is for a US ZIP code it only needs digits: five of them, or nine plus a hyphen for ZIP+4, so there is no reason to give it more room than that. Sure, that could someday change, but it is fairly constant. This kind of allowlist validation belongs in the application code itself; a front-end filter such as URLScan can reject obviously hostile requests, but it sees only URLs and headers, not what each field means. Validation shrinks the attack surface but does not by itself make a query safe: the query must also be built with parameters rather than by concatenating strings, so that the database receives the values separately from the SQL text and a quote in the input is never parsed as syntax.

It is important to realize that only secure code can protect the system. A firewall provides no help against this kind of attack, since the injection arrives on the same port 80 or 443 the firewall has to allow through. An intrusion detection system may mitigate the problem to some extent, but IDS rule sets cover only a small portion of the attack surface.

2.    Limit database permissions and segregate users.
A web application should connect with the most limited rights possible: read-only access to the tables the public part of the site actually needs, and nothing on anything else. Another method along these lines is to use multiple connection strings. Once the web application has determined that valid credentials were passed via the login form, it can switch that session to a database connection with more rights. sa, or any login in the sysadmin role, should never be used by a web application: with those rights a single injectable parameter is enough to enable xp_cmdshell and run commands on the database server.

3.    Use stored procedures for database access
Assuming the stored procedures themselves are written properly, the control this gives is considerable: the application gets EXECUTE on the procedures and no direct access to the tables. "Written properly" matters. A procedure that builds a command string from its arguments and runs it with EXEC is just as injectable as the application code it replaced; pass the values as parameters (sp_executesql accepts them) instead. Parameterized queries issued from the application give the same protection without stored procedures.

Even having taken these mitigation steps, it is still possible to miss something and leave the server open to compromise. Other measures, like putting the machine in a DMZ, mean that even complete control of the web server does not automatically grant full access to everything else. This won't stop everything, but it makes it a lot harder.
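The injectable and the parameterized form of a login check side by side, added here as an example (it is not code from the original post), in Python against an in-memory SQLite database. The attack string is the classic ' OR '1'='1, which makes the concatenated query match every row while the parameterized query treats it as a literal password. The users table, its contents and the validate_zip allowlist check for the ZIP field mentioned above are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration: two accounts in an in-memory
# SQLite database. Real systems store password hashes, never plaintext.
SAMPLE_USERS = [("admin", "hunter2"), ("alice", "s3cret")]


def make_db():
    """Build the in-memory database with a users table (test fixture only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The injectable pattern: user input is spliced into the SQL string.
    Returns True when the query matches a row."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """The fix: placeholders. The driver sends the values separately from
    the SQL text, so a quote in the input is data, never syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Allowlist for a US ZIP field: five digits, or ZIP+4.
ZIP_RE = re.compile(r"^[0-9]{5}(-[0-9]{4})?$")


def validate_zip(value):
    """Defence in depth for one field; it narrows what reaches the query but
    is not a substitute for placeholders."""
    return ZIP_RE.match(value) is not None


if __name__ == "__main__":
    db = make_db()
    attack = "' OR '1'='1"
    # Concatenation yields: ... WHERE username = 'admin' AND password = '' OR '1'='1'
    print("vulnerable:", vulnerable_login(db, "admin", attack))   # True: bypassed
    print("parameterized:", safe_login(db, "admin", attack))      # False
    print("zip:", validate_zip("12345-6789"), validate_zip("12345' OR 1=1"))
```

The same split applies to a stored procedure: sp_executesql with parameters behaves like safe_login, while EXEC of a concatenated string behaves like vulnerable_login no matter how the procedure is locked down.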

There is an ISAPI filter floating around the internet that was made by Microsoft to mitigate SQL injections. It is fairly generic and will not help in all situations; in fact it has been known to cause more problems than it fixes. It is a quick-fix solution and will not properly address the root problem. Additionally it may break functionality of the site it is trying to protect. For example, I've seen it break the ability for customers to fill out forms or place orders using shopping cart software.

Recovery from backups after a SQL injection attack.
A number of scrubber scripts floating around the internet claim to clean up SQL injections. For the most part these scripts are too generic and don't solve the root problem (see the comments above). So, beyond costing a DBA a day or a week, the only real option is to restore from backup. Hopefully your company has had the foresight to put a disaster recovery plan in place that includes frequent backups of the database along with its transaction logs, so a point-in-time restore is possible. Before restoring, keep a copy of the compromised database and of the web server logs: the injected requests in the IIS logs show which page and which parameter were used, and that is what the code fix has to target. Realize too that restoring the database will not prevent it from being injected again. The restore is a band-aid. The code for the site needs to be fixed if the problem is to be prevented.
There are a number of scrubber scripts floating around on the internet that claim to clean up SQL injections. For the most part these scripts are to generic and don’t solve the root problem (See comments above.) Therefore, besides wasting a DBA’s entire day or week, the only option is to restore from backup. Hopefully your company has had enough foresight to have some sort of disaster recovery plan that includes the frequent backing up of your database along with it’s transaction logs so a point in time restore is possible. Additionally, it’s important to realize that restoring the database will not prevent it from getting injected again. The restore is a band-aid. The code for the site needs to be fixed if the problem is to be prevented.