Web Platform Installer

MaximumASP is excited to announce the rollout of Microsoft’s just-released Web Platform Installer (Web PI) to all of our Dedicated server and MaxV customers. So what is Web PI? It is a really cool tool Microsoft developed that makes it super easy to download, install and keep up to date with the latest components of the Microsoft Web Platform, including Internet Information Services (IIS), SQL Server Express, .NET Framework and Visual Web Developer. Additionally, you can install popular open source ASP.NET web apps with the Web PI.

The Web PI really takes the guesswork out of application dependencies and where to find them for download. To start using it, all you need to do is double-click the link on your desktop.

Check out our short 2-minute video demonstrating how easy it is to use! You can also read Microsoft’s blog announcement.

What's Inside?

Popular Web Apps

Install free popular ASP.NET and PHP web apps such as DotNetNuke and WordPress.

.NET Framework

Install the latest version of the .NET Framework. This includes everything you need to work with ASP.NET.

IIS and Extensions

Install the latest version of IIS, including the latest IIS web extensions like IIS Media Services.

SQL Server

Install the latest version of SQL Server 2008 Express. This includes both the database engine and tools.

Visual Web Developer

Install the latest version of Visual Web Developer Express, our full-featured free web development tool.

Extra and Goodies

In addition to everything above, the Web PI also includes the latest community version of PHP for Windows.

95th Percentile

If you've logged in and seen our new bandwidth UI, you've probably noticed a new piece of data labeled "95th percentile." One of the new features of the new bandwidth system is tracking bandwidth by megabits per second (Mbps). For our higher bandwidth customers, this method can be used instead of tracking based on the total amount of data transferred.

To gather this data, we take a sample every five minutes, which gives us roughly 8,640 readings per month. We use this data to figure out how much of our pipe you are using and then bill you on that value. To get this value, we take the 95th percentile of the data. This is also called burstable billing.

The 95th percentile gives us a value which roughly tells us that 95% of the time, the usage is below this amount. What we do is take all of the data we gathered up over the month and sort it. We then take the top 5% of the values and throw them out. The highest value that is left becomes your billable utilization.

The advantage for the customer is that the peak values are thrown out. Many of our higher bandwidth customers use a steady amount of bandwidth, but periodically they need to burst up. Let's say, for example, every morning at 8:00 am you need to replicate many gigs of data from your local servers up to the web servers hosted at MaximumASP. This process only takes about 30 minutes. With burstable bandwidth, we’ll allow you to get as much bandwidth as needed to accomplish this process as quickly as possible. And, as long as this temporary spike in traffic accounts for less than 5% of the total data, we won’t penalize you.
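The calculation described above, worked through as an added example (not MaximumASP's billing code). The traffic figures are constructed: a steady 10 Mbps with a daily burst to 200 Mbps starting at 8:00 am, compared for a 30-minute and a 90-minute burst over a 30-day month.

```python
# Added example: burstable (95th percentile) billing on constructed readings.
SAMPLES_PER_DAY = 24 * 60 // 5   # one reading every five minutes -> 288 per day


def billable_mbps(readings):
    """Sort the month's readings, throw out the top 5%, bill the highest one left."""
    if not readings:
        raise ValueError("no readings collected")
    ordered = sorted(readings)
    discarded = len(ordered) * 5 // 100          # size of the top 5%
    return ordered[len(ordered) - discarded - 1]


def month_of_readings(base_mbps, burst_mbps, burst_minutes, days=30):
    """Constructed data: steady usage plus one burst starting at 8:00 am each day."""
    burst_start = 8 * 60 // 5                    # slot index of 8:00 am
    burst_slots = burst_minutes // 5
    readings = []
    for _ in range(days):
        for slot in range(SAMPLES_PER_DAY):
            in_burst = burst_start <= slot < burst_start + burst_slots
            readings.append(burst_mbps if in_burst else base_mbps)
    return readings


def burst_share(readings, threshold_mbps):
    """Fraction of readings above the steady rate."""
    return sum(1 for r in readings if r > threshold_mbps) / len(readings)


if __name__ == "__main__":
    for minutes in (30, 90):
        month = month_of_readings(10.0, 200.0, minutes)
        print(f"{minutes}-minute daily burst: {len(month)} readings, "
              f"{burst_share(month, 10.0):.2%} in burst, "
              f"billed at {billable_mbps(month)} Mbps")
```

The 30-minute burst occupies about 2% of the readings and is discarded entirely; the 90-minute burst occupies more than 5%, so some burst readings survive the cut and set the billable rate.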

New Feature - Backup Job Status

For customers receiving our Tier 1 or Tier 2 weekly and daily backups, you'll now find a new tab on your dedicated server page. With this page you can track the status of your backup jobs in addition to the amount of disk space you are using against your allocation quota.

One of the new features on the page is the graphical history of each backup job. Here's a sample chart:

You'll notice that when the first job ran, it consisted of new files to be backed up and a number of "RFE files" or "redundant file eliminations." The next day more new files were added to the files from the previous day's job. After that day, since there weren't many new files being added to the server, we see that the majority of files being backed up daily for the rest of the month are identical to those on the previous day. Only a small percentage of files being backed up are considered RFE files.

RFE files are files that already exist on our backup cluster. Files such as the Windows system files only need to get backed up once for all users of the backup cluster. Furthermore, they do not count against your backup quota for your server. RFE combined with HLZS data compression drastically reduces the time required to perform backups. The use of RFE files also reduces the amount of space required to store your backups.

For more information, see our KB article on how MaximumASP Dedicated Server Backups work.

Please be aware that, for some customers, there will be some missing report data around the 12th of September. The reporting data was lost while moving the data to our production environment. This action did not affect your backup jobs.

New Case Studies from Microsoft and Dell

MaximumASP has recently been featured in case studies by Microsoft and Dell for our work with Windows 2008, SQL 2008 and the new virtualization technologies.

Shared SQL 2008 Databases Available

For customers who have shared databases, you can now create new databases on our SQL 2008 servers. Back in November, we were the first to offer SQL 2008 hosting in conjunction with Dell, Intel, Microsoft and the Professional Association for SQL Server, so we've been looking forward to being able to roll out SQL Server 2008 into our production environment for quite some time.

To create a new SQL Server 2008 database just login to the MaximumASP Account Center, go to your database screen and choose Add New Database. You'll now be able to choose between a SQL 2005 or a SQL 2008 database.

New DNS Solution for Customer Domains

The External DNS system at MaximumASP has been replaced with a new system of hardware appliances based on the BIND nameserver software. The appliance vendor of choice for this solution is Infoblox, one of the industry's leading companies in DNS infrastructure and management as well as security for core network services.

The Infoblox DNS solution replaces our old DNS servers which were running Microsoft DNS on 64-bit Windows 2003 servers. The decision to replace this critical part of our network infrastructure was made a number of months ago following a series of DNS related outages. We were simply outgrowing the capabilities of Microsoft DNS.

BIND based software is a comfortable fit for our external DNS that offers us the performance and uptime our customers are accustomed to having. To further our commitment to performance and uptime, the decision was made to use a network appliance solution and place management of DNS with our netops department. This decision placed priority on the security of our external DNS in addition to performance.

Of the appliances considered, the Infoblox family of boxes met - and in many cases exceeded - all our needs. The solution provided the functionality we required, a flexible solution architecture, a short migration path, a knowledgeable and responsive technical support base and a thorough attention to security.

As we were wrapping up our final tests on the new system, posts all across the industry spoke of the DNS vulnerability identified by Dan Kaminsky in early July. Because the code update was already available from Infoblox when we first caught wind of the vulnerability, our solution went live with the patch in place. Now, granted, the possibility of that vulnerability affecting our external DNS was low. However, the fact that Infoblox was prepared before the public-at-large knew about the problem convinced us that we made the right choice.

Since we put the new system in production, the days of our public DNS servers needing weekly reboots and experiencing other "mini-disasters" related to server performance and software limitations are over. Our netops department now boasts DNS uptime in terms of months (soon to be years), and DNS problems have been cut down to almost nothing. In fact, this all comes to fruition without any of our Microsoft Certified engineers needing to learn a single Bash command.

Alert - Account Center Downtime

The MaximumASP Account Center will be undergoing maintenance this Wednesday night / Thursday morning from Midnight until 4am EST. The downtime is not expected to be longer than 30 minutes. Thanks for your patience.

New Feature - AntiVirus Status

For customers that are having their servers monitored by MaximumASP, you can now check the status of the Virus Scan under your device's AntiVirus page. On this page you'll find the results of the most recent full scans along with any of the files that the real-time scanning engine has cleaned up. Please note that if you are managing your own AntiVirus system or have opted out of our managed AntiVirus protection then nothing will be displayed.

New Feature - Uploaded Files

A few of our customers have probably noticed the new Files tab in the MaximumASP Account Center. This feature will allow us to upload important documents such as contracts, Visio diagrams, VPN software or help text to your account that you can download at any time. If we haven't uploaded any files to your account you won't see this tab.

Mass SQL Injection Attacks

Recently, a mass injection attack has started that targets SQL injection vulnerabilities within application code, with some of these attacks aimed specifically at ASP and .NET applications. Some of these attacks are even fully automated and are being launched via botnets and other infected systems. The source of these attacks and the attack code being used change so fast that it is impossible to block them at the network level.

SQL injection and cross-site scripting (XSS) attacks are nothing new. For several years now, computer security professionals have been warning of massive attacks such as these disrupting normal business operations on the public Internet. It looks as though this new wave of attacks and new method of infecting clients with malicious code has started.

The Security Team at MaximumASP has been watching this traffic very closely. A vast majority of these attacks have been originating from Chinese IP space or from compromised systems being controlled by Chinese attackers. Much of the data that is being injected into the databases contains links back to malicious JavaScript code or links directly to virus/Trojan code which is being hosted on other infected systems and on systems that reside in the Chinese web space.

The only way to protect your systems from attacks such as these is to correct the insecure application code that is allowing these database changes to be made. This means validating all client-side input to your applications for type, length, format and range. Client-side input is defined as any piece of data that can be changed or modified by the client. This could be in the form of HTTP GET, HTTP POST, JavaScript, cookies, VIEWSTATE or any other code that allows a client to input data to your web application.
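An added example (not MaximumASP's code) of checking one client-supplied value for type, length, format and range before it reaches the database, next to the concatenated query it replaces. The `articles` table, the `id` parameter and its limits are hypothetical, and the example goes one step beyond validation by also binding the value as a query parameter instead of pasting it into the SQL text.

```python
# Added example: validating a client-supplied id and binding it as a parameter.
import re
import sqlite3

ID_FORMAT = re.compile(r"[0-9]{1,6}")   # format and length: 1 to 6 ASCII digits
ID_RANGE = range(1, 100000)             # range: hypothetical valid article ids


def make_db():
    """Constructed in-memory table standing in for an application database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [(1, "Welcome"), (2, "Pricing"), (3, "Contact")])
    return db


def titles_concatenated(db, raw_id):
    """'Before': client input becomes part of the SQL statement itself."""
    query = "SELECT title FROM articles WHERE id = " + raw_id
    return [row[0] for row in db.execute(query)]


def parse_article_id(raw_id):
    """Check type, length and format first, then convert and check range."""
    if not isinstance(raw_id, str) or not ID_FORMAT.fullmatch(raw_id):
        raise ValueError("id must be 1 to 6 digits")
    value = int(raw_id)
    if value not in ID_RANGE:
        raise ValueError("id out of range")
    return value


def titles_validated(db, raw_id):
    """'After': validated value is bound as data, never parsed as SQL."""
    article_id = parse_article_id(raw_id)
    rows = db.execute("SELECT title FROM articles WHERE id = ?", (article_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(titles_concatenated(db, "1 OR 1=1"))   # query logic changed by input
    print(titles_validated(db, "2"))
    try:
        titles_validated(db, "1 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```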

Some of these recent attacks have even used search engines such as Google to find HTTP GET parameters that may be vulnerable to an injection attack. After these GET parameters have been collected, an automated system attempts to inject code into these parameters to determine if the application is possibly vulnerable to attack. If the code is vulnerable, links to malicious JavaScript and virus code are injected into the database so the application’s clients become infected. This method of attack is extremely effective since your web server logs never see the attacking client until the attack takes place. Since they are using search engines such as Google to find your application’s parameters and code, you never see any type of information-gathering scan taking place before the attack starts.

One way to protect yourself from the attacks described above is to use HTTP POST parameters for input instead of GET parameters. POST parameters are just as vulnerable to injection as GET parameters but the POST parameters will not be as easily found by things such as search engines or automated scans.

Microsoft provides a free security tool called URLScan that restricts the types of HTTP requests that Internet Information Services (IIS) will process. It can be installed on servers running IIS 4.0 or later. URLScan can be configured to block encoded URLs, unwanted character sets and extremely long requests, and it has many other useful features that can help protect your system from known and zero day (unknown) attack vectors. For more information or to download this Microsoft product please go to the following link: http://www.microsoft.com/technet/security/tools/urlscan.mspx

If you do not have access to your application’s source code, you can do some research and ensure the 3rd party application you are using does not have any known existing vulnerabilities. Many 3rd party applications such as phpBB have recently been attacked and exploited. Attackers are again using search engines such as Google to find servers with these vulnerable applications installed and then launching attacks to deface or inject malicious code.

For more information on protecting yourself from Injection vulnerabilities please see the following links: