DOCSLIB.ORG

IIS Security and Programming Countermeasures

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

IIS Security and Programming Countermeasures By Jason Coombs ([email protected]) Introduction This is a book about how to secure Microsoft Internet Information Services for administrators and programmers whose work includes a requirement for information security, a computer industry specialty field commonly referred to as infosec. In this book the terms information security and infosec are used interchangeably with the more friendly term data security. This is not a book about hacking, cracking, and the tools and techniques of the bad guys, the so-called black hat hackers. This book teaches computer professionals and infosec specialists how to build secure solutions using IIS. It is your duty to secure and defend networked information systems for the benefit of the good guys who are your end users, clients, or less technical coworkers. There is nothing you can do that will transform a programmable computer running Microsoft Windows from its vulnerable condition to an invulnerable one. Every general purpose programmable computer is inherently vulnerable because it is controlled by software and is designed to allow new software to be installed or executed arbitrarily. Network computing based on programmable general purpose computers will never be safe from an information security perspective. Eliminating the feature of general purpose programmability from a networked computer and replacing its software with firmware reduces but does not eliminate vulnerabilities. These are immutable realities of present day computing and, as always, reality represents your biggest challenge. Microsoft is in business to get as much of your money as possible using whatever means will work at a given moment and in this respect they know virtually no equal in the software business. Unfortunately, Microsoft truly does not care about security. You will see why in this book. To Microsoft, your possession of a microprocessor turns you into a customer, a source of potential profit. Just as your possession of a pair of eyeballs turns you into a potential customer for media giants who would sooner see you put in prison for violating arbitrary intellectual property laws than thank you sincerely for the money you've paid to them over the years, Microsoft will never do anything (willingly) that reduces its competitive position by reducing its access to your microprocessors or relinquishing some of its leverage over you. Never mind that these same corporations and media giants are responsible for laws such as the Digital Millennium Copyright Act (DMCA), that you may one day find yourself accused of violating based on something a microprocessor appears to have done over which you allegedly had control or authority, because of political contributions and special-interest lobbyist politics. Giving you real control over your computers is not in the best interest of capitalism nor law enforcement because such control would reduce profits and hinder prosecutions. If you don't think these issues are a part of the complex and volatile modern world of data security then you'll be surprised how a little knowledge of the subject will change your perceptions. Just remember that if it becomes difficult for Microsoft to execute code on your computers, it will become more difficult for them to extract money from your bank accounts by selling you more software. The business methods used by Microsoft have so badly compromised the safety of those who use Microsoft software that I've called publicly for Microsoft to give away, free of charge to all existing Microsoft customers, the latest build of Windows code that incorporates, for the first time, security remediations produced as a result of the Trustworthy Computing Initiative. These architectural security fixes are not just new features that you might like to have and may choose to pay for, they are the first attempt Microsoft has ever made to create a product that is safe to use and free from severe defects. That Microsoft has failed yet again to achieve a reasonable level of safety for its products will become apparent in the coming months, but this does not change the fact that Microsoft profited enormously by selling severely defective products in the past and owes a debt of apology to every person and business that has been harmed by their actions and inactions. We'll never see this apology in the real world, of course, just as we may never see Microsoft software that incorporates common sense security countermeasures. It is just not in Microsoft's best-interest to do what is in your best-interest, and this alone should cause you serious concern. Many other businesses draw a line that they choose not to cross, out of respect and care for their customers and for the benefit of the general public. Microsoft draws no such line, and it has thus become a despicable company run by despicable people. Information security is a constant process that never achieves its objective. Given this fact, many people choose to do something else with their time and money. People who faint at the sight of blood make poor surgeons. Likewise, computer programmers or administrators who insist that computers are inherently trustworthy under certain circumstances make terrible information security professionals. Before you can expect any computer system to be trustworthy you must abandon any hope you might have that a technological solution may exist and reconsider the criteria by which you judge a computer to be trustworthy. Technically, a computer can be considered trustworthy if it is provably under your exclusive control, performing only operations that are known or expected, and you are certain to detect any behavior or condition that would indicate otherwise. Your risk exposure to a computer can be considered reasonable if the computer is trustworthy and you are aware of, and prepared to respond to, incidents that may occur due to malfunction or malfeasance. Unlike a guide to black hat hacker mischief, and more applicable to daily programming or administration tasks than a guide for so-called white hat hackers who conduct penetration tests and employ hacking tools for the purpose of ensuring data security or discovering new vulnerabilities before malicious hackers do, IIS Security shows you where threats exist in data networks and information systems built around Microsoft IIS to enable threat comprehension but makes no effort to give detailed instructions on perpetrating exploits. There is plenty to read on the Internet on that subject. This book shows how to harden IIS and its hosted Web applications and services against attacks so that all known, and hopefully all possible, black hat exploits can be prevented with solid data security technology, secure Web application code, application-specific threat countermeasures, and a security policy appropriate to the level of protection required for each server box. IIS Security assumes that you are using IIS version 4, 5, 5.01, or 6.0 with an emphasis on versions 5 and 6. IIS versions 5 and 5.01 are only available for Windows 2000 or Windows XP Professional and IIS 6 only available in the Windows .NET Server OS family. Although some of the instructions in this book pertain specifically to one version of IIS and therefore imply use of a particular OS (NT 4, Win2k, XP or .NET Server) you will find the majority of the instructions relevant to your environment because Windows XP Professional and .NET Server share a common code base derived from Windows 2000 which in turn derives from Windows NT 4. Most of the Windows 2000-specific instructions also apply to members of the Windows .NET Server OS family if only in a historical context. You may not need to follow all of the instructions in this book if you are using Windows .NET Server and IIS 6 because much of the best practices knowledge, registry settings, and secure configuration options have been preconfigured for IIS 6 in the most secure locked-down setting. Consider historical Windows 2000 instructions to be informative if you need to lower security settings on your Windows .NET Server with IIS 6 rather than increase them. If you are still using a Windows NT 4 system with IIS 4, which include NT 4 derivatives such as BackOffice Server 4.5, you would realize a performance benefit for IIS if you were to upgrade, but IIS version 4 can be made as secure as newer versions and Microsoft does not plan to stop supporting version 4 nor stop releasing security hotfixes for it. If you do use IIS 4, the critical thing to understand is that unlike IIS 5 and 6, IIS 4 must not be used to host applications on behalf of multiple unrelated parties. IIS 4 can only be adequately secured for application hosting if the applications belong to a single organization. To securely host Web sites for multiple organizations under IIS 4 you must disable all dynamic content and application services, such as ISAPI extensions, and serve only static HTML content. Removing all active content and applications to achieve security is a drastic measure, and while this book can be used as a guide to dismantling programmability interfaces exposed by IIS, it assumes that your objective is to build, deploy, and manage secure applications around IIS not revert to serving static text and pictures. The bottom line is that if you host applications for other people, upgrade to Windows 2000 or Windows Server 2003. The sample code shown in this book, and there is no shortage of it, is not meant solely for computer professionals whose business cards bear the title of Programmer. Administrators will find the code useable as a basis for administrative scripting, and the code samples are tailored with this in mind. The boundaries between administrator and programmer have blurred recently with the release of new versions of Windows, the .NET Framework, and new programming platforms such as Windows Script Host that appeal to and solve problems for anyone who manages, uses, or programs Windows-based computers.
Recommended publications
  • Disrupting Fields: Addressing Power Dynamics in the Fields of Climate Finance and Gender Lens Investing

    Disrupting Fields: Addressing Power Dynamics in the Fields of Climate Finance and Gender Lens Investing

    JANUARY 2021 Disrupting Fields: Addressing Power Dynamics in the Fields of Climate Finance and Gender Lens Investing Joy Anderson, Criterion Institute with funding from Wallace Global Fund and UNICEF Disrupting Fields: Addressing Power Dynamics | 1 Acknowledgements This paper is grounded in a moment in time in the development of gender lens investing and climate finance. It must be acknowledged up front that the work of Criterion Institute is implicated in this history. I invite you to challenge Criterion and me as its leader on our own decisions and how they affect power dynamics in the field. We are committed to publishing metrics and setting up feedback loops to be an example of the transparency and accountability in field building that we are calling for in this paper. Criterion’s Board of Directors, many of whom are referenced in this work, challenge the power dynamics that keep systems of inequity in place in their own work. They hold Criterion accountable for our mission to expand who sees themselves as able to use finance to create social change. Susan Gibbs at Wallace Global Fund and Patty Alleman at UNICEF have been long-time champions in ensuring that efforts to innovate in systems finance is grounded in goals of equity and justice. This work would not have been possible without funding from both Wallace Global Fund and UNICEF. This has been a collective effort. The whole team at Criterion participated in one way or another developing and writing this paper over the last 18 months as Criterion’s work became increasingly explicit in its focus on power.
  • Solve Errors Caused by Corrupt System Files

    Solve Errors Caused by Corrupt System Files

    System File Corruption Errors Solved S 12/1 Repair Errors Caused by Missing or Corrupt System Files With the information in this article you can: • Find out whether corrupt system files could be causing all your PC problems • Manually replace missing system files using your Windows installation CD • Use System File Checker to repair broken Windows system files • Boost the memory available to Windows File Protection for complete system file protection Missing or corrupt system files can cause many problems when using your PC, from cryptic error messages to mysterious system crashes. If one of the key files needed by Windows has gone missing or become corrupt, you may think that the only way to rectify the situation is to re-install Windows. Fortunately, nothing that drastic is required, as Microsoft have included several tools with Windows that allow you to replace corrupt or missing files with new, fresh copies directly from your Windows installation CD. Now, whenever you find that an important .DLL file has been deleted or copied over, you won’t have to go to the trouble of completely re-installing your system – simply replace the offending file with a new copy. Stefan Johnson: “One missing file can lead to your system becoming unstable and frequently crashing. You may think that the only way to fix the problem is to re-install Windows, but you can easily replace the offending file with a fresh copy from your Windows installation CD.” • Solve errors caused by corrupt system files ................... S 12/2 • How to repair your missing system file errors ..............
  • Download; (2) the Appropriate Log-In and Password to Access the Server; and (3) Where on the Server (I.E., in What Folder) the File Was Kept

    Download; (2) the Appropriate Log-In and Password to Access the Server; and (3) Where on the Server (I.E., in What Folder) the File Was Kept

    AN ALCTS MONOGRAPH LINKED DATA FOR THE PERPLEXED LIBRARIAN SCOTT CARLSON CORY LAMPERT DARNELLE MELVIN AND ANNE WASHINGTON chicago | 2020 alastore.ala.org © 2020 by the American Library Association Extensive effort has gone into ensuring the reliability of the information in this book; however, the publisher makes no warranty, express or implied, with respect to the material contained herein. ISBNs 978-0-8389-4746-3 (paper) 978-0-8389-4712-8 (PDF) 978-0-8389-4710-4 (ePub) 978-0-8389-4711-1 (Kindle) Library of Congress Control Number: 2019053975 Cover design by Alejandra Diaz. Text composition by Dianne M. Rooney in the Adobe Caslon Pro and Archer typefaces. This paper meets the requirements of ANSI/NISO Z39.48–1992 (Permanence of Paper). Printed in the United States of America 23 24 22 21 20 5 4 3 2 1 alastore.ala.org CONTENTS Acknowledgments vii Introduction ix One Enquire Within upon Everything 1 The Origins of Linked Data Two Unfunky and Obsolete 17 From MARC to RDF Three Mothership Connections 39 URIs and Serializations Four What Is a Thing? 61 Ontologies and Linked Data Five Once upon a Time Called Now 77 Real-World Examples of Linked Data Six Tear the Roof off the Sucker 105 Linked Library Data Seven Freaky and Habit-Forming 121 Linked Data Projects That Even Librarians Can Mess Around With EPILOGUE The Unprovable Pudding: Where Is Linked Data in Everyday Library Life? 139 Bibliography 143 Glossary 149 Figure Credits 153 About the Authors 155 Index 157 alastore.ala.orgv INTRODUCTION ince the mid-2000s, the greater GLAM (galleries, libraries, archives, and museums) community has proved itself to be a natural facilitator S of the idea of linked data—that is, a large collection of datasets on the Internet that is structured so that both humans and computers can understand it.
  • Computer Malpractice and Other Legal Problems Posed by Computer Vaporware

    Computer Malpractice and Other Legal Problems Posed by Computer Vaporware

    Volume 33 Issue 5 Article 4 1988 Computer Malpractice and Other Legal Problems Posed by Computer Vaporware Ronald N. Weikers Follow this and additional works at: https://digitalcommons.law.villanova.edu/vlr Part of the Computer Law Commons, Contracts Commons, and the Torts Commons Recommended Citation Ronald N. Weikers, Computer Malpractice and Other Legal Problems Posed by Computer Vaporware, 33 Vill. L. Rev. 835 (1988). Available at: https://digitalcommons.law.villanova.edu/vlr/vol33/iss5/4 This Comment is brought to you for free and open access by Villanova University Charles Widger School of Law Digital Repository. It has been accepted for inclusion in Villanova Law Review by an authorized editor of Villanova University Charles Widger School of Law Digital Repository. Weikers: Computer Malpractice and Other Legal Problems Posed by Computer V 1988] "COMPUTER MALPRACTICE" AND OTHER LEGAL PROBLEMS POSED BY COMPUTER "VAPORWARE" I. INTRODUCTION The computer hardware' and software 2 trade is extremely compli- cated in that manufacturers, distributors and retailers must contend with thousands of available computer systems and parts, various financing and pricing concerns, training and retaining salespeople and much more.3 Nonetheless, the picture has recently become further clouded by 1. The term "computer hardware" describes the physical computer equip- ment. Typically, the hardware comprising a "personal computer system" con- sists of a "central processing unit"-the main body of the computer housing the processing circuitry and disk drives-, a video display monitor, and a printer. See Note, Copyright Infringement of Computer Programs: A Modification of the Substantial Similarity Test, 68 MINN. L. REV. 1264, 1264 n.1 (1984); Management Sys.
  • WAF/CDP V3.7.1 User Guide

    WAF/CDP V3.7.1 User Guide

    WAFS/CDP v3.7.1 User Guide GlobalSCAPE, Inc. (GSB) 4500 Lockhill-Selma Road, Suite 150 Address: San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical Support: (210) 366-3993 Web Support: http://www.globalscape.com/support/ © 2004-2010 GlobalSCAPE, Inc. All Rights Reserved July 21, 2010 Table of Contents GlobalSCAPE Replication Software ............................................................................................................. 7 What's New? .............................................................................................................................................. 7 For the Best WAFS/CDP Experience .................................................................................................... 8 Getting Started .............................................................................................................................................. 9 WAFS Quick Start ..................................................................................................................................... 9 CDP Quick Start ...................................................................................................................................... 11 Quick Reference ...................................................................................................................................... 13 File-Naming Conventions ........................................................................................................................ 13 WAFS/CDP
  • Mighty Number 9 and the Ethics of Kickstarter on July 18Th, 2011

    Mighty Number 9 and the Ethics of Kickstarter on July 18Th, 2011

    Spring 2016 | ADES 5515 Logan McLaughlin The Legend Never Dies, or Gets a Full Release: Mighty Number 9 and the Ethics of Kickstarter On July 18th, 2011 Capcom disappointed many fans of their iconic Mega Man series by announcing the cancellation of the most recent installment in the series: Mega Man Legends 3. Legends 3 had been in development for less than a year and was apparently close to having a finished Alpha build, an early playable version of the game. More importantly, lead producer Keiji Inafune had approved an interesting design process by opening a multi-national development forum to solicit ideas from carefully selected fans. I was among those on the developer forums who took part in surveys and design sessions for various mechanics and design implementations. When the game was cancelled I, like many others, had to accept that the Mega Man series was officially dead. Hope came in 2013 in the form of a Kickstarter for a new game developed independently from Capcom by Inafune himself under the banner of his new company Comcept LLC. What was promised to fans was a re-imagining of the classic 2D side scrolling Mega Man games so many had known and loved over the years. The title of this game was Mighty Number 9. The game reached its $900,000 USD target in two days, and by the end of the month-long Kickstarter campaign had raised a total of $3,845,170 USD. After the campaign, the game had a period of extended PayPal donations ultimately ending with a grand total of $4,046,579 USD raised.
  • 1. in Practice, There Are Two ...Of Detergents A. Predictions B

    1. in Practice, There Are Two ...Of Detergents A. Predictions B

    In the name of God English for the students of IT Summer Term 14/6/1389 Choose the letter of correct answer and mark it on your answer sheet accordingly ﺗﻌﺪاد ﺳﻮال: 50 وﻗﺖ: هﻔﺘﺎد دﻗﻴﻘﻪ . ﻧﻤﺮﻩ ﻣﻨﻔﯽ دارد 1. In practice, there are two .......... of detergents d. described a. predictions 9. Since they both spoke simultaneously, I could not b. manipulations figure out what they were saying. The word c. evolutions SIMULTANEOUSLY is synonymous with the word d. categories* .......... a. real-time* 2. I want you to tell me the .......... truth, and nothing b. interrelated but the truth. c. instead a. tolerable d. distant b. illustrative c. approximate 10. The instructions faxed to us were garbled. We d. absolute* could not follow them. The word GARBLED is synonymous with the word .......... 3. The government .......... a new program for the a. removed improvement of the economy. b. rebuilt a. intervened c. corrupted* b. interacted d. changed c. initiated* d. extended 11. Many people regard ARPANET as the precursor of the internet. The word PRECURSOR is 4. Ram is also known as .......... memory. synonymous with the word .......... a. volatile* a. limitation b. removable b. forerunner* c. permanent c. complement d. critical d. amusement 5. .......... me those CDs over there, please. 12. Teachers disseminate knowledge to their students. a. quantify The word DISSEMINATE is synonymous with the b. manipulate word .......... c. locate a. record d. fetch* b. receive c. distribute* 6. She was .......... for the loss of her arm in the d. add accident. a. increased 13. Which of the following is a proper noun? b.
  • Microsoft Windows Common Criteria Evaluation Security Target

    Microsoft Windows Common Criteria Evaluation Security Target

    Microsoft Common Criteria Security Target Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 version 1809 (October 2018 Update) Microsoft Windows Server 2019 (October 2018 Update) Security Target Document Information Version Number 0.05 Updated On June 18, 2019 Microsoft © 2019 Page 1 of 126 Microsoft Common Criteria Security Target Version History Version Date Summary of changes 0.01 June 27, 2018 Initial draft 0.02 December 21, 2018 Updates from security target evaluation 0.03 February 21, 2019 Updates from evaluation 0.04 May 6, 2019 Updates from GPOS PP v4.2.1 0.05 June 18, 2019 Public version Microsoft © 2019 Page 2 of 126 Microsoft Common Criteria Security Target This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs- NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
  • Windows Intruder Detection Checklist

    Windows Intruder Detection Checklist

    Windows Intruder Detection Checklist http://www.cert.org/tech_tips/test.html CERT® Coordination Center and AusCERT Windows Intruder Detection Checklist This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team). printable version A. Introduction B. General Advice Pertaining to Intrusion Detection C. Look for Signs that Your System may have been Compromised 1. A Word on Rootkits 2. Examine Log Files 3. Check for Odd User Accounts and Groups 4. Check All Groups for Unexpected User Membership 5. Look for Unauthorized User Rights 6. Check for Unauthorized Applications Starting Automatically 7. Check Your System Binaries for Alterations 8. Check Your Network Configurations for Unauthorized Entries 9. Check for Unauthorized Shares 10. Check for Any Jobs Scheduled to Run 11. Check for Unauthorized Processes 12. Look Throughout the System for Unusual or Hidden Files 13. Check for Altered Permissions on Files or Registry Keys 14. Check for Changes in User or Computer Policies 15. Ensure the System has not been Joined to a Different Domain 16. Audit for Intrusion Detection 17. Additional Information D. Consider Running Intrusion Detection Systems If Possible 1. Freeware/shareware Intrusion Detection Systems 2. Commercial Intrusion Detection Systems E. Review Other AusCERT and CERT Documents 1. Steps for Recovering from a Windows NT Compromise 2. Windows NT Configuration Guidelines 3. NIST Checklists F. Document Revision History A. Introduction This document outlines suggested steps for determining whether your Windows system has been compromised. System administrators can use this information to look for several types of break-ins. We also encourage you to review all sections of this document and modify your systems to address potential weaknesses.
  • Hands-On Ethical Hacking and Network Defense

    Hands-On Ethical Hacking and Network Defense

    Hands-On Ethical Hacking and Network Defense Chapter 6 Enumeration Modified 1-11-17 Objectives Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate *NIX OS targets Introduction to Enumeration Enumeration extracts information about: – Resources or shares on the network – Network topology and architecture – Usernames or groups assigned on the network – Information about users and recent logon times Before enumeration, you use Port scanning and footprinting – To Determine OS being used Intrusive process NBTscan NBT (NetBIOS over TCP/IP) – is the Windows networking protocol – used for shared folders and printers NBTscan – Tool for enumerating Microsoft OSs Enumerating Microsoft Operating Systems Study OS history – Knowing your target makes your job easier Many attacks that work for older Windows OSs still work with newer versions Windows 95 The first Windows version that did not start with DOS Still used the DOS kernel to some extent Introduced the Registry database to replace Win.ini, Autoexec.bat, and other text files Introduced Plug and Play and ActiveX Used FAT16 file system Windows 98 and ME More Stable than Win 95 Used FAT32 file system Win ME introduced System Restore Win 95, 98, and ME are collectively called "Win 9x" They run Windows 98 Use plaintext passwords – Research from Billy K Rios, published 2-11-14 Windows NT 3.51 Server/Workstation No dependence on DOS kernel Domains and Domain Controllers NTFS File System to replace FAT16 and FAT32 Much more secure and stable than Win9x Many companies still use Win NT Server Domain Controllers Win NT 4.0 was an upgrade Windows 2000 Server/Professional Upgrade of Win NT Active Directory – Powerful database storing information about all objects in a network Users, printers, servers, etc.
  • The Defintive Guide to Windows Desktop

    The Defintive Guide to Windows Desktop

    realtimepublishers.comtm The Definitive Guidetm To Windows Desktop Administration Bob Kelly Chapter 2 Chapter 2: OS Deployment............................................................................................................23 The Workstation Baseline..............................................................................................................23 Benefits ..............................................................................................................................23 Increased Reliability ..............................................................................................23 Increased Deployment Speed.................................................................................23 Ease of Troubleshooting ........................................................................................24 Drawbacks..........................................................................................................................24 Baseline Components.........................................................................................................24 What to Leave In....................................................................................................25 What to Leave Out.................................................................................................25 Common Pitfalls to Avoid .................................................................................................25 MSI Source Resiliency ..........................................................................................25
  • Vaporware: Imaginary High-Tech Products and Real Antitrust Liability

    Vaporware: Imaginary High-Tech Products and Real Antitrust Liability

    Vaporware: Imaginary H-igh-Tech Products and Real Antitrust Liability in a Post-Chicago World ROBERT PRBNTICE* I. INTRODUCTION In rejecting a consent decree in the antitrust case United States v. Microsoft Corp.,1 Judge Stanley Sporkin noted that "vaporware," the high- technology industry's marketing ploy of preannouncing products that do not exist at the time of the announcement and may never come into existence in anything like their described form,2 "is a practice that is deceitful on its face and everybody in the business community knows it." 3 In part because of his misgivings about Microsoft Corporation's alleged * University Distinguished Teaching Professor and Ed and Molly Smith Centennial Professor of Business Law, Graduate School of Business, University of Texas, Austin, Texas. 1 159 F.R.D. 318 (D.D.C. 1995), rev'dper curiam, 56 F.3d 1448 (D.C. Cir. 1995). The original complaint charged Microsoft with violating sections 1 and 2 of the Sherman Act in the market for personal computer operating systems for the x86 class of microprocessors. The complaint attacked three of Microsoft's marketing practices: (a) "per processor" licenses by which Microsoft required original equipment manufacturers (OEMs) to pay a royalty for each computer the OEM sold regardless of whether it contained a Microsoft operating system; (b) "minimum commitments" distribution practices whereby Microsoft induced OEMs to commit to buy a minimum number of units of Microsoft operating systems under circumstances making it economically unattractive to install any non-Microsoft system; and (c) use of non-disclosure agreements (NDAs) to discourage independent software developers (ISVs) from developing applications for competing operating systems.