Securing Microsoft Web Servers
We have a guest column this week. It was written by one of the
Techies of eEye, a leading edge security tool developer.
URLScan versus SecureIIS™ Web Server Protection - You Get What You Pay For
Every administrator realizes the importance of preventing unwanted network access points. Firewalls and intrusion detection systems serve a purpose in closing certain network exposure points; however, these technologies do little to guard against HTTP/port 80 based attacks. Port 80 is the open door that must allow traffic through, but it also needs to intelligently dissect requests or risk being attacked.
Inherently, Microsoft's Internet Information Services (IIS) is a feature-rich product, but it does not have adequate security to prevent intrusion. Administrators need to take appropriate action to guard against potential attacks on their Microsoft web servers by adding the critical layer of security required to take advantage of IIS's features without jeopardizing security. What we all learned from the Code Red and Nimda experiences is that patch management, while still absolutely necessary, is certainly not enough to keep intruders from gaining access to IIS-based web servers.
To augment patch management, IIS-specific intrusion prevention tools and products emerged last year to address this issue: specifically, URLScan and IIS Lockdown from Microsoft, and SecureIIS™ Web Server Protection from eEye Digital Security. The choice between these utilities comes down to cost of ownership, ease of use, level of protection and feature richness.
URLScan / IIS Lockdown - The Free Utilities
Microsoft's URLScan and IIS Lockdown are two utilities that are meant to work in conjunction. The combination of the two gives IIS-based web server administrators the ability to turn off unused features and to restrict certain HTTP requests that the server would otherwise process. By blocking specific HTTP requests, the URLScan security tool prevents some potentially harmful requests from reaching the server and causing damage.
Unfortunately, there are several issues associated with these basic utilities. With URLScan and IIS Lockdown in place, the advanced functionality of IIS and of other web applications (like FrontPage) is significantly impacted and, in some cases, rendered completely useless. For example, features such as "file includes" in ASP programming, or even the use of ASP pages at all, are removed by IIS Lockdown. Administrators are also susceptible to losing database functionality while "tweaking" the undocumented settings of URLScan just to accommodate simple functions. Given the limited features of these utilities, administrators are expected to be somewhat IIS-savvy and willing to experiment with various configurations until the server and its various web applications are stable.
In addition, with these utilities supporting only one policy per physical server, URLScan and IIS Lockdown were offered by Microsoft primarily to cater to administrators with a limited number of non-critical servers to manage.
SecureIIS™ Web Server Protection - The Proven Enterprise Solution
SecureIIS™ Web Server Protection is an alternative for IIS administrators who want to protect their Windows-based servers from intrusion. SecureIIS was developed by eEye Digital Security, the undisputed experts at uncovering IIS vulnerabilities and understanding precisely why IIS is susceptible to attack. See eEye's IIS-related advisories at:
Developed by eEye as the first-ever IIS application firewall, SecureIIS operates within IIS to actively inspect all incoming requests at each stage of data processing. In this way, SecureIIS prevents potentially damaging network traffic, whether encrypted or unencrypted, from penetrating your servers. SecureIIS works within the Microsoft web server without altering its core functionality, and it ensures that all requests are RFC compliant. SecureIIS installs into IIS as an ISAPI filter and immediately protects against the entire classes of attack that typically compromise IIS web servers, including buffer overflows, parser evasion attacks, directory traversals, and a variety of known and undiscovered exploits.
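The request-level checks that URLScan (described above) and an inline filter such as SecureIIS apply, namely a verb allow-list, length limits against overlong requests, decoding-based parser-evasion detection, traversal rejection and blocking of unused ISAPI extension mappings, can be pictured with a small pre-filter. The following Python sketch is an added example written for this column, not code from eEye, SecureIIS or Microsoft's URLScan; the policy values and the sample request lines are assumed and constructed.

```python
# Constructed illustration, not eEye's or Microsoft's code; policy values are assumed.
import os
import re
from urllib.parse import unquote

ALLOWED_VERBS = {"GET", "HEAD", "POST"}                    # verb allow-list
DENIED_EXTENSIONS = {".ida", ".idq", ".printer", ".htr"}   # unused ISAPI mappings
MAX_URL, MAX_QUERY = 260, 2048                             # length limits
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def normalize(path):
    """Percent-decode once; if a second decode still changes the path the
    request was double-encoded (a parser-evasion trick), so return None."""
    once = unquote(path)
    if unquote(once) != once:
        return None
    return once.replace("\\", "/")   # treat backslash as a path separator

def check_request(request_line):
    """Return (allowed, reason) for one raw HTTP request line."""
    m = REQUEST_LINE.match(request_line.rstrip("\r\n"))
    if not m:
        return False, "request line is not RFC-compliant"
    verb, target = m.groups()
    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not in allow-list"
    path, _, query = target.partition("?")
    if len(path) > MAX_URL or len(query) > MAX_QUERY:
        return False, "request exceeds length limit"   # overlong input is what overflows buffers
    norm = normalize(path)
    if norm is None:
        return False, "double-encoded URL"
    if ".." in norm.split("/"):
        return False, "directory traversal"
    if os.path.splitext(norm)[1].lower() in DENIED_EXTENSIONS:
        return False, "extension mapped to an unused ISAPI handler"
    return True, "ok"

# Constructed sample request lines, one per check.
SAMPLES = [
    "GET /default.htm HTTP/1.1",
    "TRACE / HTTP/1.1",
    "GET /images/../../config/secret.ini HTTP/1.1",
    "GET /scripts/..%255c..%255cprivate/file.txt HTTP/1.0",
    "GET /search.asp?" + "A" * 3000 + " HTTP/1.1",
    "GET /login.htr HTTP/1.1",
]

def run_samples():
    return [check_request(line) for line in SAMPLES]
```

Calling run_samples() returns one (allowed, reason) pair per sample; only the first request passes, and each of the others is rejected by a different check.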
eEye's response to the release of URLScan and IIS Lockdown (a few months after the release of SecureIIS) was to evolve the product into an enterprise-centric solution with remote central administration, third-party application support and multiple web sites per server.
Fully supported by eEye Digital Security, SecureIIS is ready to protect right out of the box. Altering SecureIIS's configuration is simple and handled via a point-and-click interface, a key feature missing from Microsoft's unsupported tools. Large enterprises will appreciate that SecureIIS is built to support a different policy for every website hosted on a single physical web server, and each website can be managed from the same interface. SecureIIS also provides the ability to centrally manage security policies for many disparate servers.
Though it is tempting to use Microsoft's free tools, administrators
serious about implementing web server security without headaches
will realize significantly better ROI by choosing SecureIIS over
A free trial of SecureIIS™ Web Server Protection is available at: