Do something. Do anything. Thats the message we have for organizations committed to Microsoft Corp.s IIS Web server.
When eWeek Labs went looking for ways to brace Internet Information Services flimsy walls, we found several methods in addition to manual hardening. These include Microsofts free IIS Lockdown and URLScan tools and three higher-end products: eEye Digital Security Inc.s $495 SecureIIS 1.2.1, WatchGuard Technologies Inc.s $595 AppLock/Web 1.0.1 and ClickNet Software Corp.s $1,595 Entercept Web Server Edition 2.01.
The bottom line is that each of these options would have protected IIS shops hit hard by Code Red, Code Red II and Nimda this year, had they been deployed. (Although the Microsoft tools were released after most of the milk was spilled, they will be of future help.)
No matter what else IIS administrators do, the most important step in proper security is hardening.
Hardening consists of two main tasks: applying all known patches to a guaranteed clean server, then removing all unneeded components to minimize exposure to as-yet-unpublished exploits.
We found AppLock/Web and Entercept Web Server Edition notable for their trusted operating-system-like security features, which provide much deeper protection than the other choices. Both include defenses against Web page defacement and root kit installation, should crackers somehow get through the Web server layer.
Of the two, Entercept Web Server Edition demonstrated the most compelling combination of protection, customizability and manageability in tests and is a model of where Microsoft itself should be going if it wants to get serious about security.
eEyes SecureIIS provides the best quick-fix option. It doesnt have the deep operating system integration of AppLock/ Web or Entercept Web Server Edition, but—for the same reason—we found it much less invasive and simpler to maintain in ongoing operation than AppLock/Web and Entercept Web Server Edition. SecureIIS lacks any central administration or logging, however—something Entercept Web Server Edition provides.
Microsofts IIS Lockdown tool does a very nice job of removing unneeded IIS options and tightening file permissions, and we recommend using it on all IIS servers.
Once a server is hardened, an application-level firewall should be deployed to filter out suspicious URL requests. This job must be done at the IIS level because malicious HTTP traffic slips right past port 80 on firewalls. Microsofts URLScan and eEyes SecureIIS are IIS-specific firewalls, and Entercept Web Server Edition includes an IIS firewall.
We configured URLScan through a simple .ini file. It can filter HTTP traffic by allowing or disallowing URLs ending with certain extensions (such as the now-notorious ".ida" extension call used by Code Red and Code Red II), block URLs with strings such as ".." and block URLs with non-ASCII characters.
SecureIIS can do all these things using its graphical management console. It can also restrict requested files to specified directories. In addition, SecureIIS can examine HTTP query string, header or post data in an HTTP request (as well as in the URL) and can block requests that send long strings in HTTP header variables such as "Host"—usually a tip-off of a buffer overflow attack.
Centralized logging and a log analyzer program is planned for the next release, expected by the end of the year, and centralized configuration is expected in the release after that, according to eEye officials.