Do something. Do anything. Thats the message we have for organizations committed to Microsoft Corp.s IIS Web server.
When eWeek Labs went looking for ways to brace Internet Information Services flimsy walls, we found several methods in addition to manual hardening. These include Microsofts free IIS Lockdown and URLScan tools and three higher-end products: eEye Digital Security Inc.s $495 SecureIIS 1.2.1, WatchGuard Technologies Inc.s $595 AppLock/Web 1.0.1 and ClickNet Software Corp.s $1,595 Entercept Web Server Edition 2.01.
The bottom line is that each of these options would have protected IIS shops hit hard by Code Red, Code Red II and Nimda this year, had they been deployed. (Although the Microsoft tools were released after most of the milk was spilled, they will be of future help.)
No matter what else IIS administrators do, the most important step in proper security is hardening.
Hardening consists of two main tasks: applying all known patches to a guaranteed clean server, then removing all unneeded components to minimize exposure to as-yet-unpublished exploits.
We found AppLock/Web and Entercept Web Server Edition notable for their trusted operating-system-like security features, which provide much deeper protection than the other choices. Both include defenses against Web page defacement and root kit installation, should crackers somehow get through the Web server layer.
Of the two, Entercept Web Server Edition demonstrated the most compelling combination of protection, customizability and manageability in tests and is a model of where Microsoft itself should be going if it wants to get serious about security.
eEyes SecureIIS provides the best quick-fix option. It doesnt have the deep operating system integration of AppLock/ Web or Entercept Web Server Edition, but—for the same reason—we found it much less invasive and simpler to maintain in ongoing operation than AppLock/Web and Entercept Web Server Edition. SecureIIS lacks any central administration or logging, however—something Entercept Web Server Edition provides.
Microsofts IIS Lockdown tool does a very nice job of removing unneeded IIS options and tightening file permissions, and we recommend using it on all IIS servers.
Once a server is hardened, an application-level firewall should be deployed to filter out suspicious URL requests. This job must be done at the IIS level because malicious HTTP traffic slips right past port 80 on firewalls. Microsofts URLScan and eEyes SecureIIS are IIS-specific firewalls, and Entercept Web Server Edition includes an IIS firewall.
We configured URLScan through a simple .ini file. It can filter HTTP traffic by allowing or disallowing URLs ending with certain extensions (such as the now-notorious “.ida” extension call used by Code Red and Code Red II), block URLs with strings such as “..” and block URLs with non-ASCII characters.
SecureIIS can do all these things using its graphical management console. It can also restrict requested files to specified directories. In addition, SecureIIS can examine HTTP query string, header or post data in an HTTP request (as well as in the URL) and can block requests that send long strings in HTTP header variables such as “Host”—usually a tip-off of a buffer overflow attack.
Centralized logging and a log analyzer program is planned for the next release, expected by the end of the year, and centralized configuration is expected in the release after that, according to eEye officials.
AppLock/Web (see www.eweek.com/article/0,3658,s%253D708%2526a%253D16475,00.asp for our Oct. 15 review of AppLock/Web) and Entercept Web Server Edition both install kernel-mode drivers that allow or block actions at a level deeper than Windows own file system permissions and user rights (both packages are also available for other major operating systems and Web servers).
In tests, AppLock/Web hooked into Windows to block all changes to Web pages on our Web sites. Also off-limits were changes to IIS metabase configuration settings, such as virtual Web roots, various IIS and Windows registry settings, and key Windows files and directories.
Our changes were blocked when we tried to modify these objects, no matter what program we used, and even when we had Administrator privileges. However, we were able to add files (such as cmd.exe) to Web sites and then run them if the Web folder had execute permissions. The Internet Services Manager console also doesnt load when AppLock/Web is enabled.
When files or settings needed to be updated, we logged into AppLock/Webs local console and turned server protection off. No granularity is possible—protection is either all on or all off, although we could exclude selected Web files from protection entirely.
Depending on the number of people who need to update HTML content and the lack of administrative delegation in AppLock/Web, the administrative password may have to be fairly widely distributed. This protection model could also be a problem for sites using caches that automatically generate static content from dynamic content.
The software doesnt have a URL scanner and so lets the initial IIS attack through. We were able to break into a test server using an exploit eEye published with its .printer vulnerability announcement.
This approach makes us nervous—like bolting down everything in the house and then letting a burglar wander around. However, the exploit could do only permitted actions—in this case, place a text file in C:. When we modified the exploit to place an .exe file in C: (a forbidden action), our new exploit got through IIS but was blocked by AppLock/Web.
AppLock/Web doesnt have centralized management, but WatchGuards $1,295 ServerLock, a superset of AppLock/Web, has a $5,000 management console option.
Entercept Web Server Edition provides IIS firewall and kernel-level system object protection (and was able to block file additions in our tests) and also uses an attack signature database for specific identification of particular IIS and operating-system-level attacks. This kind of in-depth defense provides very strong security.
Entercept Web Server Edition also has fine-grained permissions, activity and configuration reporting (see screen, Page 63), centralized management, SNMP support, and self-updating agents. At least one $4,995 management console is required.
The fine-grained permissions are a major manageability win. We could define specific allowed actions based on rule type, user ID, process name and affected object, so we could run Internet Services Manager, view IIS log files or update Web pages (but only as a specific user and using a specific program) without turning off system protection elsewhere.
We had to do a fair amount of tweaking to get just the right permissions defined for our server-side applications and utilities, but the end result provided good usability and rock-solid security at the same time.
Entercept Web Server Edition is the most expensive option we examined for protecting IIS, but it also offered the most comprehensive protection, the most flexibility and the best manageability.
The advantage shifts to less expensive products for deployments to a small set of servers, but Entercept Web Server Edition offers clear benefits for shops with large numbers of Web servers (either in a Web farm or spread through many departments).