AppLock/Web (see www.eweek.com/article/0,3658,s%253D708%2526a%253D16475,00.asp for our Oct. 15 review of AppLock/Web) and Entercept Web Server Edition both install kernel-mode drivers that allow or block actions at a level deeper than Windows own file system permissions and user rights (both packages are also available for other major operating systems and Web servers).
In tests, AppLock/Web hooked into Windows to block all changes to Web pages on our Web sites. Also off-limits were changes to IIS metabase configuration settings, such as virtual Web roots, various IIS and Windows registry settings, and key Windows files and directories.
Our changes were blocked when we tried to modify these objects, no matter what program we used, and even when we had Administrator privileges. However, we were able to add files (such as cmd.exe) to Web sites and then run them if the Web folder had execute permissions. The Internet Services Manager console also doesnt load when AppLock/Web is enabled.
When files or settings needed to be updated, we logged into AppLock/Webs local console and turned server protection off. No granularity is possible—protection is either all on or all off, although we could exclude selected Web files from protection entirely.
Depending on the number of people who need to update HTML content and the lack of administrative delegation in AppLock/Web, the administrative password may have to be fairly widely distributed. This protection model could also be a problem for sites using caches that automatically generate static content from dynamic content.
The software doesnt have a URL scanner and so lets the initial IIS attack through. We were able to break into a test server using an exploit eEye published with its .printer vulnerability announcement.
This approach makes us nervous—like bolting down everything in the house and then letting a burglar wander around. However, the exploit could do only permitted actions—in this case, place a text file in C:\. When we modified the exploit to place an .exe file in C:\ (a forbidden action), our new exploit got through IIS but was blocked by AppLock/Web.
AppLock/Web doesnt have centralized management, but WatchGuards $1,295 ServerLock, a superset of AppLock/Web, has a $5,000 management console option.
Entercept Web Server Edition provides IIS firewall and kernel-level system object protection (and was able to block file additions in our tests) and also uses an attack signature database for specific identification of particular IIS and operating-system-level attacks. This kind of in-depth defense provides very strong security.
Entercept Web Server Edition also has fine-grained permissions, activity and configuration reporting (see screen, Page 63), centralized management, SNMP support, and self-updating agents. At least one $4,995 management console is required.
The fine-grained permissions are a major manageability win. We could define specific allowed actions based on rule type, user ID, process name and affected object, so we could run Internet Services Manager, view IIS log files or update Web pages (but only as a specific user and using a specific program) without turning off system protection elsewhere.
We had to do a fair amount of tweaking to get just the right permissions defined for our server-side applications and utilities, but the end result provided good usability and rock-solid security at the same time.
Entercept Web Server Edition is the most expensive option we examined for protecting IIS, but it also offered the most comprehensive protection, the most flexibility and the best manageability.
The advantage shifts to less expensive products for deployments to a small set of servers, but Entercept Web Server Edition offers clear benefits for shops with large numbers of Web servers (either in a Web farm or spread through many departments).