Product Reviews

Thwarting Hackers

SecureIIS provides a solid brick in your defensive wall

SecureIIS is an application firewall intended to supply the protection against hackers that an IIS server was assumed to provide out of the box. Because conventional IIS defenses are pitifully inadequate, IIS has been a sitting duck for hackers, novices and experts alike.

SecureIIS wraps around the IIS Web server to protect IIS 4.0 and newer versions from a number of attacks, both known attacks with signatures and unknown ones. The software installs easily on an NT 4.0 server with Service Pack 6 and IIS 4.0. It also installs on a Windows 2000 Web Server with SP1 and newer. Configuration is straightforward. A user with administrator rights can set defense rules by using the SecureIIS GUI. The interface is divided into four windows, each containing configurable selections. The leftmost window contains a list of attack categories such as Buffer Overflow and ShellCode Protection. The three rightmost windows contain, respectively, the Web site selection window, the list of controls for a selected attack category, and a definition (explanation) of each of the attack groups. Clicking on any of the seven attack categories lists a set of user-selectable defense rules, with checkboxes, in the center window.

Once the user is satisfied with the defense rules for each of the IIS attack groups, it's time to "arm" SecureIIS. When the user clicks the "arm" button, SecureIIS is ready to defend IIS against almost all attacks, per the defense rules. The ease with which the software loads and configures is a big plus. Tests have shown that it does defend against many of the attacks that have plagued IIS for a long time. SecureIIS has also come a long way from version 1.2.5 to version 1.2.7, growing stronger from version to version.

On the downside, the application does not cater to legacy IIS servers. It assumes every IIS server is IIS 4.0 or newer and runs on NT 4.0/Win2K with the latest service packs.

I subjected SecureIIS to a variety of tests to ensure it stood up to what it claims using both commercial and freeware scanners and worms. It doesn't interfere with or hamper performance when used with browsers such as Microsoft Explorer or Netscape Navigator. Some of the attacks were simulated using IIShack and netcat, and the defense configurations held up well by rebutting any probes. Vulnerability of the server was scanned using Retina (also made by eEye), which produced no audit reports when SecureIIS was armed.

Note, though, that server protection should not be left to any one product. The security professional should adhere to the principle of "defense-in-depth" and supplement SecureIIS with other security controls. All tests, however, have shown SecureIIS to be robust in defending IIS web servers.

[eEye has released SecureIIS 2.0, which offers upgrades such as enterprise-level functionality, centralized policy management, events management, logging of blocked requests and real-time statistical charts. Visit www.eEye.com for more information. -Editor]

About the Author

Dr. Seyoum "Zeg" Zegiorgis, CISSP, MCSE, MCT, CCNA, CCAI, has more than ten years of experience teaching and working in the IT field. In addition to Infosec market research, consulting and speaking, he does IT technical reviewing for publications including the ACM's Computing Review. Dr. Zeg lives in Bloomington, Illinois.
