SecureIIS provides a solid brick in your defensive wall
SecureIIS is an application firewall intended to remedy the lack of hacker
protection that was assumed to be out-of-the-box on an IIS server. Because
conventional IIS defenses are pitifully inadequate, IIS has been a sitting
duck to hackers (novices and experts).
SecureIIS wraps around the IIS Web server to protect IIS 4.0 and newer
versions from a number of attacks (known with signatures and unknowns).
The software installs easily on an NT 4.0 server with Service Pack 6 and
IIS 4.0. It also installs on a Windows 2000 Web Server with SP1 and newer.
Configuration is straightforward. A user with administrator rights can
set defense rules by using the SecureIIS GUI. The interface is divided
into four windows, each containing configurable selections. The leftmost
window contains a list of attack categories such as Buffer Overflow and
ShellCode Protection. The three rightmost windows contain the Web site
selection window, the list of controls for a selected attack category,
and a definition (explanation) of each of the attack groups, respectively.
Clicking on any of the seven attack categories lists a set of user-selectable
defense rules, with checkboxes in the center window.
Once the user is satisfied with the defense rules for each of the IIS
attack-groups, it's time to "arm" SecureIIS. When the user clicks the
"arm" button, SecureIIS is ready to defend IIS against almost all attacks,
per the defense rules. The ease with which the software loads and configures
is a big plus. Tests have shown that it does defend against many of the
attacks that have plagued IIS for a long time. SecureIIS, too, has come
a long way from version 1.2.5 to Version 1.2.7, and it has improved by
adding strength from version to version.
On the downside, the application does not cater to legacy IIS servers.
It assumes every IIS server is either IIS 4.0 or newer and should run
on NT 4.0/Win2K with the latest service packs.
I subjected SecureIIS to a variety of tests to ensure it stood up to
what it claims using both commercial and freeware scanners and worms.
It doesn't interfere with or hamper performance when used with browsers
such as Microsoft Explorer or Netscape Navigator. Some of the attacks
were simulated using IIShack and netcat, and the defense configurations
held up well by rebutting any probes. Vulnerability of the server was
scanned using Retina (also made by eEye), which produced no audit reports
when SecureIIS was armed.
Note, though, that server protection should not be left to any one product.
The security professional should adhere to the principle of "defense-in-depth"
and supplement SecureIIS with other security controls. All tests, however,
have shown SecureIIS to be robust in defending IIS web servers.
[eEye has released SecureIIS 2.0, which offers upgrades such as enterprise-level
functionality, centralized policy management, events management, logging
of blocked requests and real-time statistical charts. Visit www.eEye.com
for more information.-Editor.]
Dr. Seyoum "Zeg" Zegiorgis, CISSP, MCSE, MCT, CCNA, CCAI, has more than ten years of experience teaching and working in the IT field. In addition to Infosec market research, consulting and speaking, he does IT technical reviewing for publications including the ACM's Computing Review. Dr. Zeg lives in Bloomington, Illinois.