IIS Server Security

For years, Microsoft has had to contend with the impression that their products were not as secure as their counterparts. This was especially true when it came to Internet Information Services (IIS), the Microsoft web server. Many of the issues associated with IIS were related to the fact that many of the services were enabled by default.

Right out of the box, IIS could run as a fully functional web server without much need to configure various services. Unfortunately, attackers knew this and were able to compromise servers, and web sites, that relied on IIS because many of the administrators who installed the software were not aware of what steps they needed to take to secure this application.

Much has changed over the years. In response to an increase in web-based application attacks, Microsoft made attempts to increase security in all of their products, including IIS. In version 6, they rolled out what was referred to as a "lockdown by default" approach, where many features and services were left out, or disabled, in the default installation. They were still available; however, the administrator had to enable or install them, and so did it with full knowledge that they were running. In version 7, this approach changed again to a "minimum install" approach, where only the bare minimum components are installed, giving attackers a much smaller surface to work from.
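The minimum-install idea only helps if the installed set stays minimal, so it is worth checking periodically. The following is an added example, not code from the original page or from Microsoft: a PowerShell audit that lists installed IIS role services that are not on an approved list. It assumes Windows Server 2008 R2 or later, where the ServerManager module provides `Get-WindowsFeature`; the baseline list and the function name `Get-UnapprovedIisFeature` are hypothetical.

```powershell
# Added example: flag IIS role services installed beyond an approved baseline.
# Assumes Windows Server 2008 R2 or later (ServerManager module available).
Import-Module ServerManager

# Hypothetical baseline for a static-content site; adjust to what the site needs.
# Directory browsing (Web-Dir-Browsing) is deliberately left off this list.
$ApprovedBaseline = @(
    'Web-Server', 'Web-WebServer', 'Web-Common-Http',
    'Web-Default-Doc', 'Web-Static-Content', 'Web-Http-Errors',
    'Web-Health', 'Web-Http-Logging',
    'Web-Security', 'Web-Filtering',
    'Web-Performance', 'Web-Stat-Compression'
)

function Get-UnapprovedIisFeature {
    param(
        [string[]]$Baseline,
        # All IIS role services share the "Web-" name prefix.
        [object[]]$Features = (Get-WindowsFeature -Name 'Web-*')
    )
    # Keep only features that are installed and not in the baseline.
    $Features |
        Where-Object { $_.Installed -and ($Baseline -notcontains $_.Name) } |
        Select-Object Name, DisplayName
}

$extra = @(Get-UnapprovedIisFeature -Baseline $ApprovedBaseline)

if ($extra.Count -eq 0) {
    Write-Output 'Installed IIS role services match the approved baseline.'
}
else {
    Write-Warning ("{0} IIS role service(s) installed outside the baseline:" -f $extra.Count)
    $extra | Format-Table -AutoSize
    # Non-zero exit code so a scheduled task or monitoring job can alert on drift.
    exit 1
}
```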

Risks Associated with IIS

Despite the strides taken to protect IIS 7 from attacks, there are still risks that a web administrator needs to be aware of if they are running this application as their web server - this is what makes using a Web application firewall so appealing. Unfortunately, some of the things that make Microsoft’s IIS so appealing are also some of the issues that anyone using it needs to be aware of.

It is a Microsoft product

It is not insecure because it is a Microsoft product, but the fact that Microsoft still makes things easier for administrators still makes it a target. IIS can be installed and run on Server 2008 Core, which uses a command line interface rather than the Windows graphical desktop. In this environment, the server is much more secure. However, when the Windows desktop is used, the temptation to use Internet Explorer to connect to the web is far too great, and it happens far too often. When servers are allowed to access the web, they are put at risk. Windows makes it too easy for a lazy admin to simply fire up IE to find something from their server rather than from a workstation.

It is too easy to install software

One of the biggest threats to security is a web application. Odds are that most servers using IIS are using Windows. In a Windows environment, it is far too easy to install web applications like WordPress, Joomla!, or ZenCart. Although this is a huge selling point, it also poses a risk because if the web administrator does not have background knowledge related to the vulnerabilities that are present in these, or any other web application, then they may unknowingly be installing insecure software onto their server.

Of course, this can be true of applications installed via a command line interface or GNU/Linux shell as well; however, odds are that if a person is adept at using these tools, they are more aware of basic security risks as well.

Malware

Unfortunately for Microsoft, many web admins still remember what the Code Red and Nimda worms did to web servers using IIS: defacing web sites, hitting them with Denial of Service attacks, and exploiting path traversal vulnerabilities.

Due to Microsoft’s market share, it will always be a preferred target for malware attacks. Even as engineers work to patch known vulnerabilities, the thousands of pieces of malware being released into the wild every day pose significant threats to any server running Microsoft.

Protecting IIS

Like any server, certain steps need to be taken to harden the operating system against attacks. While malware prevention, Intrusion Detection/Prevention Systems, network firewalls, and all of the other tools and techniques help prevent some attacks, they don’t adequately prevent attacks launched against any third-party applications that have been installed on the server.

dotDefender protects IIS web servers against a variety of vulnerabilities to include:

By acting as a Security-as-a-Service solution, dotDefender is able to provide protection to web servers whether the admin has an extensive background in security or just a minimal amount of knowledge on the subject.

With the dotDefender web application firewall you can avoid many different threats to web applications, because dotDefender inspects your HTTP traffic and checks its packets against rules, such as rules that allow or deny protocols, ports, or IP addresses, to stop web applications from being exploited.

Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against DoS threats, Cross-Site Scripting, SQL Injection attacks, path traversal and many other web attack techniques.

The reasons dotDefender offers such a comprehensive solution to your web application security needs are:

The Need to Avoid Attacks

Whether your web server is running IIS or Apache makes little difference. With hundreds of millions of dollars being stolen each year by cyber criminals, vulnerabilities will continue to be a problem as known ones are exploited and new ones emerge.

In addition to money and data stolen as a result of compromised servers and web sites, businesses have to contend with a damaged reputation after an attack. When a breach of security occurs, customers and visitors second guess visiting that site if they know that they are not safe. Once the search engines find malware or spam on a web site, it can be flagged as malicious and removed from the search engine results page causing a loss in legitimate traffic.

Protect Your Web Applications With dotDefender

dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing the request and the impact it has on the application. Effective web application security is based on three powerful web application security engines: Pattern Recognition, Session Protection and Signature Knowledgebase.

The Pattern Recognition web application security engine employed by dotDefender effectively protects against malicious behavior such as the attacks mentioned above, and many others. The patterns are regular expression-based and designed to efficiently and accurately identify a wide array of application-level attack methods. As a result, dotDefender is characterized by an extremely low false positive rate.

What sets dotDefender apart is that it offers comprehensive protection against threats to web applications while being one of the easiest solutions to use.

In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the-box protection that can be easily managed through a browser-based interface with virtually no impact on your server or web site’s performance.