Most system administrators are tired of dealing with an endless stream of security patches for Microsoft’s IIS (Internet Information Server) Web server.
Even more problematic to security-conscious administrators is that Microsoft releases patches reactively, after the fact, often leaving active servers vulnerable for many moons.
Product engineers at eEye Digital Security have taken a different approach to the problem of keeping IIS servers up-to-date and secure with SecureIIS, now in version 2.0. Instead of waiting for Microsoft to deliver patches, SecureIIS relies on an internal analysis engine to pick out potentially dangerous traffic. Neither I nor eEye is saying you can ignore patch management, but SecureIIS is an effective bulwark against new forms of attack while patches against them are being written and tested by your IT staff for safe integration.
SecureIIS is an application-level firewall integrated into IIS. By residing on the ISAPI (Internet Server API) layer, SecureIIS is able to intercept every inbound string to the server, making it relatively easy to check both for attack patterns and conformity to RFC (Request for Comments) 2616, the definition of the HTTP protocol.
By checking for RFC compliance, SecureIIS can effectively limit the amount of data coming into the server. Hand-coded attacks can vary from the HTTP RFC in minute ways, so by being a nitpicker for detail, SecureIIS can effectively thwart unknown attacks by simply denying them access.
Installing SecureIIS is fast and easy, though you will need to pay attention to software requirements. The software is compatible with NT 4.0 servers patched to Service Pack 6 and running IIS 4.0. Windows 2000 IIS Web Servers must be running at least SP1 but may be configured with IIS Server 5.0 or 5.1. eEye recommends at least 128MB of RAM and 8MB of disk space, though you’ll probably want to increase that on servers with heavy-duty access loads.
eEye claims that running as an ISAPI filter instead of as a kernel-level firewall is more effective because it allows inspection of incoming packets before they reach the Web server. It even contends that an ISAPI approach uses as much as 15 percent fewer system resources than a kernel-level approach, implying that performance won’t be a problem.
In effect, SecureIIS simply encapsulates the IIS server in protective software armor. Administrators can implement protection by setting customisable defensive rules. Normally, this can drop you deeply into firewall and protocol-level minutiae, but SecureIIS’s version 2.0 GUI makes configuration surprisingly straightforward.
The interface is comprised of four configuration panes covering attack categories, site selection, control lists for a prospective attack, and a text definition of a selected attack mode to let administrators know what they’re protecting themselves against. Getting organised in SecureIIS does require some specific knowledge of Web security, but not so much that it is overly complex for new users.
For more granular protection and added attack-analysis capability, SecureIIS allows you to monitor your IIS server’s file system. This is done via a dedicated File Monitor window, starting with a default list of potentially vulnerable IIS files that is customisable if you wish to add files. Checkbox selections allow administrators to choose which file-access methods they wish to monitor including recursions (accessing files or folders lower in the hierarchy than the one selected), additions, removals, and modifications. Finally, you can choose to enable all rules for all files selected, or you can disable monitoring for some files while keeping others fully scoped.
For those administrating more than one IIS server, SecureIIS’s capability of creating policy-based protection is a great feature. It lets admins create one or more SecureIIS policies at a central location and then push, monitor, and edit those policies on multiple servers on the network.
Overall, this product shines. With relatively little impact on IIS server performance, SecureIIS provides highly effective protection against both known and unknown forms of attack. That means IIS administrators will be able to do more than just react — a tremendous incentive by itself — and can hopefully devote more time to detection and possibly even a little retribution. SecureIIS does all this while reducing your staff requirements both for security as well as patch-update management. Considering the cost per server, we highly recommend it.