Most system administrators are tired of dealing with an endless stream of security patches for Microsoft’s IIS (Internet Information Server) Web server. Even more problematic to security-conscious administrators is that Microsoft releases patches reactively, after the fact, often leaving active servers vulnerable for many moons.
Product engineers at eEye Digital Security have taken a different approach to the problem of keeping IIS servers up to date and secure with SecureIIS, now in version 2.0. Instead of waiting for Microsoft to deliver patches, SecureIIS relies on an internal analysis engine to pick out potentially dangerous traffic. Neither I nor eEye is saying you can ignore patch management, but SecureIIS is an effective bulwark against new forms of attack while patches against them are being written and tested by your IT staff for safe integration.
SecureIIS is an application-level firewall integrated into IIS. By residing on the ISAPI (Internet Server API) layer, SecureIIS is able to intercept every inbound string to the server, making it relatively easy to check both for attack patterns and conformity to RFC (Request for Comments) 2616, the definition of the HTTP protocol.
By checking for RFC compliance, SecureIIS can effectively limit the amount of data coming into the server. Hand-coded attacks can vary from the HTTP RFC in minute ways, so by being a nitpicker for detail, SecureIIS can effectively thwart unknown attacks by simply denying them access.
Installing SecureIIS is fast and easy, though you will need to pay attention to software requirements. The software is compatible with NT 4.0 servers patched to Service Pack 6 and running IIS 4.0. Windows 2000 IIS Web Servers must be running at least SP1 but may be configured with IIS Server 5.0 or 5.1. eEye recommends at least 128MB of RAM and 8MB of disk space, though you’ll probably want to increase that on servers with heavy-duty access loads.
The folks at eEye say that running as an ISAPI filter instead of as a kernel-level firewall is more effective because it allows inspection of incoming packets before they reach the Web server. They even contend that an ISAPI approach uses as much as 15 per cent fewer system resources than a kernel-level approach, implying that performance won’t be a problem.
In effect, SecureIIS simply encapsulates the IIS server in protective software armour. Administrators can implement protection by setting customisable defensive rules. Normally, this can drop you deeply into firewall and protocol-level minutiae, but SecureIIS’s version 2.0 GUI makes configuration surprisingly straightforward.
The interface is comprised of four configuration panes covering attack categories, site selection, control lists for a prospective attack, and a text definition of a selected attack mode to let administrators know what they’re protecting themselves against. Getting organised in SecureIIS does require some specific knowledge of Web security.
For more granular protection and added attack-analysis capability, SecureIIS allows you to monitor your IIS server’s file system.
For those administrating more than one IIS server, SecureIIS’s capability of creating policy-based protection is a great feature.
Overall, this product shines. With relatively little impact on IIS server performance, SecureIIS provides highly effective protection against both known and unknown forms of attack. That means IIS administrators will be able to do more than just react — a tremendous incentive by itself — and can hopefully devote more time to detection and possibly even a little retribution. SecureIIS does all this while reducing your staff requirements both for security as well as patch-update management. Considering the cost per server, we highly recommend it. w