IIS has repeatedly been in the news for its poor security and kiddy friendly hacks. It's clear that relying on Microsoft and its patches is no longer good enough.
Fortunately, salvation is on the horizon with protection programs such as Entercept and Watchguard's AppLock/Web.
However, there's also SecureIIS Web from eEye Security. eEye was responsible for finding a number of holes in IIS, including the one that led to the Code Red worm being released.
From a company with this much knowledge, we were expecting a lot from the application. We weren't disappointed. The software is billed as an application firewall. It sits between IIS and the outside world and checks incoming and outgoing requests.
We ran into some trouble when we tried to run the software for the first time, as SecureIIS kept crashing. However, after a reboot there were no further problems.
Operation is a doddle, thanks to the clean simple interface provided, which is used to select restricted behaviour on an IIS machine. The software can restrict the size of a requested URL to prevent buffer overflows. It is also smart enough to work on a per-website basis, not just by IIS server.
Applying these settings is made easy by a simple tick-box selection and, from this point, the software runs in protection mode. It can be disarmed to perform maintenance at a later date.
Protection is based on understanding how crackers work, not just trying to pattern match attacks like an IDS system. This means the software can also prevent future attacks and doesn't have to wait for the latest signature update file.
The protection options are categorised by the way a cracker would attempt to breach the machine. Buffer overflows are exploited when a cracker sends an over-long string to a variable in an application, with the code the cracker wants to run placed at the end of the string.
When the application crashes after receiving that string, the malicious code is run at the same privilege level as the application. This is the method used in both the recent IIS Unicode and ISAPI exploits.
Combating this is a matter of checking incoming requests and placing size restrictions on them. SecureIIS will check and limit, among others, URL, query and cookie lengths. The restricted length can be changed for each variable but, for most cases, the default values should provide enough protection.
To look at this in action, we set up an IIS 5 server on a Windows 2000 machine without installing any of the latest service packs or security updates. We downloaded some perl scripts that exploit both the Unicode and ISAPI bugs.
When we ran them without the software installed, we could easily gain control of the machine and upload Trojans. Turning on the protection stopped both attacks, but there are other kinds of attack that can be run.
SecureIIS also has shellcode protection. Some buffer overflows can be triggered by sending only a small amount of data to a web server, in which case the buffer overflow protection will not flag the string length and will pass the request through. To cover this, SecureIIS checks every HTTP request made to the server for shell commands.
Similar in operation are the keyword filtering operations. These check for keywords, such as cmd.exe and SYSTEM32, but custom keywords can be added. This is useful when considering items such as CGI scripts.
Improper bounds checking can often let an attacker traverse out of the directory path and run arbitrary code on a host machine.
Even where the keyword filter stops commands being run, directory traversal still allows other files to be read. We've seen sites where CGI scripts allowed us to display arbitrary files on a server. File system protection will prevent this: it denies all access to directories and files outside of those specified.
SecureIIS automatically populates the list with directories that a website has to access, and other directories can be manually added later if problems accessing the site occur.
Finally, SecureIIS can be programmed to ignore all but the needed HTTP methods. IIS only needs GET and POST to operate, so the default options only allow these methods. Many other methods, such as HEAD, allow a cracker to perform reconnaissance on a web server, so it's recommended that they be disabled.
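To make the countermeasure categories above concrete (request length limits, keyword filtering, file system protection and the HTTP method allow-list), here is an added example of the same checks written as a small request filter. It is not eEye's code and does not reproduce SecureIIS's internals: the length limits, the keyword list, the web root path `/inetpub/wwwroot/` and the `FilterPolicy` class are all assumptions made for this illustration, and the sample requests at the bottom are constructed.

```python
"""Request-filter model of the SecureIIS countermeasures discussed in the review.
Added example, not eEye's code; limits, keywords and the web-root path are assumptions."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit
import posixpath


@dataclass(frozen=True)
class FilterPolicy:
    allowed_methods: frozenset = frozenset({"GET", "POST"})   # review: IIS only needs these
    max_url: int = 1024          # assumed limits; the product lets each be tuned per site
    max_query: int = 512
    max_cookie: int = 512
    blocked_keywords: tuple = ("cmd.exe", "system32")          # keywords named in the review
    web_root: str = "/inetpub/wwwroot/"                        # hypothetical site root


DEFAULT_POLICY = FilterPolicy()


def percent_decode(value: str) -> str:
    """Decode percent-encoding until nothing changes, so a doubly encoded
    '..%252f..' is judged the way the server will eventually interpret it."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value


def resolve_path(url_path: str, web_root: str) -> str:
    """Map a request path onto the web root and collapse '.' and '..' segments.
    Backslashes are folded to forward slashes since IIS accepts both."""
    cleaned = percent_decode(url_path).replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(web_root, cleaned))


def check_request(method: str, target: str, cookie: str = "",
                  policy: FilterPolicy = DEFAULT_POLICY) -> list:
    """Return every policy violation for one request; an empty list means allow."""
    reasons = []
    method = method.upper()
    if method not in policy.allowed_methods:
        reasons.append(f"method {method} not in allowed set")

    parts = urlsplit(target)
    if len(target) > policy.max_url:
        reasons.append(f"URL length {len(target)} exceeds {policy.max_url}")
    if len(parts.query) > policy.max_query:
        reasons.append(f"query length {len(parts.query)} exceeds {policy.max_query}")
    if len(cookie) > policy.max_cookie:
        reasons.append(f"cookie length {len(cookie)} exceeds {policy.max_cookie}")

    # Keyword filter runs over the decoded, case-folded request so that
    # mixed-case or percent-encoded spellings of cmd.exe do not slip past it.
    haystack = percent_decode(target + "\n" + cookie).lower()
    for keyword in policy.blocked_keywords:
        if keyword in haystack:
            reasons.append(f"blocked keyword {keyword!r}")

    # File-system protection: the resolved path must stay under the web root.
    resolved = resolve_path(parts.path, policy.web_root)
    root = policy.web_root.rstrip("/")
    if not (resolved == root or resolved.startswith(root + "/")):
        reasons.append(f"path resolves outside web root: {resolved}")
    return reasons


if __name__ == "__main__":
    # Constructed sample requests: one clean, one disallowed method,
    # one traversal attempt against the keyword list, one over-long query.
    samples = [
        ("GET", "/index.asp", "session=abc123"),
        ("HEAD", "/index.asp", ""),
        ("GET", "/scripts/..%2f..%2fwinnt/system32/cmd.exe", ""),
        ("GET", "/search.asp?q=" + "A" * 600, ""),
    ]
    for method, target, cookie in samples:
        verdict = check_request(method, target, cookie)
        print(f"{method} {target[:40]:<40} -> {verdict or 'ALLOW'}")
```

The order of the checks matters less than the fact that every check sees the request after repeated percent-decoding and path normalisation; a filter that compares the raw request string against `cmd.exe` or looks for a literal `..` is exactly the kind of pattern matching the review contrasts with understanding the attack.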
SecureIIS is also programmed to look for specific obscure attacks that don't fall into the other categories, such as some directory traversals. However, it can only protect you against the attacks it knows about.
The only other problem we had with the software was based on reporting. By default, the software lists attempts made on the server to a log file, but that's all you can do with it.
There's no default mechanism for viewing this information inside the server, and we couldn't find a way of sending alerts to an administrator. This is a shame as the core protection part of the server is a very robust piece of software.
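Since the review's remaining complaint is that blocked attempts only go to a log file with no alerting, here is an added example of the sort of log post-processing an administrator would bolt on: it summarises blocks per rule and raises an alert when one client trips the filter repeatedly within a short window. This is not part of the product; the line layout in `LINE_RE` is hypothetical (the review does not document SecureIIS's real log format), and the sample log uses constructed TEST-NET addresses.

```python
"""Alerting on top of a block log, added here because the review notes SecureIIS
only writes attempts to a file. Constructed example; the line layout is hypothetical,
not the product's real log format."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical layout: <date> <time> <client-ip> <method> <target> <verdict> [<rule>]
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (BLOCKED|ALLOWED)(?: (\S+))?$")

# Constructed sample log (TEST-NET addresses, one malformed line on purpose).
SAMPLE_LOG = """\
2001-08-14 10:22:01 203.0.113.5 GET /index.asp ALLOWED
2001-08-14 10:22:03 203.0.113.5 GET /scripts/../../winnt/system32/cmd.exe BLOCKED keyword:cmd.exe
2001-08-14 10:22:04 203.0.113.5 GET /msadc/../../winnt/system32/cmd.exe BLOCKED keyword:cmd.exe
2001-08-14 10:22:05 203.0.113.5 HEAD /index.asp BLOCKED method:HEAD
2001-08-14 10:40:00 198.51.100.9 POST /login.asp ALLOWED
2001-08-14 10:40:02 198.51.100.9 GET /search.asp?q=AAAAAAAAAAAAAAAAAAAAAAAA BLOCKED length:query
this line is garbage and should be skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, ip, method, target, verdict, rule = m.groups()
    return {"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), "ip": ip,
            "method": method, "target": target,
            "blocked": verdict == "BLOCKED", "rule": rule or ""}


def summarise(lines):
    """Count blocked requests per rule, the overview the product's log viewer lacks."""
    return Counter(rec["rule"] for rec in map(parse_line, lines) if rec and rec["blocked"])


def find_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """Raise one alert per client that accumulates `threshold` blocked
    requests inside a sliding `window`; lines are assumed to be in time order."""
    recent = defaultdict(list)
    alerted = set()
    alerts = []
    for rec in map(parse_line, lines):
        if rec is None or not rec["blocked"]:
            continue
        ip = rec["ip"]
        cutoff = rec["time"] - window
        # keep only this client's blocks that still fall inside the window
        recent[ip] = [t for t in recent[ip] if t >= cutoff] + [rec["time"]]
        if len(recent[ip]) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(recent[ip]),
                           "last_rule": rec["rule"], "at": rec["time"]})
    return alerts


def format_alert(alert):
    """Message body an operator would forward by e-mail or to the event log."""
    return (f"[{alert['at']:%Y-%m-%d %H:%M:%S}] {alert['ip']} triggered "
            f"{alert['count']} blocks in window; last rule {alert['last_rule']}")


if __name__ == "__main__":
    print(dict(summarise(SAMPLE_LOG)))
    for alert in find_alerts(SAMPLE_LOG):
        print(format_alert(alert))
```

The per-client window is what turns a flat log into something an administrator can act on: a single blocked HEAD request is noise, three blocks from the same address in two seconds is a scan worth looking at. How the formatted message is delivered (SMTP, the Windows event log, a pager) is a site choice and is left out here.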
Before rushing out and buying the software, it's worth considering a couple of options. IIS is the only web server that has so many different software guards, which doesn't show a high level of confidence in Microsoft.
Maybe Microsoft should be making IIS more secure. After all, there are many different web servers on the market. It may make more sense in the long run to move away from IIS and towards a proven, reliable software package such as Apache.
However, if you already have a lot of IIS machines, SecureIIS will at least give you back some of that lost confidence. It hasn't got any remote management capabilities, but it's easy to set up and does exactly what it says it will.
david_ludlow@vnu.co.uk
Product details
eEye SecureIIS
Price £309
Contact eEye +41 22 819 1713
www.eeye.com
Pros: Easy to configure; comprehensive list of countermeasures.
Cons: No remote management; reporting and alerting not present.