Re: Securing IIS

From: Aj Effin Reznor (aj@reznor.com)
Date: 04/23/02


To: focus-ms@securityfocus.com
Date: Mon, 22 Apr 2002 22:02:59 -0700 (PDT)
From: Aj Effin Reznor <aj@reznor.com>

To tend to both mails in one shot:

"Maher Odeh was known to say....."
>
> URLScan and eeye's Secure IIS both good once you get to configure them
> right
> there is a lot to do under eeye's secure IIS ( for example rules to
> prevent buffer overflows and disabling http methods etc ... )
> same goes for URLscan there's a file URLscan.ini that needs to be
> configured right ... so to answer your question they are both good
> once you configure them , for other tools check the following :

URLScan is rather lightweight in the overall scheme. SecureIIS is much
easier to use. URLScan for instance, to protect against buffer overflows
you need to hand edit an .ini file (I know, typical method for a lot of
people used to tweaking things) and prepend "max" in front of the variable
you want to apply a value to, then follow it with the particular value you
intend to set a cap on. Thing is, the variable that you prepend "max"
to.... is not listed anywhere. They are not included in the .ini file...
there is no master list included with URLScan. SecureIIS gives them all
to you in a convenient GUI interface. (as a side note, tweaking .ini files
is fine and all for most apps, but do you *really* want to let your server
security depend on it?)

URLScan is also a freebie from Microsoft. It's interesting to note that
the recent .ASP exploit found by eEye was protected against a version or
two ago in the SecureIIS product, but URLScan is now forked in its dev cycle
and comes in two variants, baseline and "SRP". Installing the baseline version
does not even protect against this new vulnerability. The "SRP" version
does, but it is far more restrictive and even more likely to cause problems
with web applications.

There are several "gotchas" that come along with URLScan and are not
documented by MS, either. It took quite a bit of trial and error to get it
to start to behave close to how it should. SecureIIS on the other hand
is obscenely straightforward with install and configuration. Consider
that URLScan 2.5 can only be installed on top of 1.0 or 2.0, and the
instructions on MS' Technet site on how to extract URLScan from the bundle it's
downloaded with *don't work*! (They inserted an extra character, I'll let
y'all figger out which one it is :)

>
> www.sanctuminc.com Appshield

Appshield is a bit different than SecureIIS and URLScan (they build themselves
inside of IIS, Appshield sits in front of it as a proxy).

Thing that gets me about it is they link to an "unbiased" *cough* article
stating:
        "I experienced some delays and discovered that AppShield needs a
        supplementary firewall, but in the end, the product successfully blocked
        most of the shenanigans I was trying to pull."

That just doesn't sound entirely kosher, sorry.

> http://home.ie.cuhk.edu.hk/~msng0/twhttpd/

Another proxy. Just not fond of them.

> -----Original Message-----
> From: Peter Louies [mailto:peter@pixeldesign.be]
> Sent: Saturday, April 20, 2002 3:44 AM
> To: focus-ms@securityfocus.com
> Subject: Securing IIS
>
>
> Hi,
>
> Is anyone recommending URLScan (from Microsoft) or Secure IIS (from
> www.eeye.com)? Besides the price, which one should be the best or are
> there
> other tools like this that I should take a look at? I've downloaded them
> both now (Secure IIS is installed on the server) but I want some experts
> advice.

One of the two is free, and you *do* get what you pay for (or in this case,
aren't paying for). Most people seem to prefer something that's supported
from a notable research company than something written to fix an issue by
the same company that didn't avoid the issue in the first place ;)

>
> Thanks in advance, Peter.
>

"Don't mention it." :)

-aj.
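Added example, not code from URLScan, SecureIIS, or anyone on this thread: a small Python model of the two rule types the thread discusses, per-field length caps (the "max" entries) and an allowed-verb list, applied to raw HTTP requests. The .ini key names below are assumed for this example in an urlscan.ini-like layout; consult the product's own documentation for the names it actually accepts. The sample requests are constructed.

```python
import configparser

# Constructed sample policy in an urlscan.ini-like layout. Key names are
# assumed for this example, not taken from the real product.
SAMPLE_INI = """\
[AllowVerbs]
GET
HEAD
POST

[RequestLimits]
MaxUrl=260
MaxQueryString=2048
MaxAllowedContentLength=30000
Max-Host=100
Max-User-Agent=200
"""


def load_policy(ini_text):
    """Parse the .ini into (allowed verbs, global limits, per-header limits)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep key case so "Max-Host" survives intact
    cp.read_string(ini_text)
    verbs = {v.upper() for v in cp["AllowVerbs"]}
    limits, header_limits = {}, {}
    for key, value in cp["RequestLimits"].items():
        if key.startswith("Max-"):
            # "Max-" + header name caps the length of that one header value
            header_limits[key[4:].lower()] = int(value)
        else:
            limits[key] = int(value)
    return verbs, limits, header_limits


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def check_request(raw, policy):
    """Return rejection reasons; an empty list means the request passes the filter."""
    verbs, limits, header_limits = policy
    method, target, headers, body = parse_request(raw)
    reasons = []
    if method.upper() not in verbs:
        reasons.append(f"verb {method} not in AllowVerbs")
    # MaxUrl is applied to the path and MaxQueryString to the query separately
    # (a design choice for this example).
    path, _, query = target.partition("?")
    no_cap = float("inf")
    if len(path) > limits.get("MaxUrl", no_cap):
        reasons.append(f"URL length {len(path)} exceeds MaxUrl={limits['MaxUrl']}")
    if len(query) > limits.get("MaxQueryString", no_cap):
        reasons.append(f"query string length {len(query)} exceeds "
                       f"MaxQueryString={limits['MaxQueryString']}")
    if len(body) > limits.get("MaxAllowedContentLength", no_cap):
        reasons.append(f"body length {len(body)} exceeds "
                       f"MaxAllowedContentLength={limits['MaxAllowedContentLength']}")
    for name, cap in header_limits.items():
        value = headers.get(name, "")
        if len(value) > cap:
            reasons.append(f"header {name} length {len(value)} exceeds cap {cap}")
    return reasons


POLICY = load_policy(SAMPLE_INI)

# Constructed sample requests exercising each rule.
GOOD = ("GET /default.asp?id=7 HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: constructed-client/1.0\r\n\r\n")
BAD_VERB = "TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_QUERY = ("GET /default.asp?id=" + "A" * 3000 +
              " HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
LONG_HOST = "GET / HTTP/1.1\r\nHost: " + "h" * 150 + "\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("bad verb", BAD_VERB),
                       ("long query", LONG_QUERY), ("long host", LONG_HOST)]:
        print(label, "->", check_request(req, POLICY) or "allowed")
```

Everything that is not explicitly allowed or within a cap is rejected with a reason, which is the same deny-by-default behaviour that makes these filters break web applications when the caps are set too tight, so log the reasons rather than silently dropping requests while tuning.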