IIS Security - Using a Linux Box as a Sentry?

Steven Yi asks: "This is a suggestion - why not consider IIS an 'application server', similar to the way we consider BEA WebLogic an app server? Continue using your Windows Servers to process your programming logic and ASP pages - but use a box running Apache as your true web server. This is the way many other app-server-driven hardware setups work. Internet --> (Apache Web Server) --> (IIS 'App Server'). The obvious point is that there isn't an Apache plugin to redirect Microsoft/ASP page requests, but couldn't this be written fairly quickly? I think this would be a much cheaper migration path where existing Microsoft applications/hardware can be preserved and your internet security would be greatly enhanced with a Linux/UNIX Apache server guarding the internet connection." Many savvy readers should realize that a mod_rewrite + mod_proxy combination should be all you need to implement such a feature. Has anyone deployed something similar for their production systems?
  • by crisco ( 4669 ) on Saturday September 29, 2001 @04:50PM (#2368801) Homepage
    There was an article titled Securing an Unpatchable Webserver that detailed an IIS 3.0 server that had a custom application that wouldn't run on newer IIS. Microsoft's solution to one of the IIS 3 vulnerabilities was upgrading to IIS 4 or greater, but because of the custom app this wasn't a short-term option. These guys set up a box with Hogwash [sourceforge.net] and Snort [snort.org] to filter the requests to the IIS server.

    Unfortunately the article seems to have disappeared but you might have better luck finding it than I did.

  • Hardware device? (Score:3, Insightful)

    by mini me ( 132455 ) on Saturday September 29, 2001 @08:30PM (#2369282)
    Here is an opportunity to sell a network appliance that you can just drop into your network and have it secure your IIS server.
    Just put a simple installation of Linux/*BSD/etc. and a copy of Apache+modules to do this. Put a web-based administration utility on it for configuring IP addresses and what-not and let it do its thing. You could also include an update system (something along the lines of Norton Antivirus LiveUpdate) that grabs updates so it can filter any new HTTP requests that show up that can harm an IIS server, as well as any holes that may show up in the appliance itself.

    PHB's seem to be fond of "black boxes" even if they do run Linux. But there is no way that they'd ever allow a regular old computer run Linux, it's not the Microsoft way! Oh, the irony, but anyway.
    I think it is now time to find myself a nice embedded computer...
  • by dkemist ( 199970 ) on Saturday September 29, 2001 @09:31PM (#2369363)
    Adding an HTTP forwarder in front of an IIS server isn't going to help for pure HTTP based attacks. If there's a legitimate HTTP request that IIS is going to mishandle, Apache in proxy mode will happily forward on that HTTP request and let IIS choke on it.

    Clueful admins can use something like mod_rewrite to sanitize HTTP requests and deny suspect (i.e. too long, contains a specific string..) URL requests, but if I remember correctly, even mod_rewrite doesn't let you rewrite stuff like Host: headers, which can be abused as well.

    I'm not saying it's a bad solution. In fact, I've suggested it in the past. It just has to be implemented carefully. It's not going to be a drop in black box solution the PHB likes.
    • Most of the attacks on IIS have had very predictable URL structures, which could easily be filtered out. The classic one is of the form:

      http://www.microsoft.com/scripts/../../winnt/system32/cmd.exe?/c+dir

      Stuff like this, or URLs containing Unicode characters or known-bad sequences like ::$DATA, would be easy to filter out. In fact, Microsoft has a program designed to install on IIS servers to do just that, called something like URLCheck, I forget exactly. This job could just as easily be done by a separate dedicated box, with a config page to allow the level of paranoia to be specified, or new URL blocking templates to be installed.

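The filtering the two comments above call for (decode first, then deny traversal, encoded or Unicode characters, ::$DATA, blocked extensions, unexpected methods and Host headers), as an added example in Python that is not from the thread or from any of the tools it names; the policy values, function names and sample requests are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed policy for the example; a real deployment derives these from the app.
ALLOWED_HOSTS = {"www.example.com"}      # Host header values the site actually serves
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_EXTENSIONS = (".exe", ".ida")   # the extensions named in the thread
MAX_PATH_LEN = 1024                     # "too long" URLs, as the thread puts it

def normalize_path(raw):
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e are both
    seen as '..', then fold backslashes so ..\\.. is seen as ../.. too."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def check_request(method, path, headers):
    """Return (allowed, reason). Every check runs on the decoded form: the
    IIS traversal bugs came from matching before decoding, not after."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method"
    host = headers.get("Host", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return False, "host"
    if len(path) > MAX_PATH_LEN:
        return False, "length"
    norm = normalize_path(path)
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in norm):
        return False, "non-ascii"        # overlong/Unicode encodings, control bytes
    if "::$DATA" in norm.upper():
        return False, "ntfs-stream"
    file_part = norm.split("?", 1)[0]
    if ".." in file_part.split("/"):
        return False, "traversal"
    if file_part.lower().endswith(BLOCKED_EXTENSIONS):
        return False, "extension"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample requests, including the classic traversal URL quoted above.
    hdrs = {"Host": "www.example.com"}
    for method, path in [("GET", "/default.asp"),
                         ("GET", "/scripts/../../winnt/system32/cmd.exe?/c+dir"),
                         ("GET", "/scripts/..%255c../winnt/")]:
        print(path, check_request(method, path, hdrs))
```

Only requests that return `ok` would be handed to mod_proxy; everything else is answered by the front box and never reaches IIS.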
  • Proxying stuff to IIS behind is only safe if your proxy filters out stuff.

    If it just hands unhandled stuff over verbatim it won't help.

    I figure if you can't or don't want to fix the broken IIS webserver/apps you should look at Sanctum Appshield.

    www.sanctuminc.com

    Expensive but that's what you pay for not getting it right at the start.

    I have no links to Sanctum Inc. But I thought of a similar idea before: everything not explicitly allowed by the webpages or admin is denied, and found out these guys are already doing it.

    Have fun,
    Link.
  • Macromedia's ColdFusion Server can be configured in this manner. The instructions for Version 5 can be downloaded here [allaire.com]. The instructions for Version 4.51 can be downloaded here (Linux/Solaris) [allaire.com] and here (NT) [allaire.com]. There is a performance hit in configuring this way, though I don't have specific benchmarks.
  • Just use URLScan (Score:3, Interesting)

    by TheRealSlimShady ( 253441 ) on Sunday September 30, 2001 @10:57PM (#2372214)
    Just download and install URLScan [microsoft.com] from Microsoft. It's an ISAPI plugin for IIS that filters requests before the rest of the web server sees them. It can forbid access to URLs based on extensions (e.g. .exe, .ida), and those URLs that use encoded characters. It also lets you rewrite the server header (I'm currently reporting my IIS 5.0 server as Apache), as well as restricting what HTTP commands you can send to the server.
