Whether using the Internet to link customers with your products, a virtual private network (VPN) to link trusted vendors with your solutions, or a private Wide Area Network (WAN) to link employees with your sites and servers -- security is crucial to protect your company's data. While there is no guarantee that your servers won't get hacked, you can take steps today to build a fortified fortress and take a defensive posture and become a bastion against hackers.
We complete our three-part series on protecting your Web server with a focus on Internet Information Services (
Understanding ISAPI filters
Internet Server Application Programming Interface (ISAPI) filters modify the default behavior of your IIS server: how the Web server handles events triggered by HTTP requests, and how IIS handles URL mapping requests. In addition, you can use filters to monitor HTTP transactions, implement authentication and logging, and support compression. Your company may require further customization of IIS and may need to write its own ISAPI filters. At a minimum, install a filter that handles the event raised when access is denied: IIS passes your filter a pointer to the "HTTP_FILTER_ACCESS_DENIED" data structure, and your filter must register for the "SF_NOTIFY_ACCESS_DENIED" event in order to receive it.
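To make that registration concrete, here is an added example filter skeleton (written for this page, not code from the article or from Microsoft) that registers for the access-denied event and turns the HTTP_FILTER_ACCESS_DENIED data into a log line. The filter description string, the reason labels and the non-Windows stand-in type definitions are assumptions; the Windows build relies on the real httpfilt.h.

```c
/* Added example, not from the article: a minimal ISAPI filter that registers for
 * SF_NOTIFY_ACCESS_DENIED and logs what the HTTP_FILTER_ACCESS_DENIED struct reports.
 * On Windows build it as a DLL against <httpfilt.h>; elsewhere the stand-in
 * definitions below (assumed to mirror that header) let it compile and run offline. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <httpfilt.h>
#else
typedef unsigned long DWORD; typedef int BOOL; typedef void *LPVOID;
#define WINAPI
enum { HTTP_FILTER_REVISION = 0x00040000, SF_NOTIFY_ACCESS_DENIED = 0x00000800,
       SF_NOTIFY_ORDER_LOW = 0x00020000, SF_STATUS_REQ_NEXT_NOTIFICATION = 0x8000002,
       SF_DENIED_LOGON = 1, SF_DENIED_RESOURCE = 2, SF_DENIED_FILTER = 4,
       SF_DENIED_APPLICATION = 8, SF_DENIED_BY_CONFIG = 0x10000 };
typedef struct { DWORD dwServerFilterVersion, dwFilterVersion; char lpszFilterDesc[257];
                 DWORD dwFlags; } HTTP_FILTER_VERSION, *PHTTP_FILTER_VERSION;
typedef struct { const char *pszURL, *pszPhysicalPath; DWORD dwReason; } HTTP_FILTER_ACCESS_DENIED;
typedef struct { DWORD cbSize; } HTTP_FILTER_CONTEXT, *PHTTP_FILTER_CONTEXT;
#endif
static char g_last_log[512];  /* most recent log line, kept so it can be inspected */

/* Translate the dwReason bit IIS set into a short label for the log line. */
static const char *deny_reason(DWORD r) {
    if (r & SF_DENIED_LOGON)       return "logon";
    if (r & SF_DENIED_RESOURCE)    return "resource-acl";
    if (r & SF_DENIED_FILTER)      return "filter";
    if (r & SF_DENIED_APPLICATION) return "application";
    if (r & SF_DENIED_BY_CONFIG)   return "config";
    return "unknown";
}
/* Called once at load: dwFlags registers the events wanted plus the filter priority. */
BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer) {
    pVer->dwFilterVersion = HTTP_FILTER_REVISION;
    snprintf(pVer->lpszFilterDesc, sizeof pVer->lpszFilterDesc, "Access-denied logging filter");
    pVer->dwFlags = SF_NOTIFY_ACCESS_DENIED | SF_NOTIFY_ORDER_LOW;
    return 1;
}
/* Called for each registered event; for access denied, pvNotification is the struct above. */
DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc, DWORD type, LPVOID pvNotification) {
    const HTTP_FILTER_ACCESS_DENIED *ad = (const HTTP_FILTER_ACCESS_DENIED *)pvNotification;
    (void)pfc;
    if (type == SF_NOTIFY_ACCESS_DENIED)  /* a real filter would append this to its log file */
        snprintf(g_last_log, sizeof g_last_log, "ACCESS_DENIED url=%s path=%s reason=%s",
                 ad->pszURL, ad->pszPhysicalPath, deny_reason(ad->dwReason));
    return SF_STATUS_REQ_NEXT_NOTIFICATION;  /* let IIS carry on with the request */
}
const char *last_access_denied_log(void) { return g_last_log; }
```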
By default, Microsoft doesn't load any site-level ISAPI filters after an IIS 5 installation unless you have also installed Exchange Server (which I don't recommend on the same machine), in which case you'll notice the "Microsoft Exchange Web Component" filter (exchfilt.dll) loaded and set to low priority. A filter is a DLL that runs in the server process, which you link to a particular event activated by an HTTP request.
At the Master level (active for all Web sites), you will notice four filters installed and loaded (out of roughly 24 native filters):
- Sspifilt.dll: Secure Sockets Layer (SSL) support. This filter is set to high priority and is invoked first, if found. Remove this filter and DLL if you don't plan to use SSL (port 443) on any of the Web sites hosted on your Web server. Don't remove this filter if you are hosting multiple Web sites on your Web server and SSL will be required on at least one of them. This filter works only at the Master level, and therefore deleting it would remove SSL support for all of the Web sites.
- Compfilt.dll: HTTP compression support. This filter is also set to high priority and is invoked second, if found. Remove this filter and DLL if you don't plan to use the compression feature of IIS.
- Md5filt.dll: Digest Authentication support. This filter is set to low priority and is invoked third, if found. Remove this filter and DLL if your Web server is isolated from an Active Directory server configured for this type of authentication.
- Fpexedll.dll: FrontPage support. This filter is also set to low priority and is invoked fourth, if found. Remove this filter and DLL if you don't plan to support compatibility for FrontPage.
Monitor your filters periodically and check for the green up-arrows as a healthy indicator that the DLLs are properly loaded and working. Filters are loaded beginning with the first DLL in the list.
Have you implemented an application protocol firewall for your IIS Web server? Although ISAPI filters (e.g., the URLScan security tool) provide additional protection at the IIS level, they are not a substitute for a Web application protocol firewall. Let's take a closer look at security through filters and a brief look at application-layer firewalls.
Security through ISAPI filters
No doubt, ISAPI filters offer greater control at the IIS level to strengthen your Web server security. Take advantage of the power of security filters to customize and solidify your IIS server. You may have heard that the infamous URLScan filter has blocked more than just Nimda or Code Red attacks, but when properly configured it gives you a more secure -- yet still operational -- IIS server. The key is to balance and test your Web application requirements and IIS-related dependencies against the appropriate amount of security, so that you operate a Web site that is both secured and functional.
Although we have covered some of the settings included in URLScan in this series, these settings are also available in the Metabase. It makes sense to acknowledge the IIS Lockdown Wizard and URLScan as powerful weapons for your security arsenal. The ultimate security (in my opinion) is found in knowing and understanding each parameter that makes up the Metabase. Taking a manual approach to the intricate components of IIS will provide you with the underlying details you need to build a comprehensive knowledge base.
When was the last time that you updated your URLScan filter (urlscan.dll)? The current version is 2.5 and offers several features not found in the previous versions. Have you replaced your URLScan with URLScan-SRP, which restricts uploads to your IIS server to 30 MB and blocks chunked encoding transfers? If you haven't installed URLScan, begin by downloading the IIS Lockdown Wizard today, which includes version 2.0 of URLScan. The Wizard is available at this link: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=43955.
Once you have installed URLScan version 2.0, upgrade it to version 2.5: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp.
A Web application protocol firewall that converges the attributes of a network firewall and an intrusion detection system (IDS) is here, providing greater Web security with the capability to monitor traffic bound for IIS and to catch attacks that "do not follow recognized patterns." Application protocol firewalls are designed to operate at layer seven of the OSI model and intrinsically control IIS (as an ISAPI filter) by proactively inspecting and verifying inbound and outbound data. Web servers are protected from attacks over SSL-encrypted sessions (port 443/HTTPS), unencrypted sessions (port 80/HTTP), and other potential security breaches.
Application-layer firewalls exceed the level of security offered by traditional network-layer firewalls and IDS, which lack proper filtering of specific Web attacks, or can only detect attacks based on known signatures as their primary criterion for blocking intruders. An application-layer firewall is tightly integrated into your Web server to achieve greater security: it embeds itself into IIS through ISAPI and uses many security filters -- as opposed to a single static database of signatures that requires updating on a regular basis.
The key to security is to implement and maintain layered security on an ongoing basis, addressing all of the potential threats against every layer of the OSI model while preserving the critical application functionality and IIS-related dependencies essential for your Web servers to deliver your services and products securely. Whether using the Internet to link customers with your products, a VPN to link trusted vendors with your solutions, or a private Wide Area Network (WAN) to link employees with your sites and servers, security is crucial to protect your company's data from all of the above. There's no guarantee that your servers won't get hacked, but you can take steps today to build a fortified fortress, take a defensive posture, and become a bastion against hackers.
If you're serious about security, you must pay attention to security details and leave no room for hackers.
In the absence of network security, there exists an opportunity for intrusion.
Please write to me or visit my Web site (www.medinasystems.com) and let me know if this series has brought to light any potential weak links in your network.
Luis Medina is the author of "The Weakest Link Series," which offers network managers an opportunity to identify ongoing network security issues. Luis also answers security questions in our Ask-the-Expert section. Submit a security question to Luis here or view his previously answered Ask-the-Expert questions.
This was first published in December 2002