Name of tool: Secure IIS/Enterprise Web Protector (EWP)
Company name: Eeye Digital Security
Price: $995 single server for Secure IIS, $20,000 for five-server group management pack for EWP
Platforms supported: Windows NT and 2000 running Microsoft IIS V4 and V5, with appropriate service packs Strom-meter:
** = A tad shaky to install and use but has some value. Key features:
It can lock down your IIS Web server and keep it out of harm's way. Pros:
Not so easy to setup in an enterprise setting, easier to deploy
Keeps your Microsoft IIS Web server secure Cons:
IIS V6 support (for Windows Server 2003) forthcoming
Complex software installation that depends on several Microsoft products
Your Web server is the weakest link, and it is an especially weak one when it comes to running Microsoft's Internet Information Server (IIS). There are a variety of ways that you can protect yourself -- locking down its numerous loopholes, installing an application-level firewall, putting IIS on its own isolated DMZ network. An alternative is to use Eeye's Secure IIS and Enterprise Web Protector software tools.
Why two products? Actually, there are several modules that you'll need to protect more than one Web server across your enterprise. If you just have a single server, then by all means get Secure IIS and you'll be done. But if you have more than one you'll need to get EWP, and with it come a variety of modules that work together to coordinate the protection and manage the multiple servers, collect reports and handle various events.
My initial tests showed that Secure IIS delivers the goods, although it will take some effort to make sure that you are as protected as you think you are.
The trouble is its user interface. There are two basic consoles between the two products with many different screens, reports and configuration parameters to check and scroll through. For example, the tabbed dialogue boxes read as follows: buffers, methods, shellcode, keywords, protect, folders, Web applications, errors. To really understand this product, you first need to understand the weaknesses of IIS and the various means that hackers use to penetrate Microsoft's Web server. Some of the exploits are grouped randomly under one tab or another, just to make things a bit more confusing. The whole product could use a better online help and more thorough descriptions to guide users along.
Granted, the product does a reasonably good job of setting up its protection without having to muck through this, but you'll still need to spend some time studying the bits and pieces, especially when you are using the Enterprise Web Protector and especially when you block off areas of your Web site that you didn't intend to. If you are a big Cold Fusion shop, for example, you will have to get inside Secure IIS and mess with some of the settings to get everything working properly.
When you have several servers running Secure IIS, you'll want to make use of the Event Manager portion of EWP to manage entire Web server farms and groups of servers. This stores critical information on a SQL Server database. You install software agents on each of your Web servers that you want to protect, and then manage them from a central console. The central console software needs some work as well. It is nicely organized by events, tasks and reports, but there is a large number of each to scroll through, analyze and understand. When an attack is in progress, you want to be able to immediately find the security loophole and fix it. What this product needs is a more birds-eye view of your Web application's framework and the ability to drill down and immediately locate where and how something has gone wrong.
Secure IIS currently runs on Version 4 and 5 IIS servers. Support for Version 6 (the server found in Windows Server 2003) is promised soon, according to company representatives.
**** = Very cool, very useful.
*** = Hey, not bad. One notch below very cool.
** = A tad shaky to install and use but has some value.
* = Don't waste your time. Minimal real value.
David Strom is the technology editor for VARBusiness magazine. He has tested hundreds of computer products over the past two decades working as a computer journalist, consultant and corporate IT manager. Since 1995 he has written a weekly series of essays on Web technologies and marketing called Web Informant. You can send him e-mail at email@example.com.
For more information on this topic, visit these resources:
- Featured Topic: Securing Web servers
- Security Product Roundup: Securing servers: Vendors offer everything from common sense to rocket science
- Tech Tip: MBSA can help protect your Web server
This was first published in June 2003