Keeping an eEye on IIS Web Server

The main EWP solution workhorse and source of events is SecureIIS. A security-enhancing ISAPI plugin for IIS, SecureIIS protects against known and unknown vulnerabilities. Windows administrators familiar with Microsoft's URLScan will find SecureIIS easy to navigate; plus, it offers more features and granularity than URLScan. In many ways, SecureIIS acts as a host-based HTTP protocol firewall, inspecting each request and looking for signs of attack. SecureIIS focuses on global HTTP request aspects, which is more than enough to protect your Web server, but not necessarily enough to protect your Web applications. Unlike a true Web application proxy/firewall, it does not inspect or enforce hidden form fields, cookie tampering and so on.

Monitoring Events

The REM Events Server is the main collection point for SecureIIS events, including policy violations, attack attempt notifications and administrative notices related to SecureIIS configuration. An REM Events Server Client is installed on each individual SecureIIS machine, and it is responsible for taking the SecureIIS events and sending them to the REM Events Server in a secure manner using public/private key encryption. Once the REM Events Server receives the event, it is placed in a preexisting ODBC-compliant database. This version of REM Events Server requires you to provide your own database server software. I would like to have had a database engine included--specifically, Microsoft's free MSDE engine.

After the events are safely tucked into the database, there are two ways to view them. The first way is to have the REM Events Server export all events to the Windows event log, allowing other event management systems like Tivoli or HP OpenView to pick up the log events. This allows integration into existing helpdesk/IT event management infrastructure. The second way to view events collected by the REM Events Server is to use the REM Events Manager, a multiuser Web portal application that installs into an existing IIS server. It allows viewing, searching and reporting of received events.

The REM Events Manager is designed to act as an IT helpdesk or trouble-ticket system. Incoming events can be sifted and automatically delegated to the appropriate personnel for action; delegated events are tracked until completion. The REM Events Manager can produce myriad reports, detailing information such as events, tasks and the top 20 event types grouped by severity, source or destination.Watch it Run

It wasn't difficult to install the components; preparing the database to use REM Events Server was the biggest hurdle of the entire installation process. Fortunately, the purchase of an EWP solution from eEye includes an engineer installation visit. You don't need to worry about installation nuances beyond the integration of future additional SecureIIS clients. Luckily, I found incorporating a new SecureIIS install into the EWP framework a piece of cake. You simply install SecureIIS like normal, then install the REM Events Server Client and supply the public key produced by your REM Events Server.

Once all the components were installed and configured, I tested EWP by triggering a few choice Unicode attacks against my SecureIIS-protected Web server. The attack alerts showed up on the REM Events Manager alerts Web page, and I could view the particulars of each event as well as assign them for handling and remediation.

My main disappointment with EWP is its inability to manage the actual SecureIIS configuration. Fortunately, SecureIIS allows you to import a central configuration policy file. It would be nice, however, if that central policy was integrated into the REM Events Manager.

I also encountered a few minor annoyances. Rule construction for the automatic assigning of predefined incoming events is a bit inflexible and general in nature. The event search functionality is limited to keyword searches of the generic event titles, rather than event specifics, which makes it nearly impossible to search for events generated by a specific source IP address.It should be obvious that the EWP solution is only applicable to Windows IIS sites either having or looking to have moderate to large-scale SecureIIS deployments. The cost-effectiveness of using eEye's REM components is largely based on the number of eEye products plugged into it. If you currently use eEye products, or you're a Windows shop looking to deploy a from-start-to-finish security event management solution for your IIS Web sites, it would be worthwhile to look at eEye EWP as an event management candidate.

Jeff Forristal is a senior security consultant for Neohapsis.

Post a comment or question on this story.