Protecting IIS Web Servers With URLScan and SecureIIS


QuocNH

The Microsoft IIS web server, widely used on the Internet, was hit in July 2001 by the Code Red worm and shortly afterwards by Nimda. Both worms spread by exploiting vulnerabilities in IIS: they send specially crafted HTTP requests that trigger the flaw (Code Red a buffer overflow in the Index Server ISAPI extension reached through .ida requests, Nimda among other vectors directory-traversal requests that reach cmd.exe) and then execute commands on the compromised server. With URLScan or SecureIIS, an IIS web server can be protected against this class of request.

URLScan is a free Microsoft tool that lets administrators harden a web server running IIS. Installed as an ISAPI filter alongside IIS, URLScan inspects every request that reaches the web server and allows or rejects it according to rules set by the administrator. Specially crafted requests can thus be detected and filtered before they reach the component they target, reducing the risk of a successful attack on the server.

Using URLScan

Download URLScan from the Microsoft web site:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32571

URLScan can be installed automatically (by double-clicking URLScan.exe) or added manually as an ISAPI filter on the IIS server.

When installed in automatic mode, URLScan is placed in the directory %windir%\system32\inetsrv\urlscan and the filter is loaded in the background every time the IIS service starts. To make sure URLScan is installed correctly, check that the files urlscan.dll and urlscan.ini are present in that directory.

To add the URLScan to the ISAPI filter manually, you can do the following:

  • Extract URLScan to a temporary directory

  • Copy the urlscan.ini and urlscan.dll files to a local directory

  • Right-click on Internet Information Services in the Microsoft Management Console and select Properties

  • Select "WWW Service" under "Master Properties" and click "Edit"

  • Select the "ISAPI Filters" tab and click "Add"

  • In the "Filter Properties" dialog, type "URLScan" (or any name you like) in "Filter Name" and the path to the urlscan.dll file in "Executable"

  • Click "OK" and restart the IIS service

Once loaded, the filter inspects every request sent to the web server and allows or rejects it according to the rules in urlscan.ini. Because an ISAPI filter runs before the request is dispatched to the script engine or ISAPI extension, a request matching a known attack pattern is rejected before it can reach the vulnerable component; with the rules set up correctly, the server's exposure is reduced accordingly.

All rules live in urlscan.ini, organised in sections: [options] holds global switches, and list sections such as [AllowVerbs]/[DenyVerbs], [AllowExtensions]/[DenyExtensions], [DenyUrlSequences] and [DenyHeaders] name the HTTP verbs, file extensions, URL character sequences and request headers to allow or deny. A deny list only blocks what you have already thought of; where the site's content is well defined, the allow-list settings (UseAllowVerbs=1, UseAllowExtensions=1) are the stronger configuration. After every change to urlscan.ini the IIS service must be restarted (for example with iisreset) for the new rules to take effect.
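To make the rule sections concrete, the following Python script is an added example (not Microsoft's URLScan code, and not part of the original article) that models how a urlscan.ini file with [options], [AllowVerbs], [DenyExtensions] and [DenyUrlSequences] sections is applied to incoming requests. The ini text and the sample requests are constructed for this example; the requests are modelled on the shapes of the Code Red (.ida) and Nimda (directory traversal) attacks mentioned above. Only a subset of URLScan's behaviour is modelled: header and length checks, logging, and the exact semantics of AllowDotInPath (modelled here as "a dot in a directory segment") are simplified or left out.

```python
"""Simplified model of how URLScan applies urlscan.ini rules to requests.
Added example, not Microsoft's URLScan code: only the verb, extension and
URL-sequence checks and a few [options] switches are modelled."""
from urllib.parse import unquote

# Constructed fragment in urlscan.ini format: ';' comments, one entry per line.
SAMPLE_INI = """[options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowDotInPath=0

[AllowVerbs]
GET
POST

[DenyExtensions]
.ida
.idq
.printer
.exe
.bat
.cmd

[DenyUrlSequences]
..
./
\\
:
%
&
"""

# Constructed requests modelled on the worm traffic the article mentions.
SAMPLE_REQUESTS = [
    ("GET", "/index.htm", "ordinary page"),
    ("GET", "/default.ida?NNNNNNNNNNNNNNNNNNNNNNNN", "Code Red style .ida request, shellcode omitted"),
    ("GET", "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir", "Nimda style traversal"),
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", "double-encoded traversal"),
    ("PUT", "/upload.htm", "verb not in [AllowVerbs]"),
    ("GET", "/site.v2/page.htm", "dot in a directory name"),
]


def parse_urlscan_ini(text):
    """Parse urlscan.ini text: {section: [entries]}, with [options] as a dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {} if current == "options" else [])
        elif current == "options":
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        elif current is not None:
            sections[current].append(line)
    return sections


def check_request(rules, verb, url):
    """Return (allowed, reason) for one request under the parsed rules."""
    opts = rules.get("options", {})
    if opts.get("UseAllowVerbs") == "1" and verb not in rules.get("allowverbs", []):
        return False, f"verb {verb} not in [AllowVerbs]"

    scan_url = url
    if opts.get("NormalizeUrlBeforeScan") == "1":
        scan_url = unquote(url)
        # Still changing on a second decode means double-encoding (e.g. %255c for '\').
        if opts.get("VerifyNormalization") == "1" and unquote(scan_url) != scan_url:
            return False, "URL changes on second decode (double-encoding)"

    for seq in rules.get("denyurlsequences", []):
        if seq.lower() in scan_url.lower():
            return False, f"URL contains denied sequence {seq!r}"

    segments = [s for s in scan_url.split("?", 1)[0].split("/") if s]
    if opts.get("AllowDotInPath") != "1" and any("." in s for s in segments[:-1]):
        return False, "'.' in a directory segment (AllowDotInPath=0)"

    last = segments[-1] if segments else ""
    ext = last[last.rfind("."):].lower() if "." in last else "."  # '.' = no extension
    if ext in [e.lower() for e in rules.get("denyextensions", [])]:
        return False, f"extension {ext!r} in [DenyExtensions]"
    return True, "allowed"


def scan_all(ini_text=SAMPLE_INI, requests=SAMPLE_REQUESTS):
    """Run the sample requests through the rules: {url: (allowed, reason)}."""
    rules = parse_urlscan_ini(ini_text)
    return {url: check_request(rules, verb, url) for verb, url, _ in requests}


if __name__ == "__main__":
    for (verb, url, note), (ok, why) in zip(SAMPLE_REQUESTS, scan_all().values()):
        print(f"{'ALLOW' if ok else 'DENY ':5} {verb} {url}  [{note}: {why}]")
```

Running the script prints one line per sample request with the rule that rejected it. The double-encoded traversal is the case worth noting: after one decode it still contains `%5c`, so a single normalisation pass would miss the `..\` it hides, which is what VerifyNormalization=1 is for.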

While running, URLScan writes the file urlscan.log in the same directory as urlscan.dll, recording its own start-up and shutdown and every rejected request. Review this log regularly: the rejected requests show what the server is actually being probed with.

Further details on URLScan can be found on Microsoft's web site.

SecureIIS

eEye Digital Security also offers SecureIIS, a tool that protects an IIS server against requests that could be dangerous to the system. SecureIIS works in the same way as URLScan, but has a more convenient interface and better installation instructions.
A 15-day trial of SecureIIS is available for download.

More information about SecureIIS can be found at: http://www.eeye.com/html/Products/SecureIIS/

References:
- Protect IIS with the URLScan Security Tool - Steven Warren
- URLScan Security Tool