Once you fully understand how to secure IIS by hand, it never hurts to double-check your work. Fortunately, a growing set of automated tools, from Microsoft's own lockdown and request-filtering utilities to third-party vulnerability scanners, is making this task easier. In this section we list the most popular tools for hardening and checking IIS and describe their advantages and disadvantages.
IIS Lockdown Tool
Microsoft has released the IIS Lockdown Wizard, which provides templates for the major IIS-dependent Microsoft products (server roles). The wizard works by turning off features the selected role does not need, thereby reducing the attack surface available to attackers. In addition, the IIS Lockdown Wizard now integrates URLScan (described below), with a customized URLScan template for each supported server role.
To download IIS Lockdown Wizard, visit the following site: http://www.microsoft.com/technet/security/tools/locktool.asp.
URLScan Security Tool
Microsoft has also developed URLScan, a tool that lets Web server administrators restrict which requests their servers will accept. URLScan is installed as an ISAPI filter, so it sees every incoming request before IIS processes it, and it rejects requests that violate rules set by the administrator. This improves the security of the server by helping ensure that it responds only to requests that look legitimate.
URLScan works by screening the Web server from unusual requests. For instance, an attack might consist of an extremely long request, a request using an unusual verb, a request encoded using an alternate character set (high-bit or double-encoded characters), or a request that includes character sequences rarely seen in legitimate traffic, such as ".." for directory traversal. By rejecting such requests before IIS processes them, URLScan can prevent them from reaching vulnerable code.
To download URLScan, visit the following site: http://www.microsoft.com/technet/security/tools/URLscan.asp.
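To make the filtering rules concrete, the following is an added example (not URLScan's code, nor anything shipped by Microsoft): a small Python reimplementation of the checks just described, driven by a constructed policy written in the layout of urlscan.ini. The section names ([Options], [AllowVerbs], [DenyHeaders], [DenyExtensions], [DenyUrlSequences], [RequestLimits]) are URLScan's; the values are an illustrative lockdown rather than the tool's shipped defaults, the order in which the checks run is assumed, the "dot in path" rule is approximated as "more than one period in the path", and the sample requests are constructed for the demonstration.

```python
"""URLScan-style request filtering, reimplemented in Python for illustration.

Added example, not URLScan's code. POLICY_INI is a constructed fragment in the
layout of urlscan.ini; the requests in SAMPLE_REQUESTS are constructed. The
check order (verb, normalization, high-bit, dots, extension, sequences,
headers, limits) is an assumption made for this example.
"""
import configparser
from urllib.parse import unquote_to_bytes

POLICY_INI = r"""
[Options]
UseAllowVerbs=1
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyExtensions]
.exe
.bat
.cmd
.ida
.htr

[DenyUrlSequences]
..
./
\
:
%

[RequestLimits]
MaxUrl=260
MaxQueryString=2048
"""


def load_policy(text):
    """Parse a urlscan.ini-style policy; bare lines become keys with value None."""
    cp = configparser.RawConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep the case of verbs, header names and sequences
    cp.read_string(text)
    return cp


def check_request(policy, method, raw_url, headers):
    """Return (allowed, reason) for one request; raw_url is the URI as received."""
    opts, limits = policy["Options"], policy["RequestLimits"]
    if opts.getboolean("UseAllowVerbs") and method not in policy["AllowVerbs"]:
        return False, "verb"
    once = unquote_to_bytes(raw_url)            # NormalizeUrlBeforeScan: decode %xx once
    if opts.getboolean("VerifyNormalization") and unquote_to_bytes(once) != once:
        return False, "normalization"           # decoding again changed it: double-encoded
    if not opts.getboolean("AllowHighBitCharacters") and any(b > 0x7F for b in once):
        return False, "high-bit"                # e.g. ..%c1%1c.. style alternate encodings
    url = once.decode("latin-1")                # 1:1 byte-to-char so nothing is lost
    path, _, query = url.partition("?")
    if not opts.getboolean("AllowDotInPath") and path.count(".") > 1:
        return False, "dot-in-path"             # /x.asp/../y.htr disguises the extension
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext and ext in (e.lower() for e in policy["DenyExtensions"]):
        return False, "extension"
    if any(seq in url for seq in policy["DenyUrlSequences"]):
        return False, "sequence"                # scanned after decoding, path and query
    present = {h.lower() for h in headers}
    if any(h.lower().rstrip(":") in present for h in policy["DenyHeaders"]):
        return False, "header"
    if len(raw_url) > limits.getint("MaxUrl") or len(query) > limits.getint("MaxQueryString"):
        return False, "length"
    return True, "ok"


SAMPLE_REQUESTS = [  # constructed samples: (method, raw request-URI, headers)
    ("GET", "/default.asp?id=7", {"Host": "www.example.com"}),
    ("PROPFIND", "/", {}),
    ("GET", "/scripts/%255c../winnt/system32/cmd.exe?/c+dir", {}),
    ("GET", "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir", {}),
    ("GET", "/products.asp/../secret.htr", {}),
    ("GET", "/default.ida?" + "X" * 40, {}),
    ("GET", "/search.asp?q=../../boot.ini", {}),
    ("GET", "/index.html", {"Translate": "f"}),
    ("GET", "/" + "A" * 300, {}),
]


def filter_samples():
    policy = load_policy(POLICY_INI)
    return [check_request(policy, m, u, h) for m, u, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (m, u, _), (ok, why) in zip(SAMPLE_REQUESTS, filter_samples()):
        print(f"{'ALLOW' if ok else 'DENY':5} {why:14} {m} {u[:60]}")
```

Only the first sample passes; each of the others trips a different rule, and the order matters: the double-encoded `%255c` request is rejected by the normalization check before the traversal sequence it hides is ever compared, which is the point of VerifyNormalization. Note that a real URLScan deployment is tuned per site, because a strict [DenyUrlSequences] list such as this one (":" and "%" included) will also reject legitimate query strings that carry URLs or encoded data.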
Although the IIS Lockdown Wizard and URLScan are steps in the right direction, they are still baby steps: both only remove or block functionality, and neither tells you whether a vulnerability remains on the server. Microsoft has only recently ventured into the esoteric world of information security, and it admits that it has a long way to go. For this reason, we also briefly mention the heavy artillery for network administrators who are fastidious about security.
Retina Network Security Scanner
Retina, from eEye Digital Security, has won awards as the best IIS vulnerability scanner on the market, and eEye's researchers have been among the technical leaders in IIS vulnerability research for several years. Retina is easy to use, and its findings let you quickly tighten your Web server against known attacks; note that a scanner reports weaknesses, and it is still up to you to fix them.
Retina scans your server, or a range of servers, for thousands of known vulnerabilities, with checks that eEye keeps up to date; some are for newly discovered vulnerabilities not yet covered by other scanners. Retina also supports scheduled scanning. It produces complete and extensive reports that are sure to impress your manager or CIO, who, while not understanding them, can nevertheless show them to the board of directors as evidence of security efforts (see Figure 13.65).
Figure 13.65 Retina.
Retina can be downloaded at: http://www.eeye.com.
SecureIIS Application Firewall
SecureIIS is another program from eEye Digital Security, designed to protect IIS from both known and unknown attacks. SecureIIS wraps around IIS and works within it, inspecting incoming and outgoing data for signs of an attack. It provides both intrusion detection and Web server firewalling in one program, and it can be tuned to your individual Web server. SecureIIS is a useful tool that adds another layer of protection to your Web site.
SecureIIS can be downloaded at: http://www.eeye.com.