Security Basics mailing list archives
Re: Tools for IIS security check
From: gorski2003 () hushmail com
Date: Thu, 19 Dec 2002 13:41:21 -0800
IIS has a few different packages that will attempt to increase security.
This is assuming you've already firewalled and installed an IDS etc. The
last and most serious space left to secure is the web service itself. It
is prone to vulnerabilities and attackers still hit the web port (usually
80) slipping by firewall and IDS.

MS has put out a security package that gives you IISLockdown (will remove
all unused sample pages etc) and URLScan. URLScan will filter out class
attacks (e.g. buffer overflows) and does a fairly good job. It's free but
unsupported (and no, you can't have the source code). Configuration is by
editing an .ini file and is generally going to be at the machine level
(e.g. one machine, one config, so forget it if multiple sites are hosted
on one box).

There are a few commercial packages out there. eEye has SecureIIS, which
is another ISAPI filter (like URLScan) that has a nice GUI and distributed
policy management.

Entercept has their own IIS type defensive layer. It's a kernel level
module however and can degrade performance when load becomes heavy. It's
complete protection however and protects all the ports, not just 80. Kind
of overkill if you already use a firewall.

| -----Original Message-----
| From: Rahul Chander Kashyap [mailto:rahul () nsecure net]
| Sent: Thursday, December 19, 2002 2:57 AM
| To: Harish Gondavale; SECURITY-BASICS () SECURITYFOCUS COM
| Subject: Re: Tools for IIS security check
|
|
| Try using Whisker from RFP.
| http://www.wiretrip.net/rfp
|
| Some others I would prefer <after whisker> would be:
| nmap http://www.insecure.org/nmap/
| foundscan http://www.foundstone.com/
| Stealth HTTP Scanner http://www.hideaway.net/
|
| Regards,
| Rahul C. Kashyap
|
| www.nsecure.net
| -------------------
| Layered Defence
| -------------------
|
|
| > Hi all,
| >
| > Can somebody give a few good free tools' names, which can
| > be used to verify that IIS is secured completely?
| >
| > I know a few of them: Nessus, Nikto
| >
| > Thanks for all your help.
| >
| > Bye.
| >
| > Harish