Security Basics mailing list archives

Re: Tools for IIS security check


From: gorski2003 () hushmail com
Date: Thu, 19 Dec 2002 13:41:21 -0800


IIS has a few different packages that will attempt to increase security.  This is assuming you've already firewalled 
and installed an IDS etc.  The last and most serious space left to secure is the web service itself.  It is prone to 
vulnerabilities and attackers still hit the web port (usually 80) slipping by firewall and IDS.
MS has put out a security package that gives you IISLockdown (will remove all unused sample pages etc) and URLScan.  
URLScan will filter out class attacks (eg buffer overflows) and does a fairly good job.  It's free but unsupported (and 
no you can't have the source code).  Configuration is by editing an .ini file and is generally going to be at the 
machine level.  (eg one machine one config, so forget it if multiple sites are hosted on one box).  There's a few 
commercial packages out there, eEye has SecureIIS which is another ISAPI filter (like URLScan) that has a nice GUI and 
distributed policy management.  Entercept has their own IIS type defensive layer.  It's a kernel level module however 
and can degrade performance when load becomes heavy.  It's complete protection however and protects all the ports, 
not just 80.  Kind of overkill if you already use a firewall.

| -----Original Message-----
| From: Rahul Chander Kashyap [mailto:rahul () nsecure net]
| Sent: Thursday, December 19, 2002 2:57 AM
| To: Harish Gondavale; SECURITY-BASICS () SECURITYFOCUS COM
| Subject: Re: Tools for IIS security check
|
|
| Try using Whisker from RFP.
| http://www.wiretrip.net/rfp
|
| Some others I would prefer (after Whisker) would be:
| nmap  http://www.insecure.org/nmap/
| foundscan  http://www.foundstone.com/
| Stealth HTTP Scanner http://www.hideaway.net/
|
| Regards,
| Rahul C. Kashyap
|
| www.nsecure.net
| -------------------
| Layered Defence
| -------------------
|
|
| > Hi all,
| >
| > Can somebody give few good free tools' name, which can
| > be used to verify that IIS is secured completely?
| >
| > I know few of them : Nessus, Nikto
| >
| > Thanks for all your help.
| >
| > Bye.
| >
| > Harish
| >
| >
| >
|
|
|







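The URLScan-style request filtering the reply above describes (a verb allow-list, denied extensions and URL sequences, a maximum URL length to stop the long-URL overflow class) as an added Python model; this is not code from the original post or from UrlScan itself. The ini text and the sample requests are constructed for the example; the section and key names follow the UrlScan.ini layout, while the matching logic is a simplified re-implementation.

```python
"""Model of the URLScan-style request filter described above (added example,
not UrlScan's code). The ini text is constructed for this example; section
and key names follow the UrlScan.ini layout; the matching is simplified."""
import configparser
import posixpath
from urllib.parse import unquote

URLSCAN_INI = """\
[options]
UseAllowVerbs=1
[AllowVerbs]
GET
POST
[DenyExtensions]
.exe
.ida
[DenyUrlSequences]
..
./
%
[RequestLimits]
MaxUrl=260
"""

def load_rules(ini_text):
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep verbs and extensions exactly as written
    cp.read_string(ini_text)
    return {
        "use_allow_verbs": cp.getboolean("options", "UseAllowVerbs"),
        "allow_verbs": {v.upper() for v in cp["AllowVerbs"]},
        "deny_ext": {e.lower() for e in cp["DenyExtensions"]},
        "deny_seq": list(cp["DenyUrlSequences"]),
        "max_url": cp.getint("RequestLimits", "MaxUrl"),
    }

def check_request(rules, verb, url):
    """Return None if the request passes, else the rejection reason."""
    if rules["use_allow_verbs"] and verb.upper() not in rules["allow_verbs"]:
        return "verb not in AllowVerbs"
    if len(url) > rules["max_url"]:  # catches the long-URL overflow class
        return "URL longer than MaxUrl"
    path = unquote(url)  # decode once so encoded sequences are also matched
    if posixpath.splitext(path)[1].lower() in rules["deny_ext"]:
        return "extension in DenyExtensions"
    for seq in rules["deny_seq"]:
        if seq in url or seq in path:
            return f"denied sequence {seq!r}"
    return None
```

Because the rules are read from one ini file, the model also shows the machine-level limitation the reply mentions: every site on the box shares the same policy.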

