Free security tools that can improve IIS security


Kevin Beaver, CISSP
05.27.2008


With Internet Information Services (IIS) so widely used, several vendors have created commercial products you can use to test, improve or otherwise manage its security.
But, if you're like most people and have a limited budget, you need alternatives. Well, don't fret. There are indeed some viable alternatives for finding some of the big issues and locking down IIS. And it won't cost you a dime.

Some security tools are completely free – that is, no marketing strings are attached. Others are offered up as, "try this and we think you'll like it so much that you'll buy our commercial version." Either way, who cares? You still have a set of free security tools that'll improve the security of your IIS Web environment. Here they are:

  1. N-Stalker Free Edition -- Web vulnerability scanner that checks for common Web server misconfigurations as well as application-specific flaws including cross-site scripting. Figure 1 shows its simple click-and-go interface.

Figure 1 -- N-Stalker Free Edition web vulnerability scanner

  2. Acunetix WVS Free Edition -- Another feature-rich Web vulnerability scanner that checks for some basics and cross-site scripting as shown in Figure 2.

Figure 2 -- Acunetix WVS Free Edition Web vulnerability scanner

  3. ParosProxy -- Web proxy tool that lets you analyze (and manipulate) what's coming and going from your IIS server applications when manually testing for security flaws. It has some basic vulnerability scanning capabilities built in as well.
  4. Sandboxie -- Application "sandbox" you can use on the client side with Internet Explorer and Firefox to see just what your IIS-based system is leaving in your browser's cache. It's very interesting to see what's going on at this level -- a common security oversight when testing Web applications.
  5. SSL Diagnostics -- Secure Sockets Layer (SSL) analysis and troubleshooting tool. You know me -- I'm not a huge fan of hiding behind the security façade that many believe SSL offers -- but this is a good tool for ensuring your configuration is correct. This is a common Web server configuration problem I see when testing Web applications for security flaws.
  6. SSLDigger -- An SSL strength analysis tool that is along the same lines as SSL Diagnostics but focuses solely on the strength of your SSL ciphers. You've got to have SSL anyway -- might as well make sure it's as secure as possible. Many admins don't think about it, but it's a flaw that can be exploited nonetheless.
  7. FSMax and Blast -- I know, technically two different tools. I list them here as one since they have a similar goal: stress testing. Commercial alternatives are few and far between and pricey at that, but denial of service and stress testing is something that should be run against any production IIS system.
  8. Port80 Software Headercheck -- A tool to see just what Web server information is being revealed to the world. The guys at Port80 Software also have some free online tools for running other Web-related tests you can check out at www.port80software.com/support/p80tools.
  9. SiteDigger -- Google hacking tool that searches Google's cache for sensitive information that may have been stored on your Web server at some point in time. Results are few and far between but when it does find something, it's usually pretty juicy.
  10. wfetch -- HTTP header tool that allows you to see what's going on behind the scenes in client-server communications. Another great way to manually test your IIS system for security vulnerabilities. Wfetch -- part of the IIS Resource Kit -- is shown in Figure 3.

Figure 3 -- Microsoft's wfetch HTTP analysis tool

Don't forget about the other valuable tools in the IIS Resource Kit as well.
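
As an added example (not part of the original tip and not code from any of the tools listed), the Python sketch below runs the kind of check that Headercheck and wfetch support, looking for headers that reveal server details, and also flags the browser-cache concern raised under Sandboxie. The sample response, the header list and the function names are assumptions chosen for illustration.

```python
# Added example: audit a captured HTTP response for server-information
# disclosure and for content a browser may cache. Sample data is constructed.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Set-Cookie: ASP.NET_SessionId=constructedvalue; path=/\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<html>account page</html>"
)

# Assumed list of headers that commonly reveal server or framework details.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version")

def parse_headers(raw):
    """Return (status_line, [(lowercased_name, value), ...]) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that have no colon
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def audit_response(raw):
    """Return findings as (kind, header_name, observed_value) tuples."""
    _, headers = parse_headers(raw)
    findings = [("disclosure", n, v) for n, v in headers
                if n in DISCLOSURE_HEADERS]
    # A response that sets a cookie but does not forbid storage can leave
    # session-related content behind in the browser cache.
    cache = ",".join(v.lower() for n, v in headers if n == "cache-control")
    sets_cookie = any(n == "set-cookie" for n, _ in headers)
    if sets_cookie and "no-store" not in cache:
        findings.append(("cacheable", "cache-control", cache or "(absent)"))
    return findings

if __name__ == "__main__":
    for kind, name, value in audit_response(SAMPLE_RESPONSE):
        print(f"{kind:10} {name}: {value}")
```
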

So there you have it -- IIS security tools for the budget-conscious admin. You may not be able to find and fix every single security issue in your IIS environment with these tools, but they are all excellent options if your resources are limited. Whether you want to lock down your Web systems or just tinker with some neat security tools, have at it. What have you got to lose?

About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC where he specializes in providing independent security assessments revolving around risk management and compliance. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver [at] principlelogic.com.
