Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

ModSecurity IIS Updates: Stable Release, Award Recognition and More

ModSecurity for IIS Stable Release9128_4af50411-df37-4112-b57a-b7c4b4327e96

As part of our recent release of ModSecurity v2.7.2, not only did we fix many bugs (CHANGES), but
this is also the first version where we labeled the IIS7 version as STABLE release quality! You can download the 2.7.2 MSI Installer here. Microsoft's IIS Engieering Team conducted extensive testing and opened many JIRA tickets.

All of these tickets have been fixed and closed. Here are some of the items we addressed:

21 Jan 2013 - 2.7.2
-------------------
* IIS version is now stable.
* Fixed IIS version does not pass through POST data to ASP.NET when SecRequestBodyAccess is set to On (MODSEC-372).
* Fixed IIS version HTTP Request Smuggling protection does not work (MODSEC-344).
* Fixed IIS version PHP Injection Attack (958976) protection does not work (MODSEC-346).
* Fixed IIS version Request limit protections are not working (MODSEC-349).
* Fixed IIS version Outbound protections are not working (MODSEC-350).
* Added IIS version better installer.

This is a huge achievement and I wanted to take a moment to thank both Greg Wroblewski (Microsoft Security Research and Defense) who was the lead developer of the port of ModSecurity to IIS7 and also Breno Silva Pinto (Trustwave SpiderLabs Research) who acted as the ModSecurity subject matter expert during development.

2012 Toolsmith Tool of the Year Award: ModSecurity for IIS

Russ McRee over at HolisticInfosec held open voting in January for the 2012 Toolsmith Tool of the Year Award and ModSecurity for IIS won!

11979_d3130c14-8753-4a3e-a16d-0746f5167ea5
I am glad that the Toolsmith readers found value in the IIS version of ModSecurity and we hope that it will help them to more quickly secure their Microsoft IIS/ASP/.Net environments.

Best Practice Recommendations from Microsoft

Microsoft recently released a TechNet article entitled "Security Best Practices to Protect Internet Facing Web Servers" and in it recommended the following:

Application-oriented security: WAF (Web Application Firewall), just next to the web app/site, that will allow to harden the requests control, and tighten the filter to match the specificities of the web application. ModSecurity for IIS7 (see: http://www.modsecurity.org/ ) is an example of a tool that can be used for robust audit logging of HTTP(S) transactions and virtual patching of identified vulnerabilities. Along with the bundled OWASP ModSecurity Core Rule Set (CRS), it offers essential protections against application layer attacks and information leakages.

All IIS7 admins should install ModSecurity to gain better visibility into HTTP(S) transactions and offer an expedited mechanism to deploy protections for new attacks or vulnerabilities. Trustwave SpiderLabs is a MAPP program participant and we develop ModSecurity virtual patches for a number of web server/application vulnerabilties released by Microsoft in the Patch Tuesday pre-notification data. These virtual patching rules are included within our commercial ModSecurity rules feed, so IIS7 users may utilize our rules as well to protect their environments.

ModSecurity vs. URLScan

An interesting legacy issue that needs to be addressed is this - IIS7 administrators should use ModSecurity rather than relying upon URLScan. URLscan provides extremely basic input filtering for the following:

  • The HTTP request method or verb
  • The file name extension of the requested resource
  • Suspicious URL encoding
  • Presence of non-ASCII characters in the URL
  • Presence of specified character sequences in the URL
  • Presence of specified headers in the request

Here is an example URLScan configuration file to detect basic SQL Injection strings:

12903_ff19d340-de21-4821-8980-fe529b0c530b

URLScan Limitations

URLScan has the following limitations with regards to protections:

  • Can not inspect POST request bodies. This means that it can not inspect any parameter data sent in POST payloads. Needless to say, this leaves open a huge hole in any inspections.
  • Can not inspect Outbound response data. This means that you can not identify data leakages or what data was exposed to the client.

It was for these two main reasons that the we ported ModSecurity to the IIS7 platform. With ModSecurity installed, you can also use the OWASP ModSecurity CRS to implement better coverage for a wide range of application-layer attacks such as SQL Injection.

Latest SpiderLabs Blogs

Why We Should Probably Stop Visually Verifying Checksums

Hello there! Thanks for stopping by. Let me get straight into it and start things off with what a checksum is to be inclusive of all audiences here, from Wikipedia [1]:

Read More

Agent Tesla's New Ride: The Rise of a Novel Loader

Malware loaders, critical for deploying malware, enable threat actors to deliver and execute malicious payloads, facilitating criminal activities like data theft and ransomware. Utilizing advanced...

Read More

Evaluating Your Security Posture: Security Assessment Basics

This is Part 4 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More