NT Gatekeeper: Protecting Your IIS Web Server from Buffer-Overflow Attacks

A couple of weeks ago, I deployed a company Web site that I built solely with Microsoft software. Right now, the company uses the Web site only to announce services and products. In the near future, however, the company wants to extend the site's use to let customers order products and services, a change that will make Web server security hardening more important. Although I've found a lot of information about Microsoft Internet Information Server (IIS) 4.0 hardening on the Microsoft Web site, I haven't found an adequate solution for buffer-overflow attacks. I know I need to install the latest IIS security hotfixes and use resources such as the IIS Lockdown and URLScan tools. However, these solutions are reactive. I want to detect and stop buffer-overflow attacks before Microsoft releases a hotfix for them. Can you explain how buffer-overflow attacks work and how I can take a more proactive approach to putting an end to them?

For a short introduction to buffer-overflow attacks and how they work, read the sidebar "Buffer-Overflow Attacks Explained," page 15. You're right that most solutions that Microsoft and other vendors offer address the problem only after buffer-overflow attacks have occurred and done harm. Microsoft offers one preventive solution: URLScan. URLScan screens all incoming HTTP requests to an IIS server and filters them based on a set of rules that an administrator defines. You can download URLScan from the Microsoft Security Web site at http://www.microsoft.com/windows2000/downloads/recommended/urlscan/default.asp.

You can also find some interesting third-party tools that take innovative and preventive approaches to the buffer-overflow problem on the Windows NT platform, including SecureWave's SecureStack and Entercept Security Technologies' Entercept 2.0. Advanced Intrusion Detection Systems (IDSs) such as OKENA's StormWatch, nCircle's IP360, and Recourse Technologies' ManHunt, which I lack space to address here, also can prevent buffer-overflow attacks.

The technology for SecureStack was developed in the Linux world. SecureStack's power is based on a kernel-mode driver that intervenes in a system's memory-management process. The driver installs as part of the SecureStack installation program. This kernel-mode approach makes SecureStack application-independent. The driver automatically flags all code written outside buffer boundaries as nonexecutable and detects all attempts to run illegitimate code. You can download a free copy of SecureStack with limited capabilities from the SecureWave Web site (http://www.securewave.com). The free copy will log an event when it detects a buffer-overflow attack, but it won't block the attack as the full application would.

Entercept uses a different approach. Instead of making kernel-level changes, Entercept creates a protective layer that sits between the OS kernel and the applications. Entercept intercepts, inspects, and authorizes or rejects all calls that an application sends to the kernel. Entercept is broader in scope than SecureStack. Whereas SecureStack focuses on buffer-overflow attack protection, Entercept protects against a wide range of attacks, including well-known NT attacks (e.g., GetAdmin), Trojan horses, and buffer-overflow attacks. Entercept also uses a distributed client-server architecture: You can monitor multiple Entercept agents running on different machines from a central console. (SecureStack doesn't include built-in support for centralized management.) You can request an evaluation copy of Entercept at the company's Web site (http://www.entercept.com).
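The request screening described above for URLScan, sketched as an added example (not code from this article, from Microsoft, or from URLScan itself): a filter that rejects a request line by verb, length, and byte range before any handler parses it. The rule names and limits (260-byte path, 512-byte query) and the sample requests are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Rule names and limits are assumptions for this sketch, not URLScan's own. */
enum verdict { ALLOW, DENY_MALFORMED, DENY_VERB, DENY_PATH_LEN, DENY_QUERY_LEN, DENY_HIGH_BIT };
struct rules { size_t max_path, max_query; const char *verbs[4]; int allow_high_bit; };
static const struct rules DEFAULT_RULES = { 260, 512, { "GET", "HEAD", "POST", NULL }, 0 };

/* Screen "VERB URL HTTP/x.y" (len bytes) in place; nothing is copied to a fixed buffer. */
enum verdict screen_request(const struct rules *r, const char *line, size_t len)
{
    const char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL || sp1 == line) return DENY_MALFORMED;
    size_t verb_len = (size_t)(sp1 - line);
    const char *url = sp1 + 1;
    const char *sp2 = memchr(url, ' ', len - verb_len - 1);
    if (sp2 == NULL || sp2 == url) return DENY_MALFORMED;
    size_t url_len = (size_t)(sp2 - url);

    int verb_ok = 0;                      /* allow-list: unknown verbs are denied */
    for (size_t i = 0; i < 4 && r->verbs[i] != NULL; i++)
        if (strlen(r->verbs[i]) == verb_len && memcmp(r->verbs[i], line, verb_len) == 0)
            verb_ok = 1;
    if (!verb_ok) return DENY_VERB;

    const char *q = memchr(url, '?', url_len);
    size_t path_len = q ? (size_t)(q - url) : url_len;
    size_t query_len = q ? url_len - path_len - 1 : 0;
    if (path_len > r->max_path) return DENY_PATH_LEN;
    if (query_len > r->max_query) return DENY_QUERY_LEN;

    if (!r->allow_high_bit)               /* raw non-ASCII bytes in the URL */
        for (size_t i = 0; i < url_len; i++)
            if ((unsigned char)url[i] >= 0x80) return DENY_HIGH_BIT;
    return ALLOW;
}

/* Constructed sample: a GET request whose path is '/' followed by n 'A' bytes. */
enum verdict screen_padded_path(size_t n)
{
    static char buf[4096] = "GET /";
    if (n > sizeof buf - 32) return DENY_MALFORMED;
    memset(buf + 5, 'A', n);
    memcpy(buf + 5 + n, " HTTP/1.0", 9);
    return screen_request(&DEFAULT_RULES, buf, 5 + n + 9);
}

int main(void)
{
    printf("short: %d, oversized: %d\n", (int)screen_padded_path(10), (int)screen_padded_path(2000));
}
```

A length cap like this rejects an oversized path regardless of which component would have overflowed, which is why it still helps before a hotfix exists; it does nothing for an overflow that a request within the limits can trigger.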
