<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/"><channel><title>[200 OK]: A Port80 Software Blog</title><link>http://www.port80software.com/200ok/</link><description>We're all 200 OK: Web, HTTP and IIS Insights</description><managingEditor>"Port80 Software Crew" &lt;blog@port80software.com&gt;</managingEditor><dc:language>en-US</dc:language><generator>.Text Version 0.95.2004.102</generator><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Microsoft Says SQL Injection Attack Not Their Fault (Translation: Get a Web App Firewall!)</title><link>http://www.port80software.com/200ok/archive/2008/04/28/30946.aspx</link><pubDate>Mon, 28 Apr 2008 16:31:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2008/04/28/30946.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/30946.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2008/04/28/30946.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/30946.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/30946.aspx</trackback:ping><description>&lt;P&gt;The recent wave of SQL injection attacks has made mainstream news, just in case you have not seen it:&lt;/P&gt;
&lt;P&gt;&lt;A href="http://blog.washingtonpost.com/securityfix/2008/04/hundreds_of_thousands_of_micro_1.html"&gt;Hundreds of Thousands of Microsoft Web Servers Hacked&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Jeremiah Grossman and others have made the point, accurately, that this is not a Microsoft IIS Web server&amp;nbsp;issue, but rather that Web developers not adhering to security best practices are to blame (for shame, it is not like we have enough to do already!):&lt;BR&gt;&lt;BR&gt;&lt;A href="http://www.news.com/8301-10789_3-9930452-57.html"&gt;Security expert: Don't blame Microsoft for mass site defacements&lt;BR&gt;&lt;/A&gt;&lt;BR&gt;To solve this puzzle, look no further than controlling parameters, permissions and sanitizing your inputs with a Web application firewall or WAF like &lt;A href="http://www.serverdefender.com"&gt;ServerDefender AI&lt;/A&gt; or the upcoming ServerDefender VP.&amp;nbsp; Yes, you can learn to write more secure code, but why wait to get protected or deal with recoding legacy bits?&amp;nbsp; Get a WAF, and get &lt;A href="http://www.scmagazineus.com/PCI-council-clarifies-impending-application-rule/article/109373/"&gt;PCI&lt;/A&gt; compliant, something we all need to be focusing on now.&lt;/P&gt;
&lt;P&gt;Cheers,&lt;BR&gt;Port80&lt;BR&gt;&lt;BR&gt;PS BTW thanks to &lt;A href="http://jeremiahgrossman.blogspot.com/"&gt;Jeremiah&lt;/A&gt; for being one of the early believers in &lt;A href="http://www.servermask.com"&gt;ServerMask&lt;/A&gt;... it is nice to watch as his security star rises!&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/30946.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>httpZip 3.8.4 Now Available</title><link>http://www.port80software.com/200ok/archive/2008/03/06/30521.aspx</link><pubDate>Thu, 06 Mar 2008 11:53:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2008/03/06/30521.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/30521.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2008/03/06/30521.aspx#Feedback</comments><slash:comments>1</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/30521.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/30521.aspx</trackback:ping><description>&lt;P&gt;Minor releases rarely get headlines, but why not? They are important as well!&amp;nbsp;&amp;nbsp; &lt;/P&gt;
&lt;P&gt;This interim release of &lt;A href="http://www.port80software.com/products/httpzip/"&gt;httpZip&lt;/A&gt; has important &lt;A href="http://www.port80software.com/products/httpzip/history"&gt;changes&lt;/A&gt; for improved reporting and swatting&amp;nbsp;a few&amp;nbsp;bugs, so if you are a Zip customer or are just checking out HTTP compression, download the new bits. However, get ready for a major httpZip upgrade in the future, as 64 bit is on the way. We are working on getting the code out to our &lt;A href="http://www.port80software.com/contact/betas"&gt;beta testers&lt;/A&gt; as soon as we can.&lt;BR&gt;&lt;BR&gt;So, if you aren&amp;#8217;t on the Zip bandwagon yet, remember that even with massive broadband penetration, your Web users always want more speed (&lt;A href="http://www.emarketer.com/Article.aspx?id=1006022"&gt;http://www.emarketer.com/Article.aspx?id=1006022&lt;/A&gt;).&lt;BR&gt;&lt;BR&gt;More to come,&lt;BR&gt;Port80&lt;BR&gt;&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/30521.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Port80 on IIS 7: Seven New Reasons to Choose Microsoft for Web Serving</title><link>http://www.port80software.com/200ok/archive/2008/02/28/30500.aspx</link><pubDate>Thu, 28 Feb 2008 16:45:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2008/02/28/30500.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/30500.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2008/02/28/30500.aspx#Feedback</comments><slash:comments>2</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/30500.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/30500.aspx</trackback:ping><description>&lt;P&gt;In the spring of 2003, as Microsoft was touting Windows Server 2003, a group from Port80 
Software trekked up to Microsoft WHQ in Redmond, WA and had a meeting with the &lt;A href="http://www.microsoft.com/WindowsServer2003/iis/default.mspx"&gt;IIS&lt;/A&gt; team.&amp;nbsp; We had all sorts of ideas for where they should take the Internet Information Services Web server, and &lt;A href="http://www.port80software.com/about/press/100102"&gt;with Port80 being new on the scene with its then four products for IIS&lt;/A&gt;, we wanted to know where Microsoft planned to go with IIS in the future.&amp;nbsp; We were talking Apache and&amp;nbsp;its culture of &lt;A href="http://modules.apache.org/"&gt;modules&lt;/A&gt; to extend Web functionality that dominated and gave competitive advantage to the open source Web server.&amp;nbsp; Microsoft&amp;#8217;s IIS folks understood this (which surprised us), and they said that IIS 7 would be worth the wait...&lt;BR&gt;&lt;BR&gt;Fast forward to February 27, 2008, and &lt;A href="http://mvolo.com/blogs/serverside/archive/2008/02/22/IIS-7.0-_2D00_-the-number-one-reason-customers-want-Windows-Server-2008.aspx"&gt;the hottest new feature in the (formerly Longhorn) now shipping Windows Server 2008 is... 
IIS 7&lt;/A&gt;!&amp;nbsp; Unless it is the focus of a news or blog piece, IIS 7 is usually the last feature brought up in discussions of Server 2008, but at least during this launch, IIS is a major selling point for the OS for once -- and rightfully so.&lt;BR&gt;&lt;BR&gt;Here is why Port80 Software is excited about IIS 7, Microsoft&amp;#8217;s lucky number Web server:&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;1.&amp;nbsp;IIS 7 is modular by design.&lt;BR&gt;&lt;/STRONG&gt;&lt;BR&gt;As &lt;A href="http://computerworld.co.nz/news.nsf/news/7CFCECA3F0553D69CC2573E200128C6A"&gt;one early adopter from an Australian bank&lt;/A&gt; put it, &amp;#8220;Server 2008 and IIS7 represents one of the more exciting developments in hosting because the ability to integrate third-party modules into IIS7.&amp;#8221; Though you could always build out new Web server features with ISAPI on IIS 4/5/6 on Windows NT/2000/2003, the interface was purported to have issues.&amp;nbsp; &lt;A href="http://www.port80software.com/products/"&gt;Good ISAPI filters are possible if you know what you are doing and have a lot of practice&lt;/A&gt;, but Port80&amp;#8217;s tech teams are excited to code new IIS 7 modules with the same API that Microsoft&amp;#8217;s team used to build IIS 7 itself.&amp;nbsp; A better foundation will make for better enhancements to the Web server.&amp;nbsp; Of course, this modularity is also a security feature, as you have the option to only deploy the pieces of Web server functionality that you need (however, do note that there are some reasons that a few deeper aspects of IIS will live no matter what modules are deployed, but on the sly).&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;2. 
IIS 7 has a new GUI.&lt;BR&gt;&lt;/STRONG&gt;&lt;BR&gt;Microsoft has always had a good track record with UI design, but this advantage was never pressed in their Web server software.&amp;nbsp; Though IIS 6 did offer some UI changes, it is nothing like IIS 7, with different panes for tasks and the ability to marshall more data and Web server control at once.&amp;nbsp; Besides, what Web admin isn&amp;#8217;t sick of the old UI?&amp;nbsp; Everyone likes a new dashboard:&lt;BR&gt;&lt;BR&gt;
&lt;CENTER&gt;&lt;IMG title="IIS 7 UI Screenshot 1" src="/images/IIS_7_UI_1"&gt;&lt;/IMG&gt;&lt;BR&gt;&lt;BR&gt;&lt;IMG title="IIS 7 UI Screenshot 2" src="/images/IIS_7_UI"&gt;&lt;/IMG&gt;&lt;BR&gt;&lt;BR&gt;&lt;/CENTER&gt;&lt;STRONG&gt;&lt;BR&gt;3. IIS 7 also has no GUI.&lt;/STRONG&gt;&lt;BR&gt;&lt;BR&gt;Now it is possible to run IIS 7 with no UI as a &lt;A href="http://www.port80software.com/200ok/archive/2007/06/15/29369.aspx"&gt;Server Core&lt;/A&gt;&amp;nbsp;installation (you can&amp;#8217;t do this just yet with ASP.NET, but look for an update there soon).&amp;nbsp; The Server Core option is less resource intensive: it simply uses less disk space (only a gigabyte to run it all), it boots faster (some claims of speed reduction by two thirds), and finally fewer moving parts again reduce the potential attack surface.&amp;nbsp; When you combine this Windows 2008 GUI-less environment with the &lt;A href="http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx"&gt;PowerShell&lt;/A&gt; interface, you begin to seriously erode the perceived Apache advantage of command line automation.&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;&lt;BR&gt;4. 
IIS 7 performs well.&lt;/STRONG&gt;&lt;BR&gt;&lt;BR&gt;Check out these comments:&lt;BR&gt;&lt;BR&gt;&amp;#8220;We also tested IIS 7 via Web get/posts using inclining concurrency of the get/posts (using static pages), and found that there was no additional performance advantage of Windows 2003 over 2008 server editions until concurrency (number of users getting and posting) was raised significantly, where Windows 2008 and IIS 7 became very fast compared with Windows 2003 and IIS 6,&amp;#8221; &lt;A href="http://www.itworldcanada.com/a/News/251f205d-6cad-4147-91b5-d6498ec317f0.html"&gt;Network World found&lt;/A&gt;.&amp;nbsp; Lots of POSTs in Web 2.0, good for IIS 7&amp;#8230;&lt;BR&gt;&lt;BR&gt;&amp;#8220;Internet hosting company &lt;A href="http://www.rackspace.com"&gt;Rackspace&lt;/A&gt; has found that hardware requirements have decreased 16% to 35% per cluster by using IIS 7.0,&amp;#8221; &lt;A href="http://www.informationweek.com/news/showArticle.jhtml?articleID=206900560"&gt;per Information Week&lt;/A&gt;. The focus on doing more with less pays off here&amp;#8230; &lt;BR&gt;&lt;BR&gt;"The memory handling is extremely improved over 2003 and we'll be able to run more websites per server," said that same early adopter at &lt;A href="http://computerworld.co.nz/news.nsf/news/7CFCECA3F0553D69CC2573E200128C6A"&gt;that Aussie bank&lt;/A&gt;&amp;nbsp;we mentioned earlier.&lt;BR&gt;&lt;BR&gt;More features and IIS 7 still delivers more requests on less hardware. What&amp;#8217;s not to like?&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;&lt;BR&gt;5. 
IIS 7 leverages a better TCP/IP stack for more connections, especially on 64 Bit.&lt;/STRONG&gt;&lt;BR&gt;&lt;BR&gt;We all know 64 bit is going to be the standard in high performance Web server OSes, but it is nice to see the whole thing coming together in Windows 2008.&amp;nbsp; Here is &lt;A href="http://www.serverwatch.com/sreviews/article.php/3726441"&gt;what ServerWatch had to say&lt;/A&gt;:&lt;BR&gt;&lt;BR&gt;&amp;#8220;Finally, although there has long been a 64-bit version of Server 2003, it's only with the introduction of Server 2008 that companies will be moving to 64-bit hardware in significant numbers as they refresh their server rooms. Because of the way TCP/IP connection states are stored and the fact that 32-bit systems can address only 4 gigabytes of RAM, 32-bit systems have in effect been limited to around 20,000 to 30,000 connections per machine. Since 64-bit machines running Server 2008 Enterprise Edition can address 2 terabytes of RAM, IIS 7 running on these machines has the potential to maintain many, many more TCP/IP connections than it (or any other Web server) would on 32-bit boxes.&amp;#8221;&lt;BR&gt;&lt;BR&gt;As we are currently working at Port80 Software on our own x86-64 Bit code, we were excited to see that IIS 7 shines in this context.&amp;nbsp; &lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;&lt;BR&gt;6. Finally, you can use the Web-based UI in IIS 7 for easier administration.&lt;/STRONG&gt;&lt;BR&gt;&lt;BR&gt;No, we will have six points in this IIS 7 review, but it is true that you can finally safely administrate IIS over the Web without terminal services, RDP or a control panel.&amp;nbsp;&amp;nbsp; Turn on the built-in functionality, and administer IIS 7 over the Web -- once you have locked that box down, of course!&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;&lt;BR&gt;7. 
Microsoft is opening up officially, Web app-wise, with IIS 7.&lt;/STRONG&gt;&lt;BR&gt;&lt;BR&gt;"Today, Windows [or IIS] is becoming the most popular platform on the planet for running PHP applications, which has a certain irony to it," &lt;A href="http://www.informationweek.com/news/showArticle.jhtml?articleID=206900560"&gt;Steve Ballmer said recently&lt;/A&gt;.&lt;BR&gt;&lt;BR&gt;&lt;A href="http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;i=1299&amp;amp;g=6"&gt;FastCGI&lt;/A&gt;, a module that ships with IIS 7, makes it super easy to host application frameworks such as PHP, Ruby on Rails and Perl, and then applications built on those Web app platforms can run on IIS 7.&amp;nbsp; No longer should you tie the app development environment to one type of Web server: develop where and in what you like and then deploy on *NIX or Windows, Apache or IIS.&amp;nbsp; With all of these new features, Apache admins should at least take a fresh look at IIS 7.&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;We at Port80 Software would like to congratulate the Microsoft IIS team on a great job of not only building a stellar new Web server, but in their commitment to the IIS community with the very active site &lt;A href="http://www.iis.net"&gt;http://www.iis.net&lt;/A&gt;, which just got a new face lift.&amp;nbsp; It is a good week for Web serving, and we look forward to seeing what customers have to say on Windows 2008 and IIS 7 in the real world.&lt;BR&gt;&lt;BR&gt;So after all this, you might wonder what are Port80&amp;#8217;s IIS 7 plans? Well, we are certainly working hard on it.&amp;nbsp; However, truth be told, what customers so far are really clamoring for right now is x86-64 bit support for our current world-renowned products on Windows Server 2003. 
To meet this demand, &lt;A href="http://www.port80software.com/products/httpzip/"&gt;httpZip&lt;/A&gt; will be the first tool to support 64 bit on IIS 6 shortly, to be followed quickly by most of the Port80 product line for IIS.&amp;nbsp; IIS 7 products and .NET platform products of course are also in the works.&amp;nbsp; With all this change in the air, we invite customers to &lt;A href="http://www.port80software.com/contact/betas"&gt;join our new beta program&lt;/A&gt; to be the first to get your hands on IIS7 and 64 bit code from Port80.&amp;nbsp; Beyond that, we hope that you will let us know what you would like to see in the world of Windows Web serving. What is keeping you up at night concerning IIS and HTTP?&amp;nbsp; &lt;BR&gt;&lt;BR&gt;Cheers,&lt;BR&gt;Port80 Software &lt;BR&gt;&lt;BR&gt;
&lt;P&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/30500.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>HTTP Compression and the Google AdSense Crawler Bot</title><link>http://www.port80software.com/200ok/archive/2008/02/22/30440.aspx</link><pubDate>Fri, 22 Feb 2008 11:34:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2008/02/22/30440.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/30440.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2008/02/22/30440.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/30440.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/30440.aspx</trackback:ping><description>&lt;P&gt;&lt;EM&gt;FACT: HTTP Compression really improves Web serving.&lt;BR&gt;&lt;BR&gt;FACT: Big sites like Google and Yahoo! use compression.&lt;BR&gt;&lt;BR&gt;UNFORTUNATE FACT: Some services are not aware enough of compression and may break... 
unless you have a smart compression engine!&lt;/EM&gt;&lt;BR&gt;&lt;BR&gt;This underutilized technology transparently reduces the size of all text-based content served from a Web site or Web service, speeding up transmission across the Web, reducing bandwidth expenses, and freeing up Web server availability to handle more requests.&amp;nbsp; &lt;A href="http://www.port80software.com/surveys/top1000compression/"&gt;Compression deployments are accelerating among business sites&lt;/A&gt;, and Google.com has been compressing responses for a long time (see this real-time report:&amp;nbsp; &lt;A href="http://www.port80software.com/tools/compresscheck?url=www.google.com"&gt;http://www.port80software.com/tools/compresscheck?url=www.google.com&lt;/A&gt;).&amp;nbsp; &lt;BR&gt;&lt;BR&gt;Google&amp;#8217;s Googlebot, their Web crawler that indexes sites to form the basis of search results, also likes to see compressed content.&amp;nbsp; At a search engine conference a few years back, search guru &lt;A href="http://searchmarketingexpo.com/danny_sullivan.shtml"&gt;Danny Sullivan&lt;/A&gt; spent some time focusing on this:&amp;nbsp; Google only indexes so much of a page, so if you send the Googlebot compressed content (which it asks for by the presence of the &amp;#8220;&lt;EM&gt;accept-encoding: gzip, deflate&lt;/EM&gt;&amp;#8221; header in a request), you can theoretically get more content indexed and save bandwidth on that request from Googlebot and all other requests to IE, Firefox and other browsers and search bots with HTTP compression.&amp;nbsp; Very cool.&lt;BR&gt;&lt;BR&gt;It is ironic then, given Google&amp;#8217;s knowledge and use of HTTP compression, that &lt;A href="https://www.google.com/adsense/"&gt;Google's AdSense program&lt;/A&gt;, which sells contextual advertising on third party sites, uses technology that is not compatible with HTTP compression.&amp;nbsp; One of Port80 Software&amp;#8217;s &lt;A 
href="http://www.port80software.com/products/httpzip/"&gt;httpZip compression&lt;/A&gt; clients received this email recently from Google&amp;#8217;s AdSense team in response to why the Port80 client&amp;#8217;s contextual ad site was not getting indexed by the AdSense crawler bot program (which goes by the user-agent name starting with &amp;#8220;&lt;EM&gt;mediapartners-google&lt;/EM&gt;&amp;#8221;; a user agent is the Web client&amp;#8217;s name, usually a browser or bot)... this is part of the email from a Google AdSense rep to our client:&lt;BR&gt;&lt;BR&gt;&lt;EM&gt;&amp;#8220;I've reviewed your site and have determined that our crawler is having difficulty accessing your URL. Specifically, your webserver is sending our crawler HTML in a compressed format, which our crawler is unable to process.&lt;BR&gt;&lt;BR&gt;We recommend that you speak with your web administrator to ensure your system does not send our crawler compressed data. You can determine our crawler by looking for user agents starting with 'Mediapartners-Google'.&lt;BR&gt;&lt;BR&gt;Additionally, please be aware that after you have turned off the encoding, it may be 1 or 2 weeks before the changes are reflected in our index. Until then, we may display less relevant or non-paying public service ads. You should expect your ad relevance to increase over time.&amp;#8221;&lt;BR&gt;&lt;BR&gt;&lt;/EM&gt;So,&amp;nbsp; the AdSense crawler bot does not like HTTP Compression. 
But the real question is -- why are they asking for it?&amp;nbsp; In the request to get compression from any Web server, a user agent must first have that &amp;#8220;&lt;EM&gt;accept-encoding: gzip, deflate&lt;/EM&gt;&amp;#8221; header in the original request&amp;#8230; if the AdSense bot cannot deal with compression, it should not be requested by the bot itself.&amp;nbsp; That makes sense, right?&lt;BR&gt;&lt;BR&gt;It looks like Google AdSense is asking clients to not compress responses to their bot to fix this issue, rather than fixing the decompression bug (an educated guess) in their bot code.&amp;nbsp; So, the fix for now if you have a Web server, are in the AdSense program from the serving side (you host Google AdSense ads on your own site), and still want to use compression for all other Web visitors, an exception must be made for any request with a user-agent starting in &amp;#8220;&lt;EM&gt;mediapartners-google&lt;/EM&gt;&amp;#8221;.&lt;BR&gt;&lt;BR&gt;Unfortunately, you cannot do this on Microsoft IIS 4 or 5 servers (NT or 2000) without a third party compression tool like httpZip from Port80 Software that can add a compression exclusion for a user agent. 
On IIS 6 (Windows 2003), you can use httpZip or ZipEnable to add such an exception or exclusion.&amp;nbsp; We will be adding the default exception for this browser to a minor version upgrade of both products soon, but here is how to add an exception for this AdSense bot with httpZip and ZipEnable.&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;Excluding Google&amp;#8217;s AdSense Bot IIS Compression with httpZip:&lt;BR&gt;&lt;BR&gt;&lt;/STRONG&gt;- Install the free httpZip trial from &lt;A href="http://www.httpzip.com/try"&gt;www.httpzip.com/try&lt;/A&gt;.&lt;BR&gt;&lt;BR&gt;- Once installed, confirm compression is working fine (&lt;A href="http://www.port80software.com/products/httpzip/evaluationguide"&gt;http://www.port80software.com/products/httpzip/evaluationguide&lt;/A&gt;).&lt;BR&gt;&lt;BR&gt;- Open the httpZip Settings Manager.&lt;BR&gt;&lt;BR&gt;- On the compression tab, to add a new Browser Exception for a MIME type, select "New" and, in the Add Browser Exception dialog, enter a Browser Name (like &amp;#8220;AdSense Bot&amp;#8221;) for the browser in the text box labeled "Browser Name." Next, enter the search string text used to identify the browser (use &amp;#8220;&lt;EM&gt;mediapartners-google&lt;/EM&gt;&amp;#8221; to get all versions of the bot, this short version will wildcard for specific software&amp;nbsp;versions of the bot) in the text box labeled "Search String", then click OK.&amp;nbsp; Please note:&amp;nbsp; you will have to add this for the MIME types being requested by the bot, which should include &amp;#8220;text/html&amp;#8221;, &amp;#8220;text/css&amp;#8221;, &amp;#8220;text/javascript&amp;#8221;, and &amp;#8220;application/x-javascript&amp;#8221; MIMEs, and probably a few more, based on what you are serving and want to get indexed.&lt;BR&gt;&lt;BR&gt;Picking a MIME (text/html) to Exclude the AdSense Bot from compression:&lt;BR&gt;&lt;BR&gt;&lt;IMG class=inl title="httpZip: Pick a MIME type first..." alt="httpZip: Pick a MIME type first..." 
src="/images/HZ_Pick_A_MIME"&gt;&lt;BR&gt;&lt;BR&gt;Setting up the AdSense Bot Exception for text/html MIME:&lt;BR&gt;&lt;BR&gt;&lt;IMG class=inl title="httpZip: Set up the exception for the AdSense Bot..." alt="httpZip: Set up the exception for the AdSense Bot..." src="/images/HZ_Set_Browser_Exception2"&gt;&lt;BR&gt;&lt;BR&gt;- Apply your settings in the httpZip Settings Manager. Repeat the process for other MIMEs that you want to get indexed (FYI, text/html should take care of most dynamic content output from ASP, ASP.NET, CFM, PHP, JSP, etc. files).&lt;BR&gt;&lt;BR&gt;- You can use Wfetch, a free tool in the IIS 6 Resource Kit, to test that no responses will compress when requested by the AdSense bot (&lt;A href="http://support.microsoft.com/kb/840671"&gt;http://support.microsoft.com/kb/840671&lt;/A&gt;).&amp;nbsp; Just add these headers to a request in Wfetch (&amp;#8220;&lt;EM&gt;accept-encoding: gzip, deflate&lt;/EM&gt;&amp;#8221;), and the response from the server with the new httpZip exclusion will not be compressed (it should have no headers like &amp;#8220;&lt;EM&gt;content-encoding: gzip&lt;/EM&gt;&amp;#8221; or &amp;#8220;&lt;EM&gt;content-encoding: deflate&lt;/EM&gt;&amp;#8221; in the response from the Web server and is therefore not compressed).&lt;BR&gt;&lt;BR&gt;- All your other requests from good browsers and bots will now be compressed while you can feel safe that you are not messed up with the Google AdSense bot.&amp;nbsp; Remember, it may take a few weeks for the AdSense bot to reindex your site correctly.&lt;BR&gt;&lt;BR&gt;You can add an exclusion to compression requests from the AdSense bot on IIS 6 with &lt;A href="http://www.port80software.com/products/zipenable/"&gt;ZipEnable&lt;/A&gt; by following the instructions above and adding an exclusion directly in ZipEnable&amp;nbsp; -- here is the documentation for that process in ZipEnable (&lt;A 
href="http://www.port80software.com/products/zipenable/docs#adv_set_browser"&gt;http://www.port80software.com/products/zipenable/docs#adv_set_browser&lt;/A&gt;). You will also want to use something like Wfetch that will allow you to alter your request headers so you can trick out the user-agent and make sure you are getting no compression when the user agent includes &amp;#8220;&lt;EM&gt;mediapartners-google*&lt;/EM&gt;&amp;#8221; (make sure the search string is a wildcard implicitly in ZipEnable, a bit different than in httpZip: &amp;#8220;&lt;EM&gt;mediapartners-google*&lt;/EM&gt;&amp;#8221; ).&lt;BR&gt;&lt;BR&gt;We hope this helps clear up any confusion on Google AdSense and HTTP compression &amp;#8211; please &lt;A href="http://www.port80software.com/contact"&gt;contact us&lt;/A&gt; for help here and for other tips on &lt;A href="http://www.port80software.com/performance/"&gt;IIS performance boosts&lt;/A&gt;!&lt;BR&gt;&lt;BR&gt;Best regards,&lt;BR&gt;Port80 Software&lt;BR&gt;&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/30440.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Happy New Year Update (plus New IIS Migration Tool Released by Microsoft)</title><link>http://www.port80software.com/200ok/archive/2008/01/23/30325.aspx</link><pubDate>Wed, 23 Jan 2008 17:05:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2008/01/23/30325.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/30325.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2008/01/23/30325.aspx#Feedback</comments><slash:comments>2</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/30325.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/30325.aspx</trackback:ping><description>&lt;P&gt;Happy 2008, folks.&amp;nbsp; We have been in offline 
blog mode for some time, but we are getting back on the stick here for the new year.&lt;BR&gt;&lt;BR&gt;Look for an update e-mail tomorrow from Port80 Software with information on IIS 7, &lt;A href="http://www.port80software.com/products/httpzip"&gt;&lt;EM&gt;httpZip&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; 4.0&lt;/EM&gt; for IIS compression with 64 bit support (we are looking for beta testers), &lt;A href="http://www.port80software.com/products/serverdefender/artificialintelligence/"&gt;&lt;EM&gt;ServerDefender AI&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; 1.1&lt;/EM&gt; (with some new features and a helpful evaluation guide), and a list of good Web dev and network freeware tools.&lt;BR&gt;&lt;BR&gt;We also just got an e-mail from IIS guru Brett Hill that announced the IIS Team at Redmond has released a new IIS migration tool. They are looking for us in the IIS Community at large to use the tool and maybe give them some feedback.&amp;nbsp; Here are the details copied below.&lt;BR&gt;&lt;BR&gt;More to come from the Port80 Team in 2008 (including &lt;EM&gt;httpZip.NET&lt;/EM&gt; and a new &lt;EM&gt;ServerDefender VP&lt;/EM&gt; tool).&amp;nbsp; Windows Server 2008 is going to be an interesting launch given Vista and the direct impact of a whole new IIS in the 7.0 version.&amp;nbsp; We have our own lists, but what are your key IIS challenges for 2008? We would love to hear what you are up to!&lt;BR&gt;&lt;BR&gt;Cheers,&lt;BR&gt;Port80 Software&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; LINE-HEIGHT: 115%; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;FONT size=2&gt;FROM THE MICROSOFT IIS TEAM:&lt;BR&gt;&lt;BR&gt;IIS is thrilled to announce the Technical Preview 1 release of the Microsoft Web Deployment Tool! The tool provides deployment and migration support for IIS 6.0 and 7.0. It incorporates many features that enable web server administrators to deploy, sync and migrate sites, including configuration, content, SSL certificates and other types of content associated with a Web server.&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;FONT size=2&gt;This tool can be used on Windows Server 2008 and IIS 7.0 as well as Windows Server 2003 and IIS 6.0. Please note that this is a Technical Preview release of the tool and &lt;U&gt;should not be used on production servers&lt;/U&gt;. For a Tech Preview, only forum level support is available.&lt;/FONT&gt; &amp;nbsp;&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;FONT size=2&gt;How to Get Started&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Download and read the walkthroughs:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: #1f497d; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;A title=blocked::http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http://go.microsoft.com/?linkid=8100895 href="http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http%3a%2f%2fgo.microsoft.com%2f%3flinkid%3d8100895"&gt;&lt;B&gt;&lt;SPAN style="COLOR: blue"&gt;http://go.microsoft.com/?linkid=8100895&lt;/SPAN&gt;&lt;/B&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Download the x86 version:&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: #1f497d; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt; &lt;A title=blocked::http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;g=6&amp;amp;i=1602 href="http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http%3a%2f%2fwww.iis.net%2fdownloads%2fdefault.aspx%3ftabid%3d34%26g%3d6%26i%3d1602"&gt;&lt;B&gt;&lt;SPAN style="COLOR: blue"&gt;http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;g=6&amp;amp;i=1602&lt;/SPAN&gt;&lt;/B&gt;&lt;/A&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Download the x64 version: &lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: #1f497d; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;A title=blocked::http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;g=6&amp;amp;i=1603 href="http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http%3a%2f%2fwww.iis.net%2fdownloads%2fdefault.aspx%3ftabid%3d34%26g%3d6%26i%3d1603"&gt;&lt;B&gt;&lt;SPAN style="COLOR: blue"&gt;http://www.iis.net/downloads/default.aspx?tabid=34&amp;amp;g=6&amp;amp;i=1603&lt;/SPAN&gt;&lt;/B&gt;&lt;/A&gt;&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;o:p&gt;&lt;FONT size=2&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Web Deployment Tool forum: &lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;A title=blocked::http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http://forums.iis.net/1144.aspx href="http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http%3a%2f%2fforums.iis.net%2f1144.aspx"&gt;&lt;B&gt;&lt;SPAN style="COLOR: blue; FONT-FAMILY: 'Segoe UI','sans-serif'"&gt;http://forums.iis.net/1144.aspx&lt;/SPAN&gt;&lt;/B&gt;&lt;/A&gt;&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt; &lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;FONT size=2&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Web Deployment Team blog: &lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;A title=blocked::http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http://blogs.iis.net/msdeploy/ href="http://www.brettblog.com/ct.ashx?id=347e0aa1-dafd-4760-9add-9a52b1621c45&amp;amp;url=http%3a%2f%2fblogs.iis.net%2fmsdeploy%2f"&gt;&lt;B&gt;&lt;SPAN style="COLOR: blue; FONT-FAMILY: 'Segoe UI','sans-serif'"&gt;http://blogs.iis.net/msdeploy/&lt;/SPAN&gt;&lt;/B&gt;&lt;/A&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt; &lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: #1f497d; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;o:p&gt;&lt;FONT size=2&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;FONT size=2&gt;Features&lt;o:p&gt;&lt;/o:p&gt;&lt;/FONT&gt;&lt;/SPAN&gt;&lt;/B&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt; LINE-HEIGHT: normal"&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 12pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;The following list contains several of the features in this version:&lt;/SPAN&gt;&lt;SPAN style="FONT-SIZE: 12pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Symbol; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'"&gt;&amp;#183;&lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 7pt; COLOR: black; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Synchronization and Snapshot of IIS 6.0/IIS 7.0&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;: &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;The sync operation provides administrators with a way to quickly synchronize a site or server and deploy changes to existing sites and servers. A synchronization allows you to synchronize one source with one destination. For example, you can synchronize two directory paths or two web servers. The sync can be performed with local or remote objects. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;The snapshot, or archive, functionality allows administrators or developers to quickly take an archive of their web site or server for rollback, restore or backup purposes. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Symbol; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'"&gt;&amp;#183;&lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 7pt; COLOR: black; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Migration from IIS 6.0&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;: &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;The migrate operation provides administrators with a way to migrate sites or entire servers from IIS 6.0 to IIS 7.0, including their settings and content. A migration is essentially a way of synchronizing, filtered by migration rules. For example, when migrating from IIS 6.0 to IIS 7.0, MS Deploy will check the value of some properties and see if it is the IIS 6.0 default. If it is the default, such as the log files directory, it will instead use the value set on the IIS 7.0 server. This enables a server admin to maintain new settings on IIS 7.0 while moving sites or applications from IIS 6.0. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Symbol; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'"&gt;&amp;#183;&lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 7pt; COLOR: black; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Analysis of IIS 6.0 Installed Features&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;: &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;The analyze operation allows administrators to check what components are installed on the source server. In this way, they can determine if features are present that they will need in IIS 7.0 or that require more advanced setup than simply copying files. For example, ASP.NET requires more than a file copy and will need to be installed on the destination server. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; TEXT-INDENT: -0.25in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: Symbol; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'"&gt;&amp;#183;&lt;/SPAN&gt;&lt;FONT size=2&gt;&lt;SPAN style="FONT-SIZE: 7pt; COLOR: black; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/SPAN&gt;&lt;B&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;Troubleshooting and Validation Features&lt;/SPAN&gt;&lt;/B&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;: &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt 0.5in; LINE-HEIGHT: normal"&gt;&lt;SPAN style="FONT-SIZE: 10pt; COLOR: black; FONT-FAMILY: 'Segoe UI','sans-serif'; mso-fareast-font-family: 'Times New Roman'"&gt;For validating an operation, the -whatif flag allows administrators to see what actions would happen when they perform an operation. This is especially useful for performing sync or migration, when they want to validate what changes will be made before performing them. For troubleshooting, the -verboseLevel flag allows administrators to get rich detail about what operations are being performed, and upon failure, the ability to diagnose the problem. &lt;o:p&gt;&lt;/o:p&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;BR&gt;&lt;BR&gt;&lt;FONT size=2&gt;&amp;nbsp;&lt;/FONT&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/30325.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>New Web Security Tool: ServerDefender AI</title><link>http://www.port80software.com/200ok/archive/2007/10/22/29557.aspx</link><pubDate>Mon, 22 Oct 2007 14:41:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/10/22/29557.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29557.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/10/22/29557.aspx#Feedback</comments><slash:comments>3</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29557.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29557.aspx</trackback:ping><description>&lt;P&gt;Hello there,&lt;BR&gt;&lt;BR&gt;We have been mentioning a new Web app firewall since this spring at TechEd, and we are happy to announce that the new &lt;STRONG&gt;&lt;A href="http://www.port80software.com/products/serverdefender/"&gt;ServerDefender Artificial Intelligence&lt;/A&gt;&lt;/STRONG&gt; (or &lt;STRONG&gt;ServerDefender AI&lt;/STRONG&gt; for short) Web application firewall for Microsoft IIS Web servers (and the app layer) is ready for your review at our site!&lt;BR&gt;&lt;BR&gt;Building on the security layers of defense from &lt;A href="http://www.port80software.com/security"&gt;ServerMask and LinkDeny, ServerDefender AI&lt;/A&gt; offers solid attack signatures from &lt;A href="http://www.sans.org/"&gt;SANS&lt;/A&gt;, &lt;A href="http://www.owasp.org/index.php/Main_Page"&gt;OWASP&lt;/A&gt; and our own research to protect against the myriad attacks we have all come to know and loathe, like SQL injection, buffer overflows, cross-site scripting (XSS) and request forgery (CSRF), directory traversal, 
zero-day, brute force, dictionary, denial of service and others (here is &lt;A href="http://www.port80software.com/products/serverdefender/iiswebapplicationsfirewalls"&gt;our new Port80 review of Web app attacks and countermeasures&lt;/A&gt;).&amp;nbsp; ServerDefender AI then employs a learning Web app firewall that maps your normal traffic and then begins to use this data to detect and block anomalies. You can get involved in this training process or set the AI to train without your supervision. This Web app firewall not only protects IIS, but your app server layer(s) like .NET, .asp, .php, .cfm, Java server pages, etc. -- and of course your database&amp;#8217;s precious gems as well.&lt;/P&gt;
&lt;P&gt;&lt;A href="http://www.port80software.com/products/serverdefender/artificialintelligence/"&gt;Other key features&lt;/A&gt; include request throttling (controlling frequency of requests to a given page to block bots and other attacks), network-layer IP blocking (threats never even get to IIS), threat management options (a configurable framework to customize Web app sec), notification alert management (get paged, texted or even stop IIS in the event of an attack), detailed logging (you will be surprised how many hacker requests your site is getting right now), and much more.&lt;BR&gt;&lt;BR&gt;We kept the price low for a Web app firewall that works at $649.95 per IIS instance, and this is the first tool from Port80 Software to offer centralized deployment (install/activate) and management from a single console.&amp;nbsp; ServerDefender AI will even stop IIS in a very bad hack attempt (based on your preferences).&amp;nbsp;Check out ServerDefender AI today, and let us know what you like and what we can change to make this security solution more robust.&amp;nbsp;&amp;nbsp;&lt;BR&gt;&lt;BR&gt;At the same time, we are working on a sister Web app firewall, &lt;A href="http://www.port80software.com/products/serverdefender/vulnerabilityprotection/"&gt;ServerDefender Vulnerability Protection (VP)&lt;/A&gt;, that will focus on input sanitization and attack vectors like error information leakage -- adding effective Web app security with fewer frills than ServerDefender AI, but at a lower price (we are targeting $349.95/server for ServerDefender VP).&lt;BR&gt;&lt;BR&gt;We appreciate your interest and feedback on ServerDefender AI and IIS security. Let&amp;#8217;s make it a bad day for hackers, indeed.&lt;BR&gt;&lt;BR&gt;Sincerely, &lt;BR&gt;Port80 Software&lt;BR&gt;&lt;BR&gt;P.S. 
We also have a current promotion ($600 down from $850) on the ServerMask ip100 security appliances for intrusion defense and anti-reconnaissance.&amp;nbsp; &lt;A href="http://www.port80software.com/products/servermask/ip100"&gt;Check out this deal&lt;/A&gt; for better network-edge defense that works in tandem with Port80 origin server security tools (and your existing hardware firewall and IPS solutions)!&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/29557.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Prognostications Galore:  Web 3.0 and the Rise of an Interplanetary Internet</title><link>http://www.port80software.com/200ok/archive/2007/10/22/29556.aspx</link><pubDate>Mon, 22 Oct 2007 13:43:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/10/22/29556.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29556.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/10/22/29556.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29556.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29556.aspx</trackback:ping><description>&lt;P&gt;We are all for futurism here at Port80.&amp;nbsp; &lt;BR&gt;&lt;BR&gt;It is important to look ahead to what is coming, and make dreams become reality.&amp;nbsp; So, when Vint Cerf says we will have an Internet capability in space by 2010, it is worth noticing...&amp;nbsp; This type of vision makes sense, given the success and number of unmanned, robotic experiments taking place in our solar system right now.&amp;nbsp; Pretty cool stuff:&lt;BR&gt;&lt;BR&gt;&lt;A href="http://physorg.com/news111816547.html"&gt;http://physorg.com/news111816547.html&lt;/A&gt;&lt;BR&gt;&amp;nbsp;&lt;BR&gt;But, when we start to hear Web 3.0, we have to 
laugh.&amp;nbsp; Ask 10 smart folks in our industry about Web 2.0, and you are liable to have 10 different definitions.&amp;nbsp; It is less than a decade since the golden days of the Dot Com &lt;A href="http://www.globalsecurity.org/military/systems/munitions/moab.htm"&gt;MOAB&lt;/A&gt;, but with all the real work we have to do to serve complex Web apps today, do we need more snake oil sales blabber?:&lt;BR&gt;&lt;BR&gt;&lt;A href="http://bits.blogs.nytimes.com/2007/10/19/what-i-meant-to-say-was-semantic-web/?em&amp;amp;ex=1192939200&amp;amp;en=3c233d05e8ff4dd3&amp;amp;ei=5087%0A"&gt;http://bits.blogs.nytimes.com/2007/10/19/what-i-meant-to-say-was-semantic-web/?em&amp;amp;ex=1192939200&amp;amp;en=3c233d05e8ff4dd3&amp;amp;ei=5087%0A&lt;/A&gt; &lt;BR&gt;&lt;BR&gt;Have a good one,&lt;BR&gt;Port80&lt;BR&gt;&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/29556.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Web Server Wars Religious, Not Productive</title><link>http://www.port80software.com/200ok/archive/2007/08/22/29441.aspx</link><pubDate>Wed, 22 Aug 2007 14:46:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/08/22/29441.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29441.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/08/22/29441.aspx#Feedback</comments><slash:comments>1</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29441.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29441.aspx</trackback:ping><description>&lt;P&gt;Last week, we released our updated &lt;A href="http://www.port80software.com/surveys/"&gt;surveys of Fortune 1000 Web sites and the Web technology they use&lt;/A&gt; to deliver their sites.&amp;nbsp;&lt;BR&gt; &lt;BR&gt;Port80 Software has been conducting this survey 
since 2003, when we felt there was so much negativity out there on Microsoft IIS.&amp;nbsp; Apache, long loved in the open source community and more widely used than IIS, and the Apachephiles themselves were always kicking sand in IIS&amp;#8217; face.&amp;nbsp; So, IIS&amp;#8217; ongoing lead in our Fortune 1000 survey as the Web server of choice (it still leads with &lt;A href="http://www.port80software.com/surveys/top1000webservers/"&gt;&lt;STRONG&gt;55%&lt;/STRONG&gt; share in July 2007&lt;/A&gt;) has been a kind of &lt;A href="http://www.infoworld.com/article/03/01/17/030120opwinman_1.html"&gt;counterbalance against Netcraft&amp;#8217;s surveys&lt;/A&gt; that had promoted the concept that Apache is so much more widely used on the Internet than IIS&amp;nbsp;-- so much so that you needed to have your head examined if you were still running IIS.&amp;nbsp;&amp;nbsp; Or so the headlines told us&amp;#8230;&lt;BR&gt;&lt;BR&gt;&lt;A href="http://news.netcraft.com/archives/2007/07/09/july_2007_web_server_survey.html"&gt;Recently&lt;/A&gt;, IIS has been adding sites in Netcraft&amp;#8217;s survey relative to Apache, gaining on the open source superstar, and this has upset folks in that camp.&amp;nbsp; Having blasted IIS for years, it must sting a bit to have the tables turned.&amp;nbsp; Our latest survey only strengthens the argument that IIS is on the rise, and the much-anticipated IIS7 release in Windows Server 2008 probably won&amp;#8217;t help the numbers for Apache in the future.&lt;BR&gt;&lt;BR&gt;But this story is really all old news.&amp;nbsp; True technologists know that it is not so much the platform that you are building upon but rather what Web site or application you are building, that makes the difference.&amp;nbsp; Yes, we are an IIS shop, and yes we have stoked the fires of this somewhat religious Web server battle for supremacy, but at heart we know that IIS and Apache offer two different ways to serve Web content, two different ways to skin the Net cat, 
so to speak. Also, it is important to note the small but steady rise in alternate Web servers in the Fortune 1000 survey, which demonstrates that IIS and Apache are not the only players here.&lt;BR&gt;&lt;BR&gt;Port80 Software was &lt;A href="http://www.infoworld.com/article/07/08/08/microsoft-iis-narrows-gap-with-apache_1.html"&gt;recently quoted&lt;/A&gt; as saying that IIS is more difficult to tune and manage than Apache -- we do not believe that.&amp;nbsp; Rather, it is a common perception among those unfamiliar with IIS or already in the Apache camp that &amp;#8220;Apache is more secure&amp;#8221; or easier to administer.&amp;nbsp; From Port80&amp;#8217;s perspective, it is not what you serve with, but how much you configure, add on new functionality and work to solve tech and business problems.&amp;nbsp; &lt;BR&gt;&lt;BR&gt;We will keep producing our survey, as long as Netcraft is out there, to provide an alternative perspective.&amp;nbsp; But that&amp;#8217;s all it is -- one more slice of a very complicated Internet, one more story of technology in use, one more stat in your inbox.&lt;/P&gt;
&lt;P&gt;Back to work,&lt;BR&gt;Port80&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/29441.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>LinkDeny 1.1 Released with Some Fixes and Features</title><link>http://www.port80software.com/200ok/archive/2007/08/22/29440.aspx</link><pubDate>Wed, 22 Aug 2007 14:37:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/08/22/29440.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29440.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/08/22/29440.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29440.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29440.aspx</trackback:ping><description>&lt;P&gt;We released &lt;A href="http://www.port80software.com/products/linkdeny/"&gt;LinkDeny 1.1&lt;/A&gt; last week with some fixes and new features worth the mention.&amp;nbsp; For customers and test downloaders, this is a freebie update:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Changes in LinkDeny version 1.1 (8/2007):&lt;BR&gt;&lt;BR&gt;&lt;/STRONG&gt;1.&amp;nbsp;Updated GeoIP.dat file for most current IP address and geographic data. &lt;BR&gt;2.&amp;nbsp;Altered type of HTTP redirection for this Action option from temporary redirects (302) to permanent redirects (301). &lt;BR&gt;3.&amp;nbsp;Added feature to update IIS logs with proper HTTP status code when LinkDeny action is taken like 404 error response or 301 redirection response. &lt;BR&gt;4.&amp;nbsp;Fixed various bugs in the Time Limit Test, both functional and UI. &lt;BR&gt;5.&amp;nbsp;Fixed UI bug that caused crash when many LinkDeny rules were loaded in the Settings Manager. &lt;BR&gt;&lt;BR&gt;Also, we are working hard to release &lt;STRONG&gt;&lt;A href="http://www.port80software.com/security/"&gt;ServerDefender Artificial Intelligence (AI)&lt;/A&gt;&lt;/STRONG&gt; in the next few weeks, the first of our two new upcoming Web app firewalls&amp;#8230;&lt;BR&gt;&lt;BR&gt;More to come,&lt;BR&gt;Port80&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/29440.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>ISAPI Install and Uninstall Help</title><link>http://www.port80software.com/200ok/archive/2007/07/02/29392.aspx</link><pubDate>Mon, 02 Jul 2007 16:37:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/07/02/29392.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29392.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/07/02/29392.aspx#Feedback</comments><slash:comments>3</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29392.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29392.aspx</trackback:ping><description>Sometimes, customers ask us, &amp;#8220;Why do you spend so much time 
explaining installation?&amp;#8221;&amp;nbsp; It&amp;#8217;s a valid question.&lt;BR&gt;&lt;BR&gt;Most software companies do not focus on installation as much as we do at Port80 Software, but then again most software in the world does not plug into the IIS Web service&amp;#8230;&lt;BR&gt;&lt;BR&gt;You know we are the biggest fans of IIS around, but the 2.0 &lt;A href="http://en.wikipedia.org/wiki/ISAPI"&gt;ISAPI&lt;/A&gt; interface to the 6.0 IIS Web server software has its limitations. Installation in the face of multiple third party filters and gracefully stopping IIS to make sure an ISAPI can even be installed are chief among them...&lt;BR&gt;&lt;BR&gt;Long story short, there are many ways to fail in any ISAPI installation.&amp;nbsp; Our new Install Notes page has some updates to make it easier to install and even uninstall Port80 Software tools, but these tips should come in handy for anyone trying to install any ISAPI filter.&lt;BR&gt;&lt;BR&gt;Our new Install Notes will always live at &lt;A href="http://www.port80software.com/install"&gt;http://www.port80software.com/install&lt;/A&gt;.&lt;BR&gt;&lt;BR&gt;We look forward to your feedback, and hope these tips make any ISAPI installation a bit smoother for you!&lt;BR&gt;&lt;BR&gt;Cheers,&lt;BR&gt;Port80&lt;BR&gt;&lt;BR&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/29392.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Web Security Threats, General to Specific (personally, we like the details)</title><link>http://www.port80software.com/200ok/archive/2007/06/29/29388.aspx</link><pubDate>Fri, 29 Jun 2007 14:38:00 
GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/06/29/29388.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29388.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/06/29/29388.aspx#Feedback</comments><slash:comments>9</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29388.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29388.aspx</trackback:ping><description>&lt;P&gt;We came across a business-focused article on Web security today at &lt;A href="http://news.com.com/Solving+the+Web+security+challenge/2009-1002_3-6189437.html"&gt;http://news.com.com/Solving+the+Web+security+challenge/2009-1002_3-6189437.html&lt;/A&gt;.&lt;BR&gt;&lt;BR&gt;Here&amp;#8217;s an excerpt that caught our attention:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Pete Boden, senior director for MSN and Windows Live security, echoes the views of many longtime executives. He argues that a lot of application security problems boil down to the same fundamental source: data input; that is, what people type into an application. Tightly control what can or can't be entered--or "validate" in industry parlance--and you can eliminate the major access point for security breaches.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;"If you classified Web vulnerabilities and took out all of those that are related in some form to input validation, I think you'd have a very small number of vulnerabilities left," he said. "I contend that 80 percent of the vulnerabilities that we see are input validation errors."&lt;BR&gt;&lt;BR&gt;&lt;/EM&gt;Interesting. &lt;BR&gt;&lt;BR&gt;The Microsoft answer (better development tools) or the industry standard answer from the article (better industry cooperation, better-trained developers) are all well and good, but while we wait for those utopias to arrive, there is a rapidly-growing amount of vulnerable "Web 2.0" code getting deployed.&amp;nbsp; This is where the upcoming ServerDefender Web app firewalls from Port80 Software will help -- one of their key features is input sanitization to cover/help Web developers who should be focused on functionality (you guys have enough to worry about) -- and to keep out the hackers looking for a way in at the same time&amp;#8230;&lt;BR&gt;&lt;BR&gt;A more general critique of the article (and of articles of this type) would be that the Web 2.0 talk seems pretty airy and uninformed.&amp;nbsp; For example, there is no mention of security issues with popular Ajax libraries, specific issues that affect many sites, but for which there are current solutions as well (see this &lt;A href="http://www.port80software.com/200ok/archive/2007/03/15/29258.aspx"&gt;200 OK post&lt;/A&gt;).&amp;nbsp; &lt;BR&gt;&lt;BR&gt;Instead, we get a lot of business-analyst-speak about whether MS or Google or Yahoo will do the right thing.&lt;BR&gt;&lt;BR&gt;Do we have time to wait for Web security to standardize from the top players down?&amp;nbsp; Or should we fight the good fight now with the tools on the market, and those to come soon like ServerDefender?&amp;nbsp; What do you think?&lt;BR&gt;&lt;BR&gt;More to come,&lt;BR&gt;Port80&lt;BR&gt;&lt;BR&gt;&lt;/P&gt;&lt;img src 
="http://www.port80software.com/200ok/aggbug/29388.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Port80 at TechEd 2007: The IIS7 Cometh (In Force) </title><link>http://www.port80software.com/200ok/archive/2007/06/15/29369.aspx</link><pubDate>Fri, 15 Jun 2007 12:18:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/06/15/29369.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29369.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/06/15/29369.aspx#Feedback</comments><slash:comments>5</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29369.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29369.aspx</trackback:ping><description>&lt;P&gt;One of the coolest new features coming in Windows Server 2008 (formerly Longhorn Server) isn't really a feature -- it's a whole new version of Windows.&lt;BR&gt;&lt;BR&gt;The feature is called &amp;#8220;&lt;A href="http://www.microsoft.com/windowsserver2008/servercore.mspx"&gt;&lt;STRONG&gt;Server Core&lt;/STRONG&gt;&lt;/A&gt;&amp;#8221;, and it will only take one-sixth of the disk space of a normal Windows 2008 installation. Designed to not need as many patches or hot fixes, &amp;#8220;it's a version of Windows that does not, in fact, use windows&amp;#8221;, but rather leverages the command line for rapid administration and management.&lt;BR&gt;&lt;BR&gt;When Port80 Software arrived at Microsoft&amp;#8217;s TechEd conference last week, we had no idea that &lt;STRONG&gt;&lt;A href="http://www.iis.net"&gt;IIS7&lt;/A&gt;&lt;/STRONG&gt; was going to become the lucky number seventh &amp;#8220;Server Core&amp;#8221; installation option in the upcoming Windows Server 2008 operating system. 
This designation finally puts IIS on the level with Windows server core features like Terminal Services, Network Access Protection, Virtualization, Server Management and Backup, and Server Core/BitLocker, and is designed to get Internet Information Services/IIS Web servers up and running quickly and securely in a command-line-only environment.&amp;nbsp; This was announced in the TechEd keynote address by Microsoft's senior vice president Bob Muglia, drawing intense applause from the crowd.&lt;BR&gt;&lt;BR&gt;Some of the Port80 Software team in the audience fainted&amp;#8230;&lt;BR&gt;&lt;BR&gt;&lt;A href="http://www.owasp.org/index.php/What_is_IIS_Security"&gt;Microsoft IIS&lt;/A&gt;, long the &amp;#8220;red headed stepchild&amp;#8221; of Windows, has informally become one of the most popular and widely deployed Web servers that deliver the World Wide Web.&amp;nbsp; Now, with IIS7 formally becoming a Server Core player, the news could not be better for customers. IIS Product Manager Brian Goldfarb said at TechEd that this will effectively cement IIS as a principal feature of Windows Server into the foreseeable future.&lt;BR&gt;&lt;BR&gt;Projects like Windows Communications Foundation (Indigo) and lingering bad religious wars over the Apache vs. IIS choice had left the impression in some folks&amp;#8217; minds that IIS may go the way of the dodo bird and be replaced by other systems. 
This ain&amp;#8217;t happening, and as IIS&amp;#8217; Brian Goldfarb said, &amp;#8220;You have to have &lt;EM&gt;Port80&lt;/EM&gt;.&amp;#8221;&lt;BR&gt;&lt;BR&gt;Of course, Brian:&amp;nbsp;&amp;nbsp;If you are on Microsoft IIS Web servers, you got to have Port80 Software!&lt;BR&gt;&lt;BR&gt;Actually, Brian Goldfarb&amp;nbsp;said, more precisely, &amp;#8220;You have to have &lt;EM&gt;port 80,&lt;/EM&gt;&amp;#8221; and IIS is HTTP/HTTPS on Windows.&lt;BR&gt;&lt;BR&gt;We at Port80 are excited that IIS is here to stay and has been elevated from that Web server &amp;#8220;everyone gets for free&amp;#8221; in Windows to the world-class core server role that we all know Internet Information Services/IIS is in our real-world deployments of Web sites and applications.&lt;BR&gt;&lt;BR&gt;Kudos to Microsoft for boldly keeping a product brand that has often been incorrectly attacked in the press, maligned by zealous Apache-philes, and yet is &lt;A href="http://www.port80software.com/surveys/top1000webservers/"&gt;the product most corporations rely on to deliver Web content every day&lt;/A&gt;.&amp;nbsp; With new extensibility and modularity features baked into IIS 7, it is only going to get better and better.&lt;BR&gt;&lt;BR&gt;Port80 has &lt;A href="http://www.microsoft.com/presspass/features/2007/jun07/06-05WinServer08.mspx"&gt;already demoed the first IIS 7 Web application firewall&lt;/A&gt; at TechEd 2007, &lt;STRONG&gt;ServerDefender&lt;/STRONG&gt;, and we will have our current tools ported to IIS 7 and Windows Server 2008 by early 2008, just in time for the next Windows server OS.&amp;nbsp; &lt;BR&gt;&lt;BR&gt;200 OK to that!&lt;BR&gt;&lt;BR&gt;More to come,&lt;BR&gt;Port80 Software&lt;BR&gt;&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/29369.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Port80 at TechEd 2007: Drum Roll for the XBOX 360 
Winner!  </title><link>http://www.port80software.com/200ok/archive/2007/06/15/29367.aspx</link><pubDate>Fri, 15 Jun 2007 11:14:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/06/15/29367.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29367.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/06/15/29367.aspx#Feedback</comments><slash:comments>3</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29367.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29367.aspx</trackback:ping><description>&lt;P&gt;Thanks to everyone who stopped by &lt;A href="http://www.port80software.com/200ok/archive/2007/06/13/29364.aspx"&gt;Port80 Software&amp;#8217;s booth at TechEd 2007 in Orlando last week&lt;/A&gt;.&lt;BR&gt;&lt;BR&gt;We delayed our drawing on-site, as we had so many people leave business cards at the booth, and we wanted to get everyone into the drawing.&amp;nbsp; &lt;/P&gt;
&lt;P&gt;Drum roll.... and the winner is:&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;Jason Cornellier&lt;BR&gt;Ford Motor Company&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Jason, we will be sending your brand new &lt;A href="http://www.port80software.com/teched/prizes"&gt;XBOX 360&lt;/A&gt; to you next week!&lt;BR&gt;&lt;BR&gt;Everyone else, thanks so much for visiting Port80 and make sure to take advantage of your 20% TechEd discount on Port80 Software tools.&amp;nbsp; Also, let us know where we can help you directly or indirectly with &lt;A href="http://www.port80software.com/products/"&gt;Microsoft IIS Web servers&lt;/A&gt; and &lt;A href="http://www.iismechanics.com"&gt;HTTP solutions&lt;/A&gt;!&lt;BR&gt;&lt;BR&gt;Best regards,&lt;BR&gt;Port80 Software&lt;BR&gt;&lt;BR&gt;&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/29367.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>"Port80 Software Crew" &lt;blog@port80software.com&gt;</dc:creator><title>Port80 at TechEd 2007 (with no time to live blog)</title><link>http://www.port80software.com/200ok/archive/2007/06/13/29364.aspx</link><pubDate>Wed, 13 Jun 2007 11:03:00 GMT</pubDate><guid>http://www.port80software.com/200ok/archive/2007/06/13/29364.aspx</guid><wfw:comment>http://www.port80software.com/200ok/comments/29364.aspx</wfw:comment><comments>http://www.port80software.com/200ok/archive/2007/06/13/29364.aspx#Feedback</comments><slash:comments>12</slash:comments><wfw:commentRss>http://www.port80software.com/200ok/comments/commentRss/29364.aspx</wfw:commentRss><trackback:ping>http://www.port80software.com/200ok/services/trackbacks/29364.aspx</trackback:ping><description>&lt;P&gt;Orlando, city of humidity, Disn-o-Universal, and TechEd 2007, the latter being Microsoft&amp;#8217;s key yearly show for customers, partners, and learning.&lt;BR&gt;&lt;BR&gt;Port80 Software was there in force this year with live IIS7 demos, free site reviews, and IIS and HTTP tips and tricks for all.&amp;nbsp; It all started on Saturday, June 2, as Port80 forces descended on Orlando by plane and car (we took alternate routes to avoid 
suspicion).&amp;nbsp; No time for dinner, just check in and get ready for Sunday, the booth set-up day.&amp;nbsp; Yes, someone has to put these things together, and you would be surprised how even the best laid booth plans can change when you are on the ground.&amp;nbsp; Despite a few hiccups and curses, the booth became reality&amp;#8230;&amp;nbsp; All demos were set up, including a ServerMask ip100 dongle, which was placed between the booth&amp;#8217;s Internet connection and the booth CPUs.&amp;nbsp; We wanted to keep the casual probers and any crackers at TechEd from getting in&amp;#8230;&amp;nbsp; plus we hoped to show our logs the next day of all the hacker probes which the ServerMask ip100 had blocked the night before.&amp;nbsp; It seemed like a good idea at the time.&lt;BR&gt;&lt;BR&gt;Ready for Monday AM, Port80 retired to the House of Blues for well-deserved cocktails at 8PM Sunday night with &lt;A href="http://www.port80software.com/about/partners"&gt;partners Arxceo and PrivacyWare&lt;/A&gt;.&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;9PM&lt;/STRONG&gt;: Dinner complete (great seared tuna, per Port80's Joe Lima).&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;10PM&lt;/STRONG&gt;: More cocktails.&lt;BR&gt;&lt;BR&gt;&lt;STRONG&gt;11PM&lt;/STRONG&gt;:&amp;nbsp; Cocktails interrupted.&lt;BR&gt;&lt;BR&gt;Chris from Port80 glanced down at his cell phone.&amp;nbsp; Who could be calling tonight? 
The show had not even started&amp;#8230; It was the main booth organizer from Microsoft for TechEd, and there was an emergency.&lt;BR&gt;&lt;BR&gt;&amp;#8220;What device did you guys leave in your booth?&amp;#8221; she asked.&lt;BR&gt;&lt;BR&gt;&amp;#8220;Device?&amp;#8221; Chris responded, &amp;#8220;What do you mean?&amp;#8221;&lt;BR&gt;&lt;BR&gt;The booth organizer continued: &amp;#8220;Well, the folks at SmartCity, who manage the show&amp;#8217;s network, started to see the network shut down a few hours ago.&amp;nbsp; They tracked it down to your booth, and found an odd orange-colored device in there.&amp;nbsp; When they removed the device from your booth, the network was able to be restored.&amp;#8221;&lt;BR&gt;&lt;BR&gt;Whoops, Chris thought. The &lt;EM&gt;ServerMask ip100&lt;/EM&gt;.&amp;nbsp; But that little hacker anti-recon dongle only reacts when it is aggressively probed, and the more aggressive the probe, the more confusing data it generates&amp;#8230;&amp;nbsp; oh, boy.&lt;BR&gt;&lt;BR&gt;&amp;#8220;That is one of our products,&amp;#8221; Chris said.&amp;nbsp; &amp;#8220;It is a security device, should be cool.&amp;nbsp; I cannot believe it crashed the TechEd network.&amp;#8221;&lt;BR&gt;&lt;BR&gt;&amp;#8220;Well, it did, and it has been confiscated for the time being&amp;#8230; you should check back in with security in the morning.&amp;#8221;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;11:05PM&lt;/STRONG&gt;: Cocktails continued.&lt;BR&gt;&lt;BR&gt;In the morning,&amp;nbsp;we got this little message in the booth from the TechEd show&amp;#8217;s network managers:&lt;/P&gt;
&lt;P&gt;&lt;BR&gt;
&lt;CENTER&gt;&lt;IMG alt="ServerMask ip100 confiscated at TechEd 2007!" src="/images/servermaskip100bringsdownte.jpg"&gt;&lt;/CENTER&gt;
&lt;P&gt;&lt;/P&gt;&lt;BR&gt;&amp;nbsp;&lt;BR&gt;It is funny, yes, but the story demonstrates the power of anti-reconnaissance and intrusion prevention (and the interplay between monitoring and security, a fine line to be walked for sure).&amp;nbsp; Port80 considered any IP outside the booth to be untrusted if there was any form of probing; the SmartCity monitoring at TechEd, designed to keep worms and malware from spreading throughout the show, was designed to aggressively monitor what was happening at every IP/port combination&amp;nbsp;it could &amp;#8220;find&amp;#8221;&amp;nbsp;at&amp;nbsp;every downstream connection.&amp;nbsp; &lt;BR&gt;&lt;BR&gt;The result: &lt;A href="http://www.port80software.com/products/servermask/appliances"&gt;the ServerMask&amp;nbsp;ip100 won&lt;/A&gt;, until it was physically removed from the booth.&amp;nbsp; Here is a picture of the little guy: 
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;
&lt;CENTER&gt;&lt;IMG alt="ServerMask ip100 -- Tough on Hackers!" src="/images/ip100_branded_prodmain"&gt;&lt;/CENTER&gt;
&lt;P&gt;&lt;/P&gt;&lt;BR&gt;&amp;nbsp;&lt;BR&gt;The moral of this tale? Anti-reconnaissance is a very powerful intrusion prevention defense.&amp;nbsp; And you just never know when even an internal attack could be launched at your network&amp;#8230; and if you are monitoring your network and have a ServerMask Security Appliance deployed, use the whitelist for your monitoring IPs to avoid this type of situation&amp;#8230;&amp;nbsp; and ServerMasking rules! &lt;BR&gt;&lt;BR&gt;By 11:45AM Monday, the booth was up (minus our ip100 -- the device was returned, with the proviso that it would &lt;STRONG&gt;&lt;EM&gt;not&lt;/EM&gt;&lt;/STRONG&gt; be used at the show again&amp;#8230; bummer on showing those ServerMask logs to folks, right?), and we were open for business: 
&lt;P&gt;
&lt;CENTER&gt;&lt;IMG alt="Port80, The Light at the End of the IIS Security/Performance Tunnel" src="/images/p80atteched_dist.jpg"&gt; 
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=1&gt;Above: Port80, The Light at the End of the IIS Security/Performance Tunnel&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;
&lt;CENTER&gt;&lt;IMG alt="Getting Ready for the TechEd Traffic (both IIS fans and the free schwag hunters came, one and all)" src="/images/p80atteched.jpg"&gt; 
&lt;P&gt;&lt;/P&gt;
&lt;P&gt;&lt;BR&gt;&lt;FONT size=1&gt;Above: Getting Ready for the TechEd Traffic (both IIS fans and the &lt;/FONT&gt;&lt;A href="http://www.promosapien.ca/Content/What%20Is%20Schwag.asp"&gt;&lt;FONT size=1&gt;free schwag&lt;/FONT&gt;&lt;/A&gt;&lt;FONT size=1&gt; hunters came, one and all)&lt;/FONT&gt;&lt;/CENTER&gt;&lt;/CENTER&gt;&lt;/P&gt;
&lt;P&gt;&lt;BR&gt;Port80 Software had a blast at TechEd.&amp;nbsp; We spoke with many great customers, partners, and even a few competitors.&amp;nbsp; If you were there, you may have heard a few of these lines from the Port80 folks:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;#8220;Low cost and high impact Windows IIS Web tools? Yep, we got &amp;#8216;em.&amp;#8221; &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;#8220;Getting overcharged and under served by appliance vendors? Talk with us.&amp;#8221;&amp;nbsp; &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;#8220;Need a custom IIS tool?&amp;nbsp; Yeah, we can help there.&amp;#8221;&amp;nbsp; &lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&amp;#8220;http.sys?&amp;nbsp; Not our department, but we know the guys.&amp;#8221;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;It was so great to meet people face-to-face, hear what their real-world issues are and see it in their eyes, and offer good, affordable solutions to almost every security and performance issue that they had.&amp;nbsp; People were also excited about the upcoming remote management and deployment options coming to all Port80 tools later this year, and some even took the time to see the &lt;STRONG&gt;world&amp;#8217;s first&lt;/STRONG&gt; Web app firewall running on IIS7 and Windows Server 2008, &lt;EM&gt;ServerDefender&lt;/EM&gt;.&amp;nbsp; This tool will be launched on the Port80 site very soon, but the feedback was excellent!&lt;/P&gt;
&lt;P&gt;Thanks to all that stopped by to meet Port80 Software at TechEd 2007 in Orlando this year.&amp;nbsp; We will announce the winner of the &lt;A href="http://www.port80software.com/teched/prizes"&gt;XBOX 360&lt;/A&gt; tomorrow on our blog, and it will be mailed to the lucky winner next week.&lt;/P&gt;
&lt;P&gt;If you have a chance to go to TechEd 2008, don&amp;#8217;t miss it.&amp;nbsp; It is a fun trip with real learning opportunities and a chance to see what is here and what is coming to Windows soon. &lt;/P&gt;
&lt;P&gt;Cheers,&lt;BR&gt;Port80&lt;BR&gt;&lt;BR&gt;&lt;/P&gt;&lt;img src ="http://www.port80software.com/200ok/aggbug/29364.aspx" width = "1" height = "1" /&gt;</description></item></channel></rss>