Documentation

Guide to Using ServerDefender VP Web Application Firewall


Getting Started With ServerDefender VP

This section of the documentation contains all the information you will need to:

  • Get ServerDefender VP (SDVP) up and running successfully in LOG ONLY mode
  • Start exploring some basic configuration options
  • Learn how to start keeping tabs on what SDVP is finding out about the security of your sites.

Once you are finished here, you will be ready to get into the heart of SDVP, by checking out the power of the LogViewer interface.


Installation Notes

System Requirements | Installed Components | Trial and Activation

System Requirements

The System Requirements for ServerDefender VP are as follows:

  • A compatible version of IIS and Windows:
    • IIS 8 / Server 2012
    • IIS 7.5 / Server 2008 R2 with Service Pack 2
    • IIS 7 / Server 2008 with Service Pack 2
    • IIS 6 / Server 2003 (all editions) with Service Pack 2
  • Compatible hardware:
    • x86 (32-bit)
    • x64 (64-bit)

Notes:

  • On IIS 6.0 / Server 2003, IIS 5.0 Isolation (compatibility) Mode is not supported.
  • For IIS 7.x / Server 2008 installations, the following IIS Role Services must be installed:
  • ISAPI Filters
  • ISAPI Extensions

Installed Components

ServerDefender VP consists of the following major program components:

  • An ISAPI DLL (ServerDefenderVP.dll) that is loaded into IIS as both a Filter (at the global level) and a Wildcard Extension (on a per-site or per-application basis).
  • A user interface, called the Settings Manager (ServerDefenderVP.exe), that serves as the principal means of configuring SDVP.
  • A log analysis utility, called LogViewer (LogViewer.exe), that is used to both view and analyze the SDVP logs and also to make contextual configuring changes on the spot.
  • A Windows Service (sdvp_service.exe) that manages a variety of supporting tasks.

Trial and Activation

When first installed ServerDefender VP will be in trial mode. The trial period lasts for 30 days, during which time all of SDVP's features are fully functional.

At the end of the trial period, ServerDefender VP will cease functioning. Any SDVP settings changes made, and/or logs accumulated, during the trial period will be persisted, pending activation. However, SDVP's security controls will cease being logged or enforced.

ServerDefender VP may be activated at any time during the trial period, or after that period has ended, thereby continuing (or restoring) full functionality. Activation always requires the prior purchase of a ServerDefender VP license from www.port80software.com, or the purchase of an additional activation, if you already own a ServerDefender VP license and are seeking to activate an additional server.

After purchasing, there are two options for completing the activation:

  • If your IIS server can initiate outbound SSL (HTTPS) connections, you can activate online.
  • If your server lacks an outbound secure connection, you can instead use email-based activation.
Both activation options are available on the activation dialog that comes up whenever the SDVP Settings Manager is launched in trial mode.

For detailed information and instructions regarding activation, upgrades, evaluation and licensing, please see www.port80software.com/support/licensing.


The Configuration Wizard

The Configuration Wizard offers you the chance to make adjustments to SDVP's default settings, based on an analysis of your Web server logs and other data. While you can launch the wizard at any time (see below) SDVP launches it for you automatically after installation.

The first thing the wizard does is to offer you a choice between Standard and Expert modes:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

If you are installing SDVP for the first time, or if you just want to get started as quickly as possible, pick Standard Mode. If you are an experienced SDVP user, and you want to take time to go through the initial configuration options in more detail, try Expert Mode. (Click here to read more about Expert Mode.)

Next, SDVP briefly analyzes your system so it can make some educated guesses about the optimal configuration for your sites:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Once the analysis is complete you can go on to the next screen. This summarizes several configuration options for each site, giving you a chance to change the default recommendations:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

For each Web site on the system, you will see checkboxes representing the following configuration options:

Optimize - This option lets SDVP optimize performance by ignoring requests for static resources like images. Applying security checks to such requests can slow down performance. Yet such files rarely pose any danger to a Web application, because by default IIS serves them up without executing any server-side code.

Note: If SDVP detects any 3rd party software that can execute within IIS during requests for static files (i.e., non-default ISAPI Filters or Extensions), it "unchecks" the Optimize option for the site. You should do likewise, if you know of any 3rd party ISAPIs that SDVP missed.

Uploads - Check this option for any of your sites that need to support file uploads. If checked, SDVP will still restrict the types of files that can be uploaded to that site, but it won't categorically block all uploads, as it does by default.

404 - By default, SDVP takes over 404 error handling for all sites. It does this in order to better identify and trap unfriendly robots. This means it serves its own specially-designed 404 error template, which you can customize with your site's look and feel.

Note: Some sites use custom 404 handling to run custom code (for example, to do URL rewriting). If this applies to any of your sites, be sure to uncheck this option, so that SDVP will not break the site's custom error handling mechanism.

Ext. logs - Extended logging is not turned on by default in IIS and the Configuration Wizard also does not enable it by default. However: We strongly suggest you turn it on, by checking the boxes in this column. Extended IIS logging allows SDVP to better determine if anomalous requests are part of a malicious pattern, or not.

Profile - A Profile is an overall set of configuration options tailored to sites of a certain type. All sites that are not customized will inherit the Default Profile, which is General Public Site. There are, however, other built-in Profiles to choose from. To change a site's Profile to one more appropriate for the site, click into the Profile column, and select the alternative Profile from the pull down menu:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Note that this will cause the site to stop inheriting its settings from the Default Profile and instead to have a custom Profile of its own. Click here for more information about custom Profiles.

The next screen provides an opportunity to set up your outbound email so that SDVP can start delivering Alerts and Daily Reports right to your inbox, if so desired. This requires that you specify an SMTP server for SDVP to send email through, as well as To and From addresses. (You can separate multiple addresses in the To field with commas or semicolons.)

ServerDefender VP Web Application Firewall for IIS and .NET Applications

The Daily Report is an email summary of the previous 24 hours worth of security activity, sent once per period, at midnight server-local time. If you do not wish to set up email using the wizard, the Daily Report emails can set up later instead.

The Alert that is configured along with the Daily Report is just an sample of SDVP Alerting can do: It notifies the recipients when an IP address is (or would have been) blocked due to excessive/frequent security violations. If you do not set up email using the wizard, Alerting can be set up later instead, using email and/or any of several alternative delivery options. A wide variety of specific Alerts may be configured as well.

Does your SMTP server require authentication, or SSL? Does it use a non-default SMTP port? Would you rather receive plain text emails than HTML emails? Fear not: there are additional configuration options for all of the above. Simply click the Advanced button to reveal them:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

If you ran the Configuration Wizard in Standard Mode there is nothing else to do. And if this is the first run of the wizard (the one that happens immediately following install) the concluding screen will look like this, and when you click Finish SDVP will immediately begin logging suspect activity:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Of course you may want to run the Configuration Wizard again later, once SDVP has had a chance to accumulate more data about your sites. To do that, just select the Configuration Wizard menu option from the Configure menu in the SDVP Settings Manager:

ServerDefender VP Web Application Firewall for IIS and .NET Applications


Switching Between Modes

SDVP has three modes of operation: OFF, LOG ONLY and ON. The difference between these modes is straightforward:

  • In OFF mode, SDVP does nothing.
  • In LOG ONLY mode, SDVP applies the security controls required by the configured Enforcement Level, and logs the resulting security events that fall within the configured Logging Level. It does not, however, take any action against these requests.
  • In ON mode, SDVP behaves just as it does in LOG ONLY mode, except that it also carries out the configured action for each security event--such as modifying or blocking specific requests, or blocking entire IP addresses.

To change modes, begin by selecting the appropriate Profile in the tree view. In this case we are changing the Default Profile's mode, which affects all of the sites under it.

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Note: Modes apply to the Profile that a site is using. Thus, all sites inheriting the Default Profile will change modes together. If you want to change the mode for one site only (and if that site is still inheriting the Default Profile), you will need to start by creating a custom profile for the site.

Now you have two ways to carry out the change:

1. Using the right-click menu in the tree view control. Suppose the Default Profile is in LOG ONLY mode, as pictured below. To change it to OFF mode, select Stop Protecting. To change it to ON mode, select Start Protecting:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

2. Alternatively, you can just use the radio buttons in the Status Bar to change the mode. Whether you use the right-click menu or the radio buttons, notice how the Status Bar changes color to indicate the change in mode: Red for OFF:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Yellow for LOG ONLY:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

And green for ON:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

If you are working in Standard View, that is all there is to changing modes: the change takes effect as soon as you click Apply. If you are working in Expert View, then when you change to LOG ONLY or ON, you will be shown a few of the advanced Configuration Wizard screens as well, to allow for some last-minute fine-tuning of the settings before the change takes effect.


Working in Standard View

Changing the Enforcement Level | Changing the Logging Level | Using Custom Profiles

Standard View is the way most users will interact with the SDVP Settings Manager most of the time. It is designed to give you enough control over SDVP's enforcement and logging behavior to adjust these to the needs of your site or sites, without requiring you to become deeply immersed in the details of the SDVP security controls. For users who do want or need that deeper immersion, the Expert View is always a button click away.

There are just two main controls to worry about in Standard View: The Enforcement Level slider and the Logging Level slider. You will see them both just under the Status Bar, along with a Show/Hide Details button:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Changing the Enforcement Level

The Enforcement Level control lets you decide how leniently or strictly SDVP should enforce its security controls. To adjust it, click Show Details, or just grab the Enforcement Level slider and move it in any direction. The Details Pane will appear on top of the Site Status tab:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

As you can see, the Details Pane lists a number of different security controls. Depending on your chosen Enforcement Level, these controls will either be disabled (represented by the green shield), partially enabled (the yellow shield), or fully enabled (the red shield).

Enforcement Level 3 (shown above) is the default setting, which is designed for the typical, public-facing Web site, to be both strong enough to prevent the most common Web application attacks, and lenient enough to avoid significant risk of false positives.

There are however a number of alternative Enforcement Levels you can try out, and we encourage you to do so, especially when (as pictured here) SDVP is in LOG ONLY mode. In that mode, the effect of the enabled security controls will only be logged, but not actually enforced. This gives you a chance to use SDVP's powerful LogViewer, along with its Reporting and Alerting tools, to assess how different Enforcement Levels would impact your sites.

If for example you slide the Enforcement Level control all the way to the left, SDVP's security controls will be set to the bar minimum, with little more than the SQL Injection and Cross-Site Scripting (XSS) controls being enforced:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Slide the Enforcement Level control all the way to the right, by contract, and SDVP's security controls will be set to the maximum level possible:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Changing the Logging Level

SDVP's Logging Level is just as easy to adjust as its Enforcement Level. While the default Logging Level is designed to record enough data to help you make informed configuration decisions, you may want to experiment with a more verbose Logging Level, especially when SDVP is in LOG ONLY mode and/or if you have already increased the Enforcement Level.

The check boxes on the lower part of the Details Pane indicate which categories of events will be logged. To increase the verbosity, simply slide the Logging Level control to the right:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

After SDVP has been running in ON mode for some time, it will likely reach a kind of steady state, with few surprises in the LogViewer each day. When that happens you may wish to reduce the default log verbosity. To do so, simply slide the Logging Level control to the left:

img src="/assets/images/sdvp_first_scrns_7f.png" alt="ServerDefender VP Web Application Firewall for IIS and .NET Applications">

Using Custom Profiles

As we saw when looking at how to switch between operating modes, much of the configuration of sites in SDVP is actually done using Profiles. Unless you customize the settings for a particular site when the Configuration Wizard runs for the first time, all of the sites on the server will initially be arranged under the Default Profile in the tree view, meaning they are inheriting most of their settings from that Profile.

If for instance the mode is ON for the profile, then it will be ON for all of the sites under it as well:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

You can customize the settings for a particular site at any time by creating a custom Profile for it. The site will still have the configuration settings inherited from the Profile it was using before, but now you will be able to change those settings without doing so for all of the sites under the Default Profile.

To create a custom profile for a site, you start by selecting it in the tree view:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

After the site has been selected you have several options for completing the Profile change:

1. Use the Customize Settings option from the right-click menu:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

This removes the site from under the Default Profile in the tree view, indicating that it now has a custom profile of its own, and can accept configuration changes directly:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

2. You can also just start making changes with either the Enforcement Level or Logging Level slider controls, and this too will break the site out into a custom Profile:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

ServerDefender VP Web Application Firewall for IIS and .NET Applications

3. Lastly, you can assign the site to one of the other built-in Profiles, instead of the one currently being used as the Default Profile. This too will customize the site's Profile, but it will do so using the built-in Profile you select as a starting point.

To do this, just choose the desired Profile from the drop-down menu to the right of the tree view:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

As you can see, the effect is similar to what happens with the first two methods, except that now the custom Profile has the name of the built-in Profile you selected as a template:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

One more thing to keep in mind: If you decide that you want to revert a site that has been customized to the configuration settings in the Default Profile, that option is always a right-click away:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

ServerDefender VP Web Application Firewall for IIS and .NET Applications


Monitoring Your Sites

Site Status | Blocked IPs | Alerting | Active Alerts | Reporting

The Site Status tab group provides controls to access and manage information about the current security status of the sites protected by ServerDefenderVP.

Site Status

  • This tab shows a summary of statistics collected by SDVP since the last restart of the ServerDefender VP service
  • Statistics are shown for both the server as whole as well as per site.
  • The statistics are auto-refreshed every 60 seconds, or on-demand, by using the Refresh button.
  • The refresh interval is configurable Operational Settings tab of the Global Settings dialog.)

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Blocked IPs

  • This tab lists IP addresses currently blocked by SDVP.
  • Both temporarily and permanently blocked IP addresses are listed.
  • IPs are blocked temporarily in response to suspect behavior such as accumulating excessive errors in too short a span of time.
  • IPs are blocked permanently using LogViewer or the IP Policy tab of the Session Management tab group.
  • To unblock an IP, check the associated checkbox and click the Unblock button.

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Alerting

Once one or more Alert providers have been configured, you can begin setting up individual Alerts, so as to be notified of specific errors/events of interest. To do this, go to the Alerting tab in the Settings Manager's Site Status tab group, and click the Add button:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

This brings up the Add/Edit Alert Information dialog:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Each Alert requires a unique name as well as a Level (corresponding to one of the Log Levels on the General tab of the Alert Settings dialog).

Note that the "Trigger" section of this dialog is similar in its logic to the "Match" section of the Add/Edit Input Exception dialog, in that leaving an item unchecked means it will not be used as a criterion for applying ("triggering") the Alert. Thus, the more boxes you check, and the more fields you fill in with something besides a * wildcard, the narrower (and thus the less frequent) your Alert will be. Of course each Alert must contain at least one trigger.

Note also that each Alert has its own selection of Alert provider(s). This means that different Alerts can be delivered using different providers, which can be useful in organizations where different monitoring mechanisms are used for events of different severities, for example.

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Once the Alert is fully configured, simply click OK to dismiss the dialog then OK (on the Settings Manager) to save the changes. The Alert will remain active as long as it is listed on the Alerting tab:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

ServerDefender VP Web Application Firewall for IIS and .NET Applications

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Active Alerts

When using email as an Alert provider, and email clients that can handle HTML, the Active Alert feature becomes available. This feature adds a button to most email Alerts, allowing you to temporarily block the IP address that triggered the Alert, without having to login to the SDVP Settings Manager or LogViewer to do so:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Alerts that notify you when an IP has been temporarily blocked have a different Active Alert option. In this case, you have the ability to unblock the temporarily blocked IP:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Reporting

The Reporting tab provides on-demand access to the following information sources:

ServerDefender VP Web Application Firewall for IIS and .NET Applications

Notes:

  • To activate the buttons for the two site-specific reports, you must first select a site using the tree view control.
  • Both of the Web Summary Reports can be made available for remote access by specific IP addresses. (See Remote Reporting for details.)
  • The Daily Report can also be sent to specified recipients via email. (See Configuring the Daily Report for details.)

Next: Using the LogViewer »