Security Checklists for IIS

Don’t Let XSS Fake Out your Traffic

Posted: August 9th, 2010
Filed under: Web and Application Security


and Damage your Good Name

A Cross-Site Scripting (XSS) Overview

Cross-site scripting (XSS) is a type of computer security vulnerability, typically found in Web applications, that enables attackers to inject client-side script into Web pages viewed by other users. XSS essentially compromises the trust relationship between a user and the Web site. As of 2007, XSS carried out on web sites was responsible for roughly 80% of all Internet security vulnerabilities, as documented by Symantec.


From Blind to Targeted Attacks

Posted: July 2nd, 2010
Filed under: Web and Application Security


A SQL Injection overview

A SQL injection attack exploits the fact that a typical dynamic Web site or application layer (i.e. ASP.NET, PHP, etc.) ultimately has access to a database layer. By using the application’s own code to get at the database, SQL injection attacks can do almost unlimited mischief: steal or corrupt sensitive data, host malware on the site, damage or even seize control of the entire application. This article provides a short overview of SQL injection and how it can be damaging to your Web applications.


The Windows Server 2008 Security Compliance Manager

Posted: July 2nd, 2010
Filed under: Web and Application Security


A new helpful free tool from Microsoft, the Security Compliance Manager provides an end-to-end solution to help plan, deploy, and monitor the security baselines of computers running Windows Server 2008.

The Security Compliance Manager provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.

This tool allows you to access the complete database of Microsoft recommended security settings, customize your baselines, and then choose from multiple export formats (Desired Configuration Management (DCM) packs, Security Content Automation Protocol (SCAP), XLS, or Group Policy objects (GPOs)) to deploy the baselines to your environment and automate the security baseline compliance verification process.

Combining use of a professional Web Application Firewall with the Security Compliance Manager will enable you to achieve a secure, reliable, and centralized IT environment that will help you better balance your organization’s needs for security and functionality.

To get more information about downloading a copy of the Security Compliance Manager visit Microsoft’s TechNet site.

/ P80


Cloak and Dagger Security: Hide and Protect your Server

Posted: March 22nd, 2010
Filed under: IIS & HTTP, Web and Application Security


Typically, the first step on the road to hacking a particular site is knowing all there is to know about that site, including what type of server it is hosted on. Server anonymization is a method of enhancing the security of a host by removing the ability of hackers and other intruders to get identifying information about a system, such as the vendor and version of its OS and any applications that might be running on it. This kind of information is enormously useful to people or programs that access hosts with malicious intent.


Hotlinking – Is it really that big of a deal?

Posted: March 15th, 2010
Filed under: IIS & HTTP, Web and Application Security


Well, if having your bandwidth stolen right out from under you without your permission can be considered a “big deal”, then yes, yes it is.

Let’s say you have a 100K JPEG that someone links to and places on their site, presenting the image as their own. However, the image is still being served from your server. Now, let’s say that particular JPEG sees 1,000 hits a day on their page; that’s 100MB of data being transferred from your site without your knowledge or permission, and without the benefit of any actual visitors coming to your site. I’d say this is a fairly big deal.


PCI DSS 6.5.6

Posted: January 20th, 2010
Filed under: IIS & HTTP, Web and Application Security


Information Leakage and Improper Error Handling

Information leakage and improper error handling happen when web applications do not limit the amount of information they return to their users. Web applications have the potential of leaking information about the version of the web server (IIS, Apache, etc.) you are running, the operating system, patch levels, and the names and versions of web technologies (PHP, SSL, SQL) your site may be utilizing. This in itself is a significant security weakness, and so is displaying detailed error messages or debug output.


Tally Ho and Onward to 2010

Posted: December 15th, 2009
Filed under: IIS & HTTP, Web and Application Security, Web Speed and Performance


2009 has proven to be a busy year of product development for Port80 Software, and we don’t see 2010 being any less productive. We have launched major upgrades and improvements in our tools, such as adding IIS 7/7.7 support to both CacheRight, our popular caching program, and LinkDeny, our easy-to-use anti-hotlinking tool. We’ve also seen point upgrades filled with new features and usability improvements to httpZip, ServerMask, ZipEnable, and ServerDefenderAI.

The future looks bright at Port80, with a major httpZip update adding IIS 7/7.5 and Windows 2008 support in early 2010. ServerDefenderVP, our powerful new Web Application Firewall, is in its final shakedown as you read this. By the time you are back to work it may already be out, or will be very shortly after, in time for you to deal with your New Year’s resolution to really lock your Web site/application down.

We look forward to continuing to provide our customers with the professional tools they have come to expect and the device compatibility they can rely on. We wish all of our clients a happy holiday and a very productive and profitable New Year.

Thank you for your continued patronage.

From all of us at Port80


You Can’t Catch What You Can’t See

Posted: July 20th, 2009
Filed under: IIS & HTTP, Web and Application Security


The importance of Web application firewalls

The front of your website can appear as calm as a lake surface, but underneath, do you really know what kind of trouble is brewing? While your website is online it is being subjected to traffic (tons of traffic for some of you lucky ones), some legitimate, some suspect. The not-so-wanted traffic can include hackers and spammers who are trying to break through the defenses of your site to get to your server and then either corrupt or steal information from your databases.


Announcing SDVP Webinar Event

Posted: July 8th, 2009
Filed under: Web and Application Security


Port80 Software Product Webinar Event
Hosted by Thomas Powell, CEO, Port80 Software

Tuesday, July 14, 2009
10:00 – 11:00 am (pst)

Introducing ServerDefender VP

This one-hour informational webinar will include an in-depth overview of our powerful new IIS Web application firewall software. During this event you will be able to see ServerDefender VP in action and learn how this tool can work for your organization’s Web security needs.

Contact Shannon (smccollough@port80software.com) today to reserve your spot for this event!


Have you been XSSed?

Posted: April 20th, 2009
Filed under: Web and Application Security


In his recent article on XSS vulnerabilities, Brian Krebs of the Washington Post reports that last year thousands of Web sites were cited for harboring security flaws that could be used to attack others online.

“At issue are sites that harbor so-called cross-site scripting (XSS) vulnerabilities, which occur when Web sites accept input from a user, usually from something like a search box or e-mail form, but do not prevent users from entering malicious code or other instructions.”


Untangling the Acronyms of Web Application Security

Posted: February 10th, 2009
Filed under: IIS & HTTP, Web and Application Security


OWASP, WAFEC, CVE… An excellent post from Jeremiah Grossman just caught my eye, where he tried to untangle the mess of acronyms that is Web application security. In his words, he was trying to “organize and describe some of the more focused [Web security] terminology/standard/framework public initiatives.” In his usual way, he brings clarity to an industry that could use it… a worthwhile read.


Data Privacy Day… for Your Server?

Posted: January 28th, 2009
Filed under: Web and Application Security


Today is the second annual Data Privacy Day, designed to raise awareness and generate discussion about data privacy practices and rights. The goal is to help users, especially teens, understand what info they should really keep to themselves online.

The event is mainly focused on educating consumers, but it got me thinking. Part of our mission with ServerMask is to tell everyone with a server, “Hey, you don’t have to broadcast information about your server if you don’t want to!”


To Link or Not to Link…

Posted: January 26th, 2009
Filed under: Web and Application Security


Widely reported a couple of weeks ago, the unusual lawsuit involving Gatehouse Media, Inc. and the New York Times Co. (parent of The Boston Globe) should make it to a federal courtroom this week. The upshot is that Gatehouse, publisher of 125 local newspapers across Massachusetts, is unhappy that the Boston Globe’s new local websites are linking to their content.


Online Screencasts Are Here

Posted: January 8th, 2009
Filed under: Web and Application Security, Web Speed and Performance


We know, you’ve all been waiting for this moment… We here at Port80 have pulled together some overview Screencasts of our products, including the most recent release of ServerMask 4.1.1, not yet a month old!

Check them out at www.port80software.com/screencasts

Cheers!

Jenny @ Port80


Free tools to improve IIS security

Posted: May 28th, 2008
Filed under: Web and Application Security


Here is a short and sweet list of free IIS security tools by Kevin Beaver @ TechTarget (he wrote the classic Hacking for Dummies):

http://searchsecurity.techtarget.com.au/articles/24798-Free-tools-to-improve-IIS-security

Port80’s HeaderCheck and other free HTTP analysis tools are mentioned in there as well (toot-toot goes the horn), but it is a useful list of tools. And free is nice, given the price of gas and all!

Cheers,
Port80

PS Our Deal Packs are not “free“, but they are a little lighter on the ol’ budget — check them out at http://www.port80software.com/performance.


Microsoft Says SQL Injection Attack Not Their Fault (Translation: Get a Web App Firewall!)

Posted: April 28th, 2008
Filed under: Web and Application Security


The recent wave of SQL injection attacks has made mainstream news, just in case you have not seen it:

Hundreds of Thousands of Microsoft Web Servers Hacked

Jeremiah Grossman and others have made the point, accurately, that this is not a Microsoft IIS Web server issue, but rather that Web developers not adhering to security best practices are to blame (for shame, it is not like we have enough to do already!):

Security expert: Don’t blame Microsoft for mass site defacements

To solve this puzzle, look no further than controlling parameters and permissions and sanitizing your inputs with a Web application firewall (WAF) like ServerDefender AI or the upcoming ServerDefender VP. Yes, you can learn to write more secure code, but why wait to get protected or deal with recoding legacy bits? Get a WAF, and get PCI compliant, something we all need to be focusing on now.

Cheers,
Port80

PS BTW thanks to Jeremiah for being one of the early believers in ServerMask… it is nice to watch as his security star rises!
