ServerDefender VP FAQ
Security & Usability
Can you give me a basic overview of ServerDefender VP?
ServerDefender Vulnerability Protection Intelligence, or ServerDefender VP, is a Web application software firewall that combines white-listing and black-listing rules with a behavior-based analysis component. This component uses pattern-based rules to detect and stop hack attempts, rather than a set of attack signatures that constantly need to be updated. ServerDefender VP also uses sessions to track and score users' behavior, slowing bad users down and eventually blocking them. ServerDefender VP protects Windows-based servers installed with Microsoft Internet Information Services (IIS) from known, new, internal and external system threats and misuse.
ServerDefender VP is designed to overcome the limitations of security products that rely solely on configured rules, policies, and attack signature matching. ServerDefender VP protects IIS from an array of exploits and vulnerabilities including SQL injection, brute force, Denial of Service (DoS), file uploading, cross-site scripting (XSS), directory traversal, privilege escalation, parameter manipulation, buffer overflow, cookie tampering, and other Web-based attacks.
What's the difference between Standard View and Expert View?
Standard View: Control security and logging broadly through two sliders. Security and logging level will be displayed with icons. Allows for minimal control over security settings.
Expert View: Control security and logging through granular controls that allow for highly specific rules to be set. Allows for a high level of control over security settings.
Should I use Standard or Expert View when evaluating SDVP?
It is recommended that users use Standard View in Log Only mode when first beginning to evaluate SDVP. This will allow SDVP to gather data about site usage and events (i.e. where on the site users will be blocked), and allow users to familiarize themselves with the basic controls before digging in. Once Log Only mode has been run for a period of time, and SDVP is put into “On Mode”, use of Expert View vs. Standard View comes down to user preference and need. For those who prefer or need more granular controls, Expert View is the way to go. Those who want simpler controls and don’t need the granularity of Expert View can use Standard View.
What is Log Only Mode?
Once installed, ServerDefender VP should run in Log Only mode, where it will collect and organize IIS-specific data (HTTP/HTTPS requests and IP addresses) to learn and understand normal use patterns (both trusted and untrusted) within the server environment. In Log Only mode, SDVP applies the security controls required by the configured Enforcement Level, and logs the resulting security events that fall within the configured Logging Level. It does not, however, take any action against these requests. The process of organizing these clusters is guided through the use of a built-in knowledgebase of published attack signatures. Once the required number of training events has been collected, ServerDefender VP shifts automatically into "Monitoring" mode.
What are the different event types or classifications?
Event Classification in ServerDefender VP is simple. Proper classification of events is essential and can be accomplished as Security Alerts are displayed, or during periodic review of the Security Alert Log.
How long should I run ServerDefender VP in Log Only mode for?
The initial training phase is determined automatically and commences when ServerDefender VP is first installed. The duration of the initial training phase is determined by considering the specific characteristics of the server environment and related factors such as processor speed, memory and the configurable number of unique events deemed sufficient to establish the baseline database. Typically training is completed within 15 minutes to several hours.
Should I test ServerDefender VP in my production environment?
If at all possible, this should be avoided. The ideal scenario would be to test ServerDefender VP in a development environment before deploying it in a production environment. This way, ServerDefender VP can be configured properly, tested, and checked for compatibility without any potential negative effects on users. Should testing need to be done in a production environment, it should be done in Log Only mode and not turned On until configured properly.
What are the minimum system requirements to install and run ServerDefender VP?
ServerDefender VP runs on Windows 2003, 2008, and 2012 Web servers with Microsoft's Internet Information Services (IIS 6 and 7.x).
Will ServerDefender VP run with my application environment?
ServerDefender VP is application neutral, meaning that it will not matter if you’re running Cold Fusion, PHP, ASP.NET, or others. So long as your setup meets the installation requirements, ServerDefender VP will work with any application environment.
Any incompatibility issues with firewalls or anti-virus applications?
There are no known compatibility conflicts with any anti-virus or firewall products, and ServerDefender VP is designed to augment these systems by adding Web application firewall protection over HTTP and HTTPS.
Is ServerDefender VP compatible with other Port80 tools?
ServerDefender VP's Settings Manager is implemented as a Microsoft Management Console (MMC) Snap-in, while the majority of Port80 Software's other tools have their own independent user interfaces that do not rely on an MMC snap-in. All Port80 Software products are fully compatible with each other and most third-party tools that extend the IIS Web server.
Security & Usability
I am trying to test ServerDefender VP locally (on the same machine I have it installed on), but nothing shows up in the logs. What is the issue?
If you are testing ServerDefender VP with a browser or load/stress tool from the same local machine that you have ServerDefender VP installed upon, make sure that your internal IP address is not on the Trusted IP Addresses list. Otherwise, your requests will not show up in the logs, create events, or be blocked, as Trusted IP traffic is not logged by ServerDefender VP.
Also, if you are concerned about "internal" hackers (employees or partners with access from your LAN), you may not want to trust those internal IP addresses within ServerDefender VP, as you will not be able to log any of those Trusted IP Address requests in ServerDefender VP unless you alter the defaults.
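The following sketch is an added example, not Port80 Software's code: it models three behaviors this FAQ describes, namely session scoring that slows and then blocks a user, Log Only mode recording events without acting on them, and Trusted IP traffic never reaching the log. The rule names, scores, thresholds and sample traffic are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical rule weights and thresholds, chosen for illustration only;
# they are not ServerDefender VP's rules or defaults.
RULE_SCORES = {"sql_injection": 5, "directory_traversal": 4, "input_validation": 2}
THROTTLE_AT, BLOCK_AT = 5, 10

@dataclass
class Firewall:
    mode: str = "log_only"                        # "log_only" or "on"
    trusted: list = field(default_factory=list)   # ipaddress network objects
    scores: dict = field(default_factory=dict)    # session id -> running score
    log: list = field(default_factory=list)       # recorded security events

    def handle(self, session, ip, rule_hits):
        addr = ipaddress.ip_address(ip)
        # Trusted traffic is neither scored nor logged.
        if any(addr in net for net in self.trusted):
            return "allow"
        score = self.scores.get(session, 0) + sum(RULE_SCORES[r] for r in rule_hits)
        self.scores[session] = score
        if score >= BLOCK_AT:
            verdict = "block"
        elif score >= THROTTLE_AT:
            verdict = "throttle"
        else:
            verdict = "allow"
        if rule_hits:
            self.log.append((session, ip, tuple(rule_hits), score, verdict))
        # Log Only mode records the verdict but never acts on it.
        return verdict if self.mode == "on" else "allow"

def replay(mode, trusted=()):
    """Run constructed sample traffic through a fresh Firewall."""
    fw = Firewall(mode=mode, trusted=[ipaddress.ip_network(n) for n in trusted])
    traffic = [  # constructed sample: (session, source IP, rules tripped)
        ("s1", "203.0.113.7", []),
        ("s1", "203.0.113.7", ["sql_injection"]),
        ("s1", "203.0.113.7", ["directory_traversal"]),
        ("s1", "203.0.113.7", ["input_validation"]),
        ("s2", "127.0.0.1", ["sql_injection"]),       # local test request
    ]
    return [fw.handle(*req) for req in traffic], fw.log

if __name__ == "__main__":
    for mode, trusted in [("log_only", ()), ("on", ()), ("on", ("127.0.0.0/8",))]:
        actions, log = replay(mode, trusted)
        print(mode, trusted, actions, len(log))
```

In the third run the local test request is allowed and leaves no log entry, which is the symptom described in the question above.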
ServerDefender VP is blocking legitimate requests. How can I fix this?
How do I block by IP or block an entire country?
Enter Expert View and select Session Management. Within Session Management select the IP Policy tab. Here, a blacklist or whitelist of IPs can be created for single IPs or ranges of IPs. There is also the option to block IPs by country. This can be done by selecting the desired country from the drop down menu of available countries.
After I install ServerDefender VP, must I continue to run my existing firewall and other security solutions?
ServerDefender VP is complementary and fully compatible with most other popular security solutions that you may have deployed on your system. ServerDefender VP can detect and prevent many vulnerabilities (e.g. hacks over HTTP and HTTPS) which evade traditional firewalls, as they are not designed to provide this type of protection. ServerDefender VP can also be used to monitor "internal" activities that occur behind the firewall and out of the "line of sight" of typical network security utilities.
What types of data does ServerDefender VP monitor and assess?
ServerDefender VP is designed specifically to protect Microsoft IIS Web servers and the sites and applications running on it. ServerDefender VP uses an ISAPI filter to collect IIS-specific request/response variables to conduct analysis and threat prevention.
How do I set an exception?
When an event displayed in the Log Viewer, such as an input validation error or SQL injection, is not a real error but a valid request, you will want to add an exception to prevent future requests from being blocked. To add an exception, right-click the incident you want to make an exception for and select “Create an Exception.” Now, enter the exception rule you would like to create, name it, create a comment for it, and click OK when complete to save it.
Does ServerDefender VP actually prevent threats and intrusions?
ServerDefender VP's primary point of differentiation is its effectiveness in detecting known and, most importantly, new or unaddressed threats. ServerDefender VP is configurable to initiate preventative actions to thwart intrusion attempts and other types of misuse by issuing alerts and executing specific preventative actions.
What interface is required to integrate ServerDefender VP with other applications?
ServerDefender VP's Settings Manager is implemented as a Microsoft Management Console (MMC) Snap-in. The data collection component for the service is an ISAPI filter.
I turned on ServerDefender VP and now I am getting “Internal Server Error” issues on my site. What’s happening?
ServerDefender VP has a default error handling mechanism to prevent 5xx errors from being displayed to visitors. This mechanism will detect when a 5xx error occurs in a page and will serve a template (a red and green ServerDefender VP template by default) that will include troubleshooting information. When a 5xx error occurs this troubleshooting information will say “internal server error.” This is a security best practice used to prevent hackers from obtaining valuable error information provided by error status codes and error details.
Sometimes it is unclear why these errors occur, in which case you may want to create an IP exception for your own IP address or your developer’s IP address (Expert View > Admin Options > IP Exceptions) so you can bypass the error template served by SDVP. Then you can browse to the URL experiencing the issue and see the error message and address it accordingly. Pages will sometimes appear to load fine and present no error message - this does not mean that there is no error.
If you are getting the ServerDefender VP error template with a Server Internal Error, please contact firstname.lastname@example.org and we will work with you to resolve the issue.
After I install ServerDefender VP I am getting an error that references "the WebResource.axd Handler" when I try to access my site/app - what is wrong?
If you are seeing an error that contains "The WebResource.axd handler must be registered in the configuration to process this request," then you will need to follow the instructions below:
This issue occurs because the site uses validation controls and has a wildcard-mapped ISAPI extension (SDVP). This issue is confirmed by Microsoft as a problem in IIS/ASP.Net and a hotfix is available.
Steps to install the hotfix:
- Visit http://support.microsoft.com/kb/2591200 (ASP.Net 4) / http://support.microsoft.com/kb/2505146 (ASP.Net 2)
- Click on View and request hotfix downloads
- Click on "Show hotfixes for all platforms and languages"
- Select the appropriate one and enter your email address; you will receive the download link by email. In this case we need the one for x64
- Run the downloaded file; it will extract the files to the folder you specify
- Run the extracted hotfix setup file from the above folder