Many shops haven't yet made the move to Windows Server 2012 and 2012 R2, but I'm starting to see IIS 8 and 8.5...
more and more in my work. Having been a fan of what Microsoft has done with security in Windows Server, it would be easy for me to assume that Microsoft's Web server would be mostly immune from attacks as well. After all, when you look at the vulnerability databases, there have been minimal security flaws impacting IIS recently.
Not everything is perfect with IIS 8.x security, and attack immunity is hardly the case. When you dig in further, IIS does indeed have some issues that can get you into a bind. The first set I describe may not directly expose sensitive information, but can certainly facilitate attacks and even generate some red flags during security audits -- especially if the auditor doesn't put any context around the criticality of the findings. The following are vulnerabilities that every IIS 8.x Web server likely has, right now:
- SSL version 3 is enabled. This facilitates the POODLE man-in-the-middle attack that's been popular lately. Even if the server also supports later versions of TLS, it can still be vulnerable.
- Cross-frame scripting that facilitates clickjacking. This can be used to trick users into clicking something different from what they perceive they're clicking.
- HTTP access is possible. This permits cleartext server connections that are not redirected to HTTPS.
In most situations, I typically consider these flaws "non-critical" since they may not be detrimental in their current state.
You also need to look beyond these server-centric vulnerabilities and consider what's running on top of your IIS 8.x servers. Just because your IIS 8.x Web servers "pass" basic vulnerability scans doesn't mean you shouldn't dig in further with a good vulnerability scanner that's dedicated to uncovering flaws within the Web applications themselves, such as NTOSpider, Acunetix Web Vulnerability Scanner, or Netsparker. These findings will paint the rest of the security picture.
The following security vulnerabilities don't get the press coverage that the fly-by-night brand-name software exploits get because they're more specific to each application, but they can create security risks in your environment more than anything else:
- Cross-site scripting which helps attackers manipulate user information and spread malware
- SQL injection which presents the database to the world through the Web front-end
- User session management weaknesses that allow application sessions to be manipulated by attackers
- Weak password policies that are often combined with a lack of intruder lockout
Even though they're not as obvious as Web server-centric issues above, these flaws are much more easily exploitable and likely to put sensitive information directly at risk. Again, there are many variables, but I typically rate these findings as critical -- things that need to be fixed as soon as possible.
Whether you're a manager, administrator or developer, I recommend you review the OWASP Top 10, which is a consensus listing of the Web security concerns that are believed to be the most important ones to focus on. Focusing on the server and the application layer -- on a periodic and consistent basis -- will help your organization get to where it truly needs to be with overall Web and Windows Server security.