IIS in Cloud

Posted on 2015-01-27
Medium Priority
Last Modified: 2015-02-01

Referring to the (3rd party) IIS Module, is it a safe security practice to install it in a tenant's
VM in cloud environment?
Question by:sunhux
LVL 85

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 80 total points
ID: 40572597
Depends upon the 3rd party and what the module does. Normally I'd say that it isn't a security item.

Author Comment

ID: 40573200
Just to elaborate further what I'm looking for:

a) in the case of Struts for Apache, we'll need to address Struts vulnerabilities from time to
     time on top of Apache's vulnerabilities.  So does this IIS module also add on this extra
     potential vulnerability that we have to address from time to time?

b) do Windows 2008 R2 and IIS patches that are released by MS affect this module?
     Any special handling needed?

c) is there any VA scanner like Nessus (or Outpos  in our case) that could scan for this
    module's vulnerability?

d) does any IIS & Windows 2008 R2 hardening affect this module in any way?

Author Comment

ID: 40573215
In the case of plug-ins, I've seen Firefox introducing vulnerabilities.

This module appears to be F5 (loadbalancer) related: we do use F5 but I'm uncertain how it interacts
or what its impact on F5 is.

Some of the Firefox & IIS "plugins" related vulnerabilities that our IPS has reported:

,,,1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,Web Server IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"

,,,1001256 - Mozilla Firefox Acrobat Reader Plugin Universal Cross Site Scripting,Web Client Mozilla FireFox,2 - Normal,Medium,Prevent,Vulnerability,N/A,CVE-2007-0048,5.0,"January 17, 2008"

1004331 - Mozilla Firefox Plugin Parameter Array Dangling Pointer,Web Client Mozilla FireFox,2 - Normal,Critical,Prevent,Exploit,N/A,CVE-2010-2755,10.0,"Aug 11, 2010"

1005329 - Foxit Reader Plugin For Browsers URL Processing Buffer Overflow Vulnerability, Web Client Mozilla FireFox,2 - Normal,Critical, Prevent,Vulnerability,N/A,N/A,10.0, "Feb 13, 2013"

Author Comment

ID: 40573237
Is this module (given by the CDN provider) some sort of plugin?

Java/JRE plugins are another concern that we have to patch & apply IPS signatures for from time to time.

Author Comment

ID: 40573254
In the case of Java/Firefox & some common plugins, we can still get patches from Oracle/Firefox but
I'm concerned that if this module is not well-supported & one day has a vulnerability, there's no
vendor to produce a patch for it; if it's uncommon, our IPS products may not produce signatures for it.

If it's not a plugin nor some add-on that will give rise to security risk, then do let me know how it's
being assessed as such so that we'll proceed to have the tenant install it.
LVL 29

Accepted Solution

Dan McFadden earned 1920 total points
ID: 40575392
OK, this is not a plug-in... it is an IIS ISAPI Filter.  Here is an overview of the IIS ISAPI Filter system:


What this 3rd party filter appears to do is to solve the issue of using IIS servers behind a Load Balancer.  The issue is that in this configuration, the c-ip (client IP) in the IIS http logs will always be the inside interface of the LB, not the actual user coming in from somewhere on the Internet.  This ISAPI Filter is a shim between the IIS base system and the IIS logging system, that allows you to extract the X-Forwarded-For header and inject it into the local IIS http logs.

Reference link:

As for introducing security issues into your infrastructure, all software can introduce vulnerabilities.  It's one of the jobs a Sysadmin must attend to.  Only you can ascertain if the additional software installation is acceptable in your environment.

The ISAPI Filter is not necessary if you are using something like 3rd party analytics (Google Analytics, piwik, etc.) to track user activity on your website(s).  In this situation, you would normally turn off http logging on the site using the JavaScript based analytics.  This shim is only necessary if you are actively consuming and analyzing the IIS http logs and want to be able to see the real client IP behind the http request.

IMO, I would research the vendor/distributor of the 3rd party software to figure out how trustable they seem for your taste.  Deploy the software into a dev/test environment to ascertain the effect on the system and to see if it meets your needs and/or expectations.  After a test phase, if you and your management find the risks (if any) are acceptable, then schedule a deployment into PROD.

I've used 3rd party ISAPI Filters in the past, in production for intranet use as well as on a few relatively high volume websites.  I have used logging shims similar to what this one does and hadn't experienced any issues.  I only had to keep track of the developer's progress on the current version and keep up on updates.  I would recommend purchasing a support/maintenance contract (if it's pay-for software) in order to keep the software current, especially if it makes it into your production environment.
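
The log attribution described in the answer above, as an added example that is not code from the original post or from the filter's vendor: it reads W3C log lines where X-Forwarded-For is logged as an extra column and honours the header only when c-ip is the load balancer, since the header itself is client-supplied. The proxy subnet, the column name `cs(X-Forwarded-For)` and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
# Assumption: subnet holding the load balancer's inside interfaces (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]
XFF = "cs(X-Forwarded-For)"  # assumed name of the logged header column

# Constructed W3C extended log sample; IIS writes spaces in values as '+'.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(X-Forwarded-For)
2015-01-27 10:00:01 10.0.0.5 GET /index.htm 200 198.51.100.23
2015-01-27 10:00:02 10.0.0.5 GET /login.aspx 200 127.0.0.1,+203.0.113.9
2015-01-27 10:00:03 192.0.2.77 GET /admin.aspx 403 10.0.0.5
2015-01-27 10:00:04 10.0.0.5 GET /health.htm 200 -
"""

def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def effective_client_ip(c_ip, xff):
    """Pick the address to attribute a request to; the header counts only if the TCP peer is our LB."""
    if not is_trusted(c_ip) or xff in ("", "-"):
        return c_ip
    hops = [h.strip() for h in xff.replace("+", " ").split(",")]
    # Rightmost hops were appended by our proxies; the first untrusted one is the peer the LB saw.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return c_ip  # malformed header: fall back to the socket address
        if not is_trusted(hop):
            return hop
    return c_ip

def parse_log(text):
    """Parse W3C log text into dicts with an added 'client' key."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["client"] = effective_client_ip(rec["c-ip"], rec.get(XFF, "-"))
            rows.append(rec)
    return rows

for r in parse_log(SAMPLE_LOG):
    print(r["c-ip"], "->", r["client"])
```

The second sample line carries a forged leading entry and the third reaches the server without passing the load balancer; in both cases the client-supplied value is not used for attribution.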


Author Comment

ID: 40575622
1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,WebServer IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"

Gee, that was a very insightful response.

I personally prefer to use software developed by big players like MS and Oracle as they are seen as frequently developing patches for the likes of IIS, .Net, Java/JRE.

Curious if the IPS filter I listed earlier has any relation to this Isapi module:

Author Comment

ID: 40575635
Sorry, the formatting was out in my last post: the first 3 and a half lines were supposed to be at the bottom.

Author Comment

ID: 40575646
I recall there is a way to configure in F5 LB such that the client's source IP is logged in IIS logs: correct me if I'm wrong.  If so we won't need this ISAPI filter.
LVL 29

Assisted Solution

by:Dan McFadden
Dan McFadden earned 1920 total points
ID: 40577660
There is a discussion about this topic in the IIS.NET forums.  Reference link below.


Basically Microsoft has support for grabbing the real c-ip by utilizing a function inside ARR (Application Request Routing) to enable getting the desired c-ip into your http logs.  You'd be interested in looking at the ARR Helper.

For IIS 7/7.5 (Server 2008/2008 R2) you will need ARR 2.5.

But all of this comes back to how your infrastructure is configured.  The F5 forum has a discussion that specifically addresses the network configuration issues that lead to not seeing the origin client ip.  I would read thru the following link to get an insight to the issues and compare them to your network config.



Author Comment

ID: 40582469
