

IIS in Cloud

Posted on 2015-01-27
Medium Priority
Last Modified: 2015-02-01

Referring to the (3rd party) IIS Module, is it a safe security practice to install it in a tenant's
VM in cloud environment?
Question by:sunhux
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 80 total points
ID: 40572597
Depends upon the 3rd party and what the module does. Normally I'd say that it isn't a security item.

Author Comment

ID: 40573200
Just to elaborate further what I'm looking for:

a) in the case of Struts for Apache, we'll need to address Struts vulnerabilities from time to
     time on top of Apache's vulnerabilities.  So does this IIS module also add on this extra
     potential vulnerability that we have to address from time to time?

b) do Windows 2008 R2 and IIS patches that are released by MS affect this module?
     Any special handling needed?

c) is there any VA scanner like Nessus (or Outpos  in our case) that could scan for this
    module's vulnerability?

d) does any IIS & Windows 2008 R2 hardening affect this module in any way?

Author Comment

ID: 40573215
In the case of plug-ins, I've seen Firefox introducing vulnerabilities.

This module appears to be F5 (loadbalancer) related: we do use F5 but I'm uncertain how it interacts
with F5 or what its impact on F5 is.

Some of the Firefox & IIS "plugins" related vulnerabilities that our IPS has reported:

,,,1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,Web Server IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"

,,,1001256 - Mozilla Firefox Acrobat Reader Plugin Universal Cross Site Scripting,Web Client Mozilla FireFox,2 - Normal,Medium,Prevent,Vulnerability,N/A,CVE-2007-0048,5.0,"January 17, 2008"

1004331 - Mozilla Firefox Plugin Parameter Array Dangling Pointer,Web Client Mozilla FireFox,2 - Normal,Critical,Prevent,Exploit,N/A,CVE-2010-2755,10.0,"Aug 11, 2010"

1005329 - Foxit Reader Plugin For Browsers URL Processing Buffer Overflow Vulnerability, Web Client Mozilla FireFox,2 - Normal,Critical, Prevent,Vulnerability,N/A,N/A,10.0, "Feb 13, 2013"


Author Comment

ID: 40573237
Is this module (given by the CDN provider) some sort of plugin?

Java/JRE plugins are another concern that we have to patch & apply IPS signatures for from time to time.

Author Comment

ID: 40573254
In the case of Java/Firefox & some common plugins, we can still get patches from Oracle/Firefox but
I'm concerned that if this module is not well-supported & one day has a vulnerability, there's no
vendor to produce a patch for it;  if it's uncommon, our IPS products may not produce signatures for it.

If it's not a plugin nor some add-on that will give rise to security risk, then do let me know how it's
being assessed as such so that we'll proceed to have the tenant install it.
LVL 28

Accepted Solution

Dan McFadden earned 1920 total points
ID: 40575392
OK, this is not a plug-in... it is an IIS ISAPI Filter.  Here is an overview of the IIS ISAPI Filter system:


What this 3rd party filter appears to do is to solve the issue of using IIS servers behind a Load Balancer.  The issue is that in this configuration, the c-ip (client IP) in the IIS http logs will always be the inside interface of the LB, not the actual user coming in from somewhere on the Internet.  This ISAPI Filter is a shim between the IIS base system and the IIS logging system that allows you to extract the X-Forwarded-For header and inject it into the local IIS http logs.

Reference link:

As for introducing security issues into your infrastructure, all software can introduce vulnerabilities.  It's one of the jobs a Sysadmin must attend to.  Only you can ascertain if the additional software installation is acceptable in your environment.

The ISAPI Filter is not necessary if you are using something like 3rd party analytics (Google Analytics, piwik, etc.) to track user activity on your website(s).  In this situation, you would normally turn off http logging on the site using the JavaScript based analytics.  This shim is only necessary if you are actively consuming and analyzing the IIS http logs and want to be able to see the real client IP behind the http request.

IMO, I would research the vendor/distributor of the 3rd party software to figure out how trustable they seem for your taste.  Deploy the software into a dev/test environment to ascertain the effect on the system and to see if it meets your needs and/or expectations.  After a test phase, if you and your management find the risks (if any) are acceptable, then schedule a deployment into PROD.

I've used 3rd party ISAPI Filters in the past, in production for intranet use as well as on a few relatively high volume websites.  I have used logging shims similar to what this one does and hadn't experienced any issues.  I only had to keep track of the developer's progress on the current version and keep up on updates.  I would recommend purchasing a support/maintenance contract (if it's pay-for software) in order to keep the software current, especially if it makes it into your production environment.
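
The logging issue described in the answer above, as an added example that is not part of the original thread or of the filter vendor's code: when IIS logs carry an X-Forwarded-For value, the header is only as trustworthy as the peer that sent it, so a log consumer should honour it only when c-ip is the load balancer. The proxy range, the log column name, the sample lines and the assumption that the LB appends the peer address as the last header entry are all constructed for illustration.

```python
import ipaddress

# Assumption: the load balancer's inside addresses (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/28")]

# Constructed W3C-format sample; the X-Forwarded-For column name is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2015-01-27 10:00:01 10.0.0.5 GET /default.aspx 200 203.0.113.7
2015-01-27 10:00:02 10.0.0.5 GET /login.aspx 200 192.0.2.99,+198.51.100.23
2015-01-27 10:00:03 198.51.100.50 GET /admin.aspx 403 127.0.0.1
2015-01-27 10:00:04 10.0.0.5 GET /health.htm 200 -
"""

def parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None  # not a syntactically valid IPv4/IPv6 address

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def effective_client_ip(c_ip, xff):
    """Pick the address a request should be attributed to."""
    peer = parse_ip(c_ip)
    if peer is None:
        return None
    # The header is client-supplied: honour it only when the TCP peer is our LB.
    if not is_trusted(peer) or xff in ("", "-"):
        return str(peer)
    # W3C logs write spaces as '+'. Walk right to left, skipping our own proxies.
    for hop in reversed(xff.replace("+", " ").split(",")):
        ip = parse_ip(hop)
        if ip is None:
            return str(peer)      # malformed header: fall back to c-ip
        if not is_trusted(ip):
            return str(ip)        # first non-proxy hop from the right
    return str(peer)              # header held only our own proxies

def resolve_log(text):
    fields, out = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            ip = effective_client_ip(row["c-ip"], row.get("X-Forwarded-For", "-"))
            out.append((row["cs-uri-stem"], ip))
    return out
```
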


Author Comment

ID: 40575622
1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,WebServer IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"

Gee, that was a very insightful response.

I personally prefer to use software developed by big players like MS and Oracle as they are seen as frequently developing patches for the likes of IIS, .Net, Java/JRE.

Curious if the IPS filter I listed earlier has any relation to this ISAPI module:

Author Comment

ID: 40575635
Sorry, the formatting was out in my last post: the first 3 and a half lines were supposed to be at the bottom.

Author Comment

ID: 40575646
I recall there is a way to configure the F5 LB such that the client's source IP is logged in IIS logs: correct me if I'm wrong.  If so, we won't need this ISAPI filter.
LVL 28

Assisted Solution

by:Dan McFadden
Dan McFadden earned 1920 total points
ID: 40577660
There is a discussion about this topic in the IIS.NET forums.  Reference link below.


Basically Microsoft has support for grabbing the real c-ip by utilizing a function inside ARR (Application Request Routing) to enable getting the desired c-ip into your http logs.  You'd be interested in looking at the ARR Helper.

For IIS 7/7.5 (Server 2008/2008 R2) you will need ARR 2.5.

But all of this comes back to how your infrastructure is configured.  The F5 forum has a discussion that specifically addresses the network configuration issues that lead to not seeing the origin client ip.  I would read thru the following link to get an insight to the issues and compare them to your network config.



Author Comment

ID: 40582469
