

IIS in Cloud


Referring to the (3rd party) IIS Module, is it a safe security practice to install it in a tenant's
VM in a cloud environment?
David Johnson, CD, MVP (Owner) commented:
Depends upon the 3rd party and what the module does. Normally I'd say that it isn't a security item.
sunhux (Author) commented:
Just to elaborate further on what I'm looking for:

a) In the case of Struts for Apache, we'll need to address Struts vulnerabilities from time to
     time on top of Apache's vulnerabilities.  So does this IIS module also add this extra
     potential vulnerability that we have to address from time to time?

b) Do Windows 2008 R2 and IIS patches that are released by MS affect this module?
     Any special handling needed?

c) Is there any VA scanner like Nessus (or Outpos in our case) that could scan for this
    module's vulnerability?

d) Does any IIS & Windows 2008 R2 hardening affect this module in any way?
sunhux (Author) commented:
In the case of plug-ins, I've seen Firefox introducing vulnerabilities.

This module appears to be F5 (load balancer) related: we do use F5 but I'm uncertain how it interacts
with F5 or what its impact on F5 is.

Some of the Firefox & IIS "plugins" related vulnerabilities that our IPS has reported:

,,,1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,Web Server IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"

,,,1001256 - Mozilla Firefox Acrobat Reader Plugin Universal Cross Site Scripting,Web Client Mozilla FireFox,2 - Normal,Medium,Prevent,Vulnerability,N/A,CVE-2007-0048,5.0,"January 17, 2008"

1004331 - Mozilla Firefox Plugin Parameter Array Dangling Pointer,Web Client Mozilla FireFox,2 - Normal,Critical,Prevent,Exploit,N/A,CVE-2010-2755,10.0,"Aug 11, 2010"

1005329 - Foxit Reader Plugin For Browsers URL Processing Buffer Overflow Vulnerability, Web Client Mozilla FireFox,2 - Normal,Critical, Prevent,Vulnerability,N/A,N/A,10.0, "Feb 13, 2013"

sunhux (Author) commented:
Is this module (given by the CDN provider) some sort of plugin?

Java/JRE plugins are another concern that we have to patch & apply IPS signatures for from time to time.
sunhux (Author) commented:
In the case of Java/Firefox & some common plugins, we can still get patches from Oracle/Firefox but
I'm concerned that if this module is not well-supported & one day has a vulnerability, there's no
vendor to produce a patch for it; if it's uncommon, our IPS products may not produce signatures for it.

If it's not a plugin nor some add-on that will give rise to security risk, then do let me know how it's
being assessed as such so that we'll proceed to have the tenant install it.
Dan McFadden (Systems Engineer) commented:
OK, this is not a plug-in... it is an IIS ISAPI Filter.  Here is an overview of the IIS ISAPI Filter system:

Link:  http://www.iis.net/configreference/system.webserver/isapifilters

What this 3rd party filter appears to do is to solve the issue of using IIS servers behind a Load Balancer.  The issue is that in this configuration, the c-ip (client IP) in the IIS http logs will always be the inside interface of the LB, not the actual user coming in from somewhere on the Internet.  This ISAPI Filter is a shim between the IIS base system and the IIS logging system that allows you to extract the X-Forwarded-For header and inject it into the local IIS http logs.

Reference link:  https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

As for introducing security issues into your infrastructure, all software can introduce vulnerabilities.  It's one of the jobs a Sysadmin must attend to.  Only you can ascertain if the additional software installation is acceptable in your environment.

The ISAPI Filter is not necessary if you are using something like 3rd party analytics (Google Analytics, piwik, etc.) to track user activity on your website(s).  In this situation, you would normally turn off http logging on the site using the JavaScript based analytics.  This shim is only necessary if you are actively consuming and analyzing the IIS http logs and want to be able to see the real client IP behind the http request.

IMO, I would research the vendor/distributor of the 3rd party software to figure out how trustable they seem for your taste.  Deploy the software into a dev/test environment to ascertain the effect on the system and to see if it meets your needs and/or expectations.  After a test phase, if you and your management find the risks (if any) are acceptable, then schedule a deployment into PROD.

I've used 3rd party ISAPI Filters in the past, in production for intranet use as well as on a few relatively high volume websites.  I have used logging shims similar to what this one does and hadn't experienced any issues.  I only had to keep track of the developer's progress on the current version and keep up on updates.  I would recommend purchasing a support/maintenance contract (if it's pay-for software) in order to keep the software current, especially if it makes it into your production environment.
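
The logging behaviour described in the answer above, seen from the log consumer's side, as an added example that is not part of the original thread or of any vendor's code: it parses W3C-format IIS log lines and picks the client address, using X-Forwarded-For only when c-ip is the load balancer and taking the rightmost non-proxy entry, because anything to the left of it was supplied by the client. The proxy subnet, the logged field name "X-Forwarded-For" and the sample lines are assumptions constructed for illustration, as is the load balancer appending rather than replacing the header.

```python
import ipaddress

# Assumption: inside addresses of the load balancer, i.e. what IIS logs as c-ip.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample in W3C extended log format; the extra field name
# "X-Forwarded-For" is an assumption about how the shim labels the header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2016-01-05 10:00:01 10.0.0.5 GET /default.aspx 200 203.0.113.7
2016-01-05 10:00:02 10.0.0.5 GET /login.aspx 200 192.0.2.1,+198.51.100.9
2016-01-05 10:00:03 198.51.100.77 GET /admin.aspx 403 127.0.0.1
2016-01-05 10:00:04 10.0.0.5 GET /default.aspx 200 -
2016-01-05 10:00:05 10.0.0.5 GET /default.aspx 200 not-an-ip
"""

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def resolve_client_ip(c_ip, xff):
    """Return (address, source) where source is 'xff' or 'c-ip'."""
    peer = ipaddress.ip_address(c_ip)
    if not _is_trusted(peer) or xff in ("", "-"):
        return c_ip, "c-ip"          # direct hit or no header: header not usable
    # W3C logs write spaces as '+', so "a, b" is logged as "a,+b".
    # Walk right to left: the rightmost entries were added by our own proxies.
    hops = [h.strip("+ ") for h in xff.split(",")]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return c_ip, "c-ip"      # malformed header: fall back to the peer
        if not _is_trusted(ip):
            return str(ip), "xff"
    return c_ip, "c-ip"              # header held only our own proxies

def parse_log(text):
    """Return (uri, client address, source) for each request line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            ip, src = resolve_client_ip(rec["c-ip"], rec.get("X-Forwarded-For", "-"))
            rows.append((rec["cs-uri-stem"], ip, src))
    return rows
```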

sunhux (Author) commented:
1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,WebServer IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"

Gee, that was a very insightful response.

I personally prefer to use software developed by big players like MS and Oracle as they are seen as frequently developing patches for the likes of IIS, .Net, Java/JRE.

Curious if the IPS filter I listed earlier has any relation to this ISAPI module:
sunhux (Author) commented:
Sorry, the formatting was out in my last post: the first 3 and a half lines were supposed to be at the bottom.
sunhux (Author) commented:
I recall there is a way to configure the F5 LB such that the client's source IP is logged in IIS logs: correct me if I'm wrong.  If so, we won't need this ISAPI filter.
Dan McFadden (Systems Engineer) commented:
There is a discussion about this topic in the IIS.NET forums.  Reference link below.

link:  http://blogs.iis.net/deanc/archive/2013/07/08/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs.aspx

Basically Microsoft has support for grabbing the real c-ip by utilizing a function inside ARR (Application Request Routing) to enable getting the desired c-ip into your http logs.  You'd be interested in looking at the ARR Helper.

For IIS 7/7.5 (Server 2008/2008 R2) you will need ARR 2.5.

But all of this comes back to how your infrastructure is configured.  The F5 forum has a discussion that specifically addresses the network configuration issues that lead to not seeing the origin client ip.  I would read thru the following link to get an insight to the issues and compare them to your network config.

Link:  https://devcentral.f5.com/questions/get-clientip-address-behind-loadbalancer
