Many companies have not made the move to Windows Server 2012 and 2012 R2, but IIS 8 and 8.5 are starting to see increasing adoption rates. While we're a fan of what Microsoft has achieved with security for Windows Server not everything seems to be perfect within the IIS 8.x security camp, and there are several vulnerabilities you need to be aware of that could appear in your windows event logs.
The first list of IIS 8.x Web Server vulnerabilities may not directly expose sensitive information, but could generate some red flags during a security audit or even allow attacks. They are:
- HTTP access is possible, which allows clear-text server connections that are not redirected to HTTPS.
- Cross-frame scripting could be used for click-jacking, where the user is tricked into clicking something different than they expect.
- SSL version 3 is enabled, facilitating the currently popular POODLE man-in-the-middle attack. The server could still be vulnerable, even if is supports later versions of TLS.
These vulnerabilities could be perceived as "noncritical" if they are flagged up by your log, as they may not be detrimental in their current state.
But you will also need to consider what's running on top of your IIS 8.x servers, and use a good vulnerability scanner to uncover flaws with the web applications themselves to paint the rest of the security picture. The following vulnerabilities could create security risks in your overall environment:
- Weak password policies that are often coupled with a lack of intruder lockout
- Cross-site scripting that attackers could exploit to spread malware and manipulate user information
- SQL injection to present the database through the web front end
- User session management weaknesses that allow attackers to manipulate application sessions
These vulnerabilities might not be as obvious as the previous list, they are more easily exploitable, more likely to put sensitive information at risk and hence be ranked as "critical" issues by your logging system.
Whether you're a administrator, developer or manager, we would recommend that you review the OWASP Top 10, which is an informative ranking of web security concerns that you might need to focus on.
This knowledge, coupled with employing a powerful logging and monitoring system and focusing on the application and server layer, will help improve your company's overall Web and Windows Server security.
If you liked this article on IIS vulnerabilities then why not check out our blog on how logging can help you improve IoT device performance.