4 06 2008
Free security tools for IIS
With Internet Information Services (IIS) so widely used, several vendors have created commercial products you can use to test, improve or otherwise manage its security. There are also plenty of free tools that do a good job, and these are the ones I keep coming back to:
- N-Stalker Free Edition - Web vulnerability scanner that checks for common Web server misconfigurations as well as application-specific flaws such as cross-site scripting.
- Acunetix WVS Free Edition - Another feature-rich Web vulnerability scanner; the free edition checks for some basics and for cross-site scripting.
- ParosProxy - Web proxy tool that lets you analyze (and manipulate) what is going to and coming from your IIS server applications when manually testing for security flaws. It has some basic vulnerability scanning capabilities built in as well.
- Sandboxie - Application "sandbox" you can use on the client side with Internet Explorer and Firefox to see just what your IIS-based system is leaving in your browser's cache. It's very interesting to see what's going on at this level, and it is a common oversight when testing Web applications.
- SSL Diagnostics - Secure Sockets Layer (SSL) analysis and troubleshooting tool. You know me: I'm not a huge fan of hiding behind the security facade that many believe SSL offers, but this is a good tool for ensuring your configuration is correct. A misconfigured SSL setup is a common Web server problem I see when testing Web applications for security flaws.
- SSLDigger - An SSL strength analysis tool along the same lines as SSL Diagnostics, but it focuses solely on the strength of the ciphers your server will accept. You've got to have SSL anyway, so you might as well make sure it's as secure as possible. Many admins don't think about it, but weak ciphers are a flaw that can be exploited nonetheless.
- FSMax and Blast - I know, technically two different tools. I list them here as one since they have a similar goal: stress testing. Commercial alternatives are few and far between, and pricey at that, but denial-of-service and stress testing is something that should be run against any production IIS system (during a maintenance window, since a successful test takes the server down).
- Port80 Software Headercheck - A tool to see just what Web server information is being revealed to the world in your HTTP response headers. The guys at Port80 Software also have some free online tools for running other Web-related tests at www.port80software.com/support/p80tools.
- SiteDigger - Google hacking tool that searches Google's cache for sensitive information that may have been stored on your Web server at some point in time. Results are few and far between, but when it does find something, it's usually pretty juicy.
- Wfetch - HTTP header tool that allows you to see what's going on behind the scenes in client-server communications. Another great way to manually test your IIS system for security vulnerabilities.
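The check that Headercheck and Wfetch help you do by hand, written out as an added example (this is not code from the original post or from either tool): it parses a constructed IIS 6 / ASP.NET response (made-up test data, not a capture from a real host), flags the headers that announce server and framework versions, notes session cookies a page script could read, and, when run as a script with a host name you supply, does the same over a live HEAD request using only the Python standard library.

```python
"""Report version-disclosing HTTP response headers and readable session cookies.

Added example, not code from Headercheck or Wfetch. The sample response below
is constructed to look like a default IIS 6 / ASP.NET 2.0 reply.
"""
import http.client
import sys

# Headers IIS and ASP.NET emit by default that tell an attacker exactly what
# is running. Header names are compared case-insensitively.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Constructed test data (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Split a raw HTTP response into its status line and a header map.

    Returns (status_line, {lowercase_name: [value, ...]}). Repeated headers
    (Set-Cookie in particular) keep every value instead of only the last one.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip a malformed line rather than abort the whole report
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def find_disclosures(headers):
    """Return sorted (header, value) pairs that reveal server or framework versions."""
    return sorted(
        (name, value)
        for name in DISCLOSURE_HEADERS
        for value in headers.get(name, [])
    )


def cookies_without_httponly(headers):
    """Return names of Set-Cookie entries that lack the HttpOnly attribute."""
    weak = []
    for cookie in headers.get("set-cookie", []):
        attrs = [part.strip().lower() for part in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            weak.append(cookie.split("=", 1)[0].strip())
    return weak


def check_live_host(host, path="/", port=80):
    """Issue a HEAD request and run the same checks on the live headers."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    headers = {}
    for name, value in resp.getheaders():
        headers.setdefault(name.lower(), []).append(value)
    conn.close()
    return find_disclosures(headers), cookies_without_httponly(headers)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found, weak = check_live_host(sys.argv[1])
    else:
        _, parsed = parse_response_head(SAMPLE_RESPONSE)
        found, weak = find_disclosures(parsed), cookies_without_httponly(parsed)
    for name, value in found:
        print("disclosure: %s: %s" % (name, value))
    for cookie in weak:
        print("cookie without HttpOnly: %s" % cookie)
```

Run it with no arguments to see the report for the constructed sample, or pass a host name to check a live server; anything it prints is information you are handing to every visitor before they even request a page.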