TEA Blog


Right out of the box, IIS could run as a fully functional web server without much need to configure various services. Unfortunately, attackers knew this and were able to compromise servers and websites that relied on IIS, because many of the administrators who installed the software were not aware of the steps they needed to take to secure it.

Much has changed over the years. In response to an increase in web-based application attacks, Microsoft made attempts to increase security in all of their products, including IIS. In version 6, they rolled out what was referred to as a lockdown-by-default approach, where many features and services were left out, or disabled, in the default installation. They were still available, but the administrator had to enable or install them, which meant the administrator knew they were running. In version 7, this approach changed again to a minimum-install approach, where only the bare minimum components are installed, giving attackers a much smaller surface to work from.


Despite the strides taken to protect IIS 7 from attacks, there are still risks that a web administrator needs to be aware of if they are running this application as their web server. This is what makes using a WAF (web application firewall) so appealing. Unfortunately, some of the things that make Microsoft's IIS so appealing are also some of the issues that anyone using it needs to be aware of.

It is a Microsoft product

It is not insecure because it is a Microsoft product, but the fact that Microsoft makes things easier for administrators still makes it a target. IIS can be installed and run on Server 2008 Core, which uses a command line interface rather than Windows. In this environment, the server is much more secure. However, when Windows is used, the temptation to make use of Internet Explorer to connect to the web is far too great and happens far too often. When servers are allowed to access the web, they are put at risk. Windows makes it too easy for a lazy admin to simply fire up IE to find something from their server rather than a workstation.

It is too easy to install software

One of the biggest threats to security is a web application. Odds are that most servers using IIS are using Windows. In a Windows environment, it is far too easy to install web applications like WordPress, Joomla!, or ZenCart. Although this is a huge selling point, it also poses a risk because if the web administrator does not have background knowledge related to the vulnerabilities that are present in these, or any other web application, then they may unknowingly be installing insecure software onto their server.

Of course, this can be true of applications installed via a command line interface or GNU/Linux shell as well; however, odds are that if a person is adept at using these tools, they are more aware of basic security risks as well.


Unfortunately for Microsoft, many web admins still remember what the Code Red and Nimda worms did to web servers using IIS: defacing websites, hitting them with Denial of Service attacks, and exploiting path traversal vulnerabilities.
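Probes of this kind leave recognizable requests in IIS W3C logs. The following is an added example, not part of the original article: a small scanner that decodes nested percent-encoding and flags Code Red style `/default.ida` requests, Nimda style `cmd.exe`/`root.exe` requests, and `..` path traversal. The log lines are constructed, and the field layout and rule names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-05 10:00:01 192.0.2.10 GET /index.html - 200
2024-01-05 10:00:02 192.0.2.44 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 404
2024-01-05 10:00:03 192.0.2.45 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2024-01-05 10:00:04 192.0.2.46 GET /scripts/root.exe /c+dir 404
2024-01-05 10:00:05 192.0.2.47 GET /download.aspx file=..%2f..%2fweb.config 200
2024-01-05 10:00:06 192.0.2.10 GET /docs/v1.2/readme.txt - 200
"""

# Rule names are illustrative labels chosen for this example.
RULES = [
    ("code-red-probe", re.compile(r"^/default\.ida\?[nx]{16,}", re.I)),
    ("cmd-exe-probe", re.compile(r"/(?:cmd|root)\.exe(?:\?|$)", re.I)),
    # ".." as a whole path segment, after /, \ or a parameter "=".
    ("path-traversal", re.compile(r"(?:^|[/\\=])\.\.(?:[/\\]|$)")),
]

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (%255c -> %5c -> backslash)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return (client_ip, status, [rule names]) for each suspicious request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        target = row.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        hits = [name for name, rx in RULES if rx.search(fully_decode(target))]
        if hits:
            findings.append((row.get("c-ip"), row.get("sc-status"), hits))
    return findings
```

A flagged request that returned a 2xx status, like the `web.config` line in the sample, deserves triage before the 404s, since the server may have served the file.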

Due to Microsoft's market share, it will always be a preferred target for malware attacks. Even as engineers work to patch known vulnerabilities, the thousands of pieces of malware being released into the wild every day pose significant threats to any server running Microsoft software.


Like any server, certain steps need to be taken to harden the operating system against attacks. While malware prevention, Intrusion Detection/Prevention Systems, network firewalls, and all of the other tools and techniques help prevent some attacks, they don't adequately prevent attacks launched against any third-party applications that have been installed on the server.

Protect IIS web servers against a variety of vulnerabilities to include:

  • Path Traversal

  • Known worms

  • Remote Command Execution

  • Probes

  • Denial of Service attacks

  • Compromised servers

your web application security needs:

  • Strong security against known and emerging hacking attacks

  • Best-of-breed predefined security rules for instant protection

  • Interface and API for managing multiple servers with ease

  • Requires no additional hardware, and easily scales with your business


Whether your web server is running IIS or Apache makes little difference. With hundreds of millions of dollars being stolen each year by cyber criminals, vulnerabilities will continue to be a problem as known ones are exploited and new ones emerge.

In addition to money and data stolen as a result of compromised servers and websites, businesses have to contend with a damaged reputation after an attack. When a breach of security occurs, customers and visitors second-guess visiting that site if they know that they are not safe. Once the search engines find malware or spam on a website, it can be flagged as malicious and removed from the search engine results page, causing a loss in legitimate traffic.
