Detecting Hackers Using Event Log Monitoring
In today’s competitive market, IIS (Internet Information Services) servers have become a necessity for companies and business organisations. IIS is a web server application and a set of feature extension modules serving roughly 21% of websites on the internet, with over six million installations worldwide. As a result, IIS web servers have become a big target for hackers and cyber-terrorists. The solution to this ever-growing problem is event log monitoring: the process of collecting, analysing and alerting on events recorded by IIS web servers. These events may stem from hardware or software faults; however, the primary concern is hackers.
The problem is that new ways of compromising your organisation’s IIS web servers keep emerging. The simple truth is that it doesn’t take an IT expert to penetrate your web server security and access your private corporate information. Competitors and past employees may have their own reasons for accessing your confidential information, and there are a number of ways through which that goal may be achieved.
Methods for hacking and hijacking web servers have become easier and more accessible. Nowadays someone with no prior experience can cause a lot of damage by using readily available programs that overload or exploit IIS web servers. One of the simplest methods of attacking an IIS web server is through a buffer overflow. This occurs when code is sent to your server which ‘confuses’ IIS and grants root access to the server. First, the hacker has to find an unpatched IIS server using a program such as ‘Dreamscape IISscanner’, which scans individual IP addresses. Once the program identifies that your web server is running IIS, the hacker can go to work corrupting, defacing or stealing your data. Alternatively, hackers can use a program that exploits a vulnerability in your system known as the IPP exploit.
Such methods of hacking are designed to completely bypass the security precautions that are typically configured, such as standard firewall rules and similar safety measures you might have set up. So the question remains: if every Tom, Dick and Harry can access your private corporate information, how can you defend your organisation? The answer is simple: ‘keep an eye on it’, and that is essentially what event log monitoring does.
Most attacks on IIS servers work by abusing the server’s own tools and your system files. By monitoring the activity on those files you can see every point of access, including whether users are tampering with them, because event log monitoring records and analyses the event logs of all the machines on your network. Therefore, if a hacker drops in unannounced, any change the hacker attempts will immediately trigger an alert sent directly to you in real time. For this to work, your version of Windows needs to be configured to audit intrusions, a setting known as “Object Access”. You can configure this security setting by opening the appropriate policy and expanding the console tree as follows: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\
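As an added example (not from the original post and not GFI’s product), the following PowerShell turns on the File System subcategory of Object Access auditing, places an audit rule (SACL) on an IIS web root, and then reads the resulting Security log events so that file tampering under the web root can be spotted; the web root path C:\inetpub\wwwroot is assumed, and the script must run in an elevated session. Note that the audit policy alone records nothing: Windows only logs access to files that carry an audit rule, which is why the second step is needed.

```powershell
# Added example: enable Object Access (File System) auditing and watch an IIS web root.
# Assumes the default IIS site root C:\inetpub\wwwroot; run in an elevated PowerShell.
$WebRoot = 'C:\inetpub\wwwroot'

# 1. Enable the "File System" subcategory of Object Access auditing (success and failure).
#    This is the local equivalent of the Audit Policy setting described above.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so that writes, deletes and permission changes by any
#    account are recorded for the web root and everything beneath it.
$acl  = Get-Acl -Path $WebRoot -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'Write, Delete, ChangePermissions, TakeOwnership',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $WebRoot -AclObject $acl

# 3. Read event ID 4663 ("An attempt was made to access an object") from the
#    Security log and report who touched which file under the web root.
function Get-WebRootFileAudit {
    param([string]$Path = $WebRoot, [int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each event's EventData is a list of named <Data> elements; flatten it.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like "$Path*") {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Process    = $d.ProcessName
                    File       = $d.ObjectName
                    AccessMask = $d.AccessMask
                }
            }
        }
}

Get-WebRootFileAudit | Format-Table -AutoSize
```

Accesses by the IIS worker process (w3wp.exe) are expected; an unfamiliar process or user account writing under the web root is the kind of entry a monitoring tool should alert on.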
What is extraordinary about this system is its simplicity. Event log monitoring is user-friendly and will enable your organisation to monitor all users attempting to access system files, and to tailor the program to your specific needs. This means that through event log monitoring you will be able to create alerts for specific occurrences, back up or even clear event logs, and a whole lot more. Your goal should be ensuring security, and through event log monitoring this can be easily achieved.
This guest post was provided by Chris DeMicoli on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI events log monitoring solution.
All product and company names herein may be trademarks of their respective owners.
