Thoughts on IIS Security vs Apache


I got the following interesting question about IIS security and whether it was better to “protect” IIS with an Apache server in front of it. Hmm, let’s take a step back and look at what is security…


Question:


Hey, I really like your blog. I was wondering if you could give me your quick thoughts on this: A guy at my office is concerned about us having an IIS web server that is exposed to the internet. He wants to “front” the IIS server with an Apache server and have the Apache server redirect to the IIS server for “better” security. Thoughts???


Answer:


Oh, hey, a juicy topic… IIS and security. :-) Please let the guy at your office voice his concerns and rationales as comments on this blog entry – I am very interested to hear and discuss it.


I presume the proposed network topology would have Apache facing the Internet, and it transparently forwards requests (using something like mod_rewrite and mod_proxy) to the IIS server on your Intranet (i.e. IIS server is otherwise not accessible via the Internet). IIS then processes the request, sends a response back to Apache, which then relays it back to the client in the Internet.


In general, I do not believe that simply fronting IIS with an Apache server results in “better” security. I find the statement to be a bit vague to base any sort of decision. Mind you, I do not wish to engage in any zealous or emotional behavior; I am simply stating impartial facts and drawing logical conclusions. :-)


Here is what I think of the proposed network topology and security in general:



  1. By inserting Apache in front of IIS for every request, all you accomplish is execute more code (both Apache and IIS) per request from the Internet. All code has non-zero defect rate, so inserting more code simply increases your chance of encountering a defect per request, and some percentage of those defects are security related. Thus, by inserting Apache, you merely increase the risk of triggering a security defect for each request.
  2. By isolating IIS in the Intranet, away from direct Internet access except through Apache, all you accomplish is deny Internet-based access to all ports on the IIS machine except for those that are open on Apache. You can accomplish this same effect by placing a firewall, either a hardware device or software running on the IIS machine, that only allows the same open ports on Apache for clients to access. You do not need Apache to do this.

Thus, at best, your proposed network topology cannot improve security.


What? You mean Apache does not Improve Security? Blasphemy!


Now, I know that you have heard all those reports saying how IIS5 is insecure and that Apache 1.x is solid and runs 70% of the worlds websites, so you wager that “since IIS5 is insecure, blanketing it with Apache should improve its security, right?” However, such a statement is based on emotions and a warm, fuzzy feeling and not the cold, hard facts. So, sorry for busting up your fairy tales about Apache and introducing some real-world concepts that qualify and quantify security to a point where you can logically determine whether a given action increases or decreases security. Only then can you make decisions that result in measurably “better” security. :-)


Basic Security Terminology and Theory


To talk about security, we must agree on a couple of terminologies and concepts:



  • Valuables – these are your worthy resources that you are trying to protect.
  • Threats – these are the bad guys that are trying to steal or otherwise compromise your Valuables.
  • Vulnerability – this is the means by which a Threat can compromise your Valuables.
  • Exploit – When a Threat is successful in utilizing a Vulnerability to compromise your Valuables.

Clearly, the basic problem in security rests on protecting one’s Valuables. What are some of the ways to do this?



  1. Have no Valuables. If there is nothing worthy to take, then you are secure from having things taken from you.
  2. Eliminate Threats. Take care of the bad guys before they take care of you.
  3. Eliminate Vulnerabilities. Get rid of ways for bad guys to take things from you.
  4. Stop Exploits. Utopian world where there are no bad guys interested in being a Threat.

Most of the approaches are extreme and rare to accomplish. Most of this world tries to accomplish #3 – eliminate vulnerabilities.


About Security Vulnerabilities


When talking about security vulnerabilities, we are NOT just talking about the MS05-00XX bulletins. Software security is multi-faceted and consists of:



  • Software – this is the system under discussion that accesses the Valuables
  • Configuration – this is the configuration of the Software that accesses the Valuables
  • Policy – this is the human usage pattern of the Software and Configuration

Unfortunately, the media and most of the world simply focus on the “Software” aspect of security and try to pin Microsoft as solely responsible when the truth is far from it:



  • The most securely configured and tight security policied system can fall victim if the Software has a remote anonymous LocalSystem exploit.
  • The most securely written and tight security policied system can fall victim if IIS is Configured to allow anonymous user Write and Execute permissions on a virtual directory.
  • The most securely written and configured software system can fall victim if the user has a poor Policy of leaving the console unlocked (or have username/password on a Post-It note…).

What You can do


Now, from a user perspective, you can rarely affect Software defect rates (Open/Closed Source does not matter – most users do not compile their own Software anyway). For a perspective on Software defect rates, read this URL.


For insights on how Microsoft is proactive reducing Software defects in security, just read Michael Howard’s blog. He is one of the key folks driving security at Microsoft and incidentally has a long history with the IIS team.


What a user CAN control is Software Configuration and System usage Policy. I am going to assume that you can come up with a reasonably secure System usage Policy since that is strictly your computer and your responsibility.


Thus, at the end of the day, what we have left to discuss is just Software Configuration and how to eliminate Vulnerabilities in it. To deal with this issue conceptually, it is useful to think about the concept of “Attack Surface” (i.e. these are the avenues opened by Configuration through which Threats can attempt to Exploit your Valuables) and focus on reducing the Attack Surface, thereby limiting the number of exposed vulnerabilities that can be exploited.


All about the Attack Surface


Here are some thoughts on how to reduce the Attack Surface of web servers like IIS or Apache.


The Attack Surface of a web server like IIS or Apache is basically the HTTP Request itself and the code that runs to process that request.



  • With firewalls, you can close off the remainder of the server from external contact and just have port 80 open and allowing HTTP Requests to reach your web server. Reducing the number of ports accessible via the Internet reduces the Attack Surface by reducing server code listening on ports from ever being accessible.
  • With tools like URLScan, which examine characteristics of the Request URL and Headers for “funny behavior”, you can reject bogus or otherwise prevent functional code on the IIS server from ever executing, thus reducing the Attack Surface of the server.
  • By running IIS Lockdown, you tighten up various configurations on IIS to prevent unwanted or unknown functionality from ever executing, thus reducing the Attack Surface of the server.

By now, the theme should be clear. Reducing the Attack Surface of the server by restricting it to only exposing the set of behaviors and necessary support code for a given functionality is a real way to reduce security vulnerability due to Configuration.


IIS5 vs IIS6


Unfortunately with IIS5, non-security assumptions and ideas were the norm, but with IIS6, security is front and center. This results in the multi-pronged security approach of IIS6, which goes something like this:



  • IIS6 is not even installed on Windows Server 2003 by default, unless it is the Web Blade or Small Business Server SKU. User has to take explicit action to install IIS6. This is contrary to IIS5, which is installed and running by default under the assumption that user ease of use is key.
  • Once you install IIS6, it only serves static content that has a defined Content-Type. Thus, you can serve plain HTM/JPG/GIF as well as download EXE/ZIP files. Specifically, you cannot download ASP files to read its source code. On IIS5, everything can be served, which makes $DATA exploits for ASP possible.
  • If you want to run dynamic content on IIS6, you must explicitly enable dynamic content execution by IIS as well as enable dynamic code with a Web Service Extension. If you do not enable an ISAPI or CGI as a Web Service Extension, IIS6 will not run it to execute dynamic content. Period. On IIS5, everything can be run as soon as you enable IIS to do so, which makes virtual directories with Write and Execute permissions suicidal.
  • Even if you manage to run dynamic code on IIS6, it only has access to an unprivileged Network Service account by default. So, even if there is an exploit, the resulting damage scope is low. Contrary to IIS5, which can run code as Local System where damage from an exploit is high.

And the list of multi-pronged, multi-layer security approach of IIS6 goes on and on…


Conclusion


Hopefully, it is now clear why simply fronting IIS with Apache does not improve security. You simply increase the amount of code that processes the request, which increases the Attack Surface of the server and thus increases the chance of encountering a Vulnerability which raises the possibility that a Threat can take advantage of the Vulnerability to successfully Exploit your Valuables.


And how to improve security? By reducing the Attack Surface of the web server and reducing number of features exposed by the web server to the minimum necessary to accomplish its task. This has nothing to do with placing Apache in front of IIS since that does not reduce the Attack Surface. Instead, it has to do with configuring IIS5 with URLScan and IIS Lockdown as well as other common security practices to lock down the server, or just run IIS6 and turn on the Windows Firewall of SP1. Then, you can directly run IIS6 on the Internet without fear because you know what is open and enabled on the server and how securely you configured it.


Security is not an absolute goal; it is a journey.


//David

Comments (8)

  1. Jeff Parker says:

    In my personal opinion the key to this whole post is "All about the Attack Surface"

    I don’t care what kind of Server, PC, OS, Hardware appliance, what ever, if you put it out on the web by itself wide open. It is going to get hacked and dropped. A Web server really only needs port 80, or 443 if running ssl. Thats it, shut everything down. I have been running on IIS servers on the internet since about 98. I ran on Unix before that. Once and only once have I had a server go down on the net from an attack. It was a virus that specifically targeted my firewall I was using. It didn’t target windows or IIS. You need to set up a DMZ, plain and simple. Microsoft.com runs IIS and has for years, whens the last time it has been hacked. http://toolbar.netcraft.com/site_report?url=http://www.microsoft.com

    sun runs the Sun Java System, whens the last time they were hacked. http://toolbar.netcraft.com/site_report?url=http://www.sun.com

    This whole thing about which one is more secure is bunk, it is how secure you set it up.

  2. David Wang says:

    Jeff – Amen. :-)

    The "Security" of a software System depends on the Software, its Configuration (i.e. Attack Surface), and user Policy of the system. Thus, one cannot just focus on "which one is more secure" because effective Security is just the weakest link of any those aspects. On top of which, security evolves over time such that it is a journey, not a destination.

    In my view, this is what distinguishes "real" security vs just rhetoric. Glad to be hearing from you.

    //David

  3. Jack says:

    Hello, i have subscription of Redmond magainze and wow i can’t believe i still remeber the artcle about Apache and IIS since the issue is dated back April 2005. anywho…

    http://mcpmag.com/images/0405red_F2Apache_chart1.jpg

    that’s how some comapnies run Apache, they run it like MS ISA like the photo said a way to protect an IIS web server farm from the Internet.

    It look like Apache in front and IIS at back of more secure network is very common.

  4. Jack says:

    forgot to add, if you like to read the article about using Apache as front use . here is the link http://redmondmag.com/features/article.asp?EditorialsID=471&a=#findit

  5. David Wang says:

    Jack – Thanks for the URL.

    I really do not want to start a flame war, but this one is just too juicy to give up. 😉

    http://blogs.msdn.com/david.wang/archive/2005/10/01/Thoughts_on_IIS_Security_vs_Apache_Part_2.aspx

    I am just a techie, so I have no secret agenda other than "improve technology and the people will come." I view Apache and IIS from an internal/technical perspective, and really, they are quite similar… so I favor users evaluating with full details and choosing whatever makes sense for their situation. It should hopefully make technical and logical sense and not be clouded by rhetoric or emotions…

    Thus, we are really just talking about the Media, Spin, and bad Press… which pushes some of my indignation buttons, so I will rant. :-)

    //David

  6. Tom says:

    I’ve worked with both and while I haven’t had many security scares with either, I’d lean towards employing Apache as my server of choice. The White House uses it, ESPN, CNN, and E-Trade use it. That should answer those that just follow what big entities do. The second reason would be that it’s free, why pay for a Windows license (unless you already have one). Third, the bulk of the web server related worms out there are written to exploit IIS vulnerabilities. Don’t expose yourself to that potential risk.

  7. David Wang says:

    Ok… I’m sure the zealots will eventually come tar and feather me and distort the conversation I started…

  8. David.Wang says:

    Tom – You gave fine reasons, but I am not certain they support your conclusion.

    http://blogs.msdn.com/david.wang/archive/2006/03/08/Thoughts_on_IIS_Security_vs_Apache_Part_3.aspx

    //David