
Securing IIS Web Servers: An In-Depth Guide to WebKnight WAF


Hi there! As an IIS administrator myself, I know how vital it is to lock down your web servers. The threat landscape is always growing, so having robust defenses in place is crucial.

In this comprehensive guide, I'll walk you through installing, configuring, and leveraging WebKnight WAF to better protect your IIS environment. I'll share my insights as an experienced technology geek along the way!

The Rising Threats Targeting IIS

Before we dive into WebKnight, let's briefly overview the threats that make a WAF so necessary:

  • SQL Injection – This attack injects malicious SQL into application inputs to access or manipulate data. According to Positive Technologies, SQL injection was the most common web app vulnerability in 2018, impacting over 30% of organizations.

  • Cross-Site Scripting (XSS) – XSS attacks inject client-side scripts into web pages to bypass access controls. Webroot Threat Trends found XSS attacks increased 180% in Q3 of 2018 compared to the previous quarter.

  • Cross-Site Request Forgery (CSRF) – CSRF tricks users into unknowingly executing actions on a web app where they're already authenticated. Over 8% of the web apps analyzed by High-Tech Bridge contained CSRF flaws.

And the list goes on. With attackers constantly finding new vulnerabilities, proactive security is a must!

Why IIS Needs Special Attention

As one of the most widely used web servers, IIS is an enticing target for hackers. Some key stats:

With IIS under constant fire, protecting your servers is imperative. Keep reading to see how WebKnight WAF can help significantly improve your IIS security posture.

WebKnight WAF – An Ideal Security Shield for IIS

So what exactly is WebKnight WAF? It's an open-source web application firewall purpose-built for IIS.

By inspecting all incoming HTTP requests, WebKnight blocks attacks like SQLi, XSS, and unauthorized access attempts. Here are some standout benefits:

Lightweight and optimized for IIS – Weighing in at just 5 MB, WebKnight delivers powerful protection without slowing down your servers. The IIS-native development ensures seamless compatibility.

Easy configuration – The admin console provides simple point-and-click configuration for setting policies, managing blocked IPs, and more. No need to be a security expert to set it up!

Real-time protection – WebKnight scans traffic immediately without requiring any IIS service restarts. The runtime engine efficiently identifies and blocks threats as they happen.

Custom reporting – Detailed logging and statistics give you visibility into all blocked attacks and policy violations for forensic analysis.

Open-source transparency – You can review the source code yourself or even contribute improvements back to the project.

Considering these advantages, WebKnight is a wise choice for fortifying IIS deployments. Now let's look at how to install and configure it.

Installation – Getting WebKnight Up and Running

The installation process is very straightforward:

  1. Make sure your IIS version (5, 6, 7, 8, 10) is supported and ISAPI filters are enabled.

  2. Download the latest WebKnight full package from the official site.

  3. Extract the zipped folder and browse to WebKnight.x.x/Setup/x64

  4. Run the WebKnight_x64.msi installer, accept the license agreement, and choose "Complete" for full installation.

  5. Launch the configuration utility from the final setup screen.

After a few clicks, WebKnight will be protecting your IIS with the out-of-the-box security policy. Let's look at customizing the configuration next.

Configuration – Optimizing the WebKnight Policy

While the default settings provide ample protection, tuning the policy for your specific environment is recommended.

Here are some key parameters I'd advise customizing:

  • Logging – Enable full request logging to capture forensic details in case of an incident.

  • Methods – Permit additional HTTP methods like PUT and DELETE if required.

  • IP Blocking – Blacklist any known malicious IPs preemptively.

  • Hotlink Protection – Block unauthorized sites from leeching your content via hyperlinking.

  • Custom Rules – Add any application-specific rules to lock down access further.

Take some time to dial in these settings for your unique IIS environment and apps. For example, enable hotlink protection if unauthorized image leeching is problematic or add restrictions for non-standard HTTP methods used by your custom web services.

The configuration utility makes it simple to adapt the policy to your needs. Just remember to save your changes!

Now let's look at how WebKnight prevents real-world attacks.

Seeing WebKnight in Action Against Attacks

To test out protection, I tried sending some malicious payloads like cross-site scripting and SQL injection. Here are two examples blocked by WebKnight:

XSS Attack

/?<script>alert('xss')</script>

WebKnight Log

2016-08-31 ; 14:05:46 ; W3SVC1 ; OnPreprocHeaders ; ::1 ; ; localhost ; GET ; /?<script>alert('xss')</script> ; BLOCKED: URL is not RFC compliant

SQL Injection Attempt

/search.php?name=' OR 1=1 --

WebKnight Log

2016-09-01 ; 09:23:16 ; W3SVC2 ; OnPreprocHeaders ; 192.168.1.5 ; malicious-user ; evil-website.com ; POST ; /search.php?name=' OR 1=1 -- ; BLOCKED: Tautology detected.

As you can see, WebKnight successfully blocked the attack payloads and logged forensic details like the blocked parameters and violation reason.
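For triage, the semicolon-separated entries above can be parsed and tallied by block reason and client IP. This is an added example, not code from the original guide or the WebKnight project; the column names are assumptions inferred from the two sample lines, and the third input line is constructed to cover a URL that itself contains a semicolon.

```python
import re
from collections import Counter

# Column names are assumptions inferred from the sample lines on this page.
HEAD = ("date", "time", "site", "event", "client_ip", "user", "host", "method")
SEP = re.compile(r"\s*;\s*")
MARK = "; BLOCKED:"

SAMPLE = [
    # The two log lines shown above.
    "2016-08-31 ; 14:05:46 ; W3SVC1 ; OnPreprocHeaders ; ::1 ; ; localhost ; "
    "GET ; /?<script>alert('xss')</script> ; BLOCKED: URL is not RFC compliant",
    "2016-09-01 ; 09:23:16 ; W3SVC2 ; OnPreprocHeaders ; 192.168.1.5 ; "
    "malicious-user ; evil-website.com ; POST ; /search.php?name=' OR 1=1 -- ; "
    "BLOCKED: Tautology detected.",
    # Constructed line: a ';' inside the URL must not shift the columns.
    "2016-09-01 ; 09:24:02 ; W3SVC2 ; OnPreprocHeaders ; 192.168.1.5 ; ; "
    "localhost ; GET ; /a.asp?x=1;y=2 ; BLOCKED: URL is not RFC compliant",
]

def parse_line(line):
    """Return a dict for one blocked-request entry, or None if it is not one."""
    line = line.strip()
    cut = line.rfind(MARK)  # the block reason is always the last field
    if cut == -1:
        return None
    # Split only the fixed leading columns; the remainder is the raw URL.
    parts = SEP.split(line[:cut].rstrip(), maxsplit=len(HEAD))
    if len(parts) != len(HEAD) + 1:
        return None  # truncated entry or a different column layout
    rec = dict(zip(HEAD, parts))
    rec["url"] = parts[-1]
    rec["reason"] = line[cut + len(MARK):].strip()
    return rec

def summarize(lines):
    """Count blocked requests per reason and per client IP."""
    by_reason, by_client = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        by_reason[rec["reason"]] += 1
        by_client[rec["client_ip"]] += 1
    return by_reason, by_client

def repeat_offenders(lines, threshold):
    """Client IPs blocked at least `threshold` times (IP-blocking candidates)."""
    _, by_client = summarize(lines)
    return sorted(ip for ip, n in by_client.items() if n >= threshold)

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(repeat_offenders(SAMPLE, 2))
```
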

While WebKnight provides robust core protection, you may need more advanced capabilities…

Taking IIS Security Further

For some, WebKnight delivers sufficient IIS lockdown. But you may want additional features like:

  • Managed WAF Service – Let a provider like Sucuri handle configuration, maintenance, and 24/7 monitoring.

  • Virtual Patching – Automatically protect against new zero-day threats before official patches are released.

  • Advanced Machine Learning – Leverage AI algorithms to detect emerging attack patterns.

  • Granular Application Rules – Define policies with extreme precision tailored to your web apps.

In that case, a commercial WAF like Sucuri offers an enterprise-grade solution, albeit for a price. Evaluate your needs to decide if the extra capabilities warrant the investment.

Final Thoughts

I hope this guide gave you a comprehensive look at securing IIS with WebKnight WAF. Feel free to reach out if you have any other questions! Leveraging a WAF is a huge step towards locking down your IIS servers. Combine it with other best practices, and you can drastically reduce your risk.

Stay safe out there!


Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.