This month’s tools add software-based Web application protection and a quick and easy way to transfer files.
Attackers frequently target Web applications. They break through to get at vital information like Social Security numbers and credit card information. You need to do everything you can to defend your Web servers: keep them up-to-date with the latest patches and service packs, implement a hardware firewall “in front” of them, and use a software-based Web application firewall for an additional layer of protection to reduce the attack surface and mitigate threats.
ServerDefender VP from Port80 Software Inc. is one possible layer of software-based protection. This enterprise-class solution is touted as “a complete Web Application Security Lifecycle management tool.” Unlike hardware firewalls, installing ServerDefender VP requires minimal downtime. You can run in a “log only” mode before proactively blocking incoming connections to ensure that you have it configured to suit your needs.
The program comes configured and ready for action, but you’ll most likely want to (and the application will warn you if you don’t) use the built-in Safe Start Wizard learning tool that examines your server’s request and response patterns. It also analyzes existing log files to determine “normal” traffic guidelines for your site. The wizard scans your logs, analyzes the 404s, and asks you to set a cookie grace period for active sessions before you enable request filtering.
ServerDefender VP protects against cross-site scripting attacks, SQL and script injection flaws, cross-site script forgery (CSRF), improper error handling, session management, broken access control and similar types of Web attacks. You also get buffer-overflow protection, Denial of Service and other brute-force attack detection, input validation and cookie-tampering protection.
ServerDefender VP works with IIS 6, 7 and 7.5 for both SSL and standard HTTP requests and responses. If you run credit cards on your site, you’ll be happy to know that ServerDefender VP complies with the Payment Card Industry Data Security Standard (PCI DSS) for protecting cardholder information.
Besides analyzing your IIS logs, if you run the tool in “log only” mode, you can analyze the application log to get a clearer view of your request pattern. You can also validate your configuration to ensure you aren’t filtering false positives, which could block legitimate requests. ServerDefender VP has a Configuration Wizard that examines your site bindings, application pools, ASP.NET session state, and RSS feeds to ensure compatibility and set default configuration options. You can tell the application if you’re using a load balancer with non-sticky sessions.
The ServerDefender VP interface has a Microsoft Management Console (MMC) feel to it. You’ll see your server and Web sites in the left pane, and the configuration and reporting interface in the main pane. The main pane is split into tabs for Site Status, Request Management, Response Management, Session Management, Error Management and Administrative Options. In the Site Status tab, performance counters show request and response statistics, attack counters, blocked IPs and 404 alerts.
You can configure alerts based on a number of triggers to ensure you’re aware of potential problems. You can have notifications sent via e-mail, SNMP, event log and syslog. You can also view logs and generate HTML activity reports.
The Request Management tab lets you configure how the application handles incoming traffic and how it filters those requests. You can configure input validation, buffer overflow settings, allowed resource and HTTP request methods, certain URL pattern restrictions, settings for file uploads (including blocking them completely), and any request item or pattern exclusions.
You can use the Response Management tab to block verbose 500 errors (helpful for when developers forget to set that ASP.NET option in their web.config files), prevent HTTP response splitting, and block or tighten directory browsing. The Session Management tab lets you enforce single IPs per session, verify refers, define cookie and session policies, and add policies for IP blocks and even bot restrictions. On the Error Management tab, you can define error templates, request throttling and error throttling settings, set return generic error codes in place of specific error codes (these may give an attacker too much detail on the configuration of your Web server), and set specific error messages. Finally, the Administrative Options tab is where you manage log settings and application-reporting configuration.
ServerDefender VP is $1,495.95 for a single-server license. Port80 Software also has its ServerDefender AI product, which has fewer features than the enterprise product but still gives you signature-based protection and proactive request blocking for $649.95. What you won’t get with the AI version are options like CSRF protection, session management, protection for file transfers, brute-force mitigation, cookie-tampering protection and per-site configuration. If you’re looking for an additional layer of protection for your Web application infrastructure, you might want to take a look at ServerDefender VP or AI.
Have you ever been in a spot where you needed a file or set of files, but they were just too large for e-mail and you had no file share to get it? FTP is a great way to get files from here to there, but usually that involves a special program, which isn’t the best option for one-off transfers or just may not be a possibility in your location. Quick ’n Easy FTP Server Lite from Pablo Software Solutions is one tool that can help.
This tool is free for non-commercial use and runs as a standalone executable with no installer, so you have an “instant” FTP server on the go. When you launch the portable executable of the Quick ’n Easy FTP Server for the first time, you get a setup wizard that will quickly get you up and running. It guides you through the basic configuration of ports, proxies, users and directories.
Configuration details are saved to an XML file, so you’ll be ready to go the next time you launch your server. The server has the configuration options you would expect from a standard FTP server, including connection limits, timeouts, active and passive FTP connection ports, logging, and hello and goodbye messages. Even though it’s a portable single executable, you can have it launch on Windows startup.
Adding users is simple. You also store those details in the XML file with encrypted passwords. You can set home directories for the accounts, and allow or deny privileges for uploads, downloads, deletions, modifications, and creating files and folders. Quick ’n Easy FTP Server lets you see active connections and the activity log so you can monitor the server in real time. There’s also a server statistic summary view that shows you overall connection, upload/download and data stats.
Commercial users will want to check out the low-cost Quick ’n Easy FTP Server Pro, which runs $29.95 for a single license. The commercial version adds some useful extras such as IP address range filtering, support for virtual directories, limiting transfer speed, remote administration and directory listing format configuration. There’s also a service-based version. If you’re looking for a simple-to-use, easy-to-configure, no-install FTP server to have as an addition to your IT toolbox, take a look at the Pablo Software Quick ’n Easy FTP Server Lite or Pro on your next troll about the Web.
Greg Steen is a technology professional, entrepreneur and enthusiast. He’s always on the hunt for new tools to help make operations, QA and development easier for the IT professional.
Not a TechNet Subscriber?
Confidently evaluate Microsoft software and plan deployments with a Microsoft TechNet Subscription.