Web Server Penetration Testing

What makes a good Web server administrator? Is it the number of Web servers that you support daily? Do you measure by overall uptime? Do you count the number of malicious attempts in your statistics? One popular measure these days is the penetration test.

For penetration testing, you hire someone to deliberately attempt to discover and exploit vulnerabilities on your Web server. Typically, full-time security professionals (often consultants) perform this task for you. They use every known method to try to find vulnerabilities and penetrate the security on your server. They provide a deliverable to your company showing how they got in, your server's vulnerabilities, and what you can do to correct them. Depending on how far they get into your site, they can also prove the risk that you face by showing you the internal data they collected.

Management has to make only one decision before hiring someone to conduct penetration testing on your Web presence: whether to have the security professional give your administrators a good scare, or to have the security professional act as a liaison and work directly with the administrators. Either way, you can improve the security of your site. It's up to you to decide which approach works best for your shop.

The first approach, scaring the noodles out of the administrators and management, might be necessary for overcoming the "We're so secure, nobody's getting in!" attitude. I've been guilty of this attitude from time to time, too. Sometimes, a good wake-up call is necessary.

The second approach, willingly inviting the security professional to spend time with the Web server administrators before and after the attempts, can be beneficial if your Web server administrators have never been through the rigorous ordeal of catching and prosecuting an intruder. (I'll cover this very topic in a future issue of IIS Administrator.)

There's a big argument about whether it's acceptable to give outside consultants inside information before executing penetration testing. After all, it's important to know just how far and how much information a determined intruder can get. However, not all intruders are working without inside information. Social engineering and inside information from your employees can help any intruder get past even your best security. Disgruntled employees can be a big help to intruders or even take a direct part in an attack. So, when dealing with penetration testing, a combination of both approaches is appropriate.

The bottom line is, think how many exploits you've seen on IIS so far this year. This prevalence is primarily the result of a lot of malicious effort focused on that one Web server product. By comparison, how many new Macintosh vulnerabilities have you seen in the past year? It's all a matter of what's popular in the marketplace. There's certainly a lot to keep up with. In this newsletter and IIS Administrator, our print newsletter, we try to bring you all the exploits: From there, it's up to you. Handing Web server administrators a password list obtained unknowingly from one of their Web servers can do a lot to change an attitude.