Microsoft Internet Information Services (IIS) server is one of the most popular web servers on the internet. It’s frequently used to serve ASP.NET web applications with Microsoft SQL Server backends running on Windows operating systems. Like any other software stack, the IIS web server has its own security issues and attack surface, especially if you’re running legacy IIS servers (particularly IIS 6 and IIS 7).
Aside from the basics like applying the latest security patches or modifying your web.config to prevent the server from disclosing its IIS version, a lot of focus should be given to the security of the web applications served by that web server. The easiest way to get started is to run an automated scan for security holes.
This is where Acunetix fits in. Acunetix is a web application security tool that automatically performs a vulnerability assessment of a website or web application and discovers server misconfigurations. Acunetix allows you to run security checks for thousands of vulnerabilities quickly and accurately on a regular basis. It is integrated with a market-leading network scanner and can check network security of your IIS server, too.
Wide Technology Coverage
While some attacks may be detectable by server security software such as intrusion detection systems (IDS) and web application firewalls (WAF), these technologies are not able to stop client-side attacks such as DOM-based Cross-site Scripting (DOM XSS).
Unrivalled Speed and Accuracy
Web application security scans are typically known for being slow. Acunetix is set to change that. With a blazing-fast crawler and scanner, it is by far the fastest web application security scanner on the market, allowing you to perform automated security testing across a large number of applications concurrently.
Acunetix also provides AcuSensor, an optional sensor for ASP.NET, PHP and Java applications that is deployed server-side to further increase accuracy during scans and even inspect calls from the web application to the database server.
Beyond Vulnerability Scanning
Another problem that Acunetix solves, which many other vulnerability scanners fall short of, is the ability to produce useful reports. Acunetix can instantly generate a wide variety of technical, regulatory, and compliance reports such as PCI DSS, HIPAA, OWASP Top 10, and many others. Additionally, Acunetix allows users to export discovered vulnerabilities to issue trackers such as Atlassian Jira, GitHub, GitLab, Mantis, Bugzilla, and Microsoft Team Foundation Server (TFS).
Frequently asked questions
To protect your IIS installation, you need a web vulnerability scanner. A typical network scanner will just check if you have the right ports closed and if you have an up-to-date version of IIS. A web vulnerability scanner will check your IIS configuration and, most importantly, let you verify the security of all the web pages and web applications that you are hosting on your IIS. Acunetix will do it all.
The only way to effectively check the security of a dynamic website or web application is to try to break into it. You can hire a penetration tester to do it manually but it will cost a lot and take a lot of time. You can also use a web vulnerability scanner, discover most vulnerabilities quickly and automatically, and leave very little work for penetration testers.
Every dynamic website and web application is susceptible to web vulnerabilities such as SQL Injections and Cross-site Scripting (XSS). Based on our research, most web applications have such vulnerabilities. A web vulnerability may let an attacker completely take over your system or use it for phishing others.
A default installation of IIS is not secure. To make it safe, you need to install the right modules, disable certain options, turn on restrictions, enable logging, and more. You must also make sure that you always have the latest version of the operating system with up-to-date patches as well as the latest version of IIS.
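The web.config change mentioned at the top of the page (hiding the IIS version) and the hardening steps listed above, as an added web.config fragment that is not from Acunetix or the original page. It assumes IIS 10.0 or later (removeServerHeader does not exist on IIS 6/7/8) and an ASP.NET site; request logging is a server-level setting in applicationHost.config, so it is not part of this site-level file.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Never ship debug builds: debug mode leaks stack traces to clients -->
    <compilation debug="false" />
    <!-- Generic error page instead of ASP.NET exception details -->
    <customErrors mode="On" />
    <!-- Suppress the X-AspNet-Version response header -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <!-- Do not list directory contents when no default document exists -->
    <directoryBrowse enabled="false" />
    <security>
      <!-- removeServerHeader strips "Server: Microsoft-IIS/x.x" (IIS 10.0+, assumed here) -->
      <requestFiltering removeServerHeader="true">
        <!-- Cap request body (bytes), URL and query-string length to limit abuse -->
        <requestLimits maxAllowedContentLength="10485760" maxUrl="2048" maxQueryString="1024" />
        <!-- Allow only the HTTP verbs the application actually uses -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
          <add verb="HEAD" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- Drop the framework-disclosing header added by default in applicationHost.config -->
        <remove name="X-Powered-By" />
        <!-- Basic browser-side hardening; relax X-Frame-Options if the site must be framed -->
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying, confirm with a plain HTTP request that the Server, X-Powered-By and X-AspNet-Version headers are absent from the response and that a request for a directory without a default document returns 403 rather than a listing.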
“We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.”
Kurt Zanzi, Xerox CA-MMIS Information Security Office, Xerox