rogue iis modules

Interesting story for those of us who administer IIS 7+ web servers: “The Curious Case of the Malicious IIS Module” from SpiderLabs. As the article more or less shows, even an SSL-wrapped site isn’t safe: once you’re inside IIS, you’re behind the SSL encryption process, which is handled in the OS starting with IIS 7/Win2008. Even in earlier versions, getting that far pretty much gives you unencrypted visibility.

The upside is that if someone has the level of access needed to drop a new IIS module on your web server, they likely have access to just flat-out change your code. So other than particularly nefarious attackers or automated tools that just do it for them, I’d not expect to see rogue IIS modules. However, this is definitely something to look for on modern IIS web servers: inventory the installed modules, poll them, and alarm on anything new appearing.
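
One way to run that inventory-and-alarm check for native modules, as an added example (not code from this post or from the SpiderLabs article): it reads `<globalModules>` from applicationHost.config, records each module DLL's path, SHA-256 and Authenticode status, and reports anything new or changed against a saved baseline. The baseline path is a hypothetical placeholder.

```powershell
# Added example: inventory IIS native modules (<globalModules>) and flag drift.
# $ConfigPath is the standard IIS 7+ location; $BaselinePath is a hypothetical
# location whose folder must already exist and be writable only by administrators.
# Run from 64-bit PowerShell so System32 paths are not redirected to SysWOW64.
param(
    [string]$ConfigPath   = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [string]$BaselinePath = 'C:\SecOps\iis-modules-baseline.json'
)

function Get-IisModuleInventory {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($m in $Config.configuration.'system.webServer'.globalModules.add) {
        # image values use %windir%-style variables; expand before touching disk
        $path = [Environment]::ExpandEnvironmentVariables($m.image)
        $hash = $null
        $sig  = 'FileMissing'
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # signature status is recorded as triage context, not as a verdict
            $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
        }
        [pscustomobject]@{ Name = $m.name; Image = $path; Sha256 = $hash; Signature = $sig }
    }
}

function Compare-IisModuleInventory {
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Name] = $b }
    foreach ($c in $Current) {
        $old = $known[$c.Name]
        $finding = $null
        if (-not $old) { $finding = 'NewModule' }
        elseif ($old.Image -ne $c.Image -or $old.Sha256 -ne $c.Sha256) { $finding = 'ChangedModule' }
        if ($finding) { $c | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru }
    }
}

$current = @(Get-IisModuleInventory -Config ([xml](Get-Content -LiteralPath $ConfigPath -Raw)))
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath   # first run records the baseline
    return
}
$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$findings = @(Compare-IisModuleInventory -Baseline $baseline -Current $current)
$findings | Format-Table Finding, Name, Image, Signature, Sha256 -AutoSize
if ($findings.Count) { exit 1 }   # non-zero exit lets a scheduled task or monitor raise the alarm
```

Patching changes the hashes of legitimate modules, so re-baseline after updates and keep a copy of the baseline off the server. Managed modules declared under `<modules>` in applicationHost.config or a site's web.config are outside the scope of this example.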