Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: Installing and configuring Mod_Security on Windows Server  (Read 81003 times)

0 Members and 1 Guest are viewing this topic.

jomyt

  • Guest
Installing and configuring Mod_Security on Windows Server
« on: August 14, 2017, 06:39:22 pm »
ModSecurity is an open-source web application firewall that has been widely deployed on Apache based web servers to protect web applications from security vulnerabilities and has recently been made available in a stable version for IIS based servers from version 7.X and above. 

Installation steps.
===================

1) Access your Windows Server using RDP and open the browser and download Microsoft’s Web Platform Installer (WebPI)


2) Before installing ModSecurity install the Visual Studio 2010 Runtime(s):

* If you’re on a 32bit OS (Windows Server 2008 and IIS7) you’ll install just the 32 bit runtimes.

* But if you’re on a 64bit OS and run both 32bit and 64bit application pools, you’ll want to install both the 32bit and 64bit version.

Please follow the link given below to install Visual Studio 2010 Runtime(s):

* 32-bit OS: http://www.microsoft.com/en-us/download/details.aspx?id=5555

* 64-bit OS: http://www.microsoft.com/en-us/download/details.aspx?id=14632


3) ModSecurity had a missing dependancy “Wlanapi.dll” This was installed by installing the “Wireless LAN Service” as follows:

a) Open Server Manager

b)Select Features | Add Feature

c)Select Wireless LAN Service

d)Install, Close and call it a day.


4) Now go ahead and run the Microsoft’s Web Platform Installer (WebPI) and install ModSecurity.  Load your site and make sure the site loads.  You’ll also want to check the application log and make sure mod security loaded.  ( Administrative Tools >> Event Viewwer >> Windows Logs >> Application )

If not just roll back your applicationhost.config file. either remove the three lines that include ModSecurity or go to c:\inetpub\history and restore the most recent backup of your applicationhost.config file into c:\windows\system32\inetsrv\config


Configuring our ModSecurity Ruleset.
====================================

1) Install the ModSecurity ruleset in c:\inetpub\wwwroot\owasp_crs\

2) Open modsecurity.conf in the above referenced folder and change the first line from SecRuleEngine DetectionOnly to  SecRuleEngine On


3) After that create a test rule SecRule ARGS, "zzz" phase:1,log,deny,status:503,id:1 and place it in the bottom of the modsecurity.conf


Enabling ModSecurity for our website.
=====================================

1) Access IIS with Administratir Previlege.

2) Unlock the VPS local host

3) Open Configuration Editor

4) Now access the webconfig file of your Website ( c:\inetpub\wwwroot\Website\web.config ) using the Configuration Editor and add the following rule )


-----------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <ModSecurity enabled="true"
           configFile="c:\inetpub\wwwroot\owasp_crs\modsecurity_iis.conf" />
    </system.webServer>
</configuration>
-----------------------------------


NB: Make sure to edit web.config file of your website using only Config Editor. Otherwise it my not be effective.


5) Restart your local host.


Verifying ModSecurity is loaded and detecting issues
=====================================================


1) After you enable ModSecurity you can verify it’s loaded by triggering our test rule. You can check using http://www.mydomain.com/index.php?a=zzz.

2) When the website is loaded you will get the message "The service is unavailable".

3) Access your server and check the application log ( Administrative Tools >> Event Viewwer >> Windows Logs >> Application )

4) You will receive the following


-------------------------------------------
[client 192.100.0.47:10911] ModSecurity: Warning. Pattern match “zzz” at ARGS:a. [file “c:\inetpub\wwwroot\owasp_crs\modsecurity.conf”] [line “215”] [id “1”] [hostname “HYPVXXXX”] [uri “/testing.aspx?a=zzz”] [unique_id “17798225729515689548”]

-------------------------------------------

The scrren shots are given below:
=================================

--------------------------------------------
https://snag.gy/WshDOH.jpg
https://snag.gy/iq7MUB.jpg
https://snag.gy/e7B5SY.jpg
--------------------------------------------

Cheers!!  :) :)