This is the Trace Id: cb928ceb188ef65cf86a3ccfdb7ca951
Skip to main content Report Security Vulnerability Report Abuse Report Infringement Submission FAQs Reporting Vulnerability Security Update Guide Exploitability index Developer API documentation Frequently Asked Questions Technical Security Notifications Glossary Microsoft Bug Bounty Programs Microsoft Active Protections Program BlueHat Security Conference Researcher Recognition Program Windows Security Servicing Criteria Researcher Resource Center Microsoft Security Response Center Security Research & Defense BlueHat Conference Blog Security Researcher Acknowledgments Online Services Researcher Acknowledgments AI Safety Acknowledgements Security Researcher Leaderboard

Introducing ModSecurity IIS 2.7.2 Stable Release

Security Research & Defense
/ By swiat /

We are pleased to announce the release of a stable version of the open source web application firewall module ModSecurity IIS 2.7.2. Since the announcement of availability of the beta version in July 2012, we have been working very hard to bring the quality of the module to meet the enterprise class product requirements. In addition to numerous reliability improvements, we have introduced following changes since the first beta version was released:

  • optimized performance of request and response body handling
  • added “Include” directive, relative path and wildcard options to the configuration files
  • re-written installer code to avoid .NET Framework dependency and added installation error messages to system event log
  • integrated OWASP Core Rule Set in the MSI installer with IIS-specific configuration
  • fixed about 10 functional bugs reported by ModSecurity IIS users.

Microsoft also released recently a TechNet article entitled “Security Best Practices to Protect Internet Facing Web Servers”, which explains in details benefits of deploying a WAF module on a web server.

Integrated OWASP Core Rule Set

In version 2.7.2 of ModSecurity IIS we have included OWASP Core Rules Set pre-configured to serve most common scenarios encountered on IIS server. The rule set gets installed into c:\inetpub\wwwroot\owasp_crs directory, from which it can be included in any web.config file by adding:

<ModSecurity enabled=“true” configFile=“owasp_crs\modsecurity_iis.conf” />

The default setting enables request body access, disables response body access, does not use audit log, and sets temporary files and data folder to c:\inetpub\temp. User can
enable or modify these and other features by uncommenting appropriate ModSecurity directives in modsecurity.conf or modsecurity_crs_10_setup.conf files.

2012 Toolsmith Tool of the Year Award: ModSecurity for IIS

Russ McRee over at HolisticInfosec held open voting in January for the 2012 Toolsmith Tool of the Year Award and ModSecurity for IIS won!

We are glad that the Toolsmith readers found value in the IIS version of ModSecurity and we hope that it will help them to quickly mitigate emerging threats to their Microsoft IIS/ASP/.Net environments.

Acknowledgements

I would like to thank Nazim Lala and Ashish Kurmi from Microsoft for their help in module testing, Breno Silva and Ryan Barnett from Trustwave for continuous support of the IIS version, and Simon Kosinski for his valuable insights and suggestions.

Greg Wroblewski, MSRC

Surface Pro Surface Laptop Surface Laptop Studio 2 Copilot for organizations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store support Returns Order tracking Certified Refurbished Microsoft Store Promise Flexible Payments Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education How to buy for your school Educator training and development Deals for students and parents AI for education
Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 Microsoft Power Platform Microsoft Teams Microsoft 365 Copilot Small Business Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Software companies Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Diversity and inclusion Accessibility Sustainability
English (United States)
Your Privacy Choices Opt-Out Icon Your Privacy Choices
Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads