SecureIIS is the workhorse of the EWP solution and its main source of events. A security-enhancing ISAPI plugin for IIS, SecureIIS protects against known and unknown vulnerabilities. Windows administrators familiar with Microsoft's URLScan will find SecureIIS easy to navigate, and it offers more features and granularity than URLScan. In many ways, SecureIIS acts as a host-based HTTP protocol firewall, inspecting each request and looking for signs of attack. SecureIIS focuses on global HTTP request aspects, which is more than enough to protect your Web server, but not necessarily enough to protect your Web applications. Unlike a true Web application proxy/firewall, it does not inspect or enforce hidden form fields, detect cookie tampering and so on.
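The gap described above, between request-level filtering and application-level enforcement, shown as an added illustration that is not code from SecureIIS, URLScan or the original article. The filter rules, the `/shop/checkout.asp` form, the `price` field and the HMAC tagging scheme are all assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import unquote

# Hypothetical policy values; not the rule set of any real product.
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 1024
SERVER_KEY = b"constructed-demo-key"  # constructed; load from a secret store in practice


def request_filter(verb, url):
    """Global per-request checks only: verb, URL length, path traversal."""
    violations = []
    if verb.upper() not in ALLOWED_VERBS:
        violations.append("verb not allowed")
    if len(url) > MAX_URL_LENGTH:
        violations.append("URL too long")
    path = unquote(url).split("?")[0].replace("\\", "/")
    if any(segment == ".." for segment in path.split("/")):
        violations.append("directory traversal sequence")
    return violations


def sign_field(name, value):
    """Tag the application computes when it renders a hidden form field."""
    message = f"{name}={value}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()


def field_is_untampered(name, value, tag):
    """Application-layer check performed when the form comes back."""
    return hmac.compare_digest(sign_field(name, value), tag)


def demo():
    # Constructed sample: the form was rendered with price=49.99.
    issued_tag = sign_field("price", "49.99")
    # Constructed submission: a well-formed POST whose hidden field was edited.
    verb, url, submitted_price = "POST", "/shop/checkout.asp", "0.01"
    return {
        # The request-level filter sees nothing wrong with this request.
        "filter_violations": request_filter(verb, url),
        # Only the application-layer check notices the changed value.
        "field_ok": field_is_untampered("price", submitted_price, issued_tag),
        # A malformed URL, by contrast, is what the filter is built to catch.
        "traversal_violations": request_filter("GET", "/app/%2e%2e/%2e%2e/web.config"),
    }


if __name__ == "__main__":
    print(demo())
```

The request filter passes the edited submission because nothing about the request itself is malformed; the value check has to live in the application or in a proxy that tracks form state.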
Monitoring Events
The REM Events Server is the main collection point for SecureIIS events, including policy violations, attack attempt notifications and administrative notices related to SecureIIS configuration. An REM Events Server Client is installed on each individual SecureIIS machine, and it is responsible for taking the SecureIIS events and sending them to the REM Events Server in a secure manner using public/private key encryption. Once the REM Events Server receives an event, it places the event in a preexisting ODBC-compliant database. This version of REM Events Server requires you to provide your own database server software. I would like to have had a database engine included--specifically, Microsoft's free MSDE engine.
After the events are safely tucked into the database, there are two ways to view them. The first way is to have the REM Events Server export all events to the Windows event log, allowing other event management systems like Tivoli or HP OpenView to pick up the log events. This allows integration into existing helpdesk/IT event management infrastructure. The second way to view events collected by the REM Events Server is to use the REM Events Manager, a multiuser Web portal application that installs into an existing IIS server. It allows viewing, searching and reporting of received events.
The REM Events Manager is designed to act as an IT helpdesk or trouble-ticket system. Incoming events can be sifted and automatically delegated to the appropriate personnel for action; delegated events are tracked until completion. The REM Events Manager can produce myriad reports, detailing information such as events, tasks and the top 20 event types grouped by severity, source or destination.