We just had an update meeting with the ASW team. Heres what we are working on in ASW:

modsecurity just as it is in ASL - we will use a stripped down apache with just a hand full of modules as a proxy for IIS (IIS isnt quite there yet for native integration). This has the added advantage of making it possible to protect anything on Windows, apache, lighttp, IIS, etc.

OSSEC and all its features

DB based logging, and independent GUI

CLAMAV on Windows - we are working on a kernel shim to also do AV on windows real time (which is a must really for Windows). Right now we can do everything we can do in Linux today with clamav (uploads, scans, etc.) - realtime is almost there.

Hardening/compliance configurator

Stack hardening pretty close to what we can do in Linux (possibly 100%, but more testing required)

Vuln scans

There are modules for IIS such as Helicon Ape which gives a full Apache emulation on IIS, such as mod_rewrite, http.conf, vhost.conf, .htaccess, mod_gzip, etc which if you could emulate some functionality like that I think it would be a very powerfull offering

http://www.helicontech.com/ape/doc/compatibility.htm

If you could emulate the apache experience in IIS it could open the door for easier linux -> windos ports

Nice tip, do you know if it emulates the entire API for apache 2.x? modsecurity uses the 2.x filter capabilities in apache, so that would be key - if its supporting it then hurray for all of us!

it only has some modules and unfortunately is closed source so you cant piggy back on them, but the functionality is there so if you really wanted (or your windows guy gets bored) he can emulate all of that stuff since we know it can be done

Is this for IIS6 or IIS7? I was surprised at Zendcon how heavily MS was pushing Win2008 with IIS7 and how well it worked with PHP in FastCGI now (seemed to be a subtle nod in the direction of open source). The biggest feature of IIS7 seems to be a MS version of mod_rewrite.

That is sweet

Yeah I've had some stuff through on email regarding IIS and Win2008 support for PHP and other opensource enviroments. I was also surprised when I went to a recent MVP talk about Windows Azuraz that it too WILL support MySQL and PHP in the cloud. Seems like such a sudden move for Microsoft, seeing as not long ago they wouldn't even consider support for PHP.

Once ASL is out I will consider running a Windows Server again. My last experince of Windows Server as a hosting enviroment, was when a former employer put up an NT4 box to host there new platform they were developing. The server got hack in under a month and turned into a torrent seed. The bandwidth bill almost gave my boss a nervous breakdown. Needless to say I was given the job of locking that server down. Fun. Thats was back in 2000 when our head of development thought he new how to put up a server. Didn't make that mistake again

Matt

We run quite a few servers - almost 100 - all of those windows (we dont count the linux in that ) and none of them have ever been hacked in 5 years (since I worked there).

Yeah, mine was 9 years ago and down to the lack of knowledge of the developer who put it up. I only came into the picture after the event. Still it was a funny day