IIS Security - Using a Linux Box as a Sentry?
Steven Yi asks: "This is a suggestion - why not consider IIS an 'application server', similar to the way we consider BEA WebLogic an app server? Continue using your Windows Servers to process your programming logic and ASP pages - but use a box running Apache as your true web server. This is the way many other app-server driven hardware setups are like. Internet --> (Apache Web Server) --> (IIS 'App Server'). The obvious point is that there isn't an Apache plugin to redirect Microsoft/ASP page requests, but couldn't this be written fairly quickly? I think this would be a much cheaper migration path where existing Microsoft applications/hardware can be preserved and your internet security would be greatly enhanced with a Linux/UNIX Apache server guarding the internet connection." Many savvy readers should realize that a mod_rewrite + mod_proxy combination should be all you need to implement such a feature. Has anyone deployed something similar for their production systems?
Macromedia's ColdFusion Server can be configured in this manner. The instructions for Version 5 can be downloaded here. The instructions for Version 4.51 can be downloaded here (Linux/Solaris) and here (NT). There is a performance hit in configuring this way, though I don't have specific benchmarks.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Just download and install URLScan from Microsoft. It's an ISAPI plugin for IIS that filters requests before the rest of the web server sees them. It can forbid access to URLs based on extensions (e.g. .exe, .ida), and those URLs that use encoded characters. It also lets you rewrite the server header (I'm currently reporting my IIS 5.0 server as Apache), as well as restricting what HTTP commands you can send to the server.
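
The request checks the comment above attributes to URLScan (extension blocking, refusing encoded characters, restricting HTTP commands, rewriting the server header), modelled as an added Python example; this is not URLScan's code or configuration and not part of the original comment. The function names, the verb list and the sample request lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy values; .exe and .ida are the extensions the comment names.
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_EXTENSIONS = {".exe", ".ida"}
SERVER_BANNER = "Apache"  # banner reported in place of the real one


def check_request(request_line):
    """Return (allowed, reason) for a raw HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    verb, target, _version = parts
    if verb not in ALLOWED_VERBS:
        return False, "verb not allowed"
    path = urlsplit(target).path  # query string is not part of the file name
    # Refuse encoded characters instead of decoding them: a filter and the
    # server behind it can otherwise disagree about what the path means.
    if "%" in path:
        return False, "encoded characters in path"
    # Check every segment so /x.ida/extra is caught as well as /x.ida.
    for segment in path.split("/"):
        name = segment.rstrip(".")  # Windows ignores trailing dots in names
        if "." in name:
            ext = "." + name.rsplit(".", 1)[1].lower()
            if ext in DENIED_EXTENSIONS:
                return False, "denied extension " + ext
    return True, "ok"


def rewrite_server_header(headers):
    """Return a copy of the response headers with the Server banner replaced."""
    out = {k: v for k, v in headers.items() if k.lower() != "server"}
    out["Server"] = SERVER_BANNER
    return out


if __name__ == "__main__":
    # Constructed sample request lines.
    for line in ("GET /default.asp HTTP/1.0", "GET /default.ida?x HTTP/1.0",
                 "GET /a%2easp HTTP/1.0", "TRACE / HTTP/1.0"):
        print(line, "->", check_request(line))
```

The same checks apply whether they run as a plugin on the IIS host or on a separate front-end box; only the place they execute differs.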