
How to Install ModSecurity on Windows Server with OWASP Core Rule Set?


Introduction

ModSecurity is a powerful open-source web application firewall (WAF) that helps protect your websites from various threats and attacks. This tutorial provides step-by-step instructions for installing and configuring ModSecurity on a Windows Server running Internet Information Services (IIS). By implementing ModSecurity, you’ll add an essential security layer to your web applications, helping to prevent SQL injection, cross-site scripting (XSS), and other common vulnerabilities.

Prerequisites

Before beginning the installation process, ensure you have:

  • Administrator access to your HostingHome Windows RDP Server
  • IIS already installed and configured
  • Basic knowledge of IIS management
  • A backup of your current server configuration
  • Remote Desktop Connection client installed on your computer

Step 1: Download & Install Visual C++ 2015-2022 Redistributable

ModSecurity requires Microsoft Visual C++ Redistributable to function properly.

  1. Download the latest version from Microsoft:
    🔗 https://aka.ms/vs/17/release/vc_redist.x64.exe
  2. Run the installer (vc_redist.x64.exe) and follow the on-screen instructions.
  3. Restart the server if prompted.

Step 2: Install ModSecurity for IIS

We will use the ModSecurity MSI Installer for easy setup.

  1. Download ModSecurity MSI from Atomicorp:
    🔗 https://updates.atomicorp.com/channels/rules/binaries/ModSecurityIIS_2.9.3-64b.msi
  2. Run the installer (ModSecurityIIS_2.9.3-64b.msi) and follow the wizard.
  3. Verify installation:
    • Open IIS Manager
    • Check if ModSecurity appears under Modules

Step 3: Install OWASP Core Rule Set (CRS)

The OWASP CRS provides protection against common web attacks.

  1. Download OWASP ModSecurity CRS from GitHub:
    🔗 https://github.com/coreruleset/coreruleset
  2. Click “Code” → “Download ZIP”
  3. Extract the ZIP file to:
    C:\Program Files\ModSecurity IIS\owasp-modsecurity-crs

Configure ModSecurity to use OWASP rules:

Open C:\Program Files\ModSecurity IIS\modsecurity.conf in a text editor.

Add the following lines at the end (the paths are quoted because they contain spaces):

    Include "C:\Program Files\ModSecurity IIS\owasp-modsecurity-crs\crs-setup.conf"
    Include "C:\Program Files\ModSecurity IIS\owasp-modsecurity-crs\rules\*.conf"

Restart IIS to apply changes:

Open Command Prompt (Admin) and run:

    iisreset /restart

Step 4: Verify ModSecurity & OWASP Rules

  1. Check if ModSecurity is active:
    • Open IIS Manager → Select a website → “Modules” → “ModSecurity IIS 64bits/32bits” → Check if rules are loaded.
  2. Test a blocked request (e.g., SQL Injection):
    • Try accessing
      http://yourserver.com/?id=1 OR '1'='1'
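
The checks from Steps 3 and 4 as a read-only PowerShell script. This is an added example, not part of the original guide or of ModSecurity; it assumes the paths used on this page and the default appcmd.exe location, and the function name Test-ModSecurityCrsSetup is made up for the example.

```powershell
# Added example: read-only post-install checks for the layout used in this guide.
# Assumes the paths given on this page; run in an elevated PowerShell session.
$ModSecDir = 'C:\Program Files\ModSecurity IIS'
$CrsDir    = Join-Path $ModSecDir 'owasp-modsecurity-crs'
$MainConf  = Join-Path $ModSecDir 'modsecurity.conf'

function Test-ModSecurityCrsSetup {   # hypothetical helper name
    $findings = @()

    # Include targets must exist at exactly these paths. The CRS archive ships
    # crs-setup.conf.example, and the GitHub ZIP unpacks into its own top-level
    # folder, so look one level deeper before reporting the file as missing.
    $setup = Join-Path $CrsDir 'crs-setup.conf'
    if (-not (Test-Path -LiteralPath $setup)) {
        $hint = Get-ChildItem -LiteralPath $CrsDir -Recurse -Filter 'crs-setup.conf*' -ErrorAction SilentlyContinue |
                Select-Object -First 1
        if ($hint) { $findings += "crs-setup.conf not at $setup; found $($hint.FullName)" }
        else       { $findings += "crs-setup.conf not found under $CrsDir" }
    }
    $rules = @(Get-ChildItem -Path (Join-Path $CrsDir 'rules\*.conf') -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) { $findings += "no files match $CrsDir\rules\*.conf" }

    # Look only at active (non-comment) directives in modsecurity.conf.
    $active = @(Get-Content -LiteralPath $MainConf -ErrorAction SilentlyContinue |
                Where-Object { $_ -notmatch '^\s*(#|$)' })
    $includes = @($active | Where-Object { $_ -match '^\s*Include\s.*owasp-modsecurity-crs' })
    if ($includes.Count -lt 2) { $findings += 'modsecurity.conf lacks the two CRS Include lines' }

    # DetectionOnly logs rule matches but lets the request through; Off disables
    # the engine. The test request in Step 4 is only blocked when this is On.
    $engine = $active | ForEach-Object { if ($_ -match '^\s*SecRuleEngine\s+(\S+)') { $Matches[1] } } |
              Select-Object -Last 1
    if ($engine -ne 'On') { $findings += "SecRuleEngine is '$engine', not On" }

    # The IIS module must be registered (same check as IIS Manager > Modules).
    $appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
    $modules = if (Test-Path -LiteralPath $appcmd) { & $appcmd list modules } else { @() }
    if (-not ($modules -match 'ModSecurity')) { $findings += 'no ModSecurity module listed by appcmd' }

    return $findings
}

$result = @(Test-ModSecurityCrsSetup)
if ($result.Count -eq 0) { 'All checks passed.' } else { $result | ForEach-Object { "FINDING: $_" } }
```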

Conclusion

You have successfully installed and configured ModSecurity on your Windows Server with IIS. This powerful web application firewall will help protect your websites from various threats and attacks. Remember to regularly update your rule sets and monitor the logs for any issues.

For optimal security, consider combining ModSecurity with other security measures such as proper input validation, output encoding, and regular security audits. With these tools in place, your web applications will be much more resistant to common web attacks.

HostingHome Tip: For better performance, fine-tune the rules in crs-setup.conf to reduce false positives.
