Web Server Type

"George Schneider" <georgedschneider@news.postalias> wrote in message news:47FB1C9E-6E7D-427E-9712-B1AC30604B79@microsoft.com...

I recently had a vulnerability test conducted on one of our web servers, and the recommendation that was made to us was that the web server type was detectable as Microsoft-IIS/6.0. The conclusion was that this is a vulnerability. The recommended solution was to configure the server to use an alternative name. Does anyone have any idea how to do this, or heard anything like this?

"Marcelo Villalón" wrote:

Hi,

You can try URLScan; it removes the IIS header from the response.

Marcelo V.

"George Schneider" wrote:

How would I do that?

Reply:

Download and install URLScan.

Karl Levinson wrote:

I disagree that it is a big vulnerability. Attackers have many ways they can determine what software you're running, even with a renamed banner.

More info: http://www.microsoft.com/technet/security/tools/urlscan.mspx

Although this is not the same as the banner, Microsoft says that "[Windows 2003] IIS 6.0 does not include the [URLScan] RemoveServerHeader feature because this feature offers no real security benefit. Most server attacks are not operating system-specific. Also, it is possible to detect the identity of a server and information about the operating system by mechanisms that do not depend on the server header."

copied from: http://www.securityadmin.info/faq.asp?banner

How to mask IIS version number using URLScan - http://support.microsoft.com/?kbid=317741
Configuring URLScan - http://support.microsoft.com/?kbid=326444
Installing IISlockdown and URLScan - http://support.microsoft.com/?kbid=325864

Even with URLScan installed, an IIS server will leak other information about its version. For example:

* URLScan with the default settings will also prevent a hacker from using the HTTP OPTIONS method to get information from WebDAV on your IIS server [unless you are not using URLScan or choose to permit HTTP OPTIONS].

* You may also need to disable ASP Session State. This will also improve the performance of your IIS server and the .ASP applications on it, but this will disable your ability to use the Session object to maintain client state. Disabling ASP Session State is described at: http://support.microsoft.com/?kbid=244465

* The error messages that your web server serves up [such as the 404.htm, 403.htm, etc.] may reveal your version of IIS and Windows. You may use the IIS MMC or third-party software to change these error messages.

* The existence of certain default web pages on your web server [such as default.asp, iisstart.asp, your IIS help files, etc.] can reveal your version of IIS and Windows. You should consider deleting all files from the webroot / wwwroot folder or starting with a blank new folder before building your web page. Also, be sure you have followed the checklist procedures on hardening IIS at www.microsoft.com/technet/security.

* The use of any .ASP files, ActiveX, FrontPage Server Extensions, Integrated Windows Authentication or other technologies that are primarily associated with IIS will reveal to a hacker that you are probably running IIS on a Windows computer. [There is no fix for this, short of avoiding using technologies such as these.]

* A hacker can still determine your operating system by looking at what ports you have open, or by sending specially crafted packets from a variety of scanning tools such as Nmap or Queso. Firewalls will probably not block all of these scans.

For more information on these issues and others not mentioned here, see the following articles:
http://community.whitehatsec.com/articles/02/10/09/1813224.shtml
http://www.nextgenss.com/papers/iisrconfig.pdf

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ: http://www.securityadmin.info

Ken wrote:

Whilst this is information disclosure, it's not really a huge security vulnerability. If you remove that header, does it somehow protect you against any sort of malicious attack? Not really. An attacker can easily hurl malicious code for every possible attack against every possible type of webserver against your box using an automated tool, and no matter whether you remove the banner or not, the attack will still succeed if your server is vulnerable.

Cheers
Ken
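As an added self-audit example (not from the thread or from any of its posters), the script below checks a captured HTTP response from your own server for the disclosure points Karl lists: the Server banner, the ASP Session State cookie, and product names left in error or default pages. The X-Powered-By and X-AspNet-Version header checks go beyond the thread, and the sample response is constructed; feed it a response recorded from your own server instead.

```python
import re

# Headers that identify IIS/ASP.NET even when the Server banner is masked.
# Assumption: these are the header names worth auditing; extend as needed.
IDENTIFYING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Product names that default error pages and default content tend to carry.
IIS_BODY_RE = re.compile(
    r"Microsoft-IIS[^\s<\"]*|Internet Information Services|\bIIS\s*\d+(?:\.\d+)?",
    re.IGNORECASE)


def parse_response(raw: bytes) -> tuple[str, dict[str, list[str]], str]:
    """Split a raw HTTP/1.x response into status line, headers (lower-cased
    names, repeated headers kept as a list) and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("iso-8859-1")


def find_disclosures(raw: bytes) -> list[str]:
    """Return one finding per platform/version disclosure in the response."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in IDENTIFYING_HEADERS:
        for value in headers.get(name, []):
            findings.append(f"header {name}: {value}")
    # ASP Session State hands out an ASPSESSIONID* cookie (KB 244465 in the thread).
    for cookie in headers.get("set-cookie", []):
        if cookie.upper().startswith("ASPSESSIONID"):
            findings.append(f"ASP session cookie: {cookie.split('=')[0]}")
    match = IIS_BODY_RE.search(body)
    if match:
        findings.append(f"body mentions: {match.group(0)}")
    return findings


# Constructed sample response: the Server banner is gone, other clues remain.
SAMPLE_MASKED = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Set-Cookie: ASPSESSIONIDQQCTDAAA=CONSTRUCTEDVALUE; path=/\r\n"
    b"\r\n"
    b"<html><body>HTTP Error 404 - File or directory not found.<br>"
    b"Internet Information Services (IIS)</body></html>")

if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_MASKED):
        print(finding)
```

Running it on the constructed sample still reports three findings with the banner removed, which is Karl's point: masking the Server header leaves the other clues in place.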