Web Server Type

Web Server Type

on 12.07.2006 15:31:02 by georgedschneider

I recently had a vulnerability test conducted on one of our web servers, and the
recommendation that was made to us was that the web server type was detectable
as Microsoft-IIS/6.0. The conclusion was that this is a vulnerability. The
recommended solution was to configure the server to use an alternative name.
Does anyone have any idea how to do this, or heard of anything like this?

Re: Web Server Type

on 12.07.2006 16:58:12 by mvillalon

Hi,

You can try URLScan; it removes the IIS header from the response.

Marcelo V.


"George Schneider" wrote in message
news:47FB1C9E-6E7D-427E-9712-B1AC30604B79@microsoft.com...
> I recently had a vulnerbility test conducted on one of web servers and the
> recommendation that was made to us that web server server type was
detectable
> as Microsoft-IIS/6.0. The conclusion was this is a vulnerabilty. The
> recommended solution was to configure the server to use an alternative
name.
> Does anyone have any idea how to do this or heard anything like this.

Re: Web Server Type

on 12.07.2006 17:11:02 by georgedschneider

How would I do that?

"Marcelo Villalón" wrote:

> Hi,
>
> You can try URLScan, it removes IIS header from response
>
> Marcelo V.
>
>
> "George Schneider" wrote in message
> news:47FB1C9E-6E7D-427E-9712-B1AC30604B79@microsoft.com...
> > I recently had a vulnerbility test conducted on one of web servers and the
> > recommendation that was made to us that web server server type was
> detectable
> > as Microsoft-IIS/6.0. The conclusion was this is a vulnerabilty. The
> > recommended solution was to configure the server to use an alternative
> name.
> > Does anyone have any idea how to do this or heard anything like this.
>
>
>

Re: Web Server Type

on 12.07.2006 20:59:01 by Karl Levinson

Download and install URLScan.

I disagree that it is a big vulnerability. Attackers have many ways they
can determine what software you're running, even with a renamed banner. More
info:

http://www.microsoft.com/technet/security/tools/urlscan.mspx

Although this is not the same as the banner, Microsoft says that "[Windows
2003] IIS 6.0 does not include the [URLScan] RemoveServerHeader feature
because this feature offers no real security benefit. Most server attacks are
not operating system-specific. Also, it is possible to detect the identity of
a server and information about the operating system by mechanisms that do not
depend on the server header."

copied from: http://www.securityadmin.info/faq.asp?banner

How to mask IIS version number using URLScan -
http://support.microsoft.com/?kbid=317741
Configuring URLScan -
http://support.microsoft.com/?kbid=326444
Installing IISlockdown and URLScan -
http://support.microsoft.com/?kbid=325864

Even with URLScan installed, an IIS server will leak other information about
its version. For example:

* URLScan with the default settings will also prevent a hacker from using
the HTTP OPTIONS method to get information from WebDAV on your IIS server
[unless you are not using URLScan or choose to permit HTTP OPTIONS].

* You may also need to disable ASP Session State. This will also improve
the performance of your IIS server and the .ASP applications on it, but this
will disable your ability to use the Session object to maintain client state.
Disabling ASP Session State is described at:
http://support.microsoft.com/?kbid=244465

* The error messages that your web server serves up [such as the 404.htm,
403.htm, etc.] may reveal your version of IIS and Windows. You may use the
IIS MMC or third party software to change these error messages.

* The existence of certain default web pages on your web server [such as
default.asp, iisstart.asp, your IIS help files, etc.] can reveal your version
of IIS and Windows. You should consider deleting all files from the webroot
/ wwwroot folder or starting with a blank new folder before building your web
page. Also, be sure you have followed the checklist procedures on hardening
IIS at www.microsoft.com/technet/security.

* The use of any .ASP files, ActiveX, FrontPage Server Extensions,
Integrated Windows Authentication or other technologies that are primarily
associated with IIS will reveal to a hacker that you are probably running IIS
on a Windows computer. [There is no fix to this, short of avoiding using
technologies such as these.]

* A hacker can still determine your operating system by looking at what
ports you have open, or by sending specially crafted packets from a variety
of scanning tools such as Nmap or Queso. Firewalls will probably not block
all of these scans.

For more information on these issues and others not mentioned here, see the
following articles:

http://community.whitehatsec.com/articles/02/10/09/1813224.shtml
http://www.nextgenss.com/papers/iisrconfig.pdf


--

kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info




"George Schneider" wrote:

> How would I do that?
>
> "Marcelo Villalón" wrote:
>
> > Hi,
> >
> > You can try URLScan, it removes IIS header from response
> >
> > Marcelo V.
> >
> >
> > "George Schneider" wrote in message
> > news:47FB1C9E-6E7D-427E-9712-B1AC30604B79@microsoft.com...
> > > I recently had a vulnerbility test conducted on one of web servers and the
> > > recommendation that was made to us that web server server type was
> > detectable
> > > as Microsoft-IIS/6.0. The conclusion was this is a vulnerabilty. The
> > > recommended solution was to configure the server to use an alternative
> > name.
> > > Does anyone have any idea how to do this or heard anything like this.
> >
> >
> >
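
Following on from Karl's KB links, here is an added example (my code, not Microsoft's and not part of this thread) that audits a URLScan.ini offline for the settings under discussion: RemoveServerHeader and AlternateServerName under [Options], and whether OPTIONS is still permitted through [AllowVerbs]/[DenyVerbs]. The two INI texts are constructed for the example; the section and key names are URLScan 2.5's, and the audit assumes, per the comments in the stock urlscan.ini, that AlternateServerName only takes effect when RemoveServerHeader=0.

```python
"""Audit a URLScan.ini for the banner-masking and verb-filtering settings
discussed in this thread. Added example, not Microsoft's tooling."""
import configparser
from typing import List

# Constructed sample: a near-default URLScan.ini that still sends the
# "Server: Microsoft-IIS/6.0" banner and still answers OPTIONS.
WEAK_INI = """\
[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
RemoveServerHeader=0
AlternateServerName=
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST
OPTIONS

[DenyVerbs]
"""

# Constructed sample: the corrected settings (RemoveServerHeader and
# AlternateServerName are the keys KB 317741 describes).
HARDENED_INI = """\
[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
RemoveServerHeader=1
AlternateServerName=
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
"""


def parse_urlscan_ini(text: str) -> configparser.ConfigParser:
    """URLScan lists verbs and extensions one per line with no '=', so the
    parser must accept valueless keys; ';' comments are handled by default."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep RemoveServerHeader etc. case-exact
    cp.read_string(text)
    return cp


def _option(cp: configparser.ConfigParser, key: str, default: str = "0") -> str:
    if not cp.has_section("Options"):
        return default
    return (cp["Options"].get(key) or default).strip()


def _verbs(cp: configparser.ConfigParser, section: str) -> List[str]:
    if not cp.has_section(section):
        return []
    return [v.strip().upper() for v in cp.options(section)]


def audit_urlscan(text: str) -> List[str]:
    """Return findings; an empty list means the banner is masked and
    OPTIONS is refused."""
    cp = parse_urlscan_ini(text)
    findings: List[str] = []

    remove = _option(cp, "RemoveServerHeader") == "1"
    alt = _option(cp, "AlternateServerName", "")
    if not remove and not alt:
        findings.append("Server header sent unchanged: RemoveServerHeader=0 "
                        "and AlternateServerName is empty")
    if remove and alt:
        # Assumption about URLScan semantics: AlternateServerName is only
        # applied when RemoveServerHeader=0, so this pairing is misleading.
        findings.append("AlternateServerName is ignored while RemoveServerHeader=1")

    if _option(cp, "UseAllowVerbs") == "1":
        if "OPTIONS" in _verbs(cp, "AllowVerbs"):
            findings.append("OPTIONS listed in [AllowVerbs]: verb/WebDAV discovery still works")
    elif "OPTIONS" not in _verbs(cp, "DenyVerbs"):
        findings.append("UseAllowVerbs=0 and OPTIONS is not in [DenyVerbs]")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_urlscan(ini) or ["ok"])
```

Run as a script it prints the findings for both samples; feed audit_urlscan() the contents of the server's own urlscan.ini (by default under %WINDIR%\System32\InetSrv\URLscan) to check a real host. One caveat to verify separately: responses that http.sys generates itself in kernel mode (for example a 400 for a malformed request) never pass through an ISAPI filter, so URLScan cannot rewrite their Server header, and a scanner that sends a deliberately broken request may still see the real banner.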

Re: Web Server Type

on 13.07.2006 04:19:16 by Ken Schaefer

Whilst this is information disclosure, it's not really a huge security
vulnerability. If you remove that header, does it somehow protect you
against any sort of malicious attack? Not really.

An attacker can easily hurl malicious code for every possible attack against
every possible type of webserver against your box using an automated tool,
and no matter whether you remove the banner or not, the attack will still
succeed if your server is vulnerable.

Cheers
Ken

"George Schneider" wrote in message
news:47FB1C9E-6E7D-427E-9712-B1AC30604B79@microsoft.com...
>I recently had a vulnerbility test conducted on one of web servers and the
> recommendation that was made to us that web server server type was
> detectable
> as Microsoft-IIS/6.0. The conclusion was this is a vulnerabilty. The
> recommended solution was to configure the server to use an alternative
> name.
> Does anyone have any idea how to do this or heard anything like this.
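
To make Karl's and Ken's point concrete, here is an added example (my code, not from the thread or from any of the tools linked above) that identifies the server type from everything except the Server: header: header order, ASP.NET headers, the ASPSESSIONID cookie, ETag shape and default error-page wording. The two responses are constructed for the example (one is an IIS 6 response whose banner has already been rewritten to "Apache"), and the scoring weights are my own heuristics, so treat the output as a ranked guess rather than proof.

```python
"""Fingerprint an HTTP response while ignoring the Server: header.
Added example; the responses below are constructed, not captured."""
import re
from typing import Dict, List, Tuple

# Constructed: IIS 6 answering a 404 with its banner masked as "Apache".
IIS6_MASKED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Length: 1635\r\n"
    "Content-Type: text/html\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASPSESSIONIDQQGQGGQD=ABCDEFGHIJKLMNOPQRSTUVWX; path=/\r\n"
    "Date: Wed, 12 Jul 2006 14:00:00 GMT\r\n"
    "\r\n"
    "<html><head><title>The page cannot be found</title></head>"
    "<body>HTTP Error 404 - File or directory not found.<br>"
    "Internet Information Services (IIS)</body></html>"
)

# Constructed: Apache 2.2 answering the same request.
APACHE_22 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Wed, 12 Jul 2006 14:00:00 GMT\r\n"
    "Server: Apache/2.2.2 (Unix)\r\n"
    "Content-Length: 209\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL /x was not found on this server.</p>"
    "<hr><address>Apache/2.2.2 (Unix) Server at www.example.com Port 80</address>"
    "</body></html>"
)


def parse_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw response into an ordered (name, value) header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def fingerprint(raw: str) -> Dict[str, int]:
    """Score IIS-vs-Apache signals; the Server: value is never consulted."""
    headers, body = parse_response(raw)
    names = [n.lower() for n, _ in headers]
    score = {"iis": 0, "apache": 0}

    # Header order: IIS 6 emits Date last, Apache emits Date first.
    if "date" in names:
        if names.index("date") == len(names) - 1:
            score["iis"] += 2
        elif names.index("date") == 0:
            score["apache"] += 2

    # ASP.NET and classic ASP announce themselves via headers and cookie names.
    if any(n in ("x-powered-by", "x-aspnet-version") for n in names):
        score["iis"] += 2
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    if any(re.match(r"ASPSESSIONID[A-Z]+=", c) for c in cookies):
        score["iis"] += 3

    # ETag shape: IIS uses "value:changenumber", Apache "inode-size-mtime".
    for n, v in headers:
        if n.lower() == "etag":
            if re.fullmatch(r'"[0-9a-f]+:[0-9a-f]+"', v):
                score["iis"] += 1
            elif re.fullmatch(r'"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"', v):
                score["apache"] += 1

    # Default error-page wording (the 404.htm Karl mentions).
    if "The page cannot be found" in body or "Internet Information Services" in body:
        score["iis"] += 3
    if "<address>Apache/" in body or "The requested URL" in body:
        score["apache"] += 3
    return score


def guess(raw: str) -> str:
    """Best guess, or "unknown" when the signals cancel out."""
    score = fingerprint(raw)
    if score["iis"] == score["apache"]:
        return "unknown"
    return max(score, key=score.get)


if __name__ == "__main__":
    for label, raw in (("masked IIS 6", IIS6_MASKED), ("Apache 2.2", APACHE_22)):
        print(label, "->", guess(raw), fingerprint(raw))
```

Against the masked IIS response the Server: header says "Apache" yet every other signal says IIS, which is exactly why the thread treats the banner as cosmetic; removing the ASP.NET headers, disabling ASP session state and replacing the default error pages each knock out one signal, and header order and port/OS fingerprinting remain regardless.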