host header names as security devices

From: Chris Davis (chris.davis@computerjobs.com)
Date: 03/03/03

    From: Chris Davis <chris.davis@computerjobs.com>
    To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
    Date: Mon, 3 Mar 2003 11:23:42 -0500


    The IIS "host header name" setting provides virtual naming capability for a
    single IP/port assignment. I am curious if the use of a host header name
    adds any security against IP address range port 80 scanners that attempt to
    exploit target hosts.

    In the event of an HTTP request sent to the IP address (rather than to the
    hostname) of an IIS server running a web site configured with an IIS host
    header name, in absence of a default site, the IIS server will return "No
    web site is configured at this address" because the HTTP request did not
    match a configured host header name and there was no default site to return.

    Does IIS short circuit all the ISAPI filtering and such in this case where
    the request does not match a configured host header name and no default site
    exists? If so, then are unpatched/unknown vulnerabilities not exploitable
    when a request is made by IP address rather than host name since the request
    may not make it to the ISAPI filters that have buffer overflows (or
    encoding%20issues or other vulnerabilities)?

    If IIS does short circuit the ISAPI filtering of the request, it seems that
    use of host header names (while disabling the default site) can act as an
    impediment to automated scanners that scan IP ranges trying exploits without
    knowing hostnames.

    (The IIS lockdown tool will filter requests with cmd.exe and root.exe and
    *.dll and *.ida and such, which you would still want to use to prevent
    attacks that do use your configured host header name. In addition to the
    IIS lockdown tool's features, the possible host header name ISAPI
    short-circuit might add a security layer that excludes all IP block scanner
    requests that attempt exploits from the possibility of success.)

    Does anybody have inside knowledge of how far an HTTP request to an IIS
    server without a default site will be processed before "No web site is
    configured at this address" is returned when the HTTP request does not match
    a configured host header name? Is there a true security gain in
    implementing this concept?

    Thanks
    Chris Davis, Senior CS Major
    Computer Science
    Southern Polytechnic State University
    http://www.WinSnmpWalk.org
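To make the site-selection behaviour the post describes concrete, here is an added toy model (not the poster's code and not IIS's implementation) of how a request is matched to a site by destination IP, port and Host header, with the fallback to a site that has no host header (the "default site"); the sites, IP 192.0.2.10 and hostnames are constructed, and the matching rules are assumed from the description above.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Site:
    name: str
    ip: Optional[str]          # None = bound to all IP addresses
    port: int
    host_header: Optional[str] # None = no host header ("default site")

NO_SITE = "No web site is configured at this address"

def select_site(sites: Sequence[Site], dest_ip: str, dest_port: int,
                host_header: Optional[str]) -> Optional[Site]:
    """Assumed IIS-style binding lookup: exact host-header match first, then a
    site bound to this IP/port with no host header, otherwise no site at all."""
    host = (host_header or "").split(":")[0].strip().lower() or None
    candidates = [s for s in sites
                  if s.port == dest_port and s.ip in (None, dest_ip)]
    if host:  # rule 1: the request named a configured host header
        for s in candidates:
            if s.host_header and s.host_header.lower() == host:
                return s
    for s in candidates:  # rule 2: fall back to a default (no host header) site
        if s.host_header is None:
            return s
    return None

def handle(sites: Sequence[Site], dest_ip: str, dest_port: int,
           host_header: Optional[str], path: str) -> Tuple[int, str]:
    """Returns (status, body); only a matched site's handlers ever see the path."""
    site = select_site(sites, dest_ip, dest_port, host_header)
    if site is None:
        return 404, NO_SITE
    return 200, f"{site.name} handles {path}"

# Constructed configurations: host-header-only site, with and without a default site.
HOST_HEADER_ONLY = [Site("www", "192.0.2.10", 80, "www.example.com")]
WITH_DEFAULT = HOST_HEADER_ONLY + [Site("default", "192.0.2.10", 80, None)]

if __name__ == "__main__":
    # An IP-range scanner that only knows the address gets no site at all ...
    print(handle(HOST_HEADER_ONLY, "192.0.2.10", 80, "192.0.2.10", "/scripts/x.ida"))
    # ... unless a default site exists, which then receives every such request.
    print(handle(WITH_DEFAULT, "192.0.2.10", 80, None, "/scripts/x.ida"))
    # A request carrying the configured host header is still served normally.
    print(handle(HOST_HEADER_ONLY, "192.0.2.10", 80, "www.example.com:80", "/"))
```

The model only shows routing: it says nothing about which server-level processing happens before the site lookup, which is exactly the open question in the post.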

