Re: NT/IIS decoy

From: Michael Katz (mike@procinct.com)
Date: 12/10/01


Date: Mon, 10 Dec 2001 13:34:09 -0800
To: Lambott@aol.com, <pen-test@securityfocus.com>
From: Michael Katz <mike@procinct.com>

At 12/7/2001 03:52 AM, Taiye Lambo wrote:

>Does anyone know how to hide or mask the identity of an IIS 4.0 or 5.0
>server such that if a "GET" command is issued following a telnet to the
>server on port 80, the server will display a different server type so as
>to hide its true identity?
>
>I searched the IIS installation drive using the following strings -
>Microsoft-IIS/4.0 and Microsoft-IIS/5.0
>The result was a file called w3svc.dll which is apparently the IIS world
>wide web publishing service, I manually stopped this service, backed up
>the file and then amended it to reflect my decoy server type, however,
>next time I attempt to start the service it failed.
>I have heard of honey pot type program that can also achieve my desired
>result, but never actually played with one myself.
>
>Has anyone come across this and does anyone know of any solution for what
>I am trying to achieve?

Taiye,

With IIS4 on Windows NT 4.0, you can edit the w3svc.dll file using a hex
editor and change the relevant string to something else.

You cannot do this with IIS 5 on Windows 2000, unless you disable Windows
File Protection.

However, you can use the tool URLscan (now IIS Lockdown) from Microsoft
with either IIS4 on NT or IIS5 on Windows 2000, to modify the server header
response. According to the documentation: "Also, UrlScan provides the
administrator with the option of deleting or altering the "Server:" header
in the response."

You can obtain URLScan from
http://www.microsoft.com/technet/security/URLScan.asp

Note that URLScan has been integrated into the Lockdown tool previously
released from MS and is now called the IIS Lockdown Wizard version 2.1. It
was released on November 14, 2001.

Michael Katz
mike@procinct.com
Procinct Security
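
[Added example, not part of Michael Katz's message or of Microsoft's URLScan documentation.] A check an administrator can run after changing the Server: header with URLScan: it reads the [options] section of urlscan.ini and compares the banner it should produce with a captured response. The decoy banner value, the sample responses and all function names are constructed for illustration.

```python
# Constructed urlscan.ini fragment. RemoveServerHeader and AlternateServerName
# are URLScan [options] settings; the decoy banner value is made up.
SAMPLE_INI = """\
[options]
RemoveServerHeader=0      ; 1 would strip the Server: header entirely
AlternateServerName=Decoy-Httpd/1.0
"""
# Constructed responses, as seen after "telnet host 80" and a GET request.
BEFORE = b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n"
AFTER = b"HTTP/1.1 200 OK\r\nServer: Decoy-Httpd/1.0\r\nContent-Length: 0\r\n\r\n"

def read_options(ini_text):
    """Return the [options] key/value pairs; other sections are skipped."""
    opts, section = {}, None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "options" and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def expected_server_header(ini_text):
    """None = header removed, a string = replacement banner, 'unchanged' = default."""
    opts = read_options(ini_text)
    if opts.get("removeserverheader", "0") == "1":
        return None  # removal wins; AlternateServerName is then ignored
    return opts.get("alternateservername") or "unchanged"

def server_header(raw):
    """Extract the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def check(ini_text, raw):
    """Compare the banner actually served with what the config should produce."""
    want, got = expected_server_header(ini_text), server_header(raw)
    if got and "microsoft-iis" in got.lower():
        return "FAIL: banner still discloses IIS: " + got
    if want != "unchanged" and got != want:
        return "FAIL: expected %r, got %r" % (want, got)
    return "OK: Server header is %r" % (got,)

if __name__ == "__main__":
    print(check(SAMPLE_INI, BEFORE))
    print(check(SAMPLE_INI, AFTER))
```

The check covers only the Server: header; changing the banner does not alter any other response behaviour, so it is no replacement for patching and lockdown.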



