How do you hide the HTTP Server header?

From: Joe (jlima@port80software.com)
Date: 06/12/02


From: "Joe" <jlima@port80software.com>
Date: Wed, 12 Jun 2002 09:56:45 -0700


IISLockdown (with the URLScan add on) is a good tool for
taking care of a whole variety of security issues in IIS.
But if you just want to anonymize your IIS box by removing
or changing the server header, MS provides source code
with which you can build a specialized ISAPI filter that
will do the job:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q294735

If you don't want to build, test and install your own ISAPI
filter (and if you'll excuse a shameless plug here for my
own outfit), you could also try a product called
ServerMask (www.servermask.com). It's easy to configure
via MMC, and, unlike the MS filter, it'll play nicely with
Cold Fusion (also tested with ASP, ActiveState Perl and
PHP).

I don't know if URLScan's header manipulation has any
issues with scripting environments, but if it uses the
same technique as the freely available source, it probably
will. (Response header manipulation can get tricky when
the page is being assembled dynamically and sent out via
chunked transfer coding.)

I'm looking for ways to enhance ServerMask, so any
suggestions would be appreciated. Some obvious next steps
are simulating the header "signatures" of other servers
(e.g., through header sequence) and masking ASP files.

cheers,

Joe

>-----Original Message-----
>Simple security question, how do you hide the HTTP server
>header so you don't get hit with so many bots and stuff
>trying to probe for IIS? I heard something about IIS
>lockdown or something....
>.
>
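The tricky case Joe mentions (rewriting response headers while the page is streamed out, possibly with chunked transfer coding) is easier to see in a runnable sketch. The following is an added example, not code from the original post, from Microsoft's KB filter or from ServerMask: it simulates a filter sitting on the raw outbound byte stream, buffering only until the end of the header block, rewriting or dropping the Server header there, and then passing body bytes (chunked or not) through untouched. The class and function names, and the sample response, are constructed for this illustration.

```python
"""Added example: mask the HTTP Server header in a raw response byte stream.

The stream arrives in arbitrary slices, the way a filter hooked on raw send
data would see it. Output is withheld until the end of the header block is
known; after that, body bytes pass through verbatim, which is what keeps a
chunked body intact. Names here are constructed for the example.
"""

from typing import List, Optional

HEADER_END = b"\r\n\r\n"


class ServerHeaderMasker:
    """Rewrite (or remove, when replacement is None) the Server header."""

    def __init__(self, replacement: Optional[bytes] = None):
        self.replacement = replacement
        self._pending = b""
        self._headers_done = False

    def feed(self, data: bytes) -> bytes:
        """Accept one raw slice of the response; return what may be sent now."""
        if self._headers_done:
            return data                        # body: never touched
        self._pending += data
        end = self._pending.find(HEADER_END)
        if end < 0:
            return b""                         # header block still incomplete
        head = self._pending[:end]
        rest = self._pending[end + len(HEADER_END):]
        self._pending = b""
        self._headers_done = True
        return self._rewrite(head) + HEADER_END + rest

    def _rewrite(self, head: bytes) -> bytes:
        lines = head.split(b"\r\n")
        out = [lines[0]]                       # status line is kept as-is
        for line in lines[1:]:
            name, sep, _ = line.partition(b":")
            if sep and name.strip().lower() == b"server":
                if self.replacement is not None:
                    out.append(b"Server: " + self.replacement)
                continue                       # drop the original header
            out.append(line)
        return b"\r\n".join(out)


def mask_response(chunks: List[bytes], replacement: Optional[bytes] = None) -> bytes:
    """Run every slice of a response through one masker and join the output."""
    masker = ServerHeaderMasker(replacement)
    return b"".join(masker.feed(chunk) for chunk in chunks)


def server_header(raw_response: bytes) -> Optional[bytes]:
    """Verification helper: the Server header value, or None when absent."""
    head, sep, _ = raw_response.partition(HEADER_END)
    if not sep:
        raise ValueError("incomplete header block")
    for line in head.split(b"\r\n")[1:]:
        name, s, value = line.partition(b":")
        if s and name.strip().lower() == b"server":
            return value.strip()
    return None


# Constructed sample: a chunked response whose header block is split across
# two raw-data slices, mid-way through the Server header name.
SAMPLE_CHUNKS = [
    b"HTTP/1.1 200 OK\r\nSer",
    b"ver: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n",
    b"0\r\n\r\n",
]

if __name__ == "__main__":
    masked = mask_response(SAMPLE_CHUNKS)
    print(masked.decode())
    print("Server header after masking:", server_header(masked))
```

Buffering stops at the first blank line, so a chunked body is forwarded as it arrives and the chunk framing is never re-parsed; the same check (`server_header`) can be pointed at a captured response to confirm that a deployed filter actually removed or replaced the header.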
