Re: How do you hide the HTTP Server header?
From: David Dietz [MS] (daviddietz@microsoft.com)
Date: 06/12/02
- Next message: Oliver: "SSL"
- Previous message: David Dietz [MS]: "RE: settting up secure page, but get 'page cannot be displayed'"
- In reply to: x y: "Re: How do you hide the HTTP Server header?"
- Next in thread: Ray: "Re: How do you hide the HTTP Server header?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: daviddietz@microsoft.com (David Dietz [MS]) Date: Wed, 12 Jun 2002 18:18:27 GMT
Jim,
jamescagney is dead on the mark. One additional suggestion, you can change
the file extensions and application mapping for asp pages so they appear to
be ColdFusion or Java Scriptlets.
David Dietz -- IIS Technical Lead
Search our online Knowledge Base
http://support.microsoft.com/support/
This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved
--------------------
|>From: "x y" <jamescagney90210@yahoo.com>
|>References: <dd0701c211a1$4400dfb0$39ef2ecf@TKMSFTNGXA08>
|>Subject: Re: How do you hide the HTTP Server header?
|>Date: Wed, 12 Jun 2002 00:33:43 -0400
|>Lines: 23
|>X-Priority: 3
|>X-MSMail-Priority: Normal
|>X-Newsreader: Microsoft Outlook Express 5.50.4133.2400
|>X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
|>Message-ID: <ezm6gpcECHA.1216@tkmsftngp02>
|>Newsgroups: microsoft.public.inetserver.iis.security
|>NNTP-Posting-Host: 1cust59.tnt1.richmond.va.da.uu.net 67.201.152.59
|>Path: cpmsftngxa07!tkmsftngp01!tkmsftngp02
|>Xref: cpmsftngxa07 microsoft.public.inetserver.iis.security:7572
|>X-Tomcat-NG: microsoft.public.inetserver.iis.security
|>
|>IISlockdown includes URLscan which is I think an excellent security tool,
|>highly recommended. Get it from www.microsoft.com/download and also read
|>the security checklists and install all the latest microsoft patches from
|>www.microsoft.com/security.
|>
|>URLscan can help hide the IIS version from being sent to the client,
though
|>there are other ways to determine the web server software version or
become
|>a target of certain scans. Having any .ASP files is a clue that you've
|>probably got IIS 4 or 5. Ditto the presence of certain other files. If
you
|>try using URLscan to attempt [somewhat futilely] to hide the server
software
|>version, you'll want to customize the response the server gives in the
|>urlscan.ini file, or else it will be obvious that you're running URLscan
and
|>thus that you're running IIS.
|>
|>
|>"Jim Tam" <jtam23@hotmail.com> wrote in message
|>news:dd0701c211a1$4400dfb0$39ef2ecf@TKMSFTNGXA08...
|>> Simple security question, how do you hide the HTTP server
|>> header so you don't get hit with so many bots and stuff
|>> trying to probe for IIS? I heard something about IIS
|>> lockdown or something....
|>
|>
|>
- Next message: Oliver: "SSL"
- Previous message: David Dietz [MS]: "RE: settting up secure page, but get 'page cannot be displayed'"
- In reply to: x y: "Re: How do you hide the HTTP Server header?"
- Next in thread: Ray: "Re: How do you hide the HTTP Server header?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
