Re: IIS Banner Change?

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 10/28/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Mon, 28 Oct 2002 12:29:03 -0500


"Karl Levinson [x y] MVP" <jamescagney90210@excite.com> wrote in message
news:uM3XHAbfCHA.3556@tkmsftngp08...
>
> "Keith" <Keith.Howells@bms.com> wrote in message
> news:816f01c27cb1$805f73b0$39ef2ecf@TKMSFTNGXA08...
> > I'd like to know if there is a way to change the banner
> > information. I don't want to divulge any information if
> > possible. We have scanned ourselves with Nessus and it
> > tells what version of IIS you're running, FTP version, SMTP
> > version, etc. Anyone know of a way to tweak this?
>
> While you can change the banners for some of these products, and it's not
> such a bad idea to do it, there are a large number of other ways that your
> servers leak information about what software and windows version they're
> running, so that there are other things you will want to do. Your 404 error
> page probably does this; if you're running any .ASP pages, that's a
> giveaway; tools such as nmap and queso can send a specially crafted packet
> to your server and tell your windows version from the response. Also note
> that hackers and worms often don't bother to check any more what version of
> software you're running before they attack.
>
> I've got more info on this at work, I'll try to remember to post it on
> Monday.

Here's how to use URLscan and also other things you may want to consider.
Even after all this, someone can still use a very well known tool such as
NMAP to get your OS.

=================

How can I hide the version number of the Windows / IIS / Web server / FTP
server / Exchange server software I am using from hackers?

A: It is true that generally good security practice includes trying to
restrict information about your system. However, changing your IIS or
Exchange server banner is not likely to be very useful to increasing your
security. This is because many hacker and worm attacks don't try to learn
what version of software your computer is running before attacking. Even if
you change the banner information that your server gives out when a computer
connects to it, a hacker can still determine your operating system by
looking at what ports you have open, or by sending specially crafted packets
from a variety of scanning tools such as Nmap or Queso. Firewalls will
probably not block all of these scans.

It is far more important that you have first taken the customary steps to
harden and otherwise secure your computer, including using a firewall.
BEFORE you consider options for changing the banners on your system, be sure
you've installed all service packs and security fixes and followed the
instructions for hardening Windows and IIS at
www.microsoft.com/technet/security [as well as the additional checklist
instructions at www.nsa.gov, www.labmice.net/security, http://rr.sans.org
and other web sites]. For more information, see the sections in this FAQ
entitled "How can I harden my computer or server to secure it from hackers?"
and "Which firewall should I choose? Which firewall is the best?"

Having said that, the following information may help you change your
banners:

SEEING THE BANNERS ON YOUR COMPUTER:
If you want to see the banners that your computer is showing to other
computers, click on Start, Run, then type one of the following commands and
click OK:

TELNET yourcomputername 80 [the web server banner]
TELNET yourcomputername 21 [the FTP server banner]
TELNET yourcomputername 25 [the SMTP server banner]
TELNET yourcomputername 119 [the NNTP server banner]
TELNET yourcomputername 110 [the POP3 server banner]
TELNET yourcomputername 143 [the IMAP server banner]
TELNET yourcomputername 23 [the Telnet server banner]

[You may need to press the Enter key a few times after you connect to see
the banner. To end the connection, try closing the Telnet window, or
holding the CTRL and C keys simultaneously, or typing EXIT or QUIT followed
by the Enter key.]

WEB / HTTP / WWW BANNERS:
The free IISlockdown tool from www.microsoft.com/download includes URLScan,
which can be used to change or remove the banner from your web server. This
is done by editing the URLSCAN.INI file [e.g.
c:\windows\inetsrv\urlscan\urlscan.ini ] to include the following line:

RemoveServerHeader=1

...and then restarting IIS [e.g. by using the IISRESET command]. URLScan is
also very helpful in protecting your web server from present and future
vulnerabilities like Code Red / Nimda and is highly recommended. For more
information, read the documentation that comes with URLScan and/or the
articles below:

How to mask IIS version number using URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317741
Configuring URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326444
Installing IISlockdown and URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q325864

Even with URLScan installed, an IIS server will leak other information about
its version. For example:

* URLScan with the default settings will also prevent a hacker from using
the HTTP OPTIONS method to get information from WebDAV on your IIS server
[unless you are not using URLScan or choose to permit HTTP OPTIONS].

* You may also need to disable ASP Session State. This will also improve
the performance of your IIS server and the .ASP applications on it, but this
will disable your ability to use the Session object to maintain client
state. Disabling ASP Session State is described at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244465

* The error messages that your web server serves up [such as the 404.htm,
403.htm, etc.] may reveal your version of IIS and Windows. You may use the
IIS MMC or third party software to change these error messages.

* The existence of certain default web pages on your web server [such as
default.asp, iisstart.asp, your IIS help files, etc.] can reveal your
version of IIS and Windows. You should consider deleting all files from the
webroot / wwwroot folder or starting with a blank new folder before building
your web page. Also, be sure you have followed the checklist procedures on
hardening IIS at www.microsoft.com/technet/security.

* The use of any .ASP files, ActiveX, FrontPage Server Extensions,
Integrated Windows Authentication or other technologies that are primarily
associated with IIS will reveal to a hacker that you are probably running
IIS on a Windows computer. [There is no fix to this, short of avoiding
using technologies such as these.]

* A hacker can still determine your operating system by looking at what
ports you have open, or by sending specially crafted packets from a variety
of scanning tools such as Nmap or Queso. Firewalls will probably not block
all of these scans.

For more information on these issues and others not mentioned here, see the
following articles:

http://community.whitehatsec.com/articles/02/10/09/1813224.shtml
http://www.nextgenss.com/papers/iisrconfig.pdf

FTP BANNERS:
There is no supported way to change the FTP banner on Windows XP or older
[without using a third-party FTP server instead]. This also might not be
possible under .NET server.

NNTP / NEWS BANNERS:
There is no supported way to change the NNTP banner on Windows XP or older,
as well as Exchange 2000 and older [without using a third-party NNTP server
instead]. This also might not be possible under .NET server.

EXCHANGE 2000 BANNERS:
You can change the SMTP, POP and/or IMAP banners [only in Exchange 2000 and
newer] using the article below [other Exchange banners such as NNTP News
cannot be changed]:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q303513

EXCHANGE 5.5 [AND OLDER] BANNERS:
You cannot change the banners in Exchange 5.5 or older.

TELNET SERVER BANNERS:
You can change the banner for the Telnet service [only on Windows 2000 and
newer] using the article below:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q245095
________________________________________________________

(11.4) How can I install or configure IISlockdown and/or URLScan?

A: Information on how to install and configure URLScan and IISlockdown is
available in the documentation that came with URLScan and also in the
following articles:

Configuring URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326444
Installing IISlockdown and URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q325864

See the section in this FAQ entitled "IISlockdown with URLScan is causing
problems on my IIS web server" for more information.
________________________________________________________

(11.5) IISlockdown with URLScan is causing problems on my IIS web server.

A: With any URLScan problem, edit the URLSCAN.LOG file [e.g.
c:\winnt\system32\inetsrv\urlscan\urlscan.log ] to see what, if anything, is
being blocked by URLScan and why.

Then, edit the URLSCAN.INI file [e.g.
c:\winnt\system32\inetsrv\urlscan\urlscan.ini ] as needed to permit the
blocked file or URL to be accessed.

Changes to the urlscan.ini file will not take effect until IIS is restarted
[for example, you can run the IISRESET command to restart IIS].

One frequent problem is that access to a particular file type, such as .DLL,
might be blocked by the default URLScan settings because of the file's name
and extension.

Another frequent problem is that URLScan with the default settings may block
access to the root of the web server, e.g. http://www.yourcompany.com, though
access to other files such as http://www.yourcompany.com/default.asp still
works. This problem can be fixed by allowing null extensions as described in
the following article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q312376

ALL server administrators using URLScan should probably check the
URLSCAN.LOG file every few days or weeks to see what is being requested from
and blocked by the web server. Some of the items in the log may represent
legitimate users who were denied access to a particular file, and you may
want to change the relevant setting in the URLSCAN.INI file. Other entries
in the URLSCAN.LOG file may represent attempted hacking that was blocked, or
worm "viruses" such as Nimda and Code Red that were blocked by URLScan.

More information on how to install and configure URLScan and IISlockdown is
available in the documentation that came with URLScan and also in the
following articles:

Configuring URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326444
Installing IISlockdown and URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q325864

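The TELNET commands in the post are the manual way to see what your own servers announce. The following is an added example, not code from the original post or from Microsoft: a small self-audit script that does the same thing automatically, reading the greeting that FTP/SMTP/POP3/NNTP/IMAP style services volunteer on connect, and for HTTP sending a HEAD request and extracting the Server: header (None when the header is absent, which is what RemoveServerHeader=1 achieves). Hostnames and ports are assumptions; the demo starts throwaway local servers so it runs offline.

```python
"""Added example (not from the original post): audit the banners your own
servers present, as the post's TELNET commands do by hand.

Assumptions: you point read_greeting()/read_http_server_header() at your own
hosts; the local servers in demo() are constructed stand-ins for IIS/SMTP."""
import socket
import threading

# Ports from the post's TELNET list whose services announce themselves unprompted.
GREETING_PORTS = {21: "FTP", 25: "SMTP", 110: "POP3", 119: "NNTP", 143: "IMAP"}


def read_greeting(host, port, timeout=3.0):
    """Return the first line a service volunteers on connect, or '' if it
    sends nothing before the timeout (e.g. a silent HTTP port)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            return ""
    return data.decode("latin-1", "replace").splitlines()[0] if data else ""


def read_http_server_header(host, port, timeout=3.0):
    """Send a minimal HEAD request and return the value of the Server: header,
    or None when the server omits it."""
    request = "HEAD / HTTP/1.0\r\nHost: {}\r\n\r\n".format(host).encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            if b"\r\n\r\n" in b"".join(chunks):   # end of the header block
                break
    head = b"".join(chunks).split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def _serve_once(response_bytes, send_on_connect):
    """Constructed stand-in for a real service: listen on a random local port,
    handle one connection, then exit. Returns (port, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            if not send_on_connect:
                conn.recv(4096)          # wait for the client's HEAD request
            conn.sendall(response_bytes)
        srv.close()

    t = threading.Thread(target=handler, daemon=True)
    t.start()
    return port, t


def demo():
    """Audit three constructed local services and return the findings."""
    findings = {}
    port, t = _serve_once(b"220 mail.example.test Microsoft ESMTP MAIL Service ready\r\n", True)
    findings["smtp"] = read_greeting("127.0.0.1", port)
    t.join()
    port, t = _serve_once(b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n", False)
    findings["http_leaky"] = read_http_server_header("127.0.0.1", port)
    t.join()
    port, t = _serve_once(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", False)
    findings["http_masked"] = read_http_server_header("127.0.0.1", port)
    t.join()
    return findings


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Run it against each of your own servers before and after applying RemoveServerHeader=1 to confirm the header is gone; as the post says, the 404 page, default files and the OS fingerprint will still give you away, so treat this as one check among several.
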
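Since the post's advice turns on a handful of urlscan.ini settings (RemoveServerHeader, keeping HTTP OPTIONS blocked, allowing null extensions so the site root loads, and having a URLSCAN.LOG to review), here is an added example, not code from the original post or from URLScan, that parses a urlscan.ini and reports which of those settings are weak. The sample ini text is constructed, and the way each option interacts with its list section (e.g. that a lone "." in [AllowExtensions] permits extension-less requests when UseAllowExtensions=1) is stated as an assumption drawn from the post and the KB articles it cites, not from URLScan's own documentation.

```python
"""Added example (not from the original post or from URLScan): audit a
urlscan.ini for the settings discussed in the thread.

Assumed option semantics (from the post and the KB articles it cites):
  RemoveServerHeader=1            masks the Server: header
  OPTIONS absent from [AllowVerbs] keeps the WebDAV OPTIONS probe blocked
                                   when UseAllowVerbs=1
  '.' present in [AllowExtensions] lets http://host/ through when
                                   UseAllowExtensions=1 (KB Q312376)
  EnableLogging=1                  so URLSCAN.LOG has something to review"""


def parse_urlscan_ini(text):
    """[Options] holds key=value lines; list sections such as [AllowVerbs] or
    [AllowExtensions] hold one bare entry per line; ';' starts a comment.
    Returns {'options': {key_lower: value}} plus {section_lower: set(entries)}."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {} if section == "options" else set())
            continue
        if section is None:
            continue                       # stray line before any section
        if section == "options":
            key, _, value = line.partition("=")
            data[section][key.strip().lower()] = value.strip()
        else:
            data[section].add(line.lower())
    return data


def audit_urlscan(text):
    """Return a list of human-readable findings; an empty list means all
    four checks passed."""
    cfg = parse_urlscan_ini(text)
    opts = cfg.get("options", {})
    findings = []
    if opts.get("removeserverheader", "0") != "1":
        findings.append("Server header still sent: set RemoveServerHeader=1 under [Options]")
    if opts.get("useallowverbs", "0") == "1" and "options" in cfg.get("allowverbs", set()):
        findings.append("OPTIONS listed in [AllowVerbs]: WebDAV OPTIONS probes will be answered")
    if opts.get("useallowextensions", "0") == "1" and "." not in cfg.get("allowextensions", set()):
        findings.append("UseAllowExtensions=1 without '.' in [AllowExtensions]: site root will be blocked")
    if opts.get("enablelogging", "1") != "1":
        findings.append("EnableLogging is off: URLSCAN.LOG will stay empty")
    return findings


# Constructed sample: a weak configuration and its corrected counterpart.
WEAK_INI = """
[Options]
UseAllowVerbs=1            ; only verbs listed in [AllowVerbs] are accepted
UseAllowExtensions=1
RemoveServerHeader=0       ; weak: IIS keeps announcing its version
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST
OPTIONS

[AllowExtensions]
.asp
.htm
.html
"""

HARDENED_INI = """
[Options]
UseAllowVerbs=1
UseAllowExtensions=1
RemoveServerHeader=1
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
.asp
.htm
.html
.                          ; null extension so http://host/ still loads
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, "->", audit_urlscan(ini) or ["ok"])
```

Remember that, as the post notes, edits to urlscan.ini only take effect after IISRESET, so re-run the banner check after restarting rather than trusting the file alone.
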

