Re: Change reported web server type
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/06/02
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Wed, 6 Nov 2002 14:30:35 -0500
"Tim" <jim@work.com> wrote in message
news:830701c285c2$31bffad0$36ef2ecf@tkmsftngxa12...
> We are using Nessus to scan our internal network for
> holes. On our IIS servers it is reporting the following:
> (The remote web server type is :
>
> Microsoft-IIS/5.0
>
> Solution : You can use urlscan to change reported server
> for IIS.)
>
> I have installed URLSCAN and need to know how to change
> the above.
Changing the HTTP banner may help a little and is not a bad idea, but it's a
little harder than just that. Read below, and be sure to check out the
following links too:
http://community.whitehatsec.com/articles/02/10/09/1813224.shtml
http://www.nextgenss.com/papers/iisrconfig.pdf
=============
How can I hide the version number of the Windows / IIS / Web server / FTP
server / Exchange server software I am using from hackers?
A: It is true that generally good security practice includes trying to
restrict information about your system. However, changing your IIS or
Exchange server banner is not likely to be very useful for increasing your
security. This is because many hacker and worm attacks don't try to learn
what version of software your computer is running before attacking. Even if
you change the banner information that your server gives out when a computer
connects to it, a hacker can still determine your operating system by
looking at what ports you have open, or by sending specially crafted packets
from a variety of scanning tools such as Nmap or Queso. Firewalls will
probably not block all of these scans.
It is far more important that you have first taken the customary steps to
harden and otherwise secure your computer, including using a firewall.
BEFORE you consider options for changing the banners on your system, be sure
you've installed all service packs and security fixes and followed the
instructions for hardening Windows and IIS at
www.microsoft.com/technet/security [as well as the additional checklist
instructions in the sections in this FAQ entitled "How can I harden my
computer or server to secure it from hackers?" and "Which firewall should I
choose? Which firewall is the best?"].
Having said that, the following information may help you change your
banners:
SEEING THE BANNERS ON YOUR COMPUTER:
If you want to see the banners that your computer is showing to other
computers, click on Start, Run, then type one of the following commands and
click OK:
TELNET yourcomputername 80 [the web server banner]
TELNET yourcomputername 21 [the FTP server banner]
TELNET yourcomputername 25 [the SMTP server banner]
TELNET yourcomputername 119 [the NNTP server banner]
TELNET yourcomputername 110 [the POP3 server banner]
TELNET yourcomputername 143 [the IMAP server banner]
TELNET yourcomputername 23 [the Telnet server banner]
[You may need to press the Enter key a few times after you connect to see
the banner. To end the connection, try closing the Telnet window, or
holding the CTRL and C keys simultaneously, or typing EXIT or QUIT followed
by the Enter key.]
WEB / HTTP / WWW BANNERS:
The free IISlockdown tool from www.microsoft.com/download includes URLScan,
which can be used to change or remove the banner from your web server. This
is done by editing the URLSCAN.INI file [e.g.
c:\windows\inetsrv\urlscan\urlscan.ini ] to include the following line:
RemoveServerHeader=1
...and then restarting IIS [e.g. by using the IISRESET command]. URLScan is
also very helpful in protecting your web server from present and future
vulnerabilities like Code Red / Nimda and is highly recommended. For more
information, read the documentation that comes with URLScan and/or the
articles below:
How to mask IIS version number using URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317741
Configuring URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326444
Installing IISlockdown and URLScan -
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q325864
Even with URLScan installed, an IIS server will leak other information about
its version. For example:
* URLScan with the default settings will also prevent a hacker from using
the HTTP OPTIONS method to get information from WebDAV on your IIS server
[unless you are not using URLScan or choose to permit HTTP OPTIONS].
* You may also need to disable ASP Session State. This will also improve
the performance of your IIS server and the .ASP applications on it, but this
will disable your ability to use the Session object to maintain client
state. Disabling ASP Session State is described at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244465
* The error messages that your web server serves up [such as the 404.htm,
403.htm, etc.] may reveal your version of IIS and Windows. You may use the
IIS MMC or third party software to change these error messages.
* The existence of certain default web pages on your web server [such as
default.asp, iisstart.asp, your IIS help files, etc.] can reveal your
version of IIS and Windows. You should consider deleting all files from the
webroot / wwwroot folder or starting with a blank new folder before building
your web page. Also, be sure you have followed the checklist procedures on
hardening IIS at www.microsoft.com/technet/security.
* The use of any .ASP files, ActiveX, FrontPage Server Extensions,
Integrated Windows Authentication or other technologies that are primarily
associated with IIS will reveal to a hacker that you are probably running
IIS on a Windows computer. [There is no fix to this, short of avoiding
using technologies such as these.]
* A hacker can still determine your operating system by looking at what
ports you have open, or by sending specially crafted packets from a variety
of scanning tools such as Nmap or Queso. Firewalls will probably not block
all of these scans.
For more information on these issues and others not mentioned here, see the
following articles:
http://community.whitehatsec.com/articles/02/10/09/1813224.shtml
http://www.nextgenss.com/papers/iisrconfig.pdf
FTP BANNERS:
There is no supported way to change the FTP banner on Windows XP or older
[without using a third-party FTP server instead]. This also might not be
possible under .NET server.
NNTP / NEWS BANNERS:
There is no supported way to change the NNTP banner on Windows XP or older,
as well as Exchange 2000 and older [without using a third-party NNTP server
instead]. This also might not be possible under .NET server.
EXCHANGE 2000 BANNERS:
You can change the SMTP, POP and/or IMAP banners [only in Exchange 2000 and
newer] using the article below [other Exchange banners such as NNTP News
cannot be changed]:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q303513
EXCHANGE 5.5 [AND OLDER] BANNERS:
You cannot change the banners in Exchange 5.5 or older.
TELNET SERVER BANNERS:
You can change the banner for the Telnet service [only on Windows 2000 and
newer] using the article below:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q245095
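Added example, not from the post above or from Microsoft's URLScan documentation: a small Python checker that makes the "telnet to port 80 and look" step repeatable, so you can confirm that RemoveServerHeader=1 plus IISRESET actually removed the Server header and that the ASP Session State cookie (the standard ASPSESSIONID* cookie name) is also gone. The host and port are assumptions you supply; the two sample responses are constructed, not captured from a real server.

```python
"""Report the header-level clues the post above lists as IIS version leaks."""
import socket
from typing import Dict, List


def fetch_response_head(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send a minimal HTTP/1.0 HEAD request and return the raw response head."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into a {lower-case name: [values]} map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def banner_findings(headers: Dict[str, List[str]]) -> List[str]:
    """List what the response still gives away after the URLScan change."""
    findings = []
    for value in headers.get("server", []):
        findings.append(f"Server header present: {value}")
    for cookie in headers.get("set-cookie", []):
        # ASP Session State issues an ASPSESSIONID* cookie, which marks
        # the host as IIS even when the Server header has been removed.
        if cookie.upper().startswith("ASPSESSIONID"):
            findings.append(f"ASP session cookie: {cookie.split('=', 1)[0]}")
    return findings


# Constructed sample responses (not captured from a real server).
BEFORE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
          b"Set-Cookie: ASPSESSIONIDQQGGGQQQ=ABCDEFGH; path=/\r\n"
          b"Content-Type: text/html\r\n\r\n")
AFTER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":  # swap in fetch_response_head("yourcomputername") for a live check
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, banner_findings(parse_headers(raw)) or ["no header clues"])
```

Custom error pages and default files (404.htm, iisstart.asp and friends) are not covered by this check; those still need the manual review the post describes.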