Re: IIS 6 and banners

From: BB (Bernard_at_3exp.com)
Date: 04/05/03


From: "BB" <Bernard_at_3exp.com>
Date: Sat, 5 Apr 2003 19:36:30 +0800


If you upgrade from IIS 5.0 with Urlscan installed,
WWW service is enable, without urlscan it's set to disabled.

so if you upgrade from this, my guess is still valid and
worth a try.

anyhow.. changing banner won't really protect you.
refer www.microsoft.com/security for more info on security.

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
"Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
news:eiqNUlr#CHA.1996@TK2MSFTNGP12.phx.gbl...
> See below for confirmation.  It would appear that most of URLScan has been
> added to or improved on natively within IIS 6, except the ability to block
> the banner does not appear to be included unless you add the existing
> version of URLScan.  It is true that IISLockdown is not compatible with
IIS
> 6, but the current versions of URLScan ARE.
>
> Instructions for extracting URLScan without installing IISLockdown:
> http://www.microsoft.com/technet/security/tools/tools/URLScan.asp
>
>
http://www.google.com/groups?as_q=urlscan&as_oq=iis-6%20.net&safe=off&ie=ISO
> -8859-1&as_ugroup=microsoft.public.*&lr=&hl=en
>
>
http://www.google.com/groups?hl=en&lr=&ie=UTF-8&safe=off&threadm=epWPeNp3CHA
>
.1588%40TK2MSFTNGP12.phx.gbl&rnum=10&prev=/groups%3Fas_q%3Durlscan%26as_oq%3
>
Diis-6%2520.net%26safe%3Doff%26ie%3DISO-8859-1%26as_ugroup%3Dmicrosoft.publi
> c.*%26lr%3D%26hl%3Den
>
> "From: David Wang [Msft] (someone@online.microsoft.com)
> Subject: Re: UrlScan available for IIS 6.0?
> Newsgroups: microsoft.public.inetserver.iis.security
> Date: 2003-02-27 11:08:51 PST
>
> This is a frequently asked question:
> 1. URLScan is not a part of IIS 6
> 2. Existing versions of URLScan can run on IIS 6, but you will have to
> manually extract and run the URLScan installer.
>
> A Lockdown tool is not needed for IIS6 because it already comes locked
down.
> Thus, you will not need URLScan to get secure -- you can run URLScan
> optionally for defense in depth, though some URLScan features are not as
> fine-grained as IIS6 features."
>
>
http://www.google.com/groups?q=urlscan+iis-6+OR+.net+group:microsoft.public.
>
*&start=10&hl=en&lr=&ie=UTF-8&safe=off&selm=euAvkTLkCHA.1756%40tkmsftngp12&r
> num=16
>
> "From: Wade A. Hilmo [MS] (wadeh@microsoft.com)
> Subject: Re: How do I remove the server header in IIS6? View: Complete
> Thread (6 articles) Original Format
> Newsgroups: microsoft.public.inetserver.iis.security
> Date: 2002-11-20 08:53:03 PST
>
> Hi Bernt,
>
> You can use the UrlScan doesn't ship with IIS 6, because all of the
> "important" functionality of UrlScan exists natively in IIS 6.  Removing
the
> server header is not one of the things that IIS 6 does out-of-the-box
(since
> removing the server header is not really a security measure for two
reasons:
> first, it's not really an effective way to obscure the identity of the web
> server; and second, most attacks don't bother to look for it anyway).
>
> The existing version of UrlScan is compatible with IIS 6, so if you still
> want any of the functionality that wasn't built directly into IIS 6, such
as
> this, you can still just run UrlScan."
>
>
> "Leandro" <ldlv@ig.com.br> wrote in message
> news:053e01c2faa1$0faa8fb0$a201280a@phx.gbl...
> > Hello Karl,
> >
> > Thanks for your help, but IIS Lockdown tool didn't install
> > in my Windows 2003 server. The system alerts that the
> > version of IIS is not the 4 or 5. I read on the
> > documentation, and Microsoft sad that it works just on 4,5
> > and 5.1 versions...
> > Microsoft (Support in Brazil) didn't respond my
> > question... I don't know what can I do...
> > I think that I'll wait for the support...
> >
> > THANKS A LOT...
> > Regards...
> >
> >
> >
> > >-----Original Message-----
> > >My understanding from previous Microsoft posts here is
> > that URLScan DOES
> > >work under IIS 6.  You do need to extract it from the IIS
> > Lockdown tool
> > >following the instructions on the URLScan documentation
> > and web page [e.g.
> > >you probably should not try to install the IIS lockdown
> > tool].  If it does
> > >not work, then there is some bug somewhere.  For more
> > information, search
> > >microsoft.public.* by going to
> > www.google.com/advanced_group_search
> > >
> > >
> > >"Leandro" <ldlv@ig.com.br> wrote in message
> > >news:041e01c2fa05$57b4ea90$3001280a@phx.gbl...
> > >> Hello,
> > >>
> > >> I need help to hide IIS Banners in Windows 2003, anybody
> > >> know how ????? I remember that the IIS version is 6.0
> > and
> > >> URLScan don't work in this version. In other versions of
> > >> windows it works fine....
> > >>
> > >> Thanks a lot.
> > >
> > >
> > >.
> > >
>
>