Mask IIS from Vulnerability Scans
This is a quick overview for website developers on how to mask the information Microsoft Internet Information Server gives out. The majority of compromised websites were exploited because the webmaster failed to apply patches provided by the software vendor.
These weaknesses are typically found by running a vulnerability assessment program or script that produces a list of possible exploits for the target system. There are also issues such as improper coding, setup and security settings.
By changing the information your server gives out, many vulnerability scanners and scripts will assume you are running a different server operating system; that assumption leads to inaccurate reports, and the attacker moves on to another system. Listed below are five simple steps to masking IIS information.
1) Change your extension:

Under the default website properties, choose the Home Directory tab, click the Configuration button, click Add, type C:\WINDOWS\System32\inetsrv\asp.dll in the Executable box and .CGI for the extension. Verbs can be set to the following: GET,HEAD,POST,TRACE. You can skip the file exists option.
Now just take any .asp page, change the extension to .CGI and away you go. When a visitor looks at your page, they see the .CGI extension. Better yet, when your site is scanned, it appears you are using a system other than IIS. You can use extensions other than .CGI, .PHP for example (provided you are not really using PHP).

[Note: Your .ASP pages will still work.]
2) URLScan

You should also use URLScan, which comes with the IIS Lockdown tool, to specify a replacement for IIS's built-in Server header; this will give out false server information. Just find the line below in the [Options] section of urlscan.ini and add your false server name, or cut and paste this example:

AlternateServerName=Netscape-Enterprise/3.6

(The replacement name is only sent while RemoveServerHeader=0 in the same section; with RemoveServerHeader=1 URLScan strips the Server header entirely instead.)
3) Session ID

IIS also gives itself away with the ASPSESSIONID cookie. If you are not using session variables, you can prevent this information exposure by disabling session state, found under Home Directory, Configuration, Options.
4) Error Handling

Of course, you will want some type of custom error messages. If you do not change the default error messages, a user could type in a non-existent page and receive an IIS error page, essentially defeating your work.
5) Automatic Updates

Be aware of updates and make sure you apply any fixes / patches.
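As an added self-check, not part of the original article: a small Python script that parses a raw HTTP response from your own server and reports the IIS identifiers the first three steps are meant to hide (the Server header, the ASPSESSIONID cookie and .asp links). The two responses below are constructed samples, not captures from any real host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses: one from an unmasked IIS server and one
# after the extension, URLScan and session-state changes were applied.
UNMASKED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQQGGGNYD=KPAOBMFDJGCBFLANHKHDPNEA; path=/\r\n"
    "\r\n"
    '<html><a href="/login.asp">login</a></html>'
)
MASKED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Netscape-Enterprise/3.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><a href="/login.cgi">login</a></html>'
)


def parse_response(raw: str) -> Tuple[Dict[str, List[str]], str]:
    """Split a raw HTTP response into a header map (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def iis_leaks(raw: str) -> List[str]:
    """Return the IIS give-aways still visible in a response (empty if masked)."""
    headers, body = parse_response(raw)
    findings: List[str] = []
    for server in headers.get("server", []):
        if "iis" in server.lower():
            findings.append(f"Server header reveals IIS: {server}")
    for cookie in headers.get("set-cookie", []):
        if cookie.upper().startswith("ASPSESSIONID"):
            findings.append("ASPSESSIONID cookie reveals ASP session state")
    if re.search(r'href="[^"]*\.asp"', body, re.IGNORECASE):
        findings.append("links still use the .asp extension")
    return findings


if __name__ == "__main__":
    for label, raw in (("unmasked", UNMASKED), ("masked", MASKED)):
        print(label, iis_leaks(raw) or "no IIS identifiers found")
```

Feed it the raw response of a HEAD or GET against your own site (for example, captured with a local proxy) after each step to confirm the change actually took effect.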
http://www.justvb.net/it/