• Status: Solved
  • Priority: Medium
  • Security: Public

Hidden IIS header information


My current IIS server (hosting a web site written in ASP.NET) was tested by one of the security consultants. My server was identified as IIS/5.0, and it was also identified that NTLM authentication is in use.

Is there any way to block this information from being discovered externally?

Thanks
Asked by: AXISHK
1 Solution
 
Irwin Santos, Computer Integration Specialist, commented:
No... by W3 consortium specs, this is incorporated.
 
Irwin Santos, Computer Integration Specialist, commented:
Those are server variables.

Visit the link below for more info on the W3C specifications:
http://www.w3.org/
 
canali commented:
You have 2 options:
1) Download URLScan from Microsoft: http://www.microsoft.com/technet/security/tools/urlscan.mspx
Install it and change the key in urlscan.ini from 0 to 1:
RemoveServerHeader=1           ; If 1, remove the 'Server' header from response.

2) http://www.snapfiles.com/get/iisbanner.html (a freeware that patches W3SVC.DLL)
I prefer the Microsoft solution to the binary patch; URLScan is a nice tool to protect IIS.
It also removes the custom header X-Powered-By: ASP.NET.

For the NTLM challenge response, disable it
(select your web site -> Properties -> Directory Security -> Authentication and access control -> Edit -> uncheck Integrated Windows Authentication).

How to mask IIS:
http://www.seoconsultants.com/articles/1000/security.asp

Remember that other services (SMTP, FTP) are also exposing the identity of your server.

Gastone
 
AXISHK (Author) commented:
#1 couldn't work on my IIS (5.0) and I could still see the details in the HTTP header. #2 seems to work fine, but afterwards I found that my ASP application (written by an external company) couldn't work anymore and I needed to fall back to my original status.

Is there any explanation for this? Does it mean the application needs to use the HTTP header to transfer some information (e.g. session, cookies) and the solution will also disable this transfer?

Thanks.
 
canali commented:
I verified URLScan on IIS 5.0 and it was OK: the server header disappeared, or
you can change (not remove) the server header too.
Try again; URLScan is a Microsoft product, it is supported, and this security tool helps prevent potentially harmful requests from reaching the server.

CHANGE SERVER HEADER: modify urlscan.ini and then run iisreset from the command prompt:

RemoveServerHeader=0           ; If 1, remove the 'Server' header from response.
;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;
AlternateServerName=GasWWWserver

You can't remove all headers; yes, they are used to transfer information (session, MIME file type, compressed HTML, etc.).
It is probably better to change the banner header (masking your IIS as an Apache server) than to remove it...

This is a communication between my IIS with the header modified, and you can see some non-fundamental headers such as
X-Powered-By: ASP.NET
 

GET / HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: it
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: localhost
Connection: Keep-Alive
Cookie: WEBTRENDS_ID=127.0.0.1-1666424928.29782757::F8D71EC2E900B3D787E35047C94BF144

HTTP/1.1 200 Ok
Date: Tue, 06 Jun 2006 21:02:46 GMT
X-Powered-By: ASP.NET
Content-Type: text/html
Server: GasWWWserver
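A small check to confirm whether the URLScan change above actually took effect, added here as an example that is not part of the original thread or of URLScan itself. It parses a raw HTTP/1.x response head (for instance one captured the way the exchange above was) and reports the headers the thread discusses as identifying the server: `Server` (unless it has been replaced by a plain alias such as `GasWWWserver`), `X-Powered-By`, `X-AspNet-Version`, and `NTLM`/`Negotiate` challenges in `WWW-Authenticate`, which reveal that Integrated Windows Authentication is still enabled. Both sample responses are constructed for illustration; the "after" sample deliberately keeps `X-Powered-By: ASP.NET`, as the captured exchange above does, so it shows up as the remaining leak.

```python
"""Added example (not from the original thread): check a raw HTTP response
for headers that fingerprint an IIS server. Sample responses are constructed."""
from typing import Dict, List, Tuple

# Response headers whose values commonly disclose the server product or framework.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Product names that make a Server header informative even without a version.
PRODUCT_TOKENS = ("iis", "microsoft", "apache", "nginx")


def parse_response_head(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (status line, headers). Header names are lower-cased and
    repeated headers (e.g. two WWW-Authenticate lines) are kept in order."""
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]          # drop the body, if any
    lines = head.split("\n")
    status = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def server_header_is_revealing(value: str) -> bool:
    """A Server value counts as revealing if it carries a version ('/') or
    names a known product; a bare alias such as 'GasWWWserver' does not."""
    low = value.lower()
    return "/" in low or any(tok in low for tok in PRODUCT_TOKENS)


def find_leaks(raw: str) -> List[str]:
    """List identity-revealing headers in a raw HTTP response, in a fixed order."""
    _, headers = parse_response_head(raw)
    findings: List[str] = []
    for name in FINGERPRINT_HEADERS:
        for value in headers.get(name, []):
            if name == "server" and not server_header_is_revealing(value):
                continue
            findings.append(f"{name}: {value}")
    # NTLM/Negotiate challenges show Integrated Windows Authentication is on.
    for value in headers.get("www-authenticate", []):
        scheme = value.split()[0].lower() if value.split() else ""
        if scheme in ("ntlm", "negotiate"):
            findings.append(
                f"www-authenticate: {scheme} (Integrated Windows Authentication is enabled)"
            )
    return findings


# Constructed sample: an unmodified IIS 5.0 answer to an anonymous request
# on a site with Integrated Windows Authentication enabled.
BEFORE = (
    "HTTP/1.1 401 Access Denied\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Tue, 06 Jun 2006 21:02:46 GMT\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>Access denied</html>"
)

# Constructed sample: after AlternateServerName=GasWWWserver in urlscan.ini and
# with Integrated Windows Authentication unchecked; X-Powered-By is still sent.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 06 Jun 2006 21:02:46 GMT\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "Server: GasWWWserver\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        leaks = find_leaks(sample)
        print(f"{label}: {len(leaks)} revealing header(s)")
        for item in leaks:
            print("  " + item)
```

Run it against a response captured from your own server after `iisreset`; an empty result for the `Server` line and no `WWW-Authenticate: NTLM` entry means the urlscan.ini change and the Directory Security change both took effect, while a remaining `x-powered-by` finding means the custom header still has to be removed separately.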
