Solved

Changing HTTP & SSL banners for IIS 6.0

Posted on 2006-07-07
Last Modified: 2012-05-05
Greetings All,

How does one change the banners that are displayed by IIS 6.0 for HTTP and SSL? I have an Exchange server that has OWA set up and I would like to change the banner for port 443 (SSL). Any advice on this issue would be greatly appreciated!
Question by:ligmania
11 Comments
 
LVL 6

Expert Comment

by:e_vanheel
ID: 17064676
Go to your IIS Manager. Expand to your default web page, right-click and choose Properties. Go to the Custom Errors tab and change to the .HTML document that you want to change the error for.

If you want to modify the existing error pages they are located in C:\WINNT\help\iisHelp\common.

I hope that helps!
 

Author Comment

by:ligmania
ID: 17065361
The error pages I have are customized already. My intention was to change the banner so when people port scan my system they will see the open port but not the banner that indicates it is a Microsoft system. I want to change this banner for port 443 and 80.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17067770
This should help you do it;

http://www.snapfiles.com/get/iisbannerchanger.html

Cheers,
Rajesh
 
LVL 13

Expert Comment

by:hstiles
ID: 17073716
If you would like a Microsoft-supplied and supported tool to do this, then you would need to download URLScan from Microsoft:

http://www.microsoft.com/downloads/details.aspx?familyid=23D18937-DD7E-4613-9928-7F94EF1C902A&displaylang=en

It is pretty simple to implement.

Microsoft did not include the facility to remove the banner from within IIS because they do not regard it as that much of a security risk.  Strange that as it's one of the first things that pen testers pick up on.
 

Author Comment

by:ligmania
ID: 17075310
Rajesh,

Think would be good but the link you gave me http://www.snapfiles.com/get/iisbannerchanger.html is broken.  

Author Comment

by:ligmania
ID: 17075774
hstiles,

Even with urlscan installed, nmap can still come up with the service name. I configured urlscan to remove the server header but nmap still sees the header. My only guess is that urlscan only gets invoked when it receives a malformed request, thus if nmap sends a normal request to it urlscan is not run. I also don't see any files created in the log directory to indicate it caught a suspicious attempt.
 
LVL 13

Accepted Solution

by:
hstiles earned 500 total points
ID: 17081077
Have a look at this article, which states that removing server banners won't really help as nmap can still glean information about server type by using specially crafted packets.

http://www.securityadmin.info/noframes/faq.asp?banner

In fact, I'd say that the only guaranteed way to prevent someone finding out what web servers you are running would be to place them behind a proxy such as ISA or using a proxied HTTP rule on your firewall. This would create significant overheads on such a device though and would impact web server performance.
0
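A check for the situation discussed in the two posts above (URLScan set to remove the Server header, yet the banner still shows), as an added example that is not part of the original thread: it parses a captured HTTP response and reports which product-identifying headers remain. The header list, the function names and both sample responses are assumptions constructed for illustration.

```python
# Added example (not from the thread): audit a captured HTTP response for
# headers that name the server product. Sample responses are constructed.

# Response headers that commonly identify the product or framework.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")

def parse_response(raw: bytes):
    """Split a raw HTTP response into its status line and ordered headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore lines that are not "Name: value"
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def audit(raw: bytes):
    """Report which disclosing headers remain in the response."""
    status, headers = parse_response(raw)
    disclosed = {n: v for n, v in headers if n.lower() in DISCLOSING}
    return {
        "status": status,
        "server_header_present": "server" in (n.lower() for n, _ in headers),
        "disclosed": disclosed,
        "verdict": "clean" if not disclosed else "still identifies product",
    }

# Constructed sample: default response with the banner in place.
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Length: 0\r\n"
          b"Content-Type: text/html\r\n"
          b"Server: Microsoft-IIS/6.0\r\n"
          b"X-Powered-By: ASP.NET\r\n"
          b"Date: Fri, 07 Jul 2006 12:00:00 GMT\r\n\r\n")

# Constructed sample: Server header stripped, nothing else changed.
AFTER = BEFORE.replace(b"Server: Microsoft-IIS/6.0\r\n", b"")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```

Run it against responses captured from your own ports 80 and 443 after each configuration change; a response with the Server header gone can still report other identifying headers.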
 

Author Comment

by:ligmania
ID: 17081413
hstiles,

Would a load balancer such as BIG-IP help or work better than ISA?
 
LVL 13

Expert Comment

by:hstiles
ID: 17082287
I'm looking at the website now.  It is a layer 7 device, so it's application aware.  I'm guessing all requests are handled by the device which uses some algorithm to determine the server best suited to handle the request.  I guess it would therefore protect against low level information gathering hacks like banner grabs.  I'm assuming you already have a BIG-IP as this would be somewhat overkill just for the purpose of stopping banner grabs.
 

Author Comment

by:ligmania
ID: 17085479
We have some units but they won't serve this network.
 

Author Comment

by:ligmania
ID: 17085486
Thanks everybody for the good feedback.