• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 397

IIS supports anonymous access, Basic, and Windows NT Challenge/Response (NTLM) authentication. The authentication mechanism in IIS could reveal the type of authentication in use to a remote attacker

Microsoft Internet Information Server (IIS) supports anonymous access, Basic, and Windows NT Challenge/Response (NTLM) authentication. The authentication mechanism in IIS could reveal the type of authentication in use to a remote attacker. A remote attacker can send a specially-crafted GET request to verify the authentication type in use, depending on the error message returned by the host. How do I remove this kind of vulnerability from IIS?
1 Solution
 
Ted Bouskill, Senior Software Developer, commented:
Have you tried the IIS lockdown wizard?

You can't remove the GET request that asks for the authentication type. That is required for the browser to submit authentication. If you turn it off, only anonymous authentication will work.

You are better off using firewalls or monitoring software that detect malicious activity.

Brijeshk9, Author, commented:
OK, what would be the better solution for it?

Brijeshk9, Author, commented:
Please help me find the solution for IIS 5/6 and for Apache running on Unix.
Ted Bouskill, Senior Software Developer, commented:
If you want information on protecting web servers using firewalls or monitoring then I'd recommend you ask another more specific question in those sections.

Brijeshk9, Author, commented:
I want to remove this kind of website vulnerability.

Ted Bouskill, Senior Software Developer, commented:
Once again, use the IIS Lockdown Wizard and even the Microsoft Baseline Security Analyzer. There isn't a simple 'Click this' 'click that' answer for this. People have careers specializing in locking down web applications. I can't relay all that knowledge here.

http://www.iis.net/downloads/default.aspx?CategoryName=Microsoft&CategoryID=96&sort=modifieddate&direction=ascending&tabid=35&start=0&g=6

Brijeshk9, Author, commented:
Hmm, I have installed both tools on my server; let me try my best with them.
Thanks for the suggestion.

Ted Bouskill, Senior Software Developer, commented:
They are excellent tools. However, they won't protect your server from badly written code.

Brijeshk9, Author, commented:
I have installed IIS Lockdown with URLScan 2.5 on my Windows 2000 server (IIS 5). Is there any more configuration required to make the web server more secure against this kind of vulnerability?
Thanks in advance!

Brijeshk9, Author, commented:
Below is the evidence for the problem I am facing.

Basic auth

GET / HTTP/1.1
Host: 192.168.1.15
Authorization: Basic cTFraTk6ZDA5a2xt

No response from server
Try manually

NTLM auth

GET / HTTP/1.1
Host: 192.168.1.15
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=

No response from server
Try manually
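Editor's note, added to this thread and not part of any participant's comment: the two probes quoted above are what a scanner sends to see which authentication scheme the server answers to, and the server's normal 401 challenge (the "WWW-Authenticate" headers Ted refers to as by-design handshaking) is what it reads the "authentication type in use" from. The script below decodes both probe headers from the post and parses a constructed IIS-style 401 response (not captured from the asker's host) to list the advertised schemes. The function names, the sample 401 and its realm are assumptions of this example; the NTLM field layout and flag values follow the public MS-NLMP specification.

```python
import base64
import struct

# Constructed sample data. The two Authorization headers are the probes quoted
# in the comment above; the 401 response is a constructed IIS-style challenge,
# not a capture from the asker's host.
BASIC_PROBE = "Basic cTFraTk6ZDA5a2xt"
NTLM_PROBE = "Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA="
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="192.168.1.15"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# A few NegotiateFlags bits from MS-NLMP, enough to read a Type 1 (NEGOTIATE) message.
NTLM_FLAG_NAMES = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}


def _b64(token):
    """Decode base64, tolerating a token whose trailing '=' padding was dropped."""
    return base64.b64decode(token + "=" * (-len(token) % 4))


def parse_authorization(header_value):
    """Classify an Authorization header and pull out what a reviewer cares about."""
    scheme, _, token = header_value.strip().partition(" ")
    result = {"scheme": scheme}
    if scheme.lower() == "basic":
        # Basic is base64 of "user:password". That is an encoding, not encryption:
        # anyone who sees the header on the wire can read the credentials.
        user, _, _password = _b64(token).decode("latin-1").partition(":")
        result["username"] = user
        result["credentials_in_clear"] = True
    elif scheme.lower() in ("negotiate", "ntlm"):
        blob = _b64(token)
        if blob.startswith(NTLMSSP_SIGNATURE) and len(blob) >= 16:
            # Offset 8: MessageType (1 = NEGOTIATE); offset 12: NegotiateFlags. Both little-endian.
            msg_type, flags = struct.unpack_from("<II", blob, 8)
            result["ntlm_message_type"] = msg_type
            result["ntlm_flags"] = sorted(
                name for bit, name in NTLM_FLAG_NAMES.items() if flags & bit
            )
        else:
            # A Negotiate token without the NTLMSSP signature is SPNEGO/Kerberos (or junk).
            result["ntlm_message_type"] = None
    return result


def advertised_schemes(raw_response):
    """Return (status line, schemes) from a server's challenge.

    Every WWW-Authenticate header in a 401 names a scheme the server accepts.
    This is the normal handshake, and also exactly what a scanner reads to
    report the 'authentication type in use'; it cannot be hidden without
    breaking non-anonymous logons.
    """
    head, _, _body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])
    return lines[0], schemes


def review(raw_response):
    """Flag the one configuration point worth acting on: Basic offered at all."""
    status, schemes = advertised_schemes(raw_response)
    findings = []
    if any(s.lower() == "basic" for s in schemes):
        findings.append("Basic is offered: credentials travel base64-encoded; "
                        "serve it only over HTTPS or disable it")
    return status, schemes, findings


if __name__ == "__main__":
    print(parse_authorization(BASIC_PROBE))
    print(parse_authorization(NTLM_PROBE))
    print(review(SAMPLE_401))
```

Run against the sample, the Basic probe decodes to a throwaway username and password in the clear, the Negotiate probe is an NTLM Type 1 message (message type 1) with its negotiate flags, and the constructed 401 advertises Negotiate, NTLM and Basic. The only finding that calls for a configuration change is Basic being offered over plain HTTP; the challenge itself is the protocol working as designed.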
 
Ted Bouskill, Senior Software Developer, commented:
Why do you think that is a problem? Is authentication failing?

Brijeshk9, Author, commented:
OK, then what should I do about this failure? I have installed the IIS Lockdown tool on my server; will there be any more configuration required?

Ted Bouskill, Senior Software Developer, commented:
Sorry, I didn't make my comment clear. I see nothing wrong with the 'problem' you described in http:#2409144. That is normal, by-design handshaking by a web server.

Brijeshk9, Author, commented:
I tried to find out more about the IIS Lockdown tool to make my IIS more secure. Can you give me some more ideas about the IIS Lockdown tool?

Ted Bouskill, Senior Software Developer, commented:
Simply run it and respond to its comments. It will validate your server using the latest recommendations from Microsoft and provide recommendations about how to lock your server down. The Baseline Security Analyzer will also highlight issues.

Brijeshk9, Author, commented:
I will do more research on it.