
IIS supports anonymous access, Basic, and Windows NT Challenge/Response (NTLM) authentication. The authentication mechanism in IIS could reveal the type of authentication in use to a remote attacker

Microsoft Internet Information Server (IIS) supports anonymous access, Basic, and Windows NT Challenge/Response (NTLM) authentication. The authentication mechanism in IIS could reveal the type of authentication in use to a remote attacker. A remote attacker can send a specially-crafted GET request to verify the authentication type in use, depending on the error message returned by the host.

How do I remove this kind of vulnerability from IIS?

Asked by Brijeshk9
1 Solution
 
Ted Bouskill (Senior Software Developer) commented:
Have you tried the IIS lockdown wizard?

You can't remove the GET request that asks for the authentication type.  That is required for the browser to submit authentication.  If you turn it off, only anonymous authentication will work.

You are better off using firewalls or monitoring software that detect malicious activity.
Brijeshk9 (Author) commented:
OK, what would be the better solution for it?
Brijeshk9 (Author) commented:
Please help me get the solution for IIS 5/6 and for Apache running on Unix.
Ted Bouskill (Senior Software Developer) commented:
If you want information on protecting web servers using firewalls or monitoring then I'd recommend you ask another more specific question in those sections.
Brijeshk9 (Author) commented:
I want to remove this kind of website vulnerability.
Ted Bouskill (Senior Software Developer) commented:
Once again, use the IIS Lockdown Wizard and even the Microsoft Baseline Security Analyzer.  There isn't a simple 'Click this' 'click that' answer for this.  People have careers specializing in locking down web applications.  I can't relay all that knowledge here.

http://www.iis.net/downloads/default.aspx?CategoryName=Microsoft&CategoryID=96&sort=modifieddate&direction=ascending&tabid=35&start=0&g=6
Brijeshk9 (Author) commented:
Hmm, I have installed both tools on my server; let me try to give my best on it.
Thanks for the suggestion.
Ted Bouskill (Senior Software Developer) commented:
They are excellent tools.  However, they won't protect your server from badly written code.
Brijeshk9 (Author) commented:
I have installed IIS Lockdown with UrlScan 2.5 on my server, Win 2k (IIS 5). Is there any more configuration required on it to make the web server more secure from this kind of vulnerability?
Thanks in advance!
Brijeshk9 (Author) commented:
Below is the evidence for the problem I am facing.

Basic auth

GET / HTTP/1.1
Host: 192.168.1.15
Authorization: Basic cTFraTk6ZDA5a2xt

No response from server
Try manually



NTLM auth

GET / HTTP/1.1
Host: 192.168.1.15
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=

No response from server
Try manually
Ted Bouskill (Senior Software Developer) commented:
Why do you think that is a problem?  Is authentication failing?
Brijeshk9 (Author) commented:
OK, then what should I do about this failure? I have installed the IIS Lockdown tool on my server; will any more configuration be required?
Ted Bouskill (Senior Software Developer) commented:
Sorry, I didn't make my comment clear. I see nothing wrong with the 'problem' you described in http:#2409144. That is normal, by-design handshaking by a web server.
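The exchange Ted describes as normal handshaking is the HTTP 401 challenge: an unauthenticated request is answered with one or more WWW-Authenticate headers naming the schemes the server accepts, and the client then retries with an Authorization header like the Basic and Negotiate ones Brijeshk9 pasted above. The defender-side check that actually matters is therefore not whether the schemes are visible (they must be, or browsers cannot authenticate) but which schemes are enabled and whether Basic is offered without TLS. The following script is an added example written for this page, not code from the thread or from Microsoft; the sample 401 response is constructed to resemble what IIS 5 with Integrated Windows authentication and Basic enabled returns, and the `fetch_challenge` helper (name assumed) is for running the same audit against a server you administer.

```python
"""Audit which authentication schemes an HTTP server advertises in its 401 challenge.

Added example for this thread, not the project's or author's code. The point it
demonstrates: the WWW-Authenticate challenge is by-design (RFC 7235), so the
useful check is the set of schemes offered and whether Basic is offered over
plaintext HTTP, where the base64-encoded credentials are readable on the wire.
"""
import http.client
import re
from typing import Dict, List, Tuple

# Constructed sample 401 response (not captured output). Mirrors the scheme mix
# implied by the thread: Negotiate/NTLM (Integrated Windows auth) plus Basic.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="192.168.1.15"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# A challenge begins with a scheme token followed by whitespace or end of string;
# the lookahead keeps parameters such as nonce="..." from being mistaken for schemes.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)(?=\s|$)")


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split the head of a raw HTTP response into (name, value) pairs, keeping repeats."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def advertised_schemes(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the distinct auth schemes named in WWW-Authenticate headers, in order seen.

    Handles both one-scheme-per-header (as IIS sends) and comma-separated lists.
    """
    schemes: List[str] = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        for piece in value.split(","):
            match = _SCHEME_RE.match(piece.strip())
            if match and match.group(1) not in schemes:
                schemes.append(match.group(1))
    return schemes


def audit(raw_response: str, over_tls: bool) -> Dict[str, object]:
    """Summarise the challenge and flag the configurations that are actually risky."""
    status_line = raw_response.split("\r\n", 1)[0]
    parts = status_line.split(" ")
    status_code = parts[1] if len(parts) > 1 else ""
    headers = parse_headers(raw_response)
    schemes = advertised_schemes(headers)
    findings: List[str] = []
    if "Basic" in schemes and not over_tls:
        findings.append("Basic offered over plaintext HTTP: credentials are base64-encoded, not encrypted")
    if status_code == "401" and not schemes:
        findings.append("401 without WWW-Authenticate: clients cannot authenticate (misconfiguration)")
    return {"status": status_code, "schemes": schemes, "findings": findings}


def fetch_challenge(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send one unauthenticated GET to a server you administer and return its status line
    and headers in raw form, so the result can be passed straight to audit(). Assumed
    helper for this example; not exercised by the offline sample."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        version = "HTTP/1.1" if resp.version == 11 else "HTTP/1.0"
        lines = [f"{version} {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]  # getheaders keeps duplicates
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()


if __name__ == "__main__":
    report = audit(SAMPLE_401, over_tls=False)
    print("schemes advertised:", ", ".join(report["schemes"]))
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against the constructed sample it reports Negotiate, NTLM and Basic and flags Basic because the sample is plain HTTP; the same response audited with `over_tls=True` yields no findings, which is the intended lesson: the scheme list is not the vulnerability, Basic without TLS is.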
Brijeshk9 (Author) commented:
I tried to learn more about the IIS Lockdown tool to make my IIS more secure. Can you give me some more idea about the IIS Lockdown tool?
Ted Bouskill (Senior Software Developer) commented:
Simply run it and respond to its prompts. It will validate your server using the latest recommendations from Microsoft and provide recommendations about how to lock your server down. The Baseline Security Analyzer will also highlight issues.
Brijeshk9 (Author) commented:
I will do more research on it.