Link to home
Start Free TrialLog in
Avatar of FIFBA
FIFBA

asked on

IIS 6 IP Address Leak--How to prove NAT'ed IP is no longer visible

I need to ensure that our NAT'd IP address is not visible from the outside.We are using this server for Outlook Web Access (over SSL).  Please refer to this MS article for complete description.

http://support.microsoft.com/kb/834141

I have made the change recommended in Option 1 of the article. I have 2 questions...

Does this 'guarantee' that our internal IP is not leaked or are there some gotchas?

Most importantly...I need to prove to auditors that this item has been completely resolved. I need to provide screenshots/documentation...I can't just tell them that I did it. How can I prove this using a scan or some other method? Please be as specific and thorough as possible.

IIS 6 running on Windows 2003 SP2.

Avatar of Adrian Cantrill
Adrian Cantrill
Flag of Australia image

Just be sure that the host-name you are providing by using that workaround doesn't resolve back to an IP you want protected - other than that, you should be fine.
Avatar of FIFBA
FIFBA

ASKER

But I need to prove this is the case for auditors...How can I do this? I assume there are some commands I can run against the server that will give me some useful output...just need someone to walk me through this.
If you fixed the issue by applying the MS hotfix then why don't you submit a screenshot of the installed hotfix along with a screenshot of the relevant modified files and their versions, as shown in the link you provided above?
Avatar of FIFBA

ASKER

I would prefer to run some kind of command against the server to verify that the internal IP is not leaked. If this was a problem, there is obviously some way to test for the problem else it would not be a vulnerability. I appreciate the  help so far...I just feel the auditors are going to want some kind of real-time verification. If I give them screenshots of a hotfix (which is included in a prior service pack), this would imply that the issue is resolved. I would not want an auditor to come back with a 'gotcha' at a later date after I state (in writing) that the issue is resolved... This is out of my realm of expertise but I have seen posts out there where someone was able to determine their IP address is still leaked after following the MS article. I need to ensure that this is not the case in our environment.

ASKER CERTIFIED SOLUTION
Avatar of Adrian Cantrill
Adrian Cantrill
Flag of Australia image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of FIFBA

ASKER

Woolnoir: This is what I'm looking for. Can I test a https site with this also using the same syntax (except port 443)?
http://www.bearfruit.org/2008/04/17/telnet-for-testing-ssl-https-websites/ that shows a way to do it with HTTPS - you need Linux though ideally.