[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

URL Scan 3.1 with Sharepoint 2007

Posted on 2013-01-11
1
Medium Priority
?
911 Views
Last Modified: 2013-04-02
Hi

I'm making some tests with URL Scan 3.1 in a IIS  + Win 2008 R2 + Sharepoint 2007 or 2010. In order to lockdown the server.

The first test I made was set the RemoveServerHeader parameter to 1, in order to remove the server header on all responses. All my web pages works good, but when I try to open the Sharepoint designer it dosn't work. Apparently, Sharepoint designer needs the server header to know if is an IIS server.

Do you know how can i deal with this?

Thanks
0
Comment
Question by:jmatarranz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points
ID: 38769438
looks like removing server header is out for sharepoint

http://www.paulgrimley.com/2009/10/removing-iis-5-6-7-server-header-from.html

This header lets our SharePoint gatherer know it is SharePoint and will then allow it to use the sitedata.asmx web service to enumerate through the sites to get ACL's, Lists & Libraries and Items in those lists & libraries.

However the gotcha is that if you remove the header and there was existing metadata against that page already in the index it will remain in the index. It is only when the index is reset that you lose the metadata.

even Microsoft stated not to remove server header for sharepoint in the link below
http://support.microsoft.com/kb/825538

There are other web server security as well and urlscan for web server is actually one good lockdown tool (ISAPI filter) as a whole. It does break thing due to such stringent but it cannot satisfy all, need to stirke a balance operationally and security.  Sharepoint will definitely be not happy with this as long as we turn off removing server header. But I did saw other blog saying it may hinder webdav etc...I diverted...

Actually server header to attacker is for fingerprinting but not the most critical tough it will give them an edge to know our weakness. If we will to have guard our ground diligently and leverage what urlscan other capability, we may not be worst off.

Hope not too much breaks ...to appl... below are some reads for info

Ways to Lock-down SharePoint Designer Server-Side
http://www.marc-lognoul.me/itblog-en/post/2009/10/01/Ways-to-Lock-down-SharePoint-Designer-Server-Side.aspx 

Securing Web server
http://msdn.microsoft.com/en-us/library/ff648653.aspx#c16618429_026
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
How does someone stay on the right and legal side of the hacking world?
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question