Solved

URL Scan 3.1 with Sharepoint 2007

Posted on 2013-01-11
Last Modified: 2013-04-02
Hi

I'm running some tests with URL Scan 3.1 on IIS + Win 2008 R2 + SharePoint 2007 or 2010, in order to lock down the server.

The first test I made was to set the RemoveServerHeader parameter to 1, in order to remove the server header from all responses. All my web pages work fine, but when I try to open SharePoint Designer it doesn't work. Apparently, SharePoint Designer needs the server header to know whether it is an IIS server.

Do you know how I can deal with this?

Thanks
Question by:jmatarranz
Accepted Solution

by: btan
Looks like removing the server header is out for SharePoint.

http://www.paulgrimley.com/2009/10/removing-iis-5-6-7-server-header-from.html

This header lets our SharePoint gatherer know it is SharePoint and will then allow it to use the sitedata.asmx web service to enumerate through the sites to get ACL's, Lists & Libraries and Items in those lists & libraries.

However the gotcha is that if you remove the header and there was existing metadata against that page already in the index it will remain in the index. It is only when the index is reset that you lose the metadata.

Even Microsoft stated not to remove the server header for SharePoint in the link below:
http://support.microsoft.com/kb/825538

There are other web server security measures as well, and urlscan for the web server is actually one good lockdown tool (ISAPI filter) as a whole. It does break things because it is so stringent, and it cannot satisfy all; we need to strike a balance between operations and security. SharePoint will definitely not be happy with this as long as we turn off removing server header. But I did see another blog saying it may hinder WebDAV etc... I digress...

Actually, the server header is used by an attacker for fingerprinting, but it is not the most critical, though it will give them an edge in knowing our weaknesses. If we guard our ground diligently and leverage urlscan's other capabilities, we may not be worse off.

Hope not too much breaks ...to appl... Below are some reads for info:

Ways to Lock-down SharePoint Designer Server-Side
http://www.marc-lognoul.me/itblog-en/post/2009/10/01/Ways-to-Lock-down-SharePoint-Designer-Server-Side.aspx

Securing Web server
http://msdn.microsoft.com/en-us/library/ff648653.aspx#c16618429_026
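
An added example (not from the thread, and not Microsoft's code): a Python check that reads the `[options]` section of a UrlScan.ini and flags the `RemoveServerHeader` setting discussed above on a server that hosts SharePoint. The sample file content is constructed, the `hosts_sharepoint` flag is an assumption of this example, and `AlternateServerName` is a UrlScan option that the thread does not discuss.

```python
# Added example: audit the [options] section of a UrlScan.ini for settings
# that change the Server response header.

SAMPLE_INI = """\
; constructed sample, not taken from a real server
[options]
UseAllowVerbs=1                ; unrelated option, ignored by the audit
RemoveServerHeader=1           ; strip the Server header from responses
AlternateServerName=

[AllowVerbs]
GET
POST
"""


def parse_options(ini_text):
    """Return the [options] keys (lower-cased) with inline ';' comments removed."""
    options, in_options = {}, False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in UrlScan.ini
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_options = line[1:-1].strip().lower() == "options"
            continue
        if in_options and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
    return options


def audit_server_header(ini_text, hosts_sharepoint):
    """List findings about how this configuration treats the Server header."""
    opts = parse_options(ini_text)
    findings = []
    # UrlScan treats a missing RemoveServerHeader as 0 (header left in place).
    if opts.get("removeserverheader", "0") == "1":
        findings.append("RemoveServerHeader=1: Server header is stripped")
        if hosts_sharepoint:
            findings.append("conflict: SharePoint clients rely on the Server header; set RemoveServerHeader=0")
    elif opts.get("alternateservername"):
        findings.append("AlternateServerName set: Server header is replaced")
    return findings


if __name__ == "__main__":
    for finding in audit_server_header(SAMPLE_INI, hosts_sharepoint=True):
        print(finding)
```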