• Status: Solved

URL Scan 3.1 with Sharepoint 2007

Hi

I'm running some tests with URL Scan 3.1 on IIS + Win 2008 R2 + SharePoint 2007 or 2010, in order to lock down the server.

The first test I made was to set the RemoveServerHeader parameter to 1, in order to remove the Server header from all responses. All my web pages work fine, but when I try to open SharePoint Designer it doesn't work. Apparently, SharePoint Designer needs the Server header to know whether it is an IIS server.

Do you know how I can deal with this?

Thanks
Asked by: jmatarranz
btan (Exec Consultant) commented:
Looks like removing the server header is out for SharePoint.

http://www.paulgrimley.com/2009/10/removing-iis-5-6-7-server-header-from.html

This header lets our SharePoint gatherer know it is SharePoint and will then allow it to use the sitedata.asmx web service to enumerate through the sites to get ACL's, Lists & Libraries and Items in those lists & libraries.

However the gotcha is that if you remove the header and there was existing metadata against that page already in the index it will remain in the index. It is only when the index is reset that you lose the metadata.

Even Microsoft stated not to remove the server header for SharePoint in the link below:
http://support.microsoft.com/kb/825538

There are other web server security measures as well, and URLScan is actually one good lockdown tool (ISAPI filter) as a whole. It does break things because it is so stringent, and it cannot satisfy everyone; you need to strike a balance between operations and security. SharePoint will definitely not be happy with this as long as we turn off removing the server header. But I did see another blog saying it may hinder WebDAV etc... I diverted...

Actually, the server header is used by an attacker for fingerprinting, but it is not the most critical, though it will give them an edge in knowing our weaknesses. If we guard our ground diligently and leverage URLScan's other capabilities, we may not be worse off.

Hope not too much breaks ...to appl... below are some reads for info

Ways to Lock-down SharePoint Designer Server-Side
http://www.marc-lognoul.me/itblog-en/post/2009/10/01/Ways-to-Lock-down-SharePoint-Designer-Server-Side.aspx 

Securing Web server
http://msdn.microsoft.com/en-us/library/ff648653.aspx#c16618429_026
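
An added example, not part of the original thread and not URLScan's or Microsoft's own code: a small Python audit of a urlscan.ini that flags the two settings discussed above, the stripped Server header and blocked WebDAV verbs. The sample file is constructed, and the function names, the WebDAV verb list and the defaults used for missing keys are assumptions of this example.

```python
# Added example: audit a urlscan.ini for the settings this thread says affect SharePoint.
# Assumed defaults when a key is absent: RemoveServerHeader=0, UseAllowVerbs=1.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample, not taken from a real server.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1          ; 1 = enforce [AllowVerbs], 0 = enforce [DenyVerbs]
RemoveServerHeader=1     ; 1 = strip the Server header from responses
AlternateServerName=

[AllowVerbs]
GET
HEAD
POST
"""

def parse_urlscan_ini(text):
    """Return {section: {key: value}}; bare entries such as verbs map to None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif line and current is not None:
            key, sep, value = line.partition("=")
            current[key.strip().lower()] = value.strip() if sep else None
    return sections

def audit(text):
    """List the settings that change the Server header or block WebDAV verbs."""
    ini = parse_urlscan_ini(text)
    opts, findings = ini.get("options", {}), []
    if opts.get("removeserverheader", "0") == "1":
        findings.append("RemoveServerHeader=1: Server header stripped "
                        "(reported above to break SharePoint Designer)")
    elif opts.get("alternateservername"):
        findings.append("AlternateServerName set: Server header value is replaced")
    if opts.get("useallowverbs", "1") == "1":        # allow-list mode
        blocked = WEBDAV_VERBS - {v.upper() for v in ini.get("allowverbs", {})}
    else:                                            # deny-list mode
        blocked = WEBDAV_VERBS & {v.upper() for v in ini.get("denyverbs", {})}
    if blocked:
        findings.append("WebDAV verbs blocked: " + ", ".join(sorted(blocked)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print(finding)
```

Run it against a copy of the server's urlscan.ini before and after a lockdown change to see which of these settings moved.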