URL Scan 3.1 with Sharepoint 2007


I'm running some tests with URL Scan 3.1 on IIS + Windows 2008 R2 + SharePoint 2007 or 2010, in order to lock down the server.

The first test I made was to set the RemoveServerHeader parameter to 1, in order to remove the Server header on all responses. All my web pages work fine, but when I try to open SharePoint Designer it doesn't work. Apparently, SharePoint Designer needs the Server header to know whether it is an IIS server.

Do you know how I can deal with this?

btan (Exec Consultant) commented:
Looks like removing the server header is out for SharePoint.


This header lets our SharePoint gatherer know it is SharePoint and will then allow it to use the sitedata.asmx web service to enumerate through the sites to get ACLs, Lists & Libraries, and Items in those lists & libraries.

However, the gotcha is that if you remove the header and there was existing metadata against that page already in the index, it will remain in the index. It is only when the index is reset that you lose the metadata.

Even Microsoft stated not to remove the server header for SharePoint, in the link below.

There is other web server security as well, and URLScan for the web server is actually one good lockdown tool (ISAPI filter) as a whole. It does break things because it is so stringent, but it cannot satisfy everyone; one needs to strike a balance between operations and security. SharePoint will definitely not be happy with this as long as we turn off the server header. But I did see other blogs saying it may hinder WebDAV etc. ... I digress.

Actually, the server header is useful to an attacker for fingerprinting, but it is not the most critical thing, though it will give them an edge in knowing our weaknesses. If we guard our ground diligently and leverage URLScan's other capabilities, we may not be worse off.

Hope not too much breaks ... to appl... Below are some reads for info:

Ways to Lock-down SharePoint Designer Server-Side

Securing Web server
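As an added check that is not part of the thread or of URLScan itself: a small Python audit helper that parses a urlscan.ini, flags RemoveServerHeader=1 as incompatible with SharePoint per the advice above, and tests a captured HTTP response for the Server header. The ini text, the response and the function names are constructed for this example.

```python
"""Audit URLScan 3.1 config and responses for the Server header SharePoint needs.
Hypothetical helper, not part of URLScan; sample inputs are constructed."""
import configparser

# Constructed [Options] section from a locked-down urlscan.ini, with the
# RemoveServerHeader=1 setting that broke SharePoint Designer in the question.
SAMPLE_INI = """\
[options]
UseAllowVerbs=1
RemoveServerHeader=1
AlternateServerName=
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST
"""

# Constructed response as seen after URLScan strips the Server header.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n<html></html>"
)

def load_urlscan_options(ini_text):
    """Return the [options] section as a dict; keys are lowercased by configparser."""
    # allow_no_value: [AllowVerbs] etc. list bare verbs without '='.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(ini_text)
    for section in cp.sections():
        if section.lower() == "options":
            return dict(cp[section])
    return {}

def audit_for_sharepoint(ini_text):
    """Return findings for settings that break SharePoint Designer / the gatherer."""
    opts = load_urlscan_options(ini_text)
    findings = []
    if (opts.get("removeserverheader") or "0").strip() == "1":
        findings.append("RemoveServerHeader=1: SharePoint Designer and the search "
                        "gatherer use the Server header to recognise IIS; set it to 0")
    return findings

def response_headers(raw):
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")[1:]
    return {k.strip().lower(): v.strip() for k, v in
            (line.split(":", 1) for line in head if ":" in line)}

def server_header_present(raw):
    """True if the response still carries a Server header (what SharePoint wants)."""
    return "server" in response_headers(raw)
```

Run the audit against each web front end's urlscan.ini before rollout, and check a HEAD response afterwards to confirm the header survived.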