Solved

URL Scan 3.1 with Sharepoint 2007

Posted on 2013-01-11
1
890 Views
Last Modified: 2013-04-02
Hi

I'm making some tests with URL Scan 3.1 in a IIS  + Win 2008 R2 + Sharepoint 2007 or 2010. In order to lockdown the server.

The first test I made was set the RemoveServerHeader parameter to 1, in order to remove the server header on all responses. All my web pages works good, but when I try to open the Sharepoint designer it dosn't work. Apparently, Sharepoint designer needs the server header to know if is an IIS server.

Do you know how can i deal with this?

Thanks
0
Comment
Question by:jmatarranz
1 Comment
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 38769438
looks like removing server header is out for sharepoint

http://www.paulgrimley.com/2009/10/removing-iis-5-6-7-server-header-from.html

This header lets our SharePoint gatherer know it is SharePoint and will then allow it to use the sitedata.asmx web service to enumerate through the sites to get ACL's, Lists & Libraries and Items in those lists & libraries.

However the gotcha is that if you remove the header and there was existing metadata against that page already in the index it will remain in the index. It is only when the index is reset that you lose the metadata.

even Microsoft stated not to remove server header for sharepoint in the link below
http://support.microsoft.com/kb/825538

There are other web server security as well and urlscan for web server is actually one good lockdown tool (ISAPI filter) as a whole. It does break thing due to such stringent but it cannot satisfy all, need to stirke a balance operationally and security.  Sharepoint will definitely be not happy with this as long as we turn off removing server header. But I did saw other blog saying it may hinder webdav etc...I diverted...

Actually server header to attacker is for fingerprinting but not the most critical tough it will give them an edge to know our weakness. If we will to have guard our ground diligently and leverage what urlscan other capability, we may not be worst off.

Hope not too much breaks ...to appl... below are some reads for info

Ways to Lock-down SharePoint Designer Server-Side
http://www.marc-lognoul.me/itblog-en/post/2009/10/01/Ways-to-Lock-down-SharePoint-Designer-Server-Side.aspx 

Securing Web server
http://msdn.microsoft.com/en-us/library/ff648653.aspx#c16618429_026
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques. This attack comes as a nightmare trifecta for email filtering services; sent from a familiar contact, using authentic tone and verbi…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now