Mask IIS



This is a quick overview for website developers on how to mask the information Microsoft Internet Information Server (IIS) gives out. Most compromised websites are exploited because the web master failed to apply the patches provided by the software vendor. Attackers typically find these weaknesses by running a vulnerability assessment program or script that fingerprints the target and then produces a list of possible exploits for it. Improper coding, setup and security settings are further sources of weakness.

By changing the information your server gives out, many vulnerability scanners and scripts will assume you are running a different web server or operating system; the scanner then reports the wrong set of exploits and a casual attacker may move on to another system. Masking raises the cost of reconnaissance, but it does not remove a single vulnerability, so treat it as a supplement to patching (step 5), not a substitute. Listed below are five simple steps to masking IIS information.

1) Change your extension

Under the Default Web Site properties, choose the Home Directory tab, click the Configuration button, click Add, type C:\WINDOWS\System32\inetsrv\asp.dll in the Executable box and .CGI in the Extension box. The verbs can be set to GET,HEAD,POST,TRACE, though there is rarely a reason to allow TRACE. You can leave the "Check that file exists" option unchecked.

Now take any .asp page, rename it with the .CGI extension and away you go. When a visitor looks at your page they see the .CGI extension, and when your site is scanned it appears you are using something other than IIS. You can use extensions other than .CGI, .PHP for example, provided you are not really using PHP: the mapping hands every request for that extension to asp.dll, so a real PHP file under it would be executed as ASP.
[Note: Your .ASP pages still work, because the original .asp mapping to asp.dll is untouched. If you want scanners to see no trace of ASP at all, rename every page and fix your internal links so that no .asp URL is still referenced.]

2) URLScan

You can also install URLScan (shipped with the IIS Lockdown tool for IIS 4 and 5, and installable on IIS 6 as well) to replace IIS's built-in Server header with a string of your choosing. In the [Options] section of urlscan.ini, leave RemoveServerHeader at 0 (the replacement only applies when the header is not removed outright) and set AlternateServerName to the false server string you want to present, then restart IIS (iisreset) for the change to take effect.
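The urlscan.ini fragment below is an added example, not the one from the original article. The two option names are URLScan's own; the Apache-looking value of AlternateServerName is an arbitrary string chosen for the illustration, and any other server name will do.

```ini
[Options]
; Keep the Server header (removing it outright is itself a tell that
; something is filtering), but replace its value with a false one.
RemoveServerHeader=0
; Arbitrary example value; pick whatever you want scanners to see.
AlternateServerName=Apache/2.0.52 (Unix)
```

After saving the file, run iisreset; URLScan reads its configuration when the web service starts, so an edit alone changes nothing.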

3) Session ID

IIS also gives itself away with the ASPSESSIONID cookie (the name is ASPSESSIONID followed by a run of random letters) that classic ASP sets on the first response. If you are not using session variables, disable session state under Home Directory, Configuration, Options, and the cookie is never sent. If you do rely on Session, you cannot rename this cookie in classic ASP; the other steps still hide the server, but this one tell remains.

4) Error Handling

You will also want custom error messages. If you leave the default error pages in place, a user (or a scanner) only has to request a non-existent page to receive the stock IIS error page, which names the product and defeats the rest of your work. Under the Custom Errors tab of the site properties, point the common status codes (at least 400, 403, 404 and 500) at plain pages of your own that say nothing about the server.

5) Automatic Updates

Masking does not fix anything, so keep up with the vendor's security bulletins and apply every fix and patch promptly. An attacker who ignores the fingerprint and simply tries the IIS exploits anyway will still succeed against an unpatched server.
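To see whether the five steps actually changed what a scanner sees, it helps to look at a response the way a fingerprinting script does. The script below is an added example, not code from the original article: fingerprint() takes a raw HTTP response and reports every IIS tell the steps above try to hide (the Server header, the ASPSESSIONID cookie, a Location header still pointing at an .asp page, and the stock IIS error page body). It also reports the X-Powered-By and X-AspNet-Version headers, which the article does not mention; IIS adds them when ASP.NET is installed and scanners flag them too. The two sample responses are constructed for the demo, and fetch_raw() (host and path are arguments you supply) is provided for running the same check against a live server you are authorised to test.

```python
"""Check a raw HTTP response for the IIS tells a fingerprinting scanner looks for.

Added example, not part of the original article. Everything below the function
definitions is constructed sample data.
"""
import http.client
import re
from typing import Dict, List, Tuple

# Classic ASP names its cookie ASPSESSIONID plus random letters, so match the prefix.
_ASP_COOKIE = re.compile(r"^ASPSESSIONID[A-Z]*=", re.IGNORECASE)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.x response into (status line, headers, body).

    Header names are lower-cased and each maps to a list, because Set-Cookie
    may legitimately appear more than once.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("latin-1", errors="replace")


def fingerprint(raw: bytes) -> List[str]:
    """Return the IIS / ASP tells still visible in one response (empty if masked)."""
    _, headers, body = parse_response(raw)
    tells: List[str] = []
    for server in headers.get("server", []):
        if "iis" in server.lower():
            tells.append(f"Server header reveals IIS: {server}")
    for cookie in headers.get("set-cookie", []):
        if _ASP_COOKIE.match(cookie):
            tells.append("ASPSESSIONID cookie set (classic ASP session state is on)")
    # Not in the article's five steps: ASP.NET adds these when it is installed.
    for name in ("x-powered-by", "x-aspnet-version"):
        for value in headers.get(name, []):
            tells.append(f"{name} header present: {value}")
    for location in headers.get("location", []):
        if re.search(r"\.asp(\?|$)", location, re.IGNORECASE):
            tells.append(f"Location header points at an .asp page: {location}")
    lowered = body.lower()
    if "the page cannot be found" in lowered and "internet information services" in lowered:
        tells.append("Stock IIS error page body returned")
    return tells


def fetch_raw(host: str, path: str = "/no-such-page.asp", port: int = 80) -> bytes:
    """Fetch one page and rebuild the raw response so fingerprint() can read it.

    Not exercised by the demo; requesting a page that does not exist is the
    quickest way to see whether step 4 (custom errors) took effect.
    """
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in resp.getheaders())
    return head.encode("latin-1") + b"\r\n" + resp.read()


# Constructed sample: a default IIS 6 answer to a request for a missing .asp page.
UNMASKED = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Set-Cookie: ASPSESSIONIDQQGGTHYS=ABCDEFGHIJKLMNOPQRSTUVWX; path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>The page cannot be found</title></head>"
    b"<body>Internet Information Services (IIS)</body></html>"
)

# Constructed sample: the same server after the five steps (.CGI mapping,
# URLScan AlternateServerName, session state off, custom error page).
MASKED = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache/2.0.52 (Unix)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Sorry, that page does not exist.</body></html>"
)

if __name__ == "__main__":
    for label, sample in (("unmasked", UNMASKED), ("masked", MASKED)):
        print(label + ":", fingerprint(sample) or ["no IIS tells found"])
```

Run it as-is to see the two constructed samples scored, or call fingerprint(fetch_raw("your.host")) against your own server after each step to confirm the tell you just removed no longer shows up.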
