We describe how to hide Microsoft’s IIS from post scanners or at least make it hard to read.
Mask IIS from Vulnerability Scans
This is a quick overview for website developers on how to mask the information Microsoft Internet Information Server gives out. The majority of compromised websites were exploited because the web master failed to apply patches provided by the software vendor. These weaknesses are typically found by running a vulnerability assessment program or script that produces a list of possible exploits of the target system. There are also issues such as improper coding, setup and security settings.
By changing the information your server gives out, many of the vulnerability scanners and scripts will assume you have a different server operating system; this assumption leads to inaccurate reports and the attacker moves on to another system. Listed below are five simple steps to masking IIS information.
1) Change your extension
Under default website properties, choose the Home Directory tab, choose the Configuration button, choose Add, type C:\WINDOWS\System32\inetsrv\asp.dll in the Executable Box and .CGI for the extension. Verbs can be set to the following: GET,HEAD,POST,TRACE. You can skip the file exists option.
Now, just take any .asp page, change the extension to .CGI and away you go. When a visitor looks at your page, they see the .CGI extension. Better yet, when your site is scanned, it appears you are using a system other than IIS. You can use extensions other than .CGI, like .PHP for example (provided you are not really using PHP).
[Note: Your .ASP pages will still work]
You can also install URLScan, even with IIS6 which comes with the IIS Lockdown tool to specify a replacement for IIS’s built in Server Header; this will give false server information. Just find the line below inside the urlscan.ini and add your false server or cut and paste this example:
3) Session ID
IIS also gives itself away with the ASPSESSIONID. If you are not using session variables, you can prevent this information exposure by disabling the session state found under Home Directory, Configuration, Options.
4) Error Handling
Of course, you will want some type of custom error messages. If you do not change your default error messages, a user could type in a non-existent page and receive an IIS error page, essentially defeating your work.
5) Automatic Updates
Be aware of updates and make sure you apply any fixes / patches.
Leave a Reply