Penetration Testing mailing list archives

RE: NT/IIS decoy
From: Thor () HammerofGod com
Date: Tue, 11 Dec 2001 11:13:23 -0800


At 02:00 AM 12/11/2001, Clement-Evans, Rhys wrote:
The third method is by installing the Microsoft IIS Lockdown utility and
setting the URLScan RemoveServerHeader variable to 1, and the
AlternateServerName to the text of your choice. This would be my preferred
option as you don't need to worry about service pack/patch file overwrites
of w3svc.dll. Further details of lockdown are available from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
- or for a quick look at the URLScan options -
http://www.iisfaq.com/Articles/384/

Not to be overly pedantic, but you need to have RemoveServerHeader set to
0, not 1. A setting of 1 removes it altogether, regardless of what the
Alternate is set to.

To cross post a bit, I think it interesting that a single "GET" on IIS 5
does not reflect an alternate setting - it will tell you the default, but
not the alternate. IIS4 gives you both... a "GET / HTTP/1.x" does give
it to you on both, but not just a "GET"...



AD
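An added example, not part of the original post or of URLScan itself: a small check that reads the `[options]` section of a urlscan.ini and reports what happens to the Server header, flagging the combination discussed in the reply above (RemoveServerHeader=1 together with an AlternateServerName). The sample file contents, the banner text and the function name are constructed for illustration, and a missing RemoveServerHeader key is assumed to mean 0.

```python
import configparser

# Constructed urlscan.ini fragments for illustration (not from the post).
AS_QUOTED = """\
[options]
UseAllowVerbs=1            ; inline comments are tolerated
RemoveServerHeader=1
AlternateServerName=ExampleServer/1.0

[AllowVerbs]
GET
HEAD
"""
CORRECTED = AS_QUOTED.replace("RemoveServerHeader=1", "RemoveServerHeader=0")


def server_header_outcome(ini_text):
    """Return (outcome, banner, warnings) for the Server header settings.

    outcome is 'removed', 'replaced' or 'default'. Assumption: a missing
    RemoveServerHeader key is treated as 0.
    """
    cp = configparser.ConfigParser(
        allow_no_value=True,            # sections such as [AllowVerbs] hold bare values
        delimiters=("=",),
        inline_comment_prefixes=(";",),
        strict=False,
        interpolation=None,
    )
    cp.read_string(ini_text)
    # Section names are matched case-insensitively.
    name = next((s for s in cp.sections() if s.lower() == "options"), None)
    opts = cp[name] if name else {}
    remove = (opts.get("removeserverheader") or "0").strip() == "1"
    alt = (opts.get("alternateservername") or "").strip()

    warnings = []
    if remove and alt:
        warnings.append(f"AlternateServerName={alt!r} has no effect while RemoveServerHeader=1")
    if remove:
        return "removed", None, warnings
    if alt:
        return "replaced", alt, warnings
    return "default", None, warnings


if __name__ == "__main__":
    for label, text in (("as quoted", AS_QUOTED), ("corrected", CORRECTED)):
        print(label, server_header_outcome(text))
```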
