Mask IIS from Vulnerability Scans
This is a quick overview for website developers on how to mask the information Microsoft Internet Information Server gives out. The majority of compromised websites were exploited because the web master failed to apply the patches provided by the software vendor. These weaknesses are typically found by running a vulnerability assessment program or script that produces a list of possible exploits of the target system. There are also issues such as improper coding, setup and security settings.
By changing the information your server gives out, many vulnerability scanners and scripts will assume you are running a different server operating system; that assumption leads to inaccurate reports, and the attacker moves on to another system. Listed below are five simple steps to masking IIS information.
1) Change your extension
Under the default website properties, choose the Home Directory tab, click the Configuration button, click Add, type C:\WINDOWS\System32\inetsrv\asp.dll in the Executable box and .CGI for the extension. Verbs can be set to the following: GET,HEAD,POST,TRACE. You can skip the file-exists option.
Now just take any .asp page, change the extension to .CGI and away you go. When a visitor looks at your page, they see the .CGI extension. Better yet, when your site is scanned, it appears you are using a system other than IIS. You can use extensions other than .CGI, such as .PHP (provided you are not really using PHP).
[Note: Your .ASP pages will still work.]
2) URLScan
You should also use URLScan, which comes with the IIS Lockdown tool, to specify a replacement for IIS's built-in Server header; this will give out false server information. Just find the line below inside urlscan.ini and add your false server name, or cut and paste this example:
IISlockdownAlternateServerName=Netscape-Enterprise/3.6
3) Session ID
IIS also gives itself away with the ASPSESSIONID cookie. If you are not using session variables, you can prevent this information exposure by disabling the session state found under Home Directory, Configuration, Options.
4) Error Handling
Of course, you will want some type of custom error messages. If you do not change your default error messages, a user could type in a non-existent page and receive an IIS error page, essentially defeating your work.
5) Automatic Updates
Be aware of updates and make sure you apply any fixes and patches.
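To check that the masking took, here is an added example (not part of the original article) that parses a raw HTTP response and reports which of the IIS tells covered in steps 1 to 4 are still present; the sample responses, the finding names and the marker strings it looks for are constructed for this example.

```python
import re
# Patterns for the details that identify IIS (constructed for this check).
SERVER_RE = re.compile(r"Microsoft-IIS", re.I)
SESSION_RE = re.compile(r"\bASPSESSIONID[A-Z]*=", re.I)
ASP_LINK_RE = re.compile(r'(?:href|src|action)="[^"]*\.asp"', re.I)
ERROR_PAGE_TEXT = "Internet Information Services"  # shown on IIS default error pages

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status_code = status_line.split(" ", 2)[1]
    headers = []
    for line in header_lines:  # names lower-cased; repeated Set-Cookie lines are kept
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers, body

def iis_fingerprints(raw):
    """Return the tells that give IIS away, each tagged with the step that removes it."""
    status_code, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "server" and SERVER_RE.search(value):
            findings.append("server-header")        # step 2: URLScan alternate name
        if name == "set-cookie" and SESSION_RE.search(value):
            findings.append("aspsessionid-cookie")  # step 3: disable session state
    if ASP_LINK_RE.search(body):
        findings.append("asp-extension")            # step 1: serve pages as .CGI
    if status_code[0] in "45" and ERROR_PAGE_TEXT in body:
        findings.append("default-error-page")       # step 4: custom error pages
    return findings

# Constructed sample responses: an unmasked server and the same server after the steps.
UNMASKED = (
    "HTTP/1.1 404 Object Not Found\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Set-Cookie: ASPSESSIONIDQQGGQOQT=ABCDEFGHIJKLMNOP; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>HTTP 404 - File not found</h1>Internet Information Services"
    '<a href="/default.asp">home</a></body></html>'
)
MASKED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Netscape-Enterprise/3.6\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Sorry, that page does not exist.</h1>"
    '<a href="/default.cgi">home</a></body></html>'
)
```

Running iis_fingerprints over a response captured from your own site after each step shows which tells remain; an empty list means none of the four checks still identify IIS.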