Security Basics mailing list archives

Re: Microsoft Urlscan Filter v3.0


From: "Jorge L. Vazquez" <jlvazquez825 () gmail com>
Date: Fri, 29 Aug 2008 01:29:26 -0400

amatachick () gmail com wrote:
I'm looking into throwing this on our IIS servers and wanted to get feedback from y'all on two things:

1) Would this count as a Web Application Firewall? The reason I ask is for possible PCI Compliance benefits.

2) Has anyone used this and, if so what problems did you run into?

This would be installed onto boxes running Windows Server 2003 and IIS versions 5 and 6.

For convenience's sake, here is the link to the Microsoft page talking about this tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=EE41818F-3363-4E24-9940-321603531989&displaylang=en#Instructions

Doing some Googling, I also found this site kinda helpful, but it still doesn't answer the above questions.

http://learn.iis.net/page.aspx/473/using-urlscan

Thanks in advance!!

One of the things UrlScan does is protect your web server from being
fingerprinted. For example, when using network scanners like nmap or
Nikto to fingerprint a server, I know for a fact that when UrlScan is
installed on the server, nmap fails to fingerprint the server, and so does
Nikto. The one that comes closest to detecting the type of server is
httprint: it takes an educated guess and gives you a percentage of how
sure it is, and again, with UrlScan installed, httprint says it is about
50 to 60% sure, which is not good enough. So, as you can see, it would
hurt you to install UrlScan, and of course if you don't know what type of
server is running on port 80 it is much more difficult to find exploits
for something you don't know.

You may want to check out this article:
http://www.pctechtips.org/pentesting_webservers_httprint_nikto_nessus.htm

Here you can see how nmap fails to properly identify the kind of server
running on port 80.


thanks

Jorge L. Vazquez
www.pctechtips.org
MCSE, CCNA, A+
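An added example, not from the post above and not Microsoft's own UrlScan code, covering the two things a practitioner would check before relying on UrlScan for the fingerprinting point: that the ini actually turns on RemoveServerHeader, and what a response still reveals once the Server header is gone. The urlscan.ini text and the HTTP responses below are constructed samples (not captures from a real IIS box), and the rules in audit_urlscan_ini are my own choice of checks, not a Microsoft checklist.

```python
"""Check a UrlScan.ini for the banner-related settings, and check what a raw
HTTP response still reveals about the server. Added example for this thread;
not code from the original post or from Microsoft's UrlScan. The ini text and
the HTTP responses are constructed samples, not real captures."""
import configparser

# Constructed sample urlscan.ini: an [options] section, then list-style sections
# whose entries are bare names with no '=' (the layout UrlScan itself uses).
SAMPLE_URLSCAN_INI = r"""
[options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1
PerProcessLogging=0
AllowLateScanning=0
PerDayLogging=1
RejectResponseUrl=
UseFastPathReject=0
AlternateServerName=

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyUrlSequences]
..
./
\
:
%
&
"""


def load_urlscan_ini(text):
    """Parse UrlScan.ini text. allow_no_value accepts the bare list entries,
    interpolation is off so '%' is a literal, and only '=' splits key/value."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp


def server_header_policy(cp):
    """What the Server header will look like under this config:
    'removed' - RemoveServerHeader=1, IIS sends no Server header at all
    'spoofed' - RemoveServerHeader=0 but AlternateServerName replaces the banner
    'exposed' - the stock banner (e.g. Microsoft-IIS/6.0) goes out unchanged"""
    remove = (cp.get("options", "RemoveServerHeader", fallback="0") or "").strip()
    alt = (cp.get("options", "AlternateServerName", fallback="") or "").strip()
    if remove == "1":
        return "removed"
    if alt:
        return "spoofed"
    return "exposed"


def audit_urlscan_ini(text):
    """Findings a reviewer would raise on a UrlScan.ini (my own checks)."""
    cp = load_urlscan_ini(text)
    findings = []
    if server_header_policy(cp) == "exposed":
        findings.append("Server banner exposed: set RemoveServerHeader=1")
    if cp.get("options", "UseAllowVerbs", fallback="0") != "1":
        findings.append("UseAllowVerbs=0: verbs are deny-listed, not allow-listed")
    if cp.get("options", "NormalizeUrlBeforeScan", fallback="0") != "1":
        findings.append("NormalizeUrlBeforeScan=0: rules run on the undecoded URL")
    if not cp.has_option("DenyUrlSequences", ".."):
        findings.append("'..' is missing from [DenyUrlSequences]")
    return findings


def parse_http_headers(raw):
    """Split a raw HTTP/1.x response into (status line, {lowercased name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


# Headers that name the product. UrlScan's RemoveServerHeader only strips
# Server; X-Powered-By / X-AspNet-Version are set by IIS and ASP.NET and must be
# removed in their own configuration.
PRODUCT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def server_banner(raw):
    """Server header value, or None when the response carries none."""
    return parse_http_headers(raw)[1].get("server")


def leaked_product_headers(raw):
    """Product-identifying headers still present in the response."""
    _, headers = parse_http_headers(raw)
    return {name: headers[name] for name in PRODUCT_HEADERS if name in headers}


# Constructed responses: a stock IIS 6.0 reply, and the same reply with
# UrlScan's RemoveServerHeader=1 in effect.
STOCK_IIS6 = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Length: 1433\r\n"
              b"Content-Type: text/html\r\n"
              b"Server: Microsoft-IIS/6.0\r\n"
              b"X-Powered-By: ASP.NET\r\n"
              b"Date: Fri, 29 Aug 2008 05:29:26 GMT\r\n"
              b"\r\n")
URLSCAN_IIS6 = STOCK_IIS6.replace(b"Server: Microsoft-IIS/6.0\r\n", b"")

if __name__ == "__main__":
    print("policy:", server_header_policy(load_urlscan_ini(SAMPLE_URLSCAN_INI)))
    print("findings:", audit_urlscan_ini(SAMPLE_URLSCAN_INI))
    for label, raw in (("stock", STOCK_IIS6), ("urlscan", URLSCAN_IIS6)):
        print(label, "banner:", server_banner(raw), "leaks:", leaked_product_headers(raw))
```

Two caveats worth keeping in mind when reading the results: the X-Powered-By header survives RemoveServerHeader, because UrlScan never touches it, so the box still says "ASP.NET" until that custom header is removed in the IIS configuration; and tools like httprint also key on things other than the banner (header order, how malformed requests are answered), which is why they can still get a partial match with the Server header gone. Stripping the banner raises the cost of fingerprinting; it does not make the server version a secret.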

