Penetration Testing mailing list archives
RE: NT/IIS decoy
From: Thor () HammerofGod com
Date: Tue, 11 Dec 2001 11:13:23 -0800
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 02:00 AM 12/11/2001, Clement-Evans, Rhys wrote:
The third method is by installing the Microsoft IIS Lockdown utility and setting the URLScan RemoveServerHeader variable to 1, and the AlternateServerName to the text of your choice. This would be my preferred option as you don't need to worry about service pack/patch file overwrites of w3svc.dll. Further details of lockdown are available from http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ tools/locktool.asp - or for a quick look at the URLScan options - http://www.iisfaq.com/Articles/384/
Not to be overly pedantic, but you need to have RemoveServerHeader set to 0, not 1. A setting of 1 removes it altogether, regardless of what the Alternate is set to. To cross post a bit, I think it interesting that a single "GET" on IIS 5 does not reflect an alternate setting- it will tell you the default, but not the alternate. IIS4 gives you both... a "GET / HTTP/1.x" does give it to you on both, but not just a "GET"... AD -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPBZa04hsmyD15h5gEQIe1gCg56uYC4oc2edWLdDEKK4+POvHCTcAoJpa Ik/wsdXb+uIjKQNTyWjXJCCw =PdfI -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- NT/IIS decoy Lambott (Dec 10)
- Re: NT/IIS decoy Michael Katz (Dec 10)
- Re: NT/IIS decoy Chuck Fitzpatrick (Dec 10)
- <Possible follow-ups>
- RE: NT/IIS decoy nvondadelszen (Dec 10)
- RE: NT/IIS decoy Clement-Evans, Rhys (Dec 11)
- RE: NT/IIS decoy Thor (Dec 12)
- Re: NT/IIS Decoy Qazi M.M. Ahmed (Dec 12)