Penetration Testing mailing list archives

RE: NT/IIS decoy

From: Thor () HammerofGod com
Date: Tue, 11 Dec 2001 11:13:23 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 02:00 AM 12/11/2001, Clement-Evans, Rhys wrote:

The third method is by installing the Microsoft IIS Lockdown utility and
setting the URLScan RemoveServerHeader variable to 1, and the
AlternateServerName to the text of your choice. This would be my preferred
option as you don't need to worry about service pack/patch file overwrites
of w3svc.dll. Further details of lockdown are available from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
tools/locktool.asp - or for a quick look at the URLScan options -
http://www.iisfaq.com/Articles/384/


Not to be overly pedantic, but you need to have RemoveServerHeader set to 
0, not 1.
A setting of 1 removes it altogether, regardless of what the Alternate is 
set to.

To cross post a bit, I think it interesting that a single "GET" on IIS 5 
does not reflect an alternate setting- it will tell you the default, but 
not the alternate.  IIS4 gives you both...   a "GET / HTTP/1.x" does give 
it to you on both, but not just a "GET"...



AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPBZa04hsmyD15h5gEQIe1gCg56uYC4oc2edWLdDEKK4+POvHCTcAoJpa
Ik/wsdXb+uIjKQNTyWjXJCCw
=PdfI
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

NT/IIS decoy Lambott (Dec 10)
- Re: NT/IIS decoy Michael Katz (Dec 10)
- Re: NT/IIS decoy Chuck Fitzpatrick (Dec 10)
- <Possible follow-ups>
- RE: NT/IIS decoy nvondadelszen (Dec 10)
- RE: NT/IIS decoy Clement-Evans, Rhys (Dec 11)
- RE: NT/IIS decoy Thor (Dec 12)
- Re: NT/IIS Decoy Qazi M.M. Ahmed (Dec 12)