[thelist] Hide IIS6 Banner

Ken Schaefer ken.schaefer at gmail.com
Sun Oct 31 01:20:57 CST 2004


On Sat, 30 Oct 2004 07:45:06 -0700 (PDT), Scott Dexter
<dexilalolai at yahoo.com> wrote:
> > : With every page request, IIS6 sends back
> > : "Server: Microsoft-IIS/6.0" in the header.
> > : Does anybody know how to remove this
> >
> > Questions:
> > a) Why do you want to do this?
> 
> Because if I know what kind of server it is, I can plan my attack
> strategy accordingly. It's called a passive attack. I investigate
> what I'm dealing with, "Ooh! IIS6!" and go from there, "I can use xyz
> attack to break in!"

Doing this is generally called "security through obscurity", and if
you talk to security people, they will tell you that "security through
obscurity is not real security".

Whilst obscurity is good, it doesn't make you inherently any more
secure than otherwise. Certainly hiding the Server: header doesn't
really do a lot, as tools like Nmap etc. are capable of determining
your OS in other ways (TCP fingerprinting).

Additionally, in terms of exploiting webserver software
vulnerabilities, most attackers would simply hurl every known attack
against every possible webserver software against your box - why rely
on the Server: HTTP header to base your attack when people can change
it? Given that there are only a few dozen vulnerabilities, it takes a
very small amount of time to try them all, and see which ones bork the
server.


> > b) The Server header is part of the HTTP specification, so are you
> > looking to replace the value of the header with something else?
> 
> Yup, that's the idea, replacing it with, "Web server." or something
> as innocuous...

Generally pointless. This is pointed out on the URLScan page that Microsoft has:

<quote>
IIS 6.0 does not include the RemoveServerHeader feature because this
feature offers no real security benefit. Most server attacks are not
operating system specific. Also, it is possible to detect the identity
of a server and information about the operating system by mechanisms
that do not depend on the server header.
</quote>

http://www.microsoft.com/technet/security/tools/urlscan.mspx

Cheers
Ken
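
The point Ken makes above (blanking "Server:" leaves other signals behind) can be checked against a server's own responses. The following is an added example, not code from this thread, from Microsoft or from URLScan: it parses a raw HTTP response, reports which headers still identify the platform, and rewrites the Server: value the way Scott suggests. The list of identifying headers is illustrative, not exhaustive, and the sample response is constructed.

```python
"""Added example: report platform-identifying headers in a raw HTTP response
and show that rewriting Server: alone does not remove them all."""
import re

# Headers that commonly carry platform/version details.
# Assumption: this list is illustrative, not exhaustive.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# A product/version token such as "Microsoft-IIS/6.0".
PRODUCT_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_platform_info(raw: str) -> dict:
    """Return the headers that still identify the server platform.
    Server: counts only if it carries a product/version token; the X- headers
    count whenever they are present at all."""
    headers = parse_headers(raw)
    found = {}
    for name in DISCLOSING_HEADERS:
        value = headers.get(name, "")
        if name == "server":
            if PRODUCT_TOKEN.search(value):
                found[name] = value
        elif value:
            found[name] = value
    return found


def rewrite_server_header(raw: str, replacement: str = "Web server") -> str:
    """Replace the Server: value (what a filter or reverse proxy would do).
    Every other header is deliberately left untouched."""
    return re.sub(r"(?im)^Server:[^\r\n]*", f"Server: {replacement}", raw, count=1)


# Constructed sample: an IIS-style response with a second identifying header.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print(disclosed_platform_info(SAMPLE))
    print(disclosed_platform_info(rewrite_server_header(SAMPLE)))
```

Running it shows that after the rewrite the X-Powered-By header still names the platform, which is why the thread calls the exercise "generally pointless" on its own.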