[thelist] Hide IIS6 Banner

Ken Schaefer ken.schaefer at gmail.com
Sun Oct 31 01:26:02 CST 2004


On Sat, 30 Oct 2004 11:32:40 -0400, Joshua Olson <joshua at waetech.com> wrote:

> > There are 3rd party filters (I think port80 software makes
> > one), or you can use URLScan (which is an ISAPI filter) or
> > you can write your own. This hasn't changed between IIS5 and
> > IIS6 - on both platforms you need to use an ISAPI filter AFAIK.
> 
> Ken,
> 
> I found both solutions that you mentioned before posting my query.  I prefer
> the URLScan solution as it doesn't bring in software from 3rd parties.
> But, I was under the understanding that URLScan wasn't necessary with IIS6,
> so I don't typically install it.  Am I working off bad information?

IIS 6.0 already includes most of the functionality of URLScan.
Certainly the URL canonicalization protection code is now built into
IIS 6.0. In an effort to protect IIS 6.0 against many of the attacks
that afflicted IIS 5.0, most (if not all) of the string handling code has
been centralised into a single library, and this library was
extensively tested to ensure that it robustly handles canonicalization
issues.

There are a couple of things that URLScan does that IIS 6.0 doesn't
natively expose, and you can get a list on this page here:
http://www.microsoft.com/technet/security/tools/urlscan.mspx

FWIW, there is no built-in URLScan in IIS 6.0 per se. It's just that
most of the protective features that URLScan gave you on IIS 5.0 are
built into IIS 6.0 in one way or another, making URLScan (mostly)
redundant. The ability to remove/alter the Server header is not built
into IIS 6.0 because Microsoft (and I believe most other security
professionals/organisations) believes that it doesn't give you much
protection.

Cheers
Ken
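
As an added illustration of the URLScan approach Ken describes (this is not
part of the original thread), the relevant settings live in the [Options]
section of URLScan.ini, which by default sits in the urlscan folder under
inetsrv. RemoveServerHeader=1 makes the filter strip the Server header at
send-response time; AlternateServerName is only honoured when
RemoveServerHeader is 0 and substitutes a different name instead of removing
the header. The other keys shown are the ones most relevant to the
canonicalization protections that IIS 6.0 already has natively; the values are
this example's choices, not URLScan's shipped defaults.

```ini
; URLScan.ini - added example, not the thread's own configuration
[Options]
; Deny any verb not listed in [AllowVerbs]
UseAllowVerbs=1
; Deny any extension not listed in [AllowExtensions]
UseAllowExtensions=1
; Decode the URL before scanning, and reject it if a second decode
; pass changes the result (double-encoding check)
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
AllowDotInPath=0
; Strip the Server header from every response; the filter, not IIS,
; is what makes this possible on IIS 6.0
RemoveServerHeader=1
; Only used when RemoveServerHeader=0; then the response would carry
; "Server: <this value>" instead of the stock IIS banner
AlternateServerName=
; Log rejected requests so the effect of the rules can be reviewed
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
.asp
.htm
.html
.txt
.jpg
.gif
.css
.js
```

After restarting the IIS service so the filter reloads its ini, a HEAD request
against the site should show no Server header at all. Since the thread notes
that Microsoft does not consider hiding the banner much of a protection, treat
the RemoveServerHeader line as cosmetic and the canonicalization and allow-list
keys as the part that actually reduces exposure on IIS 5.0 (and is largely
redundant, but harmless, on IIS 6.0).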

