In general, Information Disclosure is a good security tactic. The less
you tell the hacker, the better. However, please do not confuse
"Information Disclosure" and "Security through Obscurity" because
while the former is a good security tactic, the latter is a completely
bogus form of security.

In this case, the information you want to prevent disclosing is
through obscurity and hence not worthwhile.

And even if you want to prevent the disclosure -- the IIS version can be
easily determined by the OS because there is only one version per OS
(other than XP Pro 32/64-bit). And an OS over the network has so many
possible/benign-looking fingerprinting mechanisms that it is not worth
trying to hide/obscure your network identity. The fact that your TCP stack
responds to the remote server is enough to fingerprint the system.
There are software systems out there that attempt to masquerade the
TCP stack, but that tampering can also be detected.

In general, you get far greater bang-for-the-buck by focusing on the
actual security configuration of the system, instead of trying to
obscure the identity, because obscuring the identity does not buy you
any security.

Furthermore, computers make it easy to try every possible exploit in
an optimized bang-for-the-buck fashion such that even if you obscure
the identity, the hacker STILL tries the attacks to see which
succeeds.

In other words, suppose the hacker has a collection of hacks against
Apache, IIS, and Sun WebServer. You have an IIS server and somehow
masquerade it as a Sun server. Do you think the hacker is just going
to try the Sun WebServer hacks and stop, thus rendering your server
"secure"? Or do you think the hacker knows that people do obscuring
and will try his whole bag of hacks and see what hits? You bet the
average hacker will do the latter because it is so cheap and easy to
do... so what does your security through obscurity buy you? Absolutely
nothing other than wasted time and effort.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Jul 27, 10:02 am, Massimo <Mass...@discussions.microsoft.com>
wrote:
> Ok, I've always thought that the less information about a system a person can find,
> the more difficult it is to hack the system.
[quoted text clipped - 22 lines]