Friday, March 30, 2007

Banner Removal in IIS 6.0 - Without URLScan

Back in the IIS 5.0 days, IISLockdown was an essential tool. Every IIS security guide told you to run it, and for good reason.

The IIS Lockdown Tool functions by turning off unnecessary features, thereby reducing attack surface available to attackers. URLScan was part of IIS Lockdown and offered several positive security features as well.

Microsoft noticed the importance of URLScan and ended up integrating many of its security features directly into IIS 6.0. Many were even improved beyond what URLScan offered.

However, one feature was not included - RemoveServerHeader

By default, a Web server returns a header that identifies what Web server software it is running in all responses. This can increase the server vulnerability because an attacker can determine that a server is running IIS and then attack known IIS problems, instead of trying to attack an IIS server by using exploits that are designed for other Web servers. By default, this option is set to 0. If you set the RemoveServerHeader option to 1, you prevent your server from sending the header that identifies it as an IIS server. If you set RemoveServerHeader to 0, this header is still sent.
But with the release of IIS 6.0, Microsoft changed its position on the header leakage issue...
IIS 6.0 does not include the RemoveServerHeader feature because this feature offers no real security benefit. Most server attacks are not operating system specific. Also, it is possible to detect the identity of a server and information about the operating system by mechanisms that do not depend on the server header.
This change took into account several new Web server fingerprinting methods. Those methods are outlined here and here. These methods let attackers fingerprint servers well beyond the standard header leakage issue, so hiding the banner alone does not stop identification.

Because of this, the general idea in the security world was that IIS 6.0 made URLScan obsolete.

But what about those super-security freaks that still wanted to remove the banner?

The answer was URLScan v2.5 on IIS6.0 - until now.

Recently, it was brought to my attention that a free tool existed that could easily remove the header information in IIS 6.0 and IIS 7.0 Beta.

The technoheresy has been lifted!

It is called Server Header. It is basically a custom ISAPI filter, created by Thomas Deml, which allows you to modify the Server header of IIS 4/5/5.1/6 and 7.0. He even included the source code!

Granted, this is an ISAPI filter, and it could have a negative performance impact on servers with very high traffic volumes, so take that into account before considering the tool. It is also third-party code, so, as always, it is highly advised to test the tool in a non-production environment before deployment. In this case, the included source code is a plus, since you can review exactly what runs inside your IIS worker process.
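Whether you deploy the filter or not, the only way to know what your server actually sends is to look at the response headers. The following Python script is an added example, not code from the original post or from Thomas Deml's filter: it parses a raw HTTP response, reports whether a Server header is present, and flags whether the value still carries the default Microsoft-IIS product token and version. The three sample responses are constructed for the example, not captured from a real host; the live-check function assumes you are querying a server you administer.

```python
"""Check whether an HTTP response still discloses the IIS Server banner.

Added example: parses a raw HTTP/1.x response head and classifies the
Server header. Sample responses below are constructed, not captured.
"""
import http.client
import re

# Default product token IIS sends, e.g. "Microsoft-IIS/6.0".
IIS_TOKEN = re.compile(r"Microsoft-IIS/(\d+(?:\.\d+)?)", re.IGNORECASE)


def parse_headers(raw_response: bytes) -> dict:
    """Return response headers as a dict with lowercase names.

    Only the head (status line plus headers) is examined; the body is
    ignored. Repeated headers are joined with ", ".
    """
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip it
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def classify_server_header(raw_response: bytes) -> dict:
    """Report on the Server header of a raw response.

    present - whether any Server header was sent
    value   - the header value, or None
    iis     - True if the value contains the default IIS product token
    version - the disclosed IIS version, or None
    """
    headers = parse_headers(raw_response)
    value = headers.get("server")
    match = IIS_TOKEN.search(value) if value else None
    return {
        "present": value is not None,
        "value": value,
        "iis": match is not None,
        "version": match.group(1) if match else None,
    }


def fetch_raw_response(host: str, port: int = 80, path: str = "/") -> bytes:
    """HEAD-request a server you administer and rebuild its response head.

    The head is reassembled from http.client's parsed headers, so it is
    equivalent to what the server sent rather than byte-for-byte identical.
    """
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        status_line = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        header_lines = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return (status_line + header_lines + "\r\n").encode("iso-8859-1")
    finally:
        conn.close()


# Constructed sample responses (not captured from a live host).
DEFAULT_IIS6 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 0\r\n\r\n"
)
BANNER_REMOVED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)
BANNER_REPLACED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: WebServer\r\n"
    b"Content-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    samples = (("default", DEFAULT_IIS6),
               ("removed", BANNER_REMOVED),
               ("replaced", BANNER_REPLACED))
    for label, sample in samples:
        print(label, classify_server_header(sample))
```

Run it before and after installing the filter (call `fetch_raw_response` against your own server and pass the result to `classify_server_header`) and the `iis` flag should go from True to False. Note that the constructed default response also carries an X-Powered-By header, which the Server Header filter does not touch; that is one of the other disclosure channels Microsoft's statement above alludes to.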

So the debate may continue on whether changing the header offers any REAL security benefit, but at least the security paranoid now have an option.