IIS Server Banner

Now, sometime you might want to remove the IIS banner information to 'hide' your server. Though, it doesn't really help you avoid any attack as the attackers or malicious program will just try to connect to every single possible host and then try any known exploits on it. So 'hiding' is not good, you should 'protect' your IIS server instead.

Anyway, you might want to know to hide it. Ok, let's look at:
Web - banner
HTTP: Server = Microsoft-IIS/5.0
You can hide it using URLScan, try..
HOW TO: Mask IIS Version Information from Network Trace and Telnet

FTP - banner
220 Microsoft FTP Service
This one is HOT!, just released by MS. but you need to ring PSS to get the fix, try
FIX: You cannot suppress the default FTP banner for the FTP service

SMTP - banner
220 hostname.domain.com Microsoft ESMTP MAIL Service
This apply to IIS SMTP and Microsoft Exchange SMTP component, try
XCON: How to Modify the SMTP Banner

NNTP - banner
No clues yet, but you can try the nntp binary dll and hex edit it.

Published Tue, May 11 2004 13:17 by bernard

Filed under: IIS News, IIS KBs

Comments

# bernard said on 11 May, 2004 08:13 PM: Is it doable for IIS6?
# bernard said on 12 May, 2004 08:22 AM: I love U baby!!!!I need this very soon!
# bernard said on 12 May, 2004 10:26 AM: Yes, all the above I believe work with IIS 5 and IIS 6.

IIS 4.0 ? what ? you still have NT 4 :) ... I believe the ftp fix apply to IIS 5.0 and above. though you still able to hide HTTP with urlscan and etc.
# bernard said on 20 May, 2004 04:26 PM: http://securityadmin.info/faq.asp#banner has some links to some other items that people wishing to hide their banners or OS information should consider.

You can see from the link above that I am lukewarm on the benefits of hiding banners. But while it is true that security through obscurity is not by itself effective, it can still be a worthwhile pursuit in combination with other countermeasures. After all, some hackers do still attempt system enumeration before attacking.
# bernard said on 22 May, 2004 02:19 PM: Cool to know that FTP banner issue is fixed.
So as you know there will be NNTP that is remaining...

By the way, from RC2 on, as for POP3 service you can modify the strings via registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pop3 Service\Greeting

# I have been informed of this by Alex Feinman. He has been a geek of Whistler for quite a long time, too. ;-)
# bernard said on 22 May, 2004 02:27 PM: Ah, forgot to mention.

As you know, there are other two header fields of W3SVC, which are well-known.

We need to modify realm and content-location. ;-)

1. the Content-location header field
See the KB 218180...

2. realm (esp. for the basic auth.)
Likewise edit the following entry in the metabase.

cscript C:\inetpub\adminscripts\adsutil.vbs set w3svc/(the num. of the virtual site)/realm (strings to show)
# TrackBack said on 22 May, 2004 02:50 PM: KB: IIS Banner removal ????????
# TrackBack said on 22 May, 2004 02:52 PM: KB: IIS Banner removal ????????
# bernard said on 25 May, 2004 08:48 AM: Thanks Karl and Kenji ! Great stuff indeed. I will start part two right away :)
# TrackBack said on 25 May, 2004 09:21 AM
# TrackBack said on 27 May, 2004 03:48 AM

Server: Microsoft-IIS/7.5\r\n

IIS Server Banner

Comments

News

Search

This Blog

Tags

Archives

IIS Sites

MVPs - MVPs

IIS Related

Syndication