If you get into the mind of a potential attacker looking at your site, you soon realize that it
would be a great benefit for them to know what operating system and web server you
are running. With this information, they could exploit weaknesses in the web server
that have been documented by Microsoft and BugTraq. This article will show you how
to hide the identity of your web server by making some configuration changes to IIS
and using URLScan, or by installing an ISAPI filter.
The code for the ISAPI filter is provided below, or you
can use a commercially available product.
The Server Header
One easy way for them to figure out what web server you are using is to look at the
HTTP response headers coming back from a request to your web site. HTTP response
headers are those headers that "explain" to the browser how to handle
the page including expiration information, cookies, and what type of content is
being returned. Included in the HTTP response headers from Microsoft IIS Server
is the "Server:" header that tells the user what type of web server you
are running. From that header, a hacker can determine what type of operating system
you are running. Here is an example of an HTTP response header:
HTTP/1.1 200 OK
Date: Tue, 17 Jun 2003 22:07:31 GMT
Server: Microsoft-IIS/6.0
Content-Length: 36876
Content-Type: text/html
Expires: Tue, 17 Jun 2003 22:07:31 GMT
Cache-control: private
As you can see, the server is IIS 6.0, which means the operating system is Windows 2003.
Imagine yourself as a hacker who has just gleaned thousands of domain names from Internic and has researched a security flaw in Windows 2003 .NET Server from the BugTraq database. Now all you have to do is figure out which servers are running Windows 2003. You make a quick HTTP call to those domain names, look at the "Server:" response header, and you reduce the list to potential "targets".
One thing that IT administrators can do to protect themselves from attacks is remove the "Server:" header from their HTTP responses. This makes it very hard to determine what operating system or web server is handling requests to a particular domain.
Why doesn't Microsoft allow you to turn off the Server: response header like Apache does?
Probably because they are trying to "win" the server market, and statistical
companies like Netcraft use the "Server:" header to count the number of web
servers publicly exposed on the Internet. The media uses these statistics to decide which company has the
most server installations.
There are two ways to remove the "Server:" header from the HTTP response:
one is to set RemoveServerHeader in the URLScan.ini file if you are running URLScan,
the other is to use an ISAPI filter that strips this header. It is highly recommended
that you run URLScan, and there is a new 2.5 version available for IIS 6.0
(URLScan 2.5).
Example of turning off the Server header in URLScan.ini (the setting lives in the [Options] section):
[Options]
RemoveServerHeader=1
ServerMask from Port 80 Software (http://www.port80software.com)
is a commercially available ISAPI filter that will
strip the "Server:" header; however, this article
is going to show you how to code a simple ISAPI filter to do the job and provide a
free download (already compiled) that you can install on your server right away.
If you are an IT administrator and you don't care about source code or compiling, just follow these instructions to get the download and use it on your box. The XMask.dll ISAPI filter will work on Windows NT 4.0 SP6a with IIS 4.0, Windows XP Professional with IIS 5.1 installed, Windows 2000 Server with IIS 5.0, or Windows 2003 .NET Server with IIS 6.0, whether IIS 5.0 isolation mode is turned on or off.
Open up Internet Information Services (IIS) Manager From Start | All Programs | Administrative Tools
Expand the tree until you see the "Web Sites" node and right click on it.
From the drop down menu choose "Properties"
Choose the "ISAPI Filters" tab (See Figure 3)
Figure 3
Press the "Add" button (See Figure 4)
Figure 4
Enter in XMask for the Filter Name and c:\winnt\system32\inetsrv\xmask.dll for the Executable.
Press Ok to exit the Filters Properties.
Press Ok to exit the Web Sites Properties.
That is all you have to do; the ISAPI filter is now removing the Server: HTTP response header. However, read over the additional notes below to make your server even more secure.
X-Powered-By: ASP.NET
Another easy way for a hacker to tell what type of web server you are running is to look at a new HTTP response header that ASP.NET sets on your machine. It is called X-Powered-By: ASP.NET and it gets automatically added when you install ASP.NET on your server. However, this one is very easy to remove and doesn't require a special ISAPI Filter. The way Microsoft added the HTTP response header was by using the Custom HTTP header interface in IIS. To remove it, follow these steps:
Windows 2000:
Open up Internet Server Manager From Start | Programs | Administrative Tools
Expand the tree until you see your server name and right click on the server node of the tree
From the drop down menu choose "Properties"
Click on the edit Button under Master Properties
Choose the "HTTP Headers" tab (See Figure 5)
Figure 5
Under Custom HTTP header section choose "X-Powered-By: ASP.NET"
Press Delete
Press Ok to exit the WWW Master Service Properties.
Press Ok to exit the server properties page.
Windows 2003:
Open up Internet Information Services (IIS) Manager From Start | All Programs | Administrative Tools
Expand the tree until you see the "Web Sites" node and right click on it.
From the drop down menu choose "Properties"
Choose the "HTTP Headers" tab. (See Figure 6)
Figure 6
Under Custom HTTP header section choose "X-Powered-By: ASP.NET"
Press Delete
Press Ok to exit the Web Site Properties.
Sessions
The Active Server Pages (ASP) Session object sets a distinct HTTP response header that hackers can pick up on, and even if you are not using the ASP Session object, the response header is still present. One way to avoid this is to turn off session state via the IIS manager. Note: you can only turn off ASP Session objects if you are not using them; if you are using them, you should replace them with cookies right away, since they cause a big performance problem for the box. Here is how to turn off ASP Session objects:
Windows 2000:
Open up Internet Server Manager From Start | Programs | Administrative Tools
Expand the tree until you see your server name and right click on the server node of the tree
From the drop down menu choose "Properties"
Click on the edit Button under Master Properties.
Choose the "Home Directory" tab.
Press the Configuration Button.
Choose "App Options" (See Figure 7)
Figure 7
Uncheck the Enable session state check box.
Press Ok to exit "Application Configuration" Property Pages.
Press Ok to exit the WWW Master Service Properties.
Press Ok to exit the server properties page.
Windows 2003:
Open up Internet Information Services (IIS) Manager From Start | All Programs | Administrative Tools
Expand the tree until you see the "Web Sites" node and right click on it.
From the drop down menu choose "Properties"
Choose the "Home Directory" tab.
Press the Configuration Button.
Choose the "Options" tab (See Figure 8)
Figure 8
Uncheck the Enable session state check box.
Press Ok to exit Application Configuration Property Pages.
Press Ok to exit the Web Site Property Pages.
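After applying the Server header, X-Powered-By and session changes above, it is worth checking a captured response rather than trusting the dialogs. The following is an added example, not part of the original article or the XMask filter: it parses a raw HTTP response and reports the identifying headers this article discusses, plus the ASP session cookie (named ASPSESSIONID followed by random characters) and the X-AspNet-Version header that later ASP.NET releases add. The sample responses are constructed.

```python
import re

# Headers that give away the web server or platform. X-AspNet-Version is not
# named in the article; later ASP.NET releases add it, so it is checked too.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def parse_response_headers(raw: str):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def audit_headers(raw: str) -> dict:
    """Return the identifying headers found, keyed by lower-case header name.
    An empty dict means the response no longer reveals server or platform."""
    _, headers = parse_response_headers(raw)
    findings = {}
    for name, value in headers:
        if name in FINGERPRINT_HEADERS and value:
            findings[name] = value
        # ASP Session object cookies are named ASPSESSIONID plus random
        # characters, so match on the prefix only.
        elif name == "set-cookie" and re.match(r"ASPSESSIONID\w*=", value, re.I):
            findings["set-cookie"] = value.split(";", 1)[0]
    return findings

# Constructed sample responses: before and after the article's changes.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Microsoft-IIS/6.0\r\n"
          "X-Powered-By: ASP.NET\r\n"
          "Set-Cookie: ASPSESSIONIDQABCDEFG=ABCDEFGHIJKLMNOP; path=/\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Content-Type: text/html\r\n"
         "Cache-control: private\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        found = audit_headers(raw)
        print(label, "->", found or "no identifying headers")
```

Feed it the headers captured from your own server (for example from a telnet session to port 80) to confirm that all three sections took effect.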
Distinct Extensions
A final way that hackers or regular users can detect that you are running an IIS server is to look at the file extensions you are using. For example, if you are using the .asp extension, it is very likely that you are running IIS. To mask your .asp extensions you can map them to a different extension, like .htm. This means that all your .htm pages will run through the ASP engine; however, the ASP engine has a fast path for files that do not contain ASP code, so the performance hit is very minimal. If you feel uncomfortable with this, you can also make up an extension to use. You can do the same thing with ASP.NET and the .aspx extension. Here is how to map your .asp files to another extension:
Windows 2000:
Open up Internet Server Manager From Start | Programs | Administrative Tools
Expand the tree until you see your server name and right click on the server node of the tree
From the drop down menu choose "Properties"
Click on the edit Button under Master Properties.
Choose the "Home Directory" tab.
Press the Configuration Button.
Choose "App Options" (See Figure 9)
Figure 9
Press the "Add…" button.
In "Executable:" set the ASP ISAPI extension to: C:\WINNT\System32\inetsrv\asp.dll (See Figure 10)
Figure 10
Set the Extension to htm
Set the Verbs to "Limit to:" and add GET,HEAD,POST,TRACE
Make sure "Script engine" and "Verify that file exists" are checked.
Press Ok to exit the "Add/Edit Application Extension Mapping" dialog.
Windows 2003:
Open up Internet Information Services (IIS) Manager From Start | All Programs | Administrative Tools
Expand the tree until you see the "Web Sites" node and right click on it.
From the drop down menu choose "Properties"
Choose the "Home Directory" tab.
Press the Configuration Button.
Choose the "Mappings" tab (See Figure 11)
Figure 11
Press the "Add…" button.
In "Executable:" set the ASP ISAPI extension to: C:\WINDOWS\system32\inetsrv\asp.dll (See Figure 12)
Figure 12
Set the Extension to htm
Set the Verbs to "Limit to:" and add GET,HEAD,POST,TRACE
Make sure "Script engine" and "Verify that file exists" are checked.
Press Ok to exit the "Add/Edit Application Extension Mapping" dialog.
Press Ok to exit the Application Configuration Property Pages.
Press Ok to exit the Web Site Property Pages.
Once you have mapped the new extension in IIS, you need to change the extension of all your pages from .asp to .htm (or whatever extension you chose). You also need to change all the links in those pages to point to the new extension. This is probably the hardest part.
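The renaming and link rewriting can be scripted. The following is an added example, not part of the original article: it rewrites every .asp reference in the site's pages (href, src, action, include file=...) to the new extension and then renames the .asp files themselves, refusing to overwrite an existing file of the target name. It assumes a plain file tree of UTF-8 pages; the two-page site in run_demo() is constructed for demonstration.

```python
import re
from pathlib import Path

# Matches ".asp" only when followed by a query string, anchor, quote, whitespace,
# ")" or ">" (or end of text), so ".aspx" and longer words are left alone.
ASP_REF = re.compile(r"\.asp(?=[?#\"'\s)>]|$)", re.IGNORECASE)
PAGE_EXTS = {".asp", ".htm", ".html", ".inc"}

def rewrite_references(text: str, new_ext: str = ".htm") -> str:
    """Point href/src/action/include references at the new extension."""
    return ASP_REF.sub(new_ext, text)

def mask_asp_extension(site_root: Path, new_ext: str = ".htm") -> dict:
    """Rewrite links in every page under site_root, then rename *.asp files.
    Returns counts so the change can be reviewed before the site goes live."""
    renamed = rewritten = 0
    pages = [p for p in site_root.rglob("*")
             if p.is_file() and p.suffix.lower() in PAGE_EXTS]
    for page in pages:
        original = page.read_text(encoding="utf-8")
        updated = rewrite_references(original, new_ext)
        if updated != original:
            page.write_text(updated, encoding="utf-8")
            rewritten += 1
    for page in pages:
        if page.suffix.lower() == ".asp":
            target = page.with_suffix(new_ext)
            if target.exists():  # a static page of the same name would be clobbered
                raise FileExistsError(f"{target} already exists; resolve before masking")
            page.rename(target)
            renamed += 1
    return {"renamed": renamed, "rewritten": rewritten}

def run_demo() -> tuple:
    """Build a constructed two-page site in a temp dir, mask it, return the result."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "default.asp").write_text('<a href="login.asp?next=1">Login</a>', encoding="utf-8")
    (root / "login.asp").write_text('<form action="default.asp"></form>', encoding="utf-8")
    counts = mask_asp_extension(root)
    names = sorted(p.name for p in root.iterdir())
    return counts, names, (root / "login.htm").read_text(encoding="utf-8")

if __name__ == "__main__":
    print(run_demo())
```

Run it against a copy of the site first and review the counts; links built dynamically in script code or stored in a database still have to be found by hand.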
The Code
For those of you interested in the code for XMask, the ISAPI filter that removes the Server HTTP header: it is really very simple. Once the ISAPI filter entry points are in place, the actual work is one line of code.
#include <windows.h>
#include <httpfilt.h>
#include <string.h>

// GetFilterVersion: called once when IIS loads the filter. We ask to be loaded
// high in the filter order and to receive SF_NOTIFY_SEND_RESPONSE on both
// secure and non-secure ports.
extern "C" BOOL WINAPI GetFilterVersion(PHTTP_FILTER_VERSION pVer)
{
    BOOL bReturn = TRUE;
    try
    {
        pVer->dwFilterVersion = HTTP_FILTER_REVISION;
        // Start from the default priority, clear the priority bits, then load high
        pVer->dwFlags = SF_NOTIFY_ORDER_DEFAULT;
        pVer->dwFlags &= ~SF_NOTIFY_ORDER_MASK;
        pVer->dwFlags |= SF_NOTIFY_ORDER_HIGH;
        // Set the notifications we are interested in
        pVer->dwFlags |= SF_NOTIFY_NONSECURE_PORT |
                         SF_NOTIFY_SECURE_PORT |
                         SF_NOTIFY_SEND_RESPONSE;
        // Load the description string (buffer is SF_MAX_FILTER_DESC_LEN bytes)
        strncpy(pVer->lpszFilterDesc, "XMask V1.0", SF_MAX_FILTER_DESC_LEN - 1);
        pVer->lpszFilterDesc[SF_MAX_FILTER_DESC_LEN - 1] = '\0';
    }
    catch (...)
    {
        bReturn = FALSE;
    }
    return bReturn;
}

// HttpFilterProc: called for every notification registered above
extern "C" DWORD WINAPI HttpFilterProc(PHTTP_FILTER_CONTEXT pfc,
                                       DWORD dwNotificationType,
                                       LPVOID pvNotification)
{
    DWORD dwReturn = SF_STATUS_REQ_NEXT_NOTIFICATION;
    try
    {
        switch (dwNotificationType)
        {
        case SF_NOTIFY_SEND_RESPONSE:
        {
            // Setting a header to the empty string removes it from the response.
            // (SetHeader takes LPSTR, so use writable buffers rather than literals;
            // passing '\0' here, as the first version did, converts to a NULL pointer.)
            char szName[] = "Server:";
            char szEmpty[] = "";
            PHTTP_FILTER_SEND_RESPONSE pResp = (PHTTP_FILTER_SEND_RESPONSE)pvNotification;
            pResp->SetHeader(pfc, szName, szEmpty);
            break;
        }
        default:
            break;
        }
    }
    catch (...)
    {
        // Error -- exception while editing the headers
        dwReturn = SF_STATUS_REQ_ERROR;
    }
    return dwReturn;
}
Full download of the source for Visual Studio .NET is available here: XMaskSrc.zip (3.5 KB).
Summary
Taking the steps mentioned above, it is very easy to hide your web server from hackers; however, it doesn't secure the server. It is like having a car alarm: it doesn't secure your car, but it might make the thief go find a car that is easier to break into.