Remove IIS server version worked for HTTP, but not HTTPS!

Question

Hello,
I used the HTTP Response headers and changed IIS to the Apache, but Nmap tool could detect IIS on port 443. How can I change it on port 443 too?

Thank you.

Answer 1

Can you share some of your experiences about the hackers?

Be happy to. Caveat: I have been retired the past 4 years so I've been out of touch a bit and I don't know what the current threat landscape is. Memory might be a little fuzzy too.

This is somewhat of an opinion, but I wouldn't mess around with Apache or trying to hide that you're running IIS. The hackers don't care if your site reports that it's IIS or Apache or CICS/COBOL. They're gong to throw every known exploit at you.

The biggest problem that we had was SQL injections. Some of our sites were ASP based and were particularly vulnerable. I implemented UrlScan to block certain requests. Later IIS versions have request filtering instead of urlscan.

https://blogs.iis.net/peterviola/blocking-sql-injection-with-iis-request-filtering

I wrote a VB script (circa 2002) to analyze the query strings in the IIS logs. What I noticed was that hacking requests usually contained 3 or more encoded spaces, "%20". They also had parens and brackets, "(" and "[". The script flagged these requests for me to analyze because sometimes they were legitimate requests. I also looked for ".exe" and ".dll" in the request.

I also see that at one point in time I was looking at these sequences. These came from UrlScan.

https://forums.iis.net/t/1165537.aspx

'   ..  ; Don't allow directory traversals
'   ./  ; Don't allow trailing dot on a directory name
'   \   ; Don't allow backslashes in URL
'   :   ; Don't allow alternate stream access
'   %   ; Don't allow escaping after normalization
'   &   ; Don't allow multiple CGI processes to run on a single request

I dug into my archives and here are the strings that I parsed out of my logs for UrlScan. Some might be redundant and as I mentioned earlier, memory might be a bit fuzzy here. You would need to do your own analysis on your logs to see what the current injection strings are.

%20and%20char(124)%2buser%2bchar(124)
%20as%20varchar(
%20as%20nvarchar
(select%20top%20
%20and%20db_name()
%20and%20%28db_name%28
%20from%20sysobjects%20where%20
%20varbinary(
%20cast(is_srvrolemember
%20table_name%20from%20information_schema.tables
(select%20top%201%20convert
select%20*%20from%20sysobjects)
cast(0x4400450043004c004100520045
cast(0x4445434c415245204054207661
%20and%20user%3e0%20and%20
)%2buser%2bchar(
%20from%20tbluser
%20cursor%20for%20select%20
%20from%20information_schema.columns%20
%20and%20user%2bchar(
)%2bdb_name()%2bchar(
%20and%20(select%20len
%20and%20len(db_name(
%20and%20unicode(substring
%20is_srvrolemember('sysadmin'
%20and%20'1'='1
%20and%20exists%20(select%20*%20from%20
select%20top%209%20userid%20from%20
=convert(int,(select%20top%20
%20and%20exists%20(select%20"

One final item was to look at any IP's that had high activity. We would block the IP's where the activity looked suspicious. As we moved sites to Akamai and behind content switches that kinda diminished in value. And the hackers would just move to different networks too. Still, it's something that you want to keep an eye on. The LogParser tool is great for that kind of analysis.

Wish I could help you more with request filtering but I left UrlScan in place and then with changes in my "work situation" I no longer cared if those folks got hacked or not.

Answer 2

Hello,
No idea about it?

Answer 3

configured an IIS web site to return a header

Add the response header at the server level instead of at the site level.

Or add the header to all web sites.

Answer 4

Nmap detected my server as an IIS:

Mine too. Even though I set the headers to report as MVS and CICS.

https://nmap.org/book/man-version-detection.html

After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS family (e.g. Windows, Linux).

https://nmap.org/book/vscan.html

To reiterate what I posted in my first reply, this falls into the "So What?" category. If' you've got a web server exposed to the internet, then you are likely running one of these web servers.

https://w3techs.com/technologies/overview/web_server

If you really have IIS running but you set the host headers to report that you are running Apache, It's not like any hacker is going to say: "well, he's running Apache, so we will only run Apache specific hack attempts against him".

Heck no, they are going to try every known exploit that they have access to to see if they can break into your server. Because you never know when an IIS exploit might work on Apache.

Disclaimer: The above reply is my personal opinion based on decades of professional experience. I do not represent Microsoft.

Answer 5

Should I remove it completely?

I would, I don't see any value in adding a header that says that you are running Apache.

Are you sure no one can hide the IIS version from the scanners like Nmap?

No, I am not sure. If your organization is extremely concerned with your public facing web site, then it might be a good idea to hire a security firm who specializes in penetration testing and web security analysis and have them probe your sites and see what they recommend. The company that I used to work for did that, but it was 6 years ago. I don't remember who did that for us.

You should be able to use the configuration editor and remove the header. Start at the server level and set it to false.

system.webServer/security/requestFiltering

Then check each of your sites to see that they are inheriting the server config.