Monday, May 16, 2005

ServerMask: Improve IIS Security

One feature of IIS that has often been requested is some way of removing all traces of the server version. If you surf to, the server rather gives away what version of IIS is running. Doing a GET on my site produces, inter alia, the following headers:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET

Knowing that this site is running IIS 5 tells the potential cracker a lot about the OS that's running (i.e. Windows 2000) and therefore which attacks may work, and which will not work, on that platform.

Port80's ServerMask product strips off the banners indicating what version of IIS you are running, which in turn adds another layer of protection to your defense-in-depth strategy.
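
A check a site owner can run over their own responses to see what the banners give away, before and after masking. This is an added example, not code from this post or from Port80. The IIS-to-Windows entries other than IIS 5, the X-AspNet-Version header and the masked sample response are assumptions added here.

```python
import re

# IIS releases ship with specific Windows releases, so the banner implies the OS.
# Only the IIS 5.0 entry comes from the post; the rest are added for illustration.
IIS_TO_WINDOWS = {
    "4.0": "Windows NT 4.0",
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "6.0": "Windows Server 2003",
}

# Headers whose only job is to advertise the software stack.
STACK_HEADERS = {"x-powered-by", "x-aspnet-version"}

def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...])."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0].strip(), headers

def audit_banner(raw):
    """Return a list of findings describing what the response discloses."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            m = re.match(r"Microsoft-IIS/(\d+\.\d+)", value)
            if m:
                os_name = IIS_TO_WINDOWS.get(m.group(1), "unknown Windows release")
                findings.append(f"Server discloses IIS {m.group(1)} (implies {os_name})")
            elif re.search(r"/\d", value):
                findings.append(f"Server discloses product version: {value}")
        elif lname in STACK_HEADERS:
            findings.append(f"{name} discloses application stack: {value}")
    return findings

# Constructed samples: the headers quoted in the post, and a masked response.
EXPOSED = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nX-Powered-By: ASP.NET\r\n\r\n"
MASKED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("exposed", EXPOSED), ("masked", MASKED)):
        print(label, audit_banner(raw) or "no version disclosure found")
```

An empty result means only that these headers no longer name the version; the check looks at nothing else in the response.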

