
I was required to fix three low-risk security issues of a Web Application on a Windows 2003 server, .NET Framework 2.0, IIS/6.0.

  1. It is tracert-able. That may assist crackers in learning the network topology of the institute and the University.

    Suggestion >> ICMP packets should be blocked in both the inbound and outbound directions.

  2. It contains visible FrontPage files that directly describe the version information of the 'server extensions', the authorizing programs (admin.exe, author.exe, etc.) and the URLs of the display program (shtml.exe), etc. That may help crackers mount effective attacks on the server and so on.

    Suggestion >> those files should be deleted if you can, or if you need them, give them appropriate attributes or access protection.

  3. In the HTTP service, the response headers and/or Web contents contain IP address information of the internal network. That may help an effective attack on the internal network.

I don’t know exactly where to look and what to do to fix the issues. Firewall? IIS?

jss
    Hi jss, welcome to [security.se]. I think that the way the question is now, i.e. "how to configure the server", would be better served over on [sf]. However, I think a better (and more important) question that should first be asked, is whether or not to do these things at all, or rather what the risk actually is. (This should be asked here). You can edit the question, or if you want it can be moved to [sf] and you can ask a new question here. – AviD Oct 24 '12 at 22:56
  • If you think that my question should be moved, please do so. I am new at this site, so you'll make a better decision. – jss Oct 25 '12 at 00:23
  • @AviD: Just to notify you about my previous comment – jss Oct 25 '12 at 00:50

3 Answers


1) To restrict ICMP messages:

  1. Open Windows Firewall, and click the Advanced tab.

  2. In ICMP, click Settings.

  3. In the ICMP Settings dialog box, do the following:

    To block an ICMP message (prevent the ICMP message from passing through Windows Firewall), clear the check box next to the ICMP message and then click OK.

Note: If you check the 'Allow incoming echo request' box you will not be able to ping your server.

2) Find those files on the server (do a search) and either delete the files or change the permissions. You can change the permissions of a file by right clicking on it and then going into properties.

3) Depending on your version of IIS, you can follow one of these instruction sets: http://support.microsoft.com/kb/218180

Hammo
    Thank you Hammo. I am working on it. kb/218180 brought me to another, more detailed fix at http://blogs.msdn.com/b/webtopics/archive/2008/11/18/removing-an-iis-server-s-ip-address-from-http-responses.aspx for the IP address exposure (issue 3). – jss Oct 24 '12 at 23:58
  • @Hammo, related to issue 2 (exposure of information about authorizing programs, etc.): html files in C:\inetpub\wwwroot can be retrieved by TELNET, for example GET /_vti_inf.html HTTP/1.1. I renamed _vti_inf.html, and of course it is not visible by the above command. Should I change the permissions of the folder wwwroot? Hints? – jss Oct 25 '12 at 08:34
  • You may want to take a more nuanced approach to ICMP - see this overview: http://security.stackexchange.com/questions/22711/is-it-a-bad-idea-for-a-firewall-to-block-icmp – Colin Pickard Jan 06 '15 at 16:28

I think for providing Web Application Security you should investigate Web Application Firewalls. ModSecurity is a good open-source WAF and provides a good, comprehensive Core Rule Set (CRS) which you can tune for your application. It works as a plugin for Apache but also works with IIS as a reverse proxy.

Ali Ahmad
  • ModSecurity seems to be a good tool, but it is still beta on IIS. I am afraid of being in the position of requiring a rollback without knowing how. – jss Oct 26 '12 at 02:03

Partial answer
Issue 3 (IP exposure) was solved by these steps:

  1. Ensure Windows 2003 server SP2 is installed.
  2. C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set w3svc/1/UseHostName true
  3. Run the HotFix script at http://support.microsoft.com/default.aspx?scid=kb;EN-US;935469
  4. Verify/check that the IP address is not exposed in the Content-Location field by
    Telnet [IP] 80
    GET / HTTP/1.0 (press Enter twice and receive the following output)

HTTP/1.1 200 OK
Content-Length: 6645
Content-Type: text/html
Content-Location: (IP ADDRESS MUST NOT APPEAR HERE!!)
...

Detailed clarifications can be found in:
http://support.microsoft.com/kb/218180
https://forums.iis.net/t/1182550.aspx

Glorfindel
jss