
As you can see from the tag, I know that security by obscurity is not true security.

So consider a server available to the Internet on port 443 (SSL) of a fixed IP address in the dialup range of a telecommunications provider only. When https'ed, it shows an IIS 8 welcome page. The server can be reached via IP address only, no DNS entry (except the usual ip-<ip>.customers.provider.com entry that is set for EVERY IP address in the provider's range). The IP address is stored in the mail accounts of Windows Phone, iOS and Android devices, and entered from browsers with Google, Bing, and Yahoo auto-search, thus technically known to Google, Apple, Yahoo and Microsoft, and possibly other third-party application vendors if these can access mail account settings from their applications.

Furthermore it is used for browsing the Internet and writing email, and is stored in many server logs, etc., etc., and especially on the sites where one has to log in, like Stack Exchange, you can see easily that it is a fixed IP address, since the IP address has always been tied to the same username for the last two years.

On that IIS server, OWA and ActiveSync are running. Both are required to access mail from everywhere. These are the applications that I would expect on an IIS server, and try first when I see an IIS welcome page.

Apart from doing Windows/Exchange updates regularly, using hard passwords, introducing all employees to the concepts of phishing and social engineering, and hoping that our email is not interesting enough to justify a fully fledged attack directed at us especially, could it make sense to "secure" the server by changing the page returned on a "naked" HTTPS request to a page indistinguishable (including all headers) from an "It works!" Apache page?

I could use some gooood arguments that a CEO, who came up with that idea in the first place, may understand.

EDIT: No, I don't need to get top management's support for security. The CEO seems to care for security already, or else he would not come up with such ideas for "improvement". I am not a security guy with certificates and all, just a concerned citizen, mainly developer, part-time server administrator. Our company does not have a real security guy; we are four people right now.

Since I do server administration part time, I was asked to change the server. But before I dig down deep for information on how to change the default headers in IIS, I would like to question the whole "project"...

Xander
Alexander
  • `nmap` the server and it will show other services. With fingerprinting it might detect OS. What's the CEO trying to do, hide the software that's running on the server? You do realize many network daemons have various signatures when you connect to them? – domen Jul 16 '15 at 08:24
  • possible duplicate of [How to get top management support for security projects?](http://security.stackexchange.com/questions/56530/how-to-get-top-management-support-for-security-projects) – RoraΖ Jul 16 '15 at 11:28
  • TL;DR CEO thinks that HTTP request spoofing an IIS webserver as an Apache server will make things more secure. What are some reasons I can use to convince him that it is a waste of time and won't make the server any more secure? The server runs OWA and ActiveSync. Pretty much everything else in the question is extraneous information. – Conor Jul 16 '15 at 17:22
  • In my experience spoofing the request headers doesn't solve the issue. We do a similar practice for our general hardening procedures. And we still get random blind attacks that do platform specific exploit attempts despite our headers telling them we run different. We still spoof because it still stops some attacks. But like stated freely available tools like nmap can guess a system pretty well. Overall security by obscurity should be used as a thin layer in your security practices at best. – Bacon Brad Jul 16 '15 at 18:46
  • What exactly is your question? You need some good arguments -- some good arguments for what? Your implicit premise seems to be that this is a bad idea. Why do you think this is a bad idea? This seems more like a workplace relationship management question than a technical question. Your CEO suggests doing something that probably won't offer any benefit but also won't do any harm, and that's easy to implement. What should you do? Tell your CEO "sure, I can do that", spend 5 minutes to implement it, and move on. Everyone walks away happy. – D.W. Jul 16 '15 at 20:11
  • Your CEO has an idea for a (perhaps tiny) increment to security. It has no downsides. Let The Wookie Have This One. – bmargulies Jul 16 '15 at 21:29

4 Answers


You don't need DNS names to be detectable.

The entire IPv4 can be scanned in less than a day. And it has been done. And it is still going on.

Therefore you must assume that your IP address has been discovered.

-> Make this a nice demo. Download the 25 GB dump and show your CEO that your company's certificate is in there.

Further reading

StackzOfZtuff
  • I believe the question was (in far too many words) whether the IIS default page should be changed to e.g. an empty page. This answer somehow doesn't fit that question. – AndreKR Jul 16 '15 at 14:47
  • @AndreKR That won't really help. IIS still sends the server header and the well-known M$ apps will still run at predictable paths that `nmap` can easily check. – billc.cn Jul 16 '15 at 16:00
  • @AndreKR: you're right. I got agitated when I heard unlisted/un-DNS-ed IPs and "Security" mentioned too close to one another. ;) – StackzOfZtuff Jul 17 '15 at 11:23

This might make very casual surfers move on, but anyone running any sort of scan on your server will discover the OS, web server version and running software.

For example the nmap http-enum NSE script should detect that Outlook Web Access is running should anyone care to run it against your server.

Yes, by all means replace the home page with something else. I would not go for anything "default" though, even that of another OS or web server platform, as default may say "we've just set this up and we don't know what we're doing security wise", so it may encourage script kiddies and the like to enumerate it.

There is little implementation cost in creating your own standard index page, and it would probably make a small proportion of web stumblers move on to something more interesting. However, most of your efforts in securing the server should revolve around hardening as you've described.

SilverlightFox

I agree with you that security by obscurity should never be the primary defense, but I also agree that you should never make it easy for an attacker to detect the services you are running.

An attacker would probably first try to figure out the version of your web server by banner grabbing. So you should make sure that IIS is not giving away such information in that way.

And sure, it would make sense to hide or replace the default welcome page. I would not call that securing the server, but just making it harder for an attacker to detect the version/type of the service you are running.

By scanning for open ports, the attacker will be able to find and probably fingerprint other services you are running and by that also conclude that you must be running IIS, but you should not give away such information easily.

pineappleman
  • "will be able to find and probably fingerprint other services". And other URLs. If you're going to spoof Apache for the welcome page, then you'll probably want to spoof Apache for the 404 page too, since the next thing the attacker will try is a phpmyadmin URL, so you might not want that to identify you as IIS either. And so it begins. Six months later you realise you've been inventing and implementing a whole series of "doesn't hurt and might help" ideas tinkering around with what's still a very small part of your attack surface. But it's fun :-) – Steve Jessop Jul 16 '15 at 21:46
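As an added example (not from the question or any of the answers), this is the site-level web.config fragment that removes the banner-style headers an IIS 8 / ASP.NET site sends by default; it assumes the IIS URL Rewrite module is installed, because IIS 8 has no built-in switch for the Server header and the outbound rule below blanks it instead.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET adds X-AspNet-Version by default; turn it off -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- IIS adds "X-Powered-By: ASP.NET" by default; drop it -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- Assumption: the URL Rewrite module is installed. IIS 8 cannot
         remove the Server header on its own, so this outbound rule
         rewrites its value to an empty string on every response. -->
    <rewrite>
      <outboundRules>
        <rule name="Blank Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Apply this at the site level rather than editing the web.config files Exchange ships inside its own virtual directories, which Exchange updates are known to overwrite. As the answers above note, OWA and ActiveSync still answer at their usual paths, so this removes the banner, not the fingerprint.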

At least your server wouldn't show up in a simple evil crawler that looks just for these welcome pages.

Or if you mask yourself as an Apache, following automatic attacks would hopefully fail.

So for a dedicated attack on your server, this makes it maybe just a tiny bit harder. But for automatic attacks this can make the difference.

flori