WebApp Sec mailing list archives

RE: IIS 7 Header Block Module - Released


From: Rafel Ivgi <rafelivgi () gmail com>
Date: Thu, 12 May 2011 21:31:47 +0300

Hi Everyone,

URLScan still works in IIS 7.5 with some basic settings, I just
blogged about it today :)
http://www.defensia.co.il/2011/05/12/hardening-iis-7-5-on-windows-2008-server-r2-sp1/


Rafel Ivgi,
Defensia


On Thu, May 12, 2011 at 3:52 PM, Context IS - Disclosure
<disclosure () contextis co uk> wrote:

Context Information Security have released a module for IIS 7 to block information leakage from HTTP headers.  A 
standard web application penetration test recommends the removal of any version number information.  Previously the 
IIS urlscan tool could be used to block this information, however, for IIS 7 this is no longer possible, therefore 
Context have released this module to block this information.

HTTP headers are name/value sets of data that are transmitted between the client (web browser) and the web server. 
HTTP headers are used to transmit key data such as HTTP cookies.

Excessive HTTP headers can aid an attacker by either identifying particular technologies used within a web 
application or presenting specific software version information. Whilst minimising the attack surface by preventing 
information leakage is not a panacea it is a step towards improving security.

With the introduction of new Microsoft frameworks such as ASP.Net and MVC it appears that the number of HTTP headers 
returned by the IIS web server is increasing. An example of these headers is shown below:

Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

The commonly recommended method for removing HTTP headers within a Microsoft environment involves a combination of 
URLScan, application web.config changes and changes via the IIS Manager application. However, this is not convenient 
for large scale infrastructures and it should also be noted that the Server header cannot be removed by any of these 
methods for IIS 7. With the increased popularity of the Microsoft IIS7 web server, it is important that specific 
security recommendations can be applied to the latest web server technologies.

HeaderBlock is a .Net module that presents an easy way to remove key HTTP headers before they are transmitted from 
the web server to the client. The module will block the Server, X-AspNet-Version and X-AspNetMvc-Version headers.

The module comes in both binary and source formats so the code can be modified by the user if required.

Download from: http://www.contextis.co.uk/resources/tools/headerblock/
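As an added example (not Context's HeaderBlock source, which is at the link above), this is the shape of an IIS 7 integrated-pipeline managed module that strips the headers the announcement names; it also drops X-Powered-By, which appears in the sample leak above. The class name is hypothetical.

```csharp
using System;
using System.Web;

// Hypothetical module name; a managed IHttpModule for the IIS 7 integrated pipeline.
// It removes version-disclosing response headers just before they are written to the wire.
public class StripVersionHeadersModule : IHttpModule
{
    // Headers the announcement above describes as information leakage.
    private static readonly string[] BlockedHeaders =
    {
        "Server",
        "X-AspNet-Version",
        "X-AspNetMvc-Version",
        "X-Powered-By"
    };

    public void Init(HttpApplication app)
    {
        // PreSendRequestHeaders is the last managed hook before the header block
        // leaves the server, so headers added by later pipeline stages are caught too.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null)
        {
            return;
        }

        HttpResponse response = app.Context.Response;
        foreach (string name in BlockedHeaders)
        {
            // Response.Headers is writable only under the integrated pipeline (IIS 7+);
            // in classic mode this throws PlatformNotSupportedException, which is why
            // the web.config-only approaches cannot touch the Server header.
            response.Headers.Remove(name);
        }
    }

    public void Dispose()
    {
        // Nothing to release.
    }
}
```

Register it under `<system.webServer><modules>` in web.config with `runAllManagedModulesForAllRequests="true"`, otherwise static-file and IIS-generated error responses bypass the module and still carry the Server header; verify with a raw request against both a dynamic page and a static file.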



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
