IIS Hardening and ISA

  • From: Alexandre Gauthier <gauthiera@xxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 Feb 2006 09:19:02 -0500

Hello!

At first you'll be thinking "But that ain't got nothing to do with ISA!",
but bear with me for a moment.

I'm currently in the process of hardening a Windows Server 2003 based web
server and during my research, a few issues came up. The first one might be
obvious to fix, but I don't immediately see any solution.

1) IIS is rather chatty about its internal private RFC address. Not that it is
really important, but it kind of annoys me, since it could probably help one
determined enough to map out the topology of the network. It's a tiny leak
of information that I'd rather tone down a bit because I'm paranoid. (But
shouldn't we all be?)

2) When IIS is configured to use NTLM authentication (as opposed to, say,
basic) I assume (I could be wrong) that this could open the door to brute
force attacks on a particular local or domain user... however there are
times where you must and will use NTLM.

So my question is this:

While I can configure IIS to return a FQDN instead of an IP address, that
will not prevent those leaks from occurring /entirely/. And while I can
disable NTLM and use, say, basic authentication inside an SSL tunnel, there
are times where this is neither convenient nor practical...

Is there anything that can be done with ISA on the front, publishing the web
server to filter out or tone down those two minor security issues?

With Apache I could use mod_rewrite, and I could plug the authentication in
PAM and specify wait times between retries to tarpit brute-force attacks...

Thanks!

--
Alexandre Gauthier
Network Analyst/Analyste Réseau
Québec Loisirs

