RE: IIS Hardening and ISA

  • From: Alexandre Gauthier <gauthiera@xxxxxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 Feb 2006 10:42:31 -0500

Thanks for the quick answer Jim!

As for the information disclosure, it just annoyed me more than it really
posed a threat, and I was just wondering if there was a way to silence it :)
I mean, that could lead someone to think "Oh, right. It's behind a NAT
contraption of some sort, there might then be an IDS around, I'll be more
sneaky".

What annoys me with NTLM is that anyone can send a request including the
Authorization: NTLM field for basically anything, and also I saw a case
where a request with the NTLMSSP_REQUEST_TARGET flag would trigger the
server to further leak information, such as the machine name and the
domain, if you are twisted enough to have your web server on the domain when
you can avoid it... then again, this doesn't really help anyone.

I have other things to harden on this server before I take care of these
slight annoyances, but I was wondering if filtering it with ISA would be
something I could suggest to my employer in the end.

That last question answered it, thanks :)

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: 23 February 2006 10:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IIS Hardening and ISA

http://www.ISAserver.org

A#1 - other than (slight) information disclosure, internal IPs in banners
don't really tell anyone much unless they get inside your network and then
they can sort that out for themselves pretty quickly anyway.  Is your system
so secure now that you have time to work on these super-fine points?

A#2 - NTLM is no more susceptible to password attack methodology than is any
other HTTP auth method.  In fact, NTLM *can* provide better security since
the password (in NTLMv2) is non-reversible "on the wire".  By default, Win2K
and later use NTLMv2.

A#3 - Look in the HTTP Filter settings (r-click the rule, select "configure
HTTP") under the "header" tab.  You can obfuscate the server and via (proxy)
headers.

-----Original Message-----
From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
Sent: Thursday, February 23, 2006 6:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] IIS Hardening and ISA

http://www.ISAserver.org

Hello!

At first you'll be thinking "But that ain't got nothing to do with ISA!",
but bear with me for a moment.

I'm currently in the process of hardening a Windows Server 2003 based web
server and during my research, a few issues came up. The first one might be
obvious to fix, but I don't immediately see any solution.

1) IIS is rather chatty about its internal private RFC address. Not that it is
really important, but it kind of annoys me, since it could probably help one
determined enough to map out the topology of the network. It's a tiny leak
of information that I'd rather tone down a bit because I'm paranoid. (But
shouldn't we all be?)

2) When IIS is configured to use NTLM authentication (as opposed to, say,
basic) I assume (I could be wrong) that this could open the door to brute
force attacks on a particular local or domain user... however there are
times where you must and will use NTLM.

So my question is this:

While I can configure IIS to return a FQDN instead of an IP address, that
will not prevent those leaks from occurring /entirely/. And while I can
disable NTLM and use, say basic authentication inside an SSL tunnel, there
are times where this is neither convenient nor practical...

Is there anything that can be done with ISA on the front, publishing the web
server to filter out or tone down those two minor security issues?

With Apache I could use mod_rewrite, and I could plug the authentication into
PAM and specify wait times between retries to tarpit brute-force attacks...

Thanks!

--
Alexandre Gauthier
Network Analyst/Analyste Réseau
Québec Loisirs

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.
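An added example, not code from anyone in this thread: a small Python audit script that checks one captured HTTP response for the two disclosures discussed above. It flags private (RFC 1918) addresses in response headers, and it decodes the NTLM challenge (Type 2 message) a server returns in WWW-Authenticate, listing the target name and the AV_PAIR names (NetBIOS and DNS computer and domain names) it carries, which is where the machine name and domain mentioned above travel. The message layout, flag values and AV_PAIR ids follow MS-NLMP; the sample response, host names and address are constructed for the example and are not from any real server. Run against your own published server's 401 response, it shows in one place which disclosures are still present.

```python
"""Audit one HTTP response for private IPs in headers and for the names
carried in an NTLM CHALLENGE_MESSAGE (Type 2). Layout per MS-NLMP."""
import base64
import ipaddress
import re
import struct

# NegotiateFlags bits from MS-NLMP
NEGOTIATE_UNICODE = 0x00000001
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
TARGET_TYPE_DOMAIN = 0x00010000
NEGOTIATE_TARGET_INFO = 0x00800000

# AV_PAIR ids that carry names (MsvAvNbComputerName .. MsvAvDnsTreeName)
AV_NAMES = {1: "NetBIOS computer name", 2: "NetBIOS domain name",
            3: "DNS computer name", 4: "DNS domain name", 5: "DNS tree name"}
CHALLENGE_HEADER_LEN = 48  # fixed part without the optional Version field


def build_challenge(target_name, av_pairs, flags):
    """Assemble a CHALLENGE_MESSAGE; used only to construct the sample below."""
    target = target_name.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16-le")))
                    + v.encode("utf-16-le") for av_id, v in av_pairs)
    info += struct.pack("<HH", 0, 0)                     # MsvAvEOL terminator
    target_off = CHALLENGE_HEADER_LEN
    info_off = target_off + len(target)
    header = (b"NTLMSSP\0" + struct.pack("<I", 2)        # Signature, MessageType
              + struct.pack("<HHI", len(target), len(target), target_off)
              + struct.pack("<I", flags)
              + bytes(range(8))                          # constructed ServerChallenge
              + b"\0" * 8                                # Reserved
              + struct.pack("<HHI", len(info), len(info), info_off))
    return header + target + info


def parse_challenge(blob):
    """Return flags, TargetName and the name-bearing AV_PAIRs of a Type 2 message."""
    if blob[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    t_len, _, t_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    i_len, _, i_off = struct.unpack_from("<HHI", blob, 40)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    out = {"flags": flags, "target_name": blob[t_off:t_off + t_len].decode(enc),
           "target_info": {}}
    if flags & NEGOTIATE_TARGET_INFO:
        pos, end = i_off, i_off + i_len
        while pos + 4 <= end:
            av_id, av_len = struct.unpack_from("<HH", blob, pos)
            pos += 4
            if av_id == 0:                               # MsvAvEOL
                break
            if av_id in AV_NAMES:                        # AV strings are always UTF-16LE
                out["target_info"][AV_NAMES[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
            pos += av_len
    return out


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_private_ips(header_block):
    """List (header, address) pairs whose value contains a private IPv4 address."""
    hits = []
    for line in header_block.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for m in IPV4_RE.finditer(value):
            try:
                addr = ipaddress.ip_address(m.group(0))
            except ValueError:
                continue
            if addr.is_private:
                hits.append((name.strip(), str(addr)))
    return hits


def audit_response(header_block):
    """Run both checks on one raw response header block."""
    report = {"private_ips": find_private_ips(header_block), "ntlm": None}
    m = re.search(r"^WWW-Authenticate:\s*NTLM\s+(\S+)", header_block, re.M | re.I)
    if m:
        report["ntlm"] = parse_challenge(base64.b64decode(m.group(1)))
    return report


# Constructed sample: a 401 from an NTLM-enabled server behind a proxy (hypothetical names).
SAMPLE_CHALLENGE = build_challenge(
    "CORP",
    [(2, "CORP"), (1, "WEB01"), (4, "corp.example"), (3, "web01.corp.example")],
    NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM | TARGET_TYPE_DOMAIN | NEGOTIATE_TARGET_INFO)
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 401 Unauthorized",
    "Server: Microsoft-IIS/6.0",
    "Content-Location: http://10.0.0.12/default.htm",
    "Via: 1.1 isa.corp.example",
    "WWW-Authenticate: NTLM " + base64.b64encode(SAMPLE_CHALLENGE).decode("ascii"),
    "Content-Length: 0", "", ""])

if __name__ == "__main__":
    for key, value in audit_response(SAMPLE_RESPONSE).items():
        print(key, "->", value)
```

The two findings are deliberately reported separately: the address sits in a plain header, while the NTLM names sit inside the base64 challenge body, so a header-level rewrite on its own does not change them.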

