Thanks for the quick answer Jim! As for the information disclosure, it just annoyed me more than it really posed a threat, and I was just wondering if there was a way to silence it :) I mean, that could lead someone to think "Oh, right. It's behind a NAT contraption of some sort, there might then be an IDS around, I'll be more sneaky".

What annoys me with NTLM is that anyone can send a request including the Authorization: NTLM field for basically anything, and also I saw a case where a request with the NTLMSSP_REQUEST_TARGET flag would trigger the server to further leak information out, such as the machine name and the domain, if you are twisted enough to have your web server on the domain if you can avoid it... then again, this doesn't really help anyone.

I have other things to harden on this server before I take care of these slight annoyances, but I was wondering if filtering it with ISA would be something I could suggest to my employer in the end. That last question answered it, thanks :)

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: February 23, 2006 10:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IIS Hardening and ISA

http://www.ISAserver.org

A#1 - Other than (slight) information disclosure, internal IPs in banners don't really tell anyone much unless they get inside your network, and then they can sort that out for themselves pretty quickly anyway. Is your system so secure now that you have time to work on these super-fine points?

A#2 - NTLM is no more susceptible to password attack methodology than is any other HTTP auth method. In fact, NTLM *can* provide better security since the password (in NTLMv2) is non-reversible "on the wire". Win2K and later use NTLMv2 by default.

A#3 - Look in the HTTP Filter settings (r-click the rule, select "configure HTTP") under the "header" tab. You can obfuscate the server and via (proxy) headers.
-----Original Message-----
From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
Sent: Thursday, February 23, 2006 6:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] IIS Hardening and ISA

http://www.ISAserver.org

Hello!

At first you'll be thinking "But that ain't got nothing to do with ISA!", but bear with me for a moment. I'm currently in the process of hardening a Windows Server 2003 based web server and during my research, a few issues came up. The first one might be obvious to fix, but I don't immediately see any solution.

1) IIS is rather chatty about its internal private RFC address. Not that it is really important, but it kind of annoys me, since it could probably help one determined enough to map out the topology of the network. It's a tiny leak of information that I'd rather tone down a bit because I'm paranoid. (But shouldn't we all be?)

2) When IIS is configured to use NTLM authentication (as opposed to, say, basic) I assume (I could be wrong) that this could open the door to brute force attacks on a particular local or domain user... however there are times where you must and will use NTLM.

So my question is this: While I can configure IIS to return a FQDN instead of an IP address, that will not prevent those leaks from occurring /entirely/. And while I can disable NTLM and use, say, basic authentication inside an SSL tunnel, there are times where this is neither convenient nor practical... Is there anything that can be done with ISA on the front, publishing the web server, to filter out or tone down those two minor security issues? With Apache I could use mod_rewrite, and I could plug the authentication into PAM and specify wait times between retries to tarpit brute-force attacks...

Thanks!
--
Alexandre Gauthier
Network Analyst/Analyste Réseau
Québec Loisirs

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
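The thread above describes a published IIS server that, once a client negotiates NTLM with the NTLMSSP_REQUEST_TARGET flag, answers with a challenge naming the machine and its domain. The Python below is an added example and is not part of the list thread, of IIS or of ISA Server; it decodes the NTLM CHALLENGE_MESSAGE carried in a "WWW-Authenticate: NTLM <base64>" response header and lists every host and domain name in it, so an administrator can audit exactly what their own server reveals before and after adjusting the reverse proxy's header handling. The message layout, flag bits and AvId values follow the public MS-NLMP specification; the sample challenge, the names WEBSRV01, CORP and corp.example.test, and the helper function names are constructed for this example only.

```python
import base64
import struct

# NEGOTIATE_FLAGS bits from MS-NLMP 2.2.2.5 (only the ones this example inspects).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# AvId values of the AV_PAIR entries in TargetInfo (MS-NLMP 2.2.2.1).
AV_NAMES = {
    0x0001: "MsvAvNbComputerName",
    0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName",
    0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName",
    0x0006: "MsvAvFlags",
    0x0007: "MsvAvTimestamp",
}
# The AV pairs whose values are host or domain names, i.e. the topology disclosure.
NAME_AV_IDS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005}


def _av_pairs(target_info: bytes) -> list:
    """Walk the AV_PAIR list up to MsvAvEOL and return (name, value) tuples."""
    pairs, pos = [], 0
    while pos + 4 <= len(target_info):
        av_id, av_len = struct.unpack_from("<HH", target_info, pos)
        value = target_info[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        name = AV_NAMES.get(av_id, "MsvAvUnknown(%d)" % av_id)
        if av_id in NAME_AV_IDS:
            pairs.append((name, value.decode("utf-16-le", "replace")))
        else:
            pairs.append((name, value.hex()))
    return pairs


def parse_challenge_message(blob: bytes) -> dict:
    """Decode an NTLM CHALLENGE_MESSAGE (type 2) and summarise what it discloses."""
    if blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", blob, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", blob, 20)[0]                     # NegotiateFlags
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", blob, 40)   # TargetInfoFields
    raw_name = blob[tn_off:tn_off + tn_len]
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    target_name = raw_name.decode(codec, "replace")
    target_info = blob[ti_off:ti_off + ti_len] if flags & NTLMSSP_NEGOTIATE_TARGET_INFO else b""
    av = _av_pairs(target_info)
    names = {v for n, v in av if n in AV_NAMES.values() and n != "MsvAvFlags" and n != "MsvAvTimestamp"}
    if target_name:
        names.add(target_name)
    return {"flags": flags, "target_name": target_name, "av_pairs": av,
            "disclosed_names": sorted(names)}


def disclosed_names_from_header(www_authenticate: str) -> list:
    """Given the value of a 'WWW-Authenticate: NTLM <base64>' header, list the names it reveals."""
    scheme, _, token = www_authenticate.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("header does not carry an NTLM challenge token")
    return parse_challenge_message(base64.b64decode(token))["disclosed_names"]


def build_challenge_message(target_name: str, av_pairs: list, flags: int,
                            challenge: bytes = b"\x01\x23\x45\x67\x89\xab\xcd\xef") -> bytes:
    """Assemble a CHALLENGE_MESSAGE the way a server would; used only to construct the sample."""
    tn = target_name.encode("utf-16-le")
    ti = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in av_pairs)
    ti += struct.pack("<HH", 0, 0)  # MsvAvEOL
    header_len = 48                 # no optional Version field in this sample
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 2)
    hdr += struct.pack("<HHI", len(tn), len(tn), header_len)
    hdr += struct.pack("<I", flags) + challenge + b"\x00" * 8
    hdr += struct.pack("<HHI", len(ti), len(ti), header_len + len(tn))
    return hdr + tn + ti


# Constructed sample: what a domain-joined server answering with target info looks like.
SAMPLE_AV_PAIRS = [
    (0x0002, "CORP".encode("utf-16-le")),                        # MsvAvNbDomainName
    (0x0001, "WEBSRV01".encode("utf-16-le")),                    # MsvAvNbComputerName
    (0x0004, "corp.example.test".encode("utf-16-le")),           # MsvAvDnsDomainName
    (0x0003, "websrv01.corp.example.test".encode("utf-16-le")),  # MsvAvDnsComputerName
]
SAMPLE_FLAGS = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET
                | NTLMSSP_TARGET_TYPE_SERVER | NTLMSSP_NEGOTIATE_TARGET_INFO)
SAMPLE_HEADER = "NTLM " + base64.b64encode(
    build_challenge_message("WEBSRV01", SAMPLE_AV_PAIRS, SAMPLE_FLAGS)).decode("ascii")

if __name__ == "__main__":
    info = parse_challenge_message(base64.b64decode(SAMPLE_HEADER.split(" ", 1)[1]))
    print("TargetName:", info["target_name"])
    for name, value in info["av_pairs"]:
        print("  %-22s %s" % (name, value))
    print("Names disclosed:", ", ".join(info["disclosed_names"]))
```

To audit a real server, copy the value of the WWW-Authenticate header from the 401 response that follows the client's first NTLM negotiate and pass it to disclosed_names_from_header; an empty list means the challenge carries neither a target name nor target info, which is the outcome the poster was after. Note that MsvAvFlags and MsvAvTimestamp are reported as hex but excluded from the disclosed-name list, since they are not topology information.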