Thursday, August 4, 2011

IIS 7.5 and .NET Security: Part 1 - Security through Obscurity

There are several different security features you will want to use to protect your web server. One technique you should use is security through obscurity. I want to be very clear: this is only ONE aspect of security. It should definitely not be the only thing you do. I further want to stress that it is not much of a defense against a targeted attack. At best, you will fool a large percentage of the script kiddies who are only looking for easy scores, and make the automated scanners they run report bogus results.


The first step in any attack is recon. Anything we can do to mislead or delay this step pays dividends later on. If you can make a tool think that your IIS server is an Apache server, great. It just means the results the attacker gets will be bogus, and the exploits they try first will be for the wrong platform.

Most recon involves both OS and web server fingerprinting. I will only focus on web server fingerprinting. Most techniques look at a few basic things:

1)  Extension of the page being served. Example: .aspx
2)  Server headers. By default IIS will claim that it is IIS (Server: Microsoft-IIS/7.5), and ASP.NET adds X-Powered-By: ASP.NET and X-AspNet-Version headers on top of that.
3)  Session tokens. For example: JSESSIONID is almost always a Java application, which helps narrow down the field of web servers.

There are lots of articles on the web about (1), so I will skip it here.

2)  One of the easiest ways to change the Server header is to install WebKnight, the free ISAPI filter from AQTRONIX. Among the many features WebKnight offers, rewriting the Server header is one of them.

Doing this is quite simple. In the WebKnight configuration file there is a "Headers" section. You can set the Server header value to anything you want it to be. A good one is something like "Apache/2.0.64". Keep in mind that the Server header is added by the IIS kernel-mode driver (HTTP.sys), so you cannot remove or rewrite it with a plain web.config setting the way you can with the ASP.NET headers; you need a filter or module such as WebKnight, UrlScan (RemoveServerHeader=1), or a URL Rewrite outbound rule. The X-AspNet-Version header, on the other hand, is turned off with enableVersionHeader="false" on the httpRuntime element, and X-Powered-By is dropped from the HTTP Response Headers feature in IIS Manager.

3)  You need to change the cookie name used to store the session id. By default it is ASP.NET_SessionId. If that doesn't say "hack me", I'm not sure what does. The sessionState element inside web.config has an optional cookieName attribute that lets you change the name used. I suggest you change it. You can use something like Id, or ApplicationId, or WebsiteId, or something else really, really generic. If you want to continue mimicking an application running on Apache, you can make your attackers salivate by naming it PHPSESSID, which is PHP's default. Don't forget the other ASP.NET cookies while you are at it: the Forms Authentication ticket defaults to .ASPXAUTH, and its name is set with the name attribute of the forms element.
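The web.config fragment below is an added example, not a configuration from the original post. It puts steps (2) and (3) together: it renames the session cookie and the Forms Authentication cookie, and strips the two ASP.NET headers that web.config can control (the Server header itself still needs WebKnight or an equivalent filter). The cookie names "Id" and "auth" and the login URL are placeholders chosen for this example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Rename the session cookie (default name is ASP.NET_SessionId).
         "Id" is a placeholder; pick something equally generic. -->
    <sessionState mode="InProc" cookieName="Id" timeout="20" />

    <!-- Rename the Forms Authentication cookie (default name is .ASPXAUTH).
         "auth" and the loginUrl are placeholders for this example. -->
    <authentication mode="Forms">
      <forms name="auth" loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>

    <!-- Stop ASP.NET from adding X-AspNet-Version: 4.0.30319 -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop the X-Powered-By: ASP.NET header IIS adds by default -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying this, request a page that starts a session and confirm that the Set-Cookie line uses the new name and that neither X-AspNet-Version nor X-Powered-By appears; if X-Powered-By is still there, it is being inherited from the server-level configuration in applicationHost.config and must be removed there.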

Once again, these are just a couple of tricks you can use to try to fool some script kiddies. Most of this will delay a targeted attack at best.
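To check whether the changes above actually removed the tells, here is an added example (not code from the original post) that does the same fingerprinting an attacker's tool does: it parses a raw HTTP response and reports the Server header, the X-Powered-By / X-AspNet-Version headers, and any session cookie whose name gives away the platform. The two responses it examines are constructed for this example, one with IIS 7.5 defaults and one after the header and cookie changes.

```python
"""Report web-server fingerprinting tells in a raw HTTP response.

Added example, not part of the original post. Looks for the indicators the
post lists: the Server header, the ASP.NET version headers, and session
cookie names that identify a platform.
"""

# Well-known default session cookie names, lowercased for case-insensitive matching.
SESSION_COOKIE_TELLS = {
    "asp.net_sessionid": "ASP.NET",
    ".aspxauth": "ASP.NET Forms Authentication",
    "phpsessid": "PHP",
    "jsessionid": "Java servlet container",
}

# Product tokens a Server header may start with.
SERVER_TELLS = {
    "microsoft-iis": "IIS",
    "apache": "Apache httpd",
    "nginx": "nginx",
}

VERSION_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.x response into its status line and header pairs."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def fingerprint(raw: bytes) -> dict:
    """Return the Server value, cookie names seen, and a list of tells found."""
    status, headers = parse_response(raw)
    server = None
    cookies = []
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "server":
            server = value
            for token, platform in SERVER_TELLS.items():
                if value.lower().startswith(token):
                    findings.append(f"Server header claims {platform}: {value}")
        elif lname in VERSION_HEADERS:
            findings.append(f"{name} header present: {value}")
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            cookies.append(cookie_name)
            platform = SESSION_COOKIE_TELLS.get(cookie_name.lower())
            if platform:
                findings.append(f"Session cookie {cookie_name} identifies {platform}")
    return {"status": status, "server": server, "cookies": cookies, "findings": findings}


# Constructed sample: IIS 7.5 / ASP.NET 4 defaults.
DEFAULT_IIS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: same server after the header rewrite and cookie rename.
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.0.64\r\n"
    b"Set-Cookie: Id=abc123; path=/; HttpOnly\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_IIS), ("hardened", HARDENED)):
        result = fingerprint(sample)
        print(f"[{label}] server={result['server']!r} cookies={result['cookies']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The default response yields four tells (Server, both version headers, and the cookie name); the hardened one yields only the Apache claim you planted, which is the result you want a scanner to see. Feed it real responses captured with curl -i or a proxy to verify a deployment.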

2 comments:

  1. Security Through Obscurity
    Security through obscurity is a concept that suggests that a system can be made secure by keeping its design, implementation, or architecture secret. The idea is that if the details of a system are hidden, potential attackers will find it harder to exploit vulnerabilities. Here’s an overview of the concept:

    Key Points:
    Basic Premise:

    The belief is that by not disclosing the inner workings of a system, its security is enhanced because attackers lack knowledge of how to breach it.
    Common Applications:

    Often applied in software development, network configurations, and system architectures where proprietary techniques or algorithms are not shared publicly.
    Limitations:

    Not a Substitute for Security: Relying solely on obscurity can lead to a false sense of security. Security measures should be robust regardless of whether the details are known.
    Vulnerability Exposure: If the obscured information is eventually discovered (e.g., through reverse engineering), it can lead to a significant security breach.
    Community Review: Open-source and peer-reviewed approaches generally lead to more secure systems because vulnerabilities can be identified and fixed collaboratively.
    Best Practices:

    While obscurity can be a part of a broader security strategy, it should not be the primary defense mechanism. Instead, use strong encryption, access controls, regular updates, and thorough testing.
    Real-World Example:

    Certain proprietary software systems may rely on obscured code or methods to prevent exploitation, but reputable security practices also involve transparency in security protocols and ongoing audits.

    cyber security projects for students

  2. While not advocating for security through obscurity, it's essential to understand the basic security measures in IIS 7.5 and .NET to build a solid foundation:

    Network Security Projects For Final Year Students

    Information Security Projects For Final Year Students

    Directory Browsing: Disable directory browsing to prevent unauthorized access to file and directory listings.
    Default Documents: Configure default documents carefully to avoid exposing sensitive information.
    Error Handling: Customize error messages to prevent revealing sensitive information.
    Strong Passwords: Enforce strong password policies for user accounts and administrative credentials.
    Regular Updates: Keep IIS, .NET Framework, and operating system patched with the latest security updates.
    Web Application Firewalls (WAF): Consider using a WAF to protect against common web attacks.
    Intrusion Detection Systems (IDS): Monitor network traffic for suspicious activity.
