Tom said:
>Basically you're saying that it's an option now but the next
>worm may be able to circumvent this as well using
>simple reverse DNS lookup.
Yes and no. We can get away with it because we are using pure virtual
hosting. If someone does a reverse lookup of our primary server they get a
FQDN that isn't used to host pages. Something like "web1.fqdn.net". Even
if the attacker was smart enough to get that host name, using it as a Host
header wouldn't net them anything because they'd still get the "no web site
configured for this address".
Dave Watts said:
>your IIS server is still receiving the requests - it's just not logging
>those requests, since it doesn't have a virtual server which will accept
>the requests.
True, but how many exploits have we seen against core IIS versus how many
have we seen for document handlers? HTA, IDQ, ASP, just to name a few. If
you absolutely must leave those document handlers installed and configured,
it can't hurt to add an extra layer in front of them. That's all I'm
sayin'.
Having said that, of course, the next worm is going to exploit an unchecked
buffer in the Host header parser in IIS core, I just know it. ;)
>so it's not much of a security measure by itself - security through
>obscurity.
Definitely not. :) That's why I described it as an "extra", not as a
solution. Any server admin who doesn't start bare-bones and build up (or at
least remove all the default stuff they never use) is just asking for
trouble. MS hasn't made this easy for us, by helping us out and giving us
such a wonderfully diversely configured web server out of the box, but it's
still worth every second to go in there and rip the guts out.
Speaking of which, I note that the W2KResKit has some kind of IIS metabase
move utility. It's supposed to allow you to set up an IIS server and then
replicate the settings without having to go through it all manually all over
again. I haven't had any use for it in my current job (we don't have many
servers), but you farmer-types might want to check it out.
-R
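The "extra layer" described above, as an added example that is not code from the original thread: a minimal model of name-based virtual hosting with no default site, showing why a request addressed by IP, by the reverse-DNS name of the box, or with no Host header at all is refused before any document handler sees it. The site names, IP address and handler extensions are constructed for illustration.

```python
# Constructed configuration: only these names are bound to a web site.
CONFIGURED_SITES = {"www.example-shop.net", "intranet.example-shop.net"}
# From the post: the name the server IP resolves to, which hosts no pages.
REVERSE_DNS_NAME = "web1.fqdn.net"
# Document handlers of the kind named in the post; reachable only past the front door.
RISKY_HANDLERS = (".ida", ".idq", ".hta", ".asp")


def parse_request(raw: bytes):
    """Return (request-target, host) from a raw HTTP/1.x request.

    host is None when the Host header is absent; both are None if the
    request line is malformed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    try:
        _method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None, None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().split(":")[0].lower()  # drop :port, normalise case
    return target, host


def dispatch(raw: bytes) -> str:
    """Model of the server front door: refuse unknown hosts before routing."""
    target, host = parse_request(raw)
    if target is None:
        return "400 malformed request"
    if host not in CONFIGURED_SITES:
        # Bare IPs, the reverse-DNS name and a missing Host header all land here.
        return "404 no web site configured for this address"
    resource = target.split("?", 1)[0].lower()
    if resource.endswith(RISKY_HANDLERS):
        return f"handler invoked for {resource}"  # only reachable via a real site name
    return "200 static page"


if __name__ == "__main__":
    # Constructed sample: the same request sent by IP and by the real site name.
    by_ip = b"GET /default.ida?x HTTP/1.0\r\nHost: 203.0.113.10\r\n\r\n"
    by_name = b"GET /default.ida?x HTTP/1.1\r\nHost: www.example-shop.net\r\n\r\n"
    print(dispatch(by_ip))    # refused at the front door
    print(dispatch(by_name))  # reaches the .ida handler
```

As the thread itself notes, this only filters requests addressed to an unconfigured name; a flaw in the core request parser would run before the check.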
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists