-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 02:00 AM 12/11/2001, Clement-Evans, Rhys wrote:
>The third method is by installing the Microsoft IIS Lockdown utility and
>setting the URLScan RemoveServerHeader variable to 1, and the
>AlternateServerName to the text of your choice. This would be my preferred
>option as you don't need to worry about service pack/patch file overwrites
>of w3svc.dll. Further details of lockdown are available from
>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
>- or for a quick look at the URLScan options -
>http://www.iisfaq.com/Articles/384/

Not to be overly pedantic, but you need to have RemoveServerHeader set to
0, not 1. A setting of 1 removes it altogether, regardless of what the
Alternate is set to.

To cross-post a bit, I think it interesting that a single "GET" on IIS 5
does not reflect an alternate setting - it will tell you the default, but
not the alternate. IIS4 gives you both... a "GET / HTTP/1.x" does give
it to you on both, but not just a "GET"...



AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPBZa04hsmyD15h5gEQIe1gCg56uYC4oc2edWLdDEKK4+POvHCTcAoJpa
Ik/wsdXb+uIjKQNTyWjXJCCw
=PdfI
-----END PGP SIGNATURE-----
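
The correction in the message above, as a configuration check. This is an added example, not part of the original thread or of URLScan itself; the function name and the sample urlscan.ini fragments are constructed, and a missing RemoveServerHeader key is assumed to mean 0.

```python
import configparser

# Constructed sample urlscan.ini fragments (not taken from the thread).
AS_FIRST_ADVISED = """\
[options]
RemoveServerHeader=1           ; strips the Server header entirely
AlternateServerName=WebServer  ; has no effect with the line above
"""
AS_CORRECTED = """\
[options]
RemoveServerHeader=0
AlternateServerName=WebServer
"""

def effective_server_header(ini_text):
    """Return (outcome, findings) for the [options] section of a urlscan.ini.

    outcome is 'removed', 'alternate:<text>' or 'default'.
    """
    cp = configparser.ConfigParser(
        allow_no_value=True,             # other sections hold bare values
        strict=False,                    # tolerate repeated entries
        delimiters=("=",),
        inline_comment_prefixes=(";",),
        interpolation=None,
    )
    cp.read_string(ini_text)
    # Match the section name case-insensitively.
    section = next((s for s in cp.sections() if s.lower() == "options"), None)
    opts = cp[section] if section else {}
    # Assumption: an absent RemoveServerHeader key is treated as 0.
    remove = (opts.get("removeserverheader") or "0").strip()
    alt = (opts.get("alternateservername") or "").strip()
    findings = []
    if remove == "1":
        if alt:
            findings.append(
                "AlternateServerName=%r is ignored because RemoveServerHeader=1" % alt)
        return "removed", findings
    if alt:
        return "alternate:" + alt, findings
    findings.append("default Server header is sent (no AlternateServerName set)")
    return "default", findings

if __name__ == "__main__":
    for name, text in (("as first advised", AS_FIRST_ADVISED),
                       ("corrected", AS_CORRECTED)):
        print(name, "->", effective_server_header(text))
```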

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
