Since its launch, Port80 Software has caught some serious gripes about ServerMask and the concept of server anonymization. “It's just security by obscurity.” “Who cares, Jacko?” “Anonymization? That ain't even a real word.” “You guys couldn't secure a loan, much less a Web server.”
A recent critic put it this way, explaining why he thinks you should not worry about masking your server:
I believe this is the least important part of securing your webserver. The most important is to make sure you're up to date on security updates and have removed all unneeded services that could be used against you. Cloaking your OS and webserver will provide you with little or no security, especially if an attacker can determine the information in other ways (case sensitivity, backslash behaviour).
I've noticed most attackers use the shotgun approach to exploiting vulnerabilities -- fire everything they have at the server, and see if any of it takes. My apache webservers (which make no effort in hiding what they are) are hit with IIS vulnerability probes all the time. If I ran public IIS webservers, I imagine I'd notice the same for Apache probes.
The most important advice: Stay up to date, stay up to date, and limit your exposure!
Ouch.
It hurts, but he is right. There are many ways to ID a Web server, and it may be impossible to lock down every signature, to remove all prints from the room before the fingerprint kits show up, so to speak. However, our clients in the financial, government, and e-commerce industries find that the additional layer of security, with a focus on defense-in-depth, makes sense given the sensitive and business-critical nature of their Web systems. You don't get a lot of quotes or case studies on this type of passive security enhancement, but admins and site stakeholders alike want to do everything they can to thwart attackers. So, they anonymize (and IDS and firewall and patch). The shotgun-approach hacker may or may not rely on IIS signatures to initiate an attack, but any attack that is misdirected into failure is worth the effort (in our opinion).
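The critic's point is that a masked banner is only one signature among several, and the defense-in-depth argument above only holds if you know which other signatures your server still gives away. The following self-audit script is an added example, not Port80 code and not part of ServerMask: it takes the response headers and the path-handling observations (the case-sensitivity and backslash behaviour the critic mentions) that an administrator recorded from their own server, and reports both version-disclosing headers and masks that the server's behaviour contradicts. The platform mapping and the input dictionaries are constructed assumptions for illustration.

```python
import re

# Headers whose mere presence names a technology, and a version-number pattern.
TECH_HEADERS = {"x-powered-by", "x-aspnet-version"}
VERSION_RE = re.compile(r"\d+\.\d+")
PRODUCT_RE = re.compile(r"(Microsoft-IIS|ASP\.NET|Apache|nginx)", re.I)
# Heuristic assumption: the platform each product token usually runs on.
PLATFORM_OF = {"microsoft-iis": "windows", "asp.net": "windows",
               "apache": "unix", "nginx": "unix"}

def banner_disclosures(headers):
    """Names of headers that leak a version or a technology name outright."""
    return [name for name, value in headers.items()
            if name.lower() in TECH_HEADERS or VERSION_RE.search(value)]

def platform_from_banner(headers):
    """Platform the banners claim (possibly a mask), or None if no product named."""
    for value in headers.values():
        match = PRODUCT_RE.search(value)
        if match:
            return PLATFORM_OF.get(match.group(1).lower())
    return None

def platform_from_behaviour(obs):
    """Platform suggested by path handling recorded from one's own server.

    obs = {"case_insensitive_paths": bool, "backslash_as_separator": bool}.
    Both traits together point at a Windows host; neither points at Unix.
    Missing or mixed observations are treated as inconclusive."""
    case = obs.get("case_insensitive_paths")
    slash = obs.get("backslash_as_separator")
    if case is None or slash is None:
        return None
    if case and slash:
        return "windows"
    if not case and not slash:
        return "unix"
    return None

def audit(headers, obs):
    """Findings a defender wants: leaked banners, and masks the behaviour contradicts."""
    findings = [f"header {h} discloses product/version: {headers[h]}"
                for h in banner_disclosures(headers)]
    claimed, observed = platform_from_banner(headers), platform_from_behaviour(obs)
    if observed and claimed and observed != claimed:
        findings.append(f"banner claims {claimed} but path handling looks like "
                        f"{observed}: mask is detectable")
    elif observed and claimed is None:
        findings.append(f"banner is masked but path handling still reveals {observed}")
    return findings
```

Run it against the headers and probe results from your own server before trusting the mask; a mismatch finding means the banner change alone is buying less than it appears to.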
Relatedly, Port80's late-night reading division came across this book excerpt (from Spies Among Us) showing cyber criminals using exactly this reconnaissance technique, searching for IIS Web server fingerprints to pick their targets, with great success, as early as 2000:
There were several other break-ins that primarily focused on hosting companies that hosted Web merchants and Unix systems. Until January 2000, Alexey was pursuing these extortion attempts on his own, supplementing his income from the eBay and Amazon fraud endeavors. When Gorshkov and Alexey spun off tech.net.ru, Alexey introduced Gorshkov to his side job and convinced him that they should be doing more of this.
Given that Alexey previously focused on Unix systems, it is likely that Gorshkov was the one who suggested a more efficient way of finding victims. The pair started using the Yahoo search engine to find vulnerable sites. They searched for banks, online merchants, online casinos and other organizations that processed financial transactions; then they did a cross-search to look for signs that the sites used the Microsoft IIS Web server software. The IIS Web server has many known vulnerabilities that are likely to be present if the systems are not well maintained. Of course, they were very successful.
So, we end with our critic's finest recommendation, one we would all do well to follow:
Limit your exposure!
Curious for your feedback,
Jeremiah @ Port80