 Installation
Installing ServerMask is very simple. Once you have downloaded the installer executable from the Port80 Web site, double click on the file to begin the ServerMask setup program.
The ServerMask setup program will guide you through the steps necessary to complete the installation. You will be asked to accept the license agreement and to choose an installation destination. The default installation location is C:\Program Files\Port80\ServerMask.
ServerMask installs the following files in the following default locations:
In C:\%SystemRoot%\System32\inetsrv\

| File | Description |
| --- | --- |
| sm_isapi.dll | ServerMask ISAPI Filter DLL |

In C:\Program Files\Port80\ServerMask\

| File | Description |
| --- | --- |
| ServerMask Properties.exe | ServerMask Settings Manager |
| StripExt.exe | Port80 Software File Extension Stripper Utility |
| w3svcupd.exe | Installer utility for updating metabase |
| Documentation.htm | ServerMask HTML Documentation |
| ReleaseHistory.htm | ServerMask Release History |
| TechSupport.htm | Shortcut to online technical support |
| Setacl.exe | ACL Utility |
| Unwise.exe | Uninstaller |
| Install.log | Installation log file |
| Activation.txt | Activation Help |

In C:\Program Files\Port80\ServerMask\images\

Image files used by Shortcut to online technical support

In C:\Program Files\Port80\ServerMask\files\

Image files used by ServerMask HTML Documentation
 Working with the Settings Manager
The Settings Manager can be launched from the Port80/ServerMask program group in the Start menu, or directly by running ServerMask Properties.exe. The Settings Manager controls ServerMask to remove or modify identifying information that would otherwise be exposed by the Web and related services on this computer.
To enable or disable ServerMask for every Web site, use the check box at the top of the Settings Manager. After making any changes on the ServerMask Settings Manager, you must press "Apply" or "OK" for the changes to take effect. These settings will be inherited by all Web sites hosted on this server.
To migrate all configuration settings from one server/computer to another, use the File/Export Settings menu option on the source machine to save out a .zeg file (Port80 Registration file) to disk. Next, copy this file to the target machine(s) that has ServerMask installed, and then use the File/Import Settings menu option to read the file and import the settings. All existing settings on the target machine will be erased.
The Settings Manager is organized into five tabbed sections, including "Server Header", "Cookies", "Remove Headers", "Advanced Masking", and "E-mail Banners":
 Masking Server Headers
The Server header value in HTTP responses is the easiest way to identify a Web server and, by proxy, an operating system. Under the "Server Header" tab are the configuration options for manipulating the HTTP Server header (this image is identical to the image above from the "Working with the Settings Manager" section):

To enable masking of the Server header for all sites, place a check in the box labeled "Enable Server header masking." on this tab. Once this control is enabled, you have four masking options, represented by four radio buttons:
- Select the first radio button to remove the HTTP Server header entirely.
- To replace the Server header value with the name of a non-IIS server, select the second radio button, and then select a server name from the drop-down list for masking.
- To have the Server header value replaced by a random rotation of non-IIS server names, select the third radio button. Once selected, a textbox will appear where you can adjust the interval of requests between the rotations from one non-IIS Server header name to another. The default interval for rotation of Server header names is every 1000 requests.
- To specify a custom name for the Server header name, select the fourth radio button and enter the desired alternate name in the textbox.
Once your changes have been entered into this tab, click "Apply" or "OK" to apply the changes to all site responses.
 Masking Cookies
The names of session cookies used by server-side scripting technologies like ASP, ASP.NET, PHP, JSP, SiteServer, ColdFusion, or any application server can reveal the identity of the Web server, the scripting environment and, in some cases, allow correct inferences about the operating system. Under the "Cookies" tab are the configuration options for manipulating the HTTP Cookie header name:
To mask your session cookies for all sites, navigate to the "Cookies" tab and place a check in the box labeled "Mask all session cookies on list". Once this control is enabled, you will be able to manage cookie masking options:
- To edit one of the default cookie masks, select the cookie name from the "Cookie name(s) to mask" list. Supply an alternate name for the session cookie by typing it into the "Alternate name" textbox below the list. Click "Update" to save your changes.
- To add your own custom cookie masks, deselect any highlighted cookie names on the list, then enter a new cookie name to mask in the "Cookie name" textbox below the list and also a new cookie mask in the "Alternate name" textbox. Click "Add" to add your session cookie mask to the list.
- To remove a session cookie that is no longer needed, highlight it in the list and click "Remove."
- Once your changes have been entered into this tab, click "Apply" or "OK" to apply the changes to all site responses.
 Removing Headers
Other headers are injected into HTTP responses and can be used to identify the Web server and/or related scripting environments. Many of these headers advertise certain technologies via the HTTP header but provide no real functional value for a site or application. Use ServerMask to remove well-known default headers related to IIS or Windows -- or remove any header that you like from an HTTP response. Under the "Remove Headers" tab are the configuration options for removing any HTTP header response on IIS:
To remove headers for all sites, navigate to the "Remove Headers" tab and place a check in the box labeled "Remove all HTTP headers on list". Once this control is enabled, you will be able to manage header removal options:
- To edit one of the default headers to remove from an HTTP response, select the header name from the "Header name(s) to remove" list. Supply an alternate name for the target header to remove by typing it into the "Header" textbox below the list. Click "Add" to save your changes.
- To add your own headers to remove, deselect any highlighted header names on the list, then enter a new header name to remove in the "Header" textbox below the list. Click "Add" to add your target header to remove to the list.
- To stop removing a header from HTTP responses that is on the list currently, highlight the header name on the list and click "Remove."
- Once your changes have been entered into this tab, click "Apply" or "OK" to apply the changes to all site responses.
 Advanced Masking Options
There are many other ways to perform reconnaissance on an IIS Web server. Under the "Advanced Masking" tab are the configuration options for other powerful IIS anti-reconnaissance features, some of which require code or server set-up changes to fully leverage:
To manage advanced masking options, navigate to the "Advanced Masking" tab. Use this tab to enable and disable these options based on the level of anti-reconnaissance security you are looking to achieve:
Advanced HTTP Headers Anti-Reconnaissance
- Mask internal IP addresses with FQDN in Content-Location header: For requests to directories with mapped default pages or when content is served from computers on the network but not on the IIS server that is handling the initial request, the internal IP address location of that content is printed in the HTTP Content-Location header when IIS serves the response. When this option is checked and enabled, ServerMask will attempt to replace these internal, perhaps sensitive, IP addresses with the Fully Qualified Domain Name (FQDN) or the host name for the site for which IIS is delivering the response.
- Emulate common non-IIS server ETag format: ETags are HTTP headers that a client can consume and then feed back to a server in the If-None-Match request header; if the server resource has not changed, the server will respond with a 304, indicating that the client can use the file originally requested with the ETag, as it has not been modified since the original request. IIS can be fingerprinted via the format of the ETag header in the HTTP responses, but you can use this option in ServerMask to emulate two Apache Web server and one Sun (Netscape Web server) ETag formats for obfuscation. This feature does not break ETag functionality in any way.
- Emulate Apache Web server HTTP headers order: The order of the various headers in an HTTP response can be used to identify a Web server. This is one reason why URLScan is not a useful anti-reconnaissance tool, as it allows you to remove some headers that are IIS-specific but it actually creates a unique order in IIS header responses that can be fingerprinted. IIS itself also has a unique HTTP header order fingerprint. By using this ServerMask option, HTTP headers will appear in the order that they would in an Apache Web server HTTP response, providing another layer of misdirection.
- Emulate Apache (ALLOW) header format: When an ALLOW method request is made to IIS, the order and format of the HTTP response is a known signature. Use this option to respond as the Apache Web server would respond to this request in terms of header format and order to add further misdirection against potential hackers.
- Disable WebDAV to remove identifying headers: On Windows 2000 systems with Service Pack 3 or greater installed, you can disable WebDAV to prevent this service from responding to certain HTTP requests by sending headers that can be used to identify the operating system. To disable WebDAV, check this box. Note: This feature will be disabled on NT 4.0 systems. On Windows 2003 systems, WebDAV is disabled by default.
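To confirm that the Server header, cookie, header-removal and Content-Location options described above have taken effect, you can audit a saved raw response from your own site. The following is an added example, not Port80 code: both responses are constructed samples, and the cookie and header name lists are assumptions based on well-known defaults, not ServerMask's own lists.

```python
import ipaddress
import re

# Constructed sample responses (not captured from a real server).
UNMASKED = ("HTTP/1.1 200 OK\r\n"
            "Server: Microsoft-IIS/6.0\r\n"
            "Content-Location: http://10.1.2.3/Default.htm\r\n"
            "X-Powered-By: ASP.NET\r\n"
            "Set-Cookie: ASPSESSIONIDQCBSRDTA=ABCDEF; path=/\r\n\r\n")
MASKED = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache\r\n"
          "Content-Location: http://www.example.com/Default.htm\r\n"
          "Set-Cookie: SID=ABCDEF; path=/\r\n\r\n")

# Assumed lists of well-known defaults; ServerMask's own lists are not shown on the page.
SESSION_COOKIES = re.compile(
    r"^(ASPSESSIONID\w*|ASP\.NET_SessionId|JSESSIONID|PHPSESSID|CFID|CFTOKEN)$", re.I)
PLATFORM_HEADERS = {"x-powered-by", "x-aspnet-version", "microsoftofficewebserver"}

def parse_headers(raw):
    """Return the (name, value) pairs of a raw response, in wire order."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def is_private_ip(host):
    """True only for literal IPs in private ranges; host names return False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def audit_response(raw):
    """List (finding, detail) pairs for headers that still identify the platform."""
    findings = []
    for name, value in parse_headers(raw):
        lname = name.lower()
        if lname == "server" and "microsoft-iis" in value.lower():
            findings.append(("server-header", value))
        elif lname in PLATFORM_HEADERS:
            findings.append(("platform-header", name))
        elif lname == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if SESSION_COOKIES.match(cookie):
                findings.append(("session-cookie", cookie))
        elif lname == "content-location":
            m = re.match(r"[a-z][a-z0-9+.-]*://([^/:]+)", value, re.I)
            if m and is_private_ip(m.group(1)):
                findings.append(("internal-ip", m.group(1)))
    return findings
```

An empty list from `audit_response` means none of these four signals remain; it does not cover the ETag, header-order or response-code signatures, which depend on format details not given here.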
File Extension Anti-Reconnaissance
- Support URLs and HTTP requests without file extensions to mask extension signatures: It does little good to mask basic IIS response signatures if you leave ".aspx" or another file extension reference in your source code that indicates any file that is IIS-specific. Also, reliance on file extensions can cause issues with URL breaks in the future when you migrate from one technology to another (ASP to ASP.NET, etc.). Based on PageXchanger technology, this option in ServerMask allows you to remove your file extensions from all source code references and to serve files with no extensions in the source code or URL display. ServerMask will process the request and serve the file with the extension still available on the server side to the client. The browser or cache will receive the file and render or cache it with no issues, but the client will not know what the file type is by the file extension (http://[hostname]/foo.asp would become http://[hostname]/foo in your source code and URL display). Browsers and caches will still be able to render and cache the files based on MIME type. The only challenge to using this feature is to make sure that you do not have two files with the same name (example: foo.aspx and foo.html) in the same directory level (ServerMask will serve the first instance of a file it finds at the given directory level). Use this feature on source code with file extensions removed to avoid any serious performance or user experience issues.
Removing File Extensions with the Port80 Software File Extension Stripper Utility
Although you can prepare your source code for file extension anti-reconnaissance by using "find and replace" or the w3compiler, ServerMask ships with a free command line utility called the Port80 Software File Extension Stripper (StripExt.exe). This free tool based on w3compiler technology is designed to help you easily remove file extensions from the source code of Web sites and applications for use with security and content negotiation programs like ServerMask and PageXchanger. This tool does not ever overwrite your existing Web site files, but makes a copy of those source files into a new target directory, removing as many file extension references as possible from the code in the process. Once the file extensions have been removed, you can test advanced file-extensionless serving with ServerMask and PageXchanger.
This program can be launched from the Start Menu (by default, Start Menu > All Programs > Port80 > ServerMask > Port80 File Extension Stripper) or from the command line (by default, C:\Program Files\Port80\ServerMask\StripExt.exe).
Launch StripExt.exe. To safely remove file extensions, this utility will remove all file extensions in relative URL references that it scans. To identify possible absolute references to your own domain(s) that you might want to remove for a site (while making sure that remote, third party site links in the source code continue to function), you will first be asked to enter any possible domain(s) for the site that may have absolute URL references in your code (separate multiple domains with a comma). As an example, if your domain was http://www.port80software.com, enter "port80software.com"; if you have multiple domains that reside in the same site, enter them in a comma separated list like "port80software.com,servermask.com".
The tool then asks for the source directory or file location to remove file extensions from (this directory or file must exist). After entering the source code location, you will be prompted to enter the target location to which the StripExt.exe will publish a new copy of your source code with as many file extension references removed as possible -- enter the path to an existing folder. If you do not specify a directory/folder that exists, the tool will create the new directory in the path you provide (if you just enter the name of a folder to create, the tool will publish the target directory to the desktop of your current user session).
StripExt.exe will then ask you to confirm your source code and target locations (type "y" for yes to confirm the locations on the screen, or "n" to cancel the StripExt.exe session). After confirmation, StripExt.exe will parse your source code and publish a copy to the target directory, printing its progress on the screen. Once complete, you will receive a confirmation and a prompt to start a new session.
Proceed to your target directory, and you should have files with no file extension references (and any characters that follow where the file extension was before removal -- variables and/or query strings -- should be unaffected and will be correctly negotiated by ServerMask). Once published to your Web server running ServerMask, you should have file extension anti-reconnaissance in place.
Share this utility with your Web development team: Since it is a standalone utility, StripExt.exe can also be redistributed to Web developers and/or site managers for remote use. This utility is freeware (once you have purchased ServerMask) and requires no activation.
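Because ServerMask serves the first file it finds when two files in one directory share a name, it is worth scanning a site for such clashes before enabling extensionless serving. The following is an added example, not part of ServerMask or StripExt.exe: the function names and the sample site built by `demo()` are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict


def find_extension_collisions(root):
    """Map each directory (relative to root) to the base names shared by 2+ files."""
    collisions = {}
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(list)
        for fname in files:
            stem, _ext = os.path.splitext(fname)
            # Windows file names are case-insensitive, so compare lowercased stems.
            by_stem[stem.lower()].append(fname)
        clashes = {s: sorted(n) for s, n in by_stem.items() if len(n) > 1}
        if clashes:
            collisions[os.path.relpath(dirpath, root).replace(os.sep, "/")] = clashes
    return collisions


def demo():
    """Build a constructed sample site in a temp directory and scan it."""
    sample = ["foo.aspx", "foo.html", "index.htm",
              "app/login.asp", "app/Login.html", "app/report.aspx"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_extension_collisions(root)


if __name__ == "__main__":
    for directory, clashes in demo().items():
        for stem, names in clashes.items():
            print(f"{directory}/{stem}: {', '.join(names)}")
```

Point `find_extension_collisions` at the source directory you plan to give StripExt.exe and resolve every reported name before publishing.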
Response Code Anti-Reconnaissance
- Normalize and mask various response code messages and formats: The actual format and order of headers on IIS for various types of specific HTTP response conditions, notably some 200, 400, 403, 404, 405, and 501 responses, can be used as Web server signatures and should be normalized. With this option enabled, ServerMask will change the format and sometimes the basic descriptive content of these responses in the HTTP headers to remove these identifiable signatures, using the format and description from Apache and other Web servers for the same HTTP status code responses. These format and message changes will have no negative effect on browser rendering of these responses or on a proxy cache's ability to manage the response. For more detailed information on this feature, please contact Port80 Software Support.
Once your feature selections and changes have been entered into this tab, click "Apply" or "OK" to apply the changes to all site responses.
 Masking E-mail Banners
While best practice is to separate e-mail and HTTP services on different physical machines/OS instances, ServerMask provides limited features to mask default banners for e-mail services bundled with IIS in w3svc on Windows that hackers can use for reconnaissance purposes. Under the "E-mail Banners" tab are the configuration options to change these banner responses:
To mask the e-mail banners for the SMTP, POP, and IMAP connections and disconnections, navigate to the "E-mail Banners" tab to manage e-mail banner options:
- To modify one of the banners for an e-mail service that is enabled on the OS, click the available banners to edit on this tab with a check box and then type in the new e-mail banner mask name. Once your changes have been entered into this tab, click "Apply" or "OK" to apply the changes to all site responses.
- If a service is not enabled on the OS, these e-mail banners will appear grayed out on the tab. In the screenshot above, notice only the SMTP banner is editable, as this was the only e-mail-related service running on the test server where the screen shot was made.
 System Requirements
ServerMask is compatible with the following:
- IIS 6.0 (Windows 2003)
- IIS 5.0 (Windows 2000)
- IIS 4.0 (Windows NT 4.0)
- IIS 5.1 (Windows XP Pro)*
ServerMask has been tested with the following Win32 scripting environments/server extensions:
- ASP.NET
- ASP (2.0 and 3.0)
- FrontPage Server Extensions (publishing)
- Outlook Web Access (For Exchange 2000 only)
- Cold Fusion Server (5.0, MX and MX 6.1)
- ActiveState Perl (5.6.1, ISAPI and CGI configurations)
- PHP (4.2.1, CGI configuration)
- JSP
ServerMask has also been tested for compatibility with Microsoft's IIS LockDown and URLScan security utilities.
 Port80 Software Technical Support
support@port80software.com
www.port80software.com/support
888.4PORT80 (888.476.7880) toll free
858.268.7960 phone
858.268.7760 fax