ServerMask is an ISAPI filter that allows site administrators to remove identifying data from HTTP responses. This generation of ServerMask contains numerous security features for the prevention of data leakage from your IIS-based Web application stack, including:
- Application layer error suppression for PCI compliance
- Customizable HTTP error messages per site and directory
- One-to-many as well as one-to-one masking of session cookies
- Decoy session cookies with auto-generated decoys
- Enhanced emulation of non-IIS ETAG formats
- Ability to add arbitrary decoy HTTP headers
- Ability to remove, change or randomize the default IIS Server header
- Support for serving files without identifying file extensions (such as .aspx)
- Emulation of non-IIS HTTP header order
- Emulation of non-IIS Allow header format
- Ability to remove unnecessary HTTP headers
Along with these and other security capabilities, ServerMask provides significant configurability and platform compatibility improvements over previous versions such as:
- Full support for Server 2008 and Server 2008 R2
- Support for both 64-bit and 32-bit IIS Application Pools on 64-bit editions of Windows Server
- No dependency on IIS 6 APIs when running on IIS 7 and 7.5
- IP address white listing, including optional use of the HTTP X-Forwarded-For header
- Multiple default security profiles (Hide, Emulate, Randomize) to aid in configuration management
- The ability to customize any default profile for more granular control of configuration options
- The ability to apply different profiles to individual sites or groups of sites
- The ability to easily export and import settings across multiple servers
Installation, Activation, and System Requirements
ServerMask uses a single installer for both 32-bit and 64-bit installations. The installer determines which type of operating system is in use before installing the appropriate files. In addition, the installer is capable of installing any runtime packages required by ServerMask.
Depending on the current configuration of your IIS server(s), there are runtime prerequisites that might be missing or out of date when ServerMask is installed. The two most common are:
- .Net Framework 2.0 (or better)
- Visual C++ 2005 SP1
When the ServerMask installer detects that a runtime prerequisite is missing or out of date, it asks the user if an outbound Internet connection is available. (As a security best practice many production Web servers are not permitted to initiate HTTP connections.) If a connection is available, then the required files will be downloaded automatically. If a connection is not available, then the installer will provide instructions for downloading the necessary files from another computer. If it proves necessary to interrupt the installation in order to download files manually, the installer can either be left open in the meantime or else cancelled and rerun once the files are available locally.
Trial and Activation
When first installed ServerMask will be in trial mode. During this trial period, which lasts for 30 days, ServerMask is fully functional. At the end of the trial period, ServerMask will cease functioning. Your IIS server will of course continue to function normally, just as if ServerMask were not installed.
ServerMask may be activated at any time during the trial period or after that period has ended. Activation always requires the prior purchase of a ServerMask license from store.port80software.com, or the purchase of an additional activation if you already own a ServerMask license and are seeking to activate an additional server.
After purchasing a license (or a new activation for an existing license) there are two options for completing the activation: If your IIS server can initiate outbound SSL (HTTPS) connections, you can activate online. If your server lacks an outbound secure connection, you can use the email-based activation alternative. Both activation options are available on the activation dialog that comes up whenever the ServerMask Settings Manager is launched in trial mode.
The System Requirements for ServerMask are as follows:
- A compatible version of IIS and Windows:
- IIS 7.5 / Server 2008 R2
- IIS 7 / Server 2008
- IIS 6 / Server 2003
- Compatible hardware:
- x86 (32-bit)
- x64 (64-bit)
- Required runtimes:
- .Net Framework 2.0 (or later)
- Visual C++ 2005 SP1 Runtime
When first installed, all ServerMask functionality is initially disabled. This is a precaution intended to prevent any unmonitored side-effects when installing in a production environment. To enable and configure ServerMask, use its graphical user interface, called the ServerMask Settings Manager.
Using the ServerMask Settings Manager
The ServerMask Settings Manager will launch automatically following a successful installation of ServerMask. It can also be launched at any time using either the shortcut in the Port80/ServerMask program group in the Windows Start Menu, or simply by double-clicking on the file ServerMask.exe in the ServerMask installation directory (by default C:\Program Files\Port80\ServerMask). Here is what the Settings Manager looks like when it first appears:
Turning ServerMask On and Off
From the Settings Manager you can quickly enable ServerMask protection for any site simply by highlighting the name of that site in the tree view and clicking the radio button labeled "On", followed by the Apply button. Notice that the status bar at the top of the right pane turns green (to indicate the "On" state) and that its status message ("Protection for Default Web Site is On") reports that the highlighted site is now being protected by ServerMask:
If after enabling ServerMask protection for a single site, you select any other site from the tree view, you will notice that the status bar's color and message will change to indicate that protection is still "Off" for these other sites. It is not necessary however to configure ServerMask on a site-by-site basis. To manage the settings of several sites simultaneously, or to customize settings, you can use ServerMask's profile feature.
Using ServerMask Profiles
ServerMask configuration settings are managed through the use of profiles. A profile is simply a particular combination of ServerMask configuration settings, which can be applied to one or more (or all) sites on a server. ServerMask has three default profiles: Hide, Emulate, and Randomize, each of which represents a different default combination of ServerMask settings. All three default profiles are designed to achieve ServerMask's anti-reconnaissance goals, but in slightly different ways:
- The Hide profile emphasizes the simple removal or suppression of identifying data.
- The Emulate profile uses false data to create the impression of a non-IIS server.
- The Randomize profile works much like Emulate, except that the false identifying information is constantly changed so that the server appears to be several different servers.
To see the detailed configuration settings for a particular profile, highlight the profile in the tree view and click through the four settings groups, each represented by a button on the graphical button bar in the right pane. As you will see, each settings group has a different set of tabs associated with it. The settings you will see on these tabs are explained in detail in the next four sections of this help file. Note that you cannot edit the settings for any of the default profiles.
ServerMask allows you to use a single profile for all sites (the default choice), or a combination of profiles for different sites. You can also use, in addition to the three default profiles, any number of customized profiles.
Using multiple profiles can be advantageous when attempting to mask multiple sites hosted on the same server (multiple profiles create the false impression of multiple physical servers). Customized profiles are useful when a particular feature or set of features needs to be enabled or disabled for a particular site or set of sites.
Determining Which Profile a Site is Using
The profile in use for a given site is always indicated in two ways:
- the site will be listed under the profile it is using in the tree view; and
- when the site is highlighted in the tree, the name of the profile it is using will be shown in the pull-down menu located in the right pane, immediately below the red/green status bar.
Controlling Multiple Sites Using a Single Profile
When ServerMask is first installed, all Web sites on the server will initially inherit their settings from the Hide profile. As with sites, ServerMask protection can be turned On and Off for individual profiles. Since profile-level settings always override site-level settings, you can quickly turn ServerMask on (or off) for all sites in a default installation by highlighting the Hide profile in the tree view and using the On/Off radio buttons on the status bar. Notice in the following screen shot that the Hide profile is selected in the tree view, and that the status bar message refers to the Hide profile itself. Notice also that all the Web sites under that profile have inherited the "On" setting, as indicated by the green spheres next to the site names:
Changing a Site's Profile
To change a Web site's profile (and therefore ServerMask settings for that site) right-click the site in the tree view and select the new profile from the context menu:
Alternatively, you can highlight the site in the tree view and select the name of the new profile from the pull-down profile menu.
Using a Custom Profile to Change Specific Settings
You can customize any site's settings by creating a custom profile. To do this, right-click the site in the tree view and select the Customize... menu option from the context menu:
Alternatively, you can highlight the site in the tree view and select the Customize... option from the pull-down profile menu in the right pane.
In either case, you will be asked to give the new profile a name. This name will be used in the tree view and in the right-click and pull-down menus that allow sites to be moved from one profile to another:
After you click OK on the New Profile dialog, the newly created profile will appear in the tree view and the site will now be associated with that profile.
All of the individual settings for this site can now be changed. Initially, the new profile (and thus the site you placed under it) will have the same settings that the site was inheriting previously. Whenever you make and save a change for this site's settings, that change will now be saved to the newly-created profile. (You can also make the changes to the profile directly, by highlighting it, rather than the site, in the tree view.)
Once a custom profile has been created using a single site, you can move additional sites to it in the same way you would move them to one of the default profiles (see Changing a Site's Profile, above). In this way, you can first test a custom profile using a single site and then, when you are satisfied with its behavior, have as many sites as you wish start using the new profile:
Once created, custom profiles (just like default profiles) need not have any sites associated with them. You can archive a custom profile for later use simply by moving all of its sites (including the site originally used to create the profile) to other profiles. If you do not think you will ever use a particular custom profile again, you can also permanently delete it by highlighting it in the tree view and clicking the "Remove" button that will appear in the profile bar:
Once you have created a custom profile, you are ready to customize ServerMask settings for one or more sites using that profile. ServerMask's settings are clustered in four "settings groups", each represented by a large button on the button strip in the right pane of the Settings Manager, under the status and profile bars. For detailed information about a particular settings group, see the correspondingly-named section of this help document: Headers, Cookies, Errors, or Advanced.
The Headers settings group is accessed by clicking on the Headers button in the button bar in the right pane of the Settings Manager. As with all settings groups, be sure to highlight the custom profile (or any site using the custom profile) whose settings you wish to change.
The Server Header Tab
The controls on this tab provide various strategies for masking the IIS Server header.
Use the checkbox at the top of the tab to enable or disable all Server header masking functions. Use the radio buttons to select which strategy ServerMask should use to mask the Server header. The options are:
- remove the Server header entirely
- replace it with the pre-configured alternate header you select from the pull-down menu
- replace it with a random pattern of pre-configured alternate headers, rotating the alternate headers using the interval (in seconds) you enter in the "seconds" field
- replace it with whatever text you enter in the text box
The Add Headers Tab
The controls on this tab allow you to increase the uncertainty of any hostile reconnaissance effort by adding arbitrary HTTP headers to every IIS response.
Use the checkbox at the top of the tab to enable or disable the Add Header functionality.
To add a new HTTP header to every response, click the Add button. A new row, consisting of a default header name and a default value for that header, will be added to the list. When the new row is added to the list, click into each column of that row in turn, and type the desired text into the editable fields. The header names must be unique. Click Apply to save the changes.
You can use the editable fields to change the name and/or value of any header in the list at any time.
As long as the Add Header functionality is enabled, all HTTP headers in the list will be added to every IIS response. To delete a particular header, highlight it in the list and click Delete then Apply.
The Remove Headers Tab
The controls on this tab allow you to remove arbitrary HTTP headers from the IIS response, thereby suppressing identifying information beyond that of the Server header itself.
Use the checkbox at the top of the tab to enable or disable the Remove Header functionality.
To add a header to the removal list (so that it is stripped from every IIS response), click the Add button. A new row, consisting of a default header name, will be added to the list. When the new row is added to the list, click into it and type the desired header name into the editable field. The header names must be unique. Click Apply to save the changes.
As long as the Remove Header functionality is enabled, all HTTP headers in the list will be removed from every IIS response. To delete a particular header from the list (and therefore stop removing it from IIS responses), highlight it in the list and click Delete then Apply.
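The three Headers tabs above (Server Header, Add Headers, Remove Headers) together rewrite the header list of every response. The following Python model of that rewrite is an added example for this help file, not ServerMask's own ISAPI code; the alternate Server values, the sample IIS headers and the added "X-Runtime" header are constructed for the demonstration.

```python
import random
import time

# Constructed list of pre-configured alternate Server values (assumption:
# the page does not show the product's preset list).
ALTERNATE_SERVERS = ["Apache/2.2.15 (Unix)", "nginx/1.2.0", "lighttpd/1.4.28"]

# Constructed sample of the headers IIS 7.5 emits for a default ASP.NET page,
# kept as an ordered list because header order is itself a fingerprint.
SAMPLE_IIS_HEADERS = [
    ("Cache-Control", "private"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Server", "Microsoft-IIS/7.5"),
    ("X-AspNet-Version", "2.0.50727"),
    ("X-Powered-By", "ASP.NET"),
    ("Date", "Mon, 05 Mar 2012 10:15:02 GMT"),
    ("Content-Length", "1234"),
]


class ServerHeaderMask:
    """The four strategies on the Server Header tab: remove, replace with a
    preset, rotate presets on an interval, or use custom text."""

    def __init__(self, mode, value=None, interval=60, clock=time.time, rng=None):
        if mode not in ("remove", "replace", "rotate", "custom"):
            raise ValueError("unknown mode: " + str(mode))
        if mode in ("replace", "custom") and not value:
            raise ValueError(mode + " needs a value")
        self.mode, self.value, self.interval = mode, value, interval
        self.clock, self.rng = clock, rng or random.Random()
        self._current, self._chosen_at = None, None

    def server_value(self):
        """Value to send, or None when the header is to be removed."""
        if self.mode == "remove":
            return None
        if self.mode in ("replace", "custom"):
            return self.value
        now = self.clock()   # rotate: keep one preset for `interval` seconds
        if self._current is None or now - self._chosen_at >= self.interval:
            self._current, self._chosen_at = self.rng.choice(ALTERNATE_SERVERS), now
        return self._current


def mask_headers(headers, server_mask, remove=(), add=()):
    """Apply the Server Header, Remove Headers and Add Headers tabs to one
    response. `headers` is an ordered list of (name, value); names are matched
    case-insensitively because HTTP header names are."""
    add_names = [n.lower() for n, _ in add]
    if len(set(add_names)) != len(add_names):
        raise ValueError("added header names must be unique")
    drop = {n.lower() for n in remove}
    out = []
    for name, value in headers:
        key = name.lower()
        if key == "server":
            masked = server_mask.server_value()
            if masked is not None:
                out.append((name, masked))
        elif key not in drop:
            out.append((name, value))
    out.extend(add)   # decoy headers go on the end of every response
    return out


if __name__ == "__main__":
    mask = ServerHeaderMask("replace", "Apache/2.2.15 (Unix)")
    for name, value in mask_headers(
        SAMPLE_IIS_HEADERS, mask,
        remove=["X-Powered-By", "X-AspNet-Version"],
        add=[("X-Runtime", "0.012")],
    ):
        print(f"{name}: {value}")
```

Header order is deliberately preserved here; changing it is the job of the Emulation tab in the Advanced group. One check worth running after enabling any Server header strategy: responses that HTTP.sys generates itself before a request reaches IIS (its own 400 Bad Request replies, for example) never pass through an ISAPI filter and still carry the Microsoft-HTTPAPI Server value, so test malformed requests from outside as well as normal pages.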
The Cookies settings group is accessed by clicking on the Cookies button in the button bar in the right pane of the Settings Manager. As with all settings groups, be sure to highlight the custom profile (or any site using the custom profile) whose settings you wish to change.
The Cookie Masking Tab
The controls on this tab allow the masking of identifying cookies (such as application session cookies).
Use the checkbox at the top of the tab to enable or disable the Cookie Masking functionality.
The list of cookies to mask contains two columns. The left column corresponds to the "real" cookie name that will be masked in any IIS responses in which it would otherwise have appeared (i.e., in all Set-Cookie headers sent by the IIS server). The right column corresponds to the replacement name that will be given to that same cookie when it is first sent to the user's browser, and that will thereafter be accepted in place of the "real" cookie name when it is sent back to IIS.
To mask a new cookie, click the Add button. A new row, consisting of a default cookie name and a replacement name for that cookie, will be added to the list. When the new row is added to the list, click into each column of that row in turn, and type the desired text into the editable fields. Click Apply to save the changes.
As long as the Cookie Masking functionality is enabled, all cookies in the list will be masked (i.e., exchanged for their replacement cookies). To delete a particular cookie from the list (and therefore stop masking it), highlight its row in the list and click Delete then Apply.
One-to-Many Cookie Masking
While replacement cookie names (those in the right column) must be unique, the names of the cookies to be masked (those in the left column) can be repeated any number of times. This allows you to set up a one-to-many relationship between the "real" cookie and several replacement cookies. This variation can enhance the usefulness of cookie masking for anti-reconnaissance purposes.
When using multiple replacement cookies for a single "real" cookie, you can configure the interval after which ServerMask will begin using the next available replacement cookie. To do this, change the value in the text box labeled "Change cookie mask every...seconds".
If you wish to use one-to-many cookie masking but do not want to create several replacement cookie names yourself, you can let ServerMask create them instead. Simply highlight the row for the cookie to be masked and click the Generate button. Five new rows will automatically be added to the list. Each one will have, in the left column, the same "real" cookie name as the row you previously selected, but each will have a unique, randomly-generated replacement name in the right column. Click Apply to save the changes.
The Cookie Decoys Tab
The controls on this tab allow you to increase the uncertainty of any hostile reconnaissance effort by adding decoy session cookies to the IIS response.
Use the checkbox at the top of the tab to enable or disable the Cookie Decoys functionality.
The decoy cookies in the list will be managed just as normal session cookies would be: Each user of the site will receive, on the first request of their browser session, one Set-Cookie header for each decoy in the list. Their browsers will then (in the normal case) add the decoy cookie(s) to each subsequent request to the site, while the user's session lasts. When ServerMask receives these in-bound decoys, it will not place them again, until the decoy cookies expire.
The only difference between this behavior and that of standard session cookies is that the ServerMask decoy cookies are not tied to any underlying application data, resources or functionality. Their only purpose is to create the false impression of additional, but unknown, application logic at work, thereby foiling an accurate fingerprint of the site's application layer software.
To add a new decoy cookie, click the Add button. A new row, consisting of a default cookie name, will be added to the list. When the new row is added to the list, click into it and type the desired decoy cookie name into the editable field. The cookie names must be unique. You can also have ServerMask add five randomly-named decoy cookies. To do this click the Generate button. Click Apply to save all changes.
To delete a particular decoy cookie, highlight it in the list and click Delete then Apply.
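The Cookie Masking tab (one-to-one and one-to-many renaming of Set-Cookie headers, with the interval rotation described under One-to-Many Cookie Masking) and the Cookie Decoys tab both rewrite cookies in flight. The Python model below is an added example written for this help file, not ServerMask's implementation; the ASP.NET_SessionId row, the PHPSESSID/JSESSIONID replacements and the wp_track decoy are constructed sample data, and the round-robin choice of "next available replacement" is an assumption about how rotation proceeds.

```python
import random
import secrets
import string
import time


class CookieMask:
    """Models the Cookie Masking and Cookie Decoys tabs for one site."""

    def __init__(self, rows, interval=300, decoys=(), clock=time.time):
        # rows: (real name, replacement name). Replacement names must be unique;
        # a real name may repeat to give it several replacements (one-to-many).
        replacements = [repl for _, repl in rows]
        if len(set(replacements)) != len(replacements):
            raise ValueError("replacement cookie names must be unique")
        self.by_real = {}
        for real, repl in rows:
            self.by_real.setdefault(real, []).append(repl)
        self.to_real = {repl: real for real, repl in rows}
        self.interval, self.clock = interval, clock
        self.decoys = list(decoys)
        self._slot = {}  # real name -> (index into its replacements, time chosen)

    def current_replacement(self, real):
        options = self.by_real[real]
        if len(options) == 1:
            return options[0]
        idx, chosen_at = self._slot.get(real, (None, 0.0))
        now = self.clock()
        if idx is None:
            idx = 0
        elif now - chosen_at >= self.interval:
            idx = (idx + 1) % len(options)   # move to the next replacement (assumed round robin)
        else:
            return options[idx]
        self._slot[real] = (idx, now)
        return options[idx]

    def outbound(self, set_cookie_headers):
        """Rewrite Set-Cookie headers leaving IIS: the real name becomes the
        replacement name; the value and attributes are left untouched."""
        out = []
        for header in set_cookie_headers:
            name, _, rest = header.partition("=")
            name = name.strip()
            if name in self.by_real:
                out.append(f"{self.current_replacement(name)}={rest}")
            else:
                out.append(header)
        return out

    def inbound(self, cookie_header):
        """Rewrite the browser's Cookie header before the application sees it.
        Every replacement name maps back, not only the one currently being
        issued, so sessions survive a rotation. Returns the rewritten header
        and the set of decoy names the browser sent back."""
        parts, decoys_seen = [], set()
        for item in cookie_header.split(";"):
            item = item.strip()
            if not item:
                continue
            name, _, value = item.partition("=")
            if name in self.to_real:
                parts.append(f"{self.to_real[name]}={value}")
                continue
            if name in self.decoys:
                decoys_seen.add(name)
            parts.append(item)   # decoys pass through; nothing in the app reads them
        return "; ".join(parts), decoys_seen

    def decoy_set_cookies(self, decoys_seen):
        """One Set-Cookie per decoy the browser did not send back. Values come
        from a CSPRNG so a decoy is not distinguishable by a predictable value."""
        return [f"{name}={secrets.token_hex(16)}; path=/; HttpOnly"
                for name in self.decoys if name not in decoys_seen]


def generate_names(count=5, length=10, rng=None):
    """The Generate button: random replacement (or decoy) cookie names."""
    rng = rng or random.Random()
    alphabet = string.ascii_letters + string.digits
    return ["".join(rng.choice(alphabet) for _ in range(length)) for _ in range(count)]
```

A caveat the renaming does not cover: the cookie value keeps its original format, and the shape of an ASP.NET session identifier is itself recognisable. Renaming raises the cost of a fingerprint; it does not change what the application issues.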
The Errors settings group is accessed by clicking on the Errors button in the button bar in the right pane of the Settings Manager. As with all settings groups, be sure to highlight the custom profile (or any site using the custom profile) whose settings you wish to change.
The General Tab
The controls on this tab allow you to enable and disable ServerMask's basic HTTP error handling functionality.
Use the checkbox at the top of this tab to enable or disable ServerMask's basic custom error functionality. This works in the following way: When an HTTP 404 error is generated, ServerMask will intercept it and look in a pre-configured error directory for a customized error page. (If no such customized error is found, ServerMask will allow the normal 404 error handling to continue.) For the details of how this feature is configured, please see the other tabs in the Errors group, below.
Once the custom error functionality has been enabled, you can also enable application layer error suppression for PCI compliance. To do this, put a check in the box labeled "Replace application layer errors (5xx) with non-IIS 404 responses". This feature enhances ServerMask's custom error functionality by also intercepting HTTP errors with response codes of 500 and higher. These internal server errors are often intentionally raised by would-be attackers conducting pre-attack reconnaissance, looking for leaks of valuable information from a site's application layer. When this feature is enabled, these 5xx errors are replaced with 404 errors. (Note: a custom error must be present in the named custom error directory; otherwise IIS's ordinary 5xx error handling will be invoked.)
The Error Directory Tab
The controls on this tab allow you to configure where ServerMask looks for customized HTTP error messages.
The text in the "Error Directory Name" field is the name of the custom errors directory in which ServerMask will look for the custom error page. You can change this to any arbitrary directory name. Click Apply to save the change.
The radio buttons labeled "Error Directory Search Mode" control how many levels of custom error directories you want ServerMask to support. By default, ServerMask will only search in the Web site's root directory for the named custom error directory. All custom errors will be served from this directory. If the "Check Requested Directory" radio button is selected however, then ServerMask will look first for the named custom error directory in the parent directory of the URL that generated the error. This allows you to have multiple custom error directories throughout a single Web site. This feature can be useful when a single site must support one or more sub-sites or micro-sites, each with its own look-and-feel, and therefore requiring its own custom error template. If this is not your scenario, we recommend not using this feature since there is a minor performance penalty associated with enabling it.
The Error Files Tab
The controls on this tab allow you to configure what types of custom error files ServerMask sends when handling HTTP error messages.
ServerMask can use multiple files and file types as custom errors. The only constraint is that all custom error files must be named "404" in order for ServerMask to use them to replace the default IIS 404 error. By default, ServerMask looks for static file types with that file name. However, the acceptable file extensions can be configured, allowing for custom error files of different types.
To configure the static custom error files ServerMask will accept, click on the Configure... button opposite the label "Static Error Page File Types". This opens the Static Error Extension List dialog. This is the search list of file extensions that ServerMask uses by default when looking for a custom 404 error message in the named custom error directory.
List order is important: ServerMask will search the directory for a file named "404", and having the first file extension on this list. If that custom error file is found it will be used immediately. If it is not found, ServerMask will then search the directory for a custom error ("404") file that has the next file extension in the list--and so on through the entire list. Using this dialog, you can configure the file extension search order, as well as add and remove extensions from the list:
To use dynamic files as custom error files, put a check in the box labeled "Enable Dynamic Pages for 404 Errors". Click on the Configure... button next to this checkbox to configure the file extension search order for dynamic custom error files. The "Dynamic 404 Extension List" dialog operates exactly the same as the static extension list dialog. When the dynamic 404 error pages are enabled, ServerMask will use this list first, when searching for error pages in the named custom error directory, resorting to the static file list only if an appropriately-named dynamic 404 page is not found:
Image files may also be used as custom errors. As with static and dynamic pages, ServerMask can be configured to look for certain image file extensions in a certain order; in addition, it can be configured to use image-type 404 files only when the original request was itself for an image file.
To use image files as custom error files, put a check in the box labeled "Enable Image Files for 404 Image Errors". Click on the Configure... button next to this checkbox to configure the 404 image settings.
The "Edit 404 Image Settings" dialog has two tabs. The Extension List tab operates on exactly the same principle as the static and dynamic error page extension lists--namely, it allows you to configure which file extensions ServerMask will look for, and in what order, when it searches the custom error directory for a 404 file with which to replace the 404 error raised by a request to an image file:
The other tab in the "Edit 404 Image Settings" dialog is unique. This "Request Selectors" tab lists the originally-requested file extensions and/or URL paths that ServerMask will use to decide that a 404 error should be replaced with one of the configured image-type 404 files, rather than with either a static or dynamic 404 page. This list consists of file extensions and URL paths that, typically, use the asterisk wildcard expression in order to match any number of request URLs:
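The General, Error Directory and Error Files tabs above define a single lookup: given the failing URL and status, which "404" file (if any) is served. The Python resolver below is an added worked example of that lookup, not ServerMask's code. The directory name "errors", the extension lists, the selectors and the in-memory site tree are all constructed; two behaviours the page leaves open are assumed here and marked in comments (falling back from the requested directory to the site root, and falling back from image-type files to page files when no image-type 404 exists).

```python
import fnmatch
import posixpath

# Constructed in-memory site tree, paths relative to the site root.
SITE_FILES = {
    "errors/404.htm",
    "errors/404.gif",
    "shop/errors/404.aspx",
    "shop/errors/404.htm",
}

# One Errors-group profile. The directory name is an assumption; the page
# does not state the product's default.
DEFAULT_ERRORS_CONFIG = {
    "error_dir": "errors",
    "check_requested_directory": False,          # Error Directory Search Mode
    "replace_5xx_with_404": False,               # General tab checkbox
    "dynamic_enabled": False,
    "dynamic_exts": [".aspx", ".asp"],           # Dynamic 404 Extension List
    "static_exts": [".htm", ".html", ".txt"],    # Static Error Extension List
    "image_enabled": False,
    "image_exts": [".gif", ".png", ".jpg"],      # 404 image Extension List tab
    "image_selectors": ["*.gif", "*.png", "*.jpg", "/images/*"],   # Request Selectors tab
}


def _first_match(files, directory, exts):
    """First 404.<ext> present in `directory`, honouring list order."""
    for ext in exts:
        candidate = posixpath.join(directory, "404" + ext)
        if candidate in files:
            return candidate
    return None


def resolve_error(request_path, status, cfg=DEFAULT_ERRORS_CONFIG, files=SITE_FILES):
    """Return (status to send, custom error file or None).
    None means ServerMask steps aside and IIS's own handling continues."""
    if status >= 500 and not cfg["replace_5xx_with_404"]:
        return status, None
    if status != 404 and status < 500:
        return status, None
    # Normalise the URL path so a crafted request cannot walk out of the root.
    rel = posixpath.normpath("/" + request_path.lstrip("/")).lstrip("/")
    # Directories to search, most specific first (assumption: root is the fallback).
    directories = []
    if cfg["check_requested_directory"]:
        parent = posixpath.dirname(rel)
        if parent:
            directories.append(posixpath.join(parent, cfg["error_dir"]))
    directories.append(cfg["error_dir"])
    # Extension lists in search order: image types when a selector matches
    # the request, then dynamic (if enabled), then static (assumption: page
    # types are the fallback when no image-type 404 exists).
    ext_lists = []
    if cfg["image_enabled"] and any(
            fnmatch.fnmatch("/" + rel, pat) for pat in cfg["image_selectors"]):
        ext_lists.append(cfg["image_exts"])
    if cfg["dynamic_enabled"]:
        ext_lists.append(cfg["dynamic_exts"])
    ext_lists.append(cfg["static_exts"])
    for directory in directories:
        for exts in ext_lists:
            found = _first_match(files, directory, exts)
            if found:
                return 404, found
    return status, None   # no custom file: a 5xx stays a 5xx, as the General tab notes


if __name__ == "__main__":
    print(resolve_error("/shop/crash.aspx", 500,
                        dict(DEFAULT_ERRORS_CONFIG, replace_5xx_with_404=True)))
```

The 5xx branch is the one to verify after enabling "Replace application layer errors": request a page that throws, confirm the status line is 404 and the body is your custom page, and then remove the 404 file temporarily to confirm that IIS's own 500 page (with whatever detail it carries) comes back, exactly as the note on the General tab warns.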
The Advanced settings group is accessed by clicking on the Advanced button in the button bar in the right pane of the Settings Manager. As with all settings groups, be sure to highlight the custom profile (or any site using the custom profile) whose settings you wish to change.
The Emulation Tab
The controls on this tab allow detailed configuration of certain advanced HTTP masking features, specifically the emulation of responses from non-IIS servers.
There are three special emulation features that ServerMask can use to enhance its ability to mask your IIS server:
- ETag Format The format of the ETag (used in cache validation) can readily be used to identify Web servers. Use the checkbox labeled "Emulate common non-IIS server ETag formats" to enable or disable the ETag masking functionality. The ETag masking options are:
- select a particular non-IIS ETag format to emulate from the pull-down menu;
- have ServerMask randomly cycle through the available replacement ETag formats; and, if this feature is in use,
- vary the amount of time (in seconds) that each successive replacement ETag format will be used
- HTTP Header Order This feature allows you to alter the default order in which IIS sends all HTTP headers. This can be a useful supplement to header-by-header masking, since the order of HTTP headers is itself an identifying datum about the Web server. Use the checkbox labeled "Enable Apache Web server HTTP headers order" to enable or disable this feature.
- Allow Header Format The Allow header is used in responses to the HTTP OPTIONS request method, when that method is allowed. This request method is designed to give individual Web servers a way to inform clients about which HTTP methods they are configured to support. However the order of the allowed methods, as they appear in the Allow header, can itself be an identifying datum about the Web server. ServerMask can be configured to change this order. To enable or disable this feature, use the checkbox labeled "Emulate Apache (ALLOW) header format".
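The three Emulation features above all rewrite details that an attacker's fingerprinting tool compares against known server signatures. The Python below is an added example of how such rewriting can be done, written for this help file and not taken from ServerMask. The Apache header order, the Apache and IIS Allow formats and the ETag shapes are assumptions drawn from typical responses (verify them against the server you want to resemble), and the sample IIS response is constructed. The ETag transform is made reversible so that the validator a browser sends back in If-None-Match can be restored before IIS compares it; the page does not say how ServerMask handles that, so treat it as a check to run rather than a description of the product.

```python
# Header order a stock Apache 2.2 httpd uses for a static file (assumption
# drawn from typical observed responses). Headers not listed keep their
# relative order after the listed ones.
APACHE_ORDER = ["Date", "Server", "Last-Modified", "ETag", "Accept-Ranges",
                "Content-Length", "Vary", "Connection", "Content-Type"]

# Constructed IIS 7.5 response to a static file, in IIS's native order.
IIS_STATIC_RESPONSE = [
    ("Content-Type", "image/gif"),
    ("Last-Modified", "Fri, 02 Mar 2012 09:00:00 GMT"),
    ("Accept-Ranges", "bytes"),
    ("ETag", '"80b9f3bd1f2cb1:0"'),
    ("Server", "Microsoft-IIS/7.5"),
    ("X-Powered-By", "ASP.NET"),
    ("Date", "Mon, 05 Mar 2012 10:15:02 GMT"),
    ("Content-Length", "2048"),
]


def reorder_headers(headers, order=APACHE_ORDER):
    rank = {name.lower(): i for i, name in enumerate(order)}
    # sorted() is stable, so unlisted headers keep their original order at the end.
    return sorted(headers, key=lambda h: rank.get(h[0].lower(), len(order)))


def iis_to_apache_etag(tag):
    """Recast an IIS-style ETag ("<hex>:<change>") in Apache's three-field
    "<inode>-<size>-<mtime>" shape. Reversible: the change number becomes the
    first field and the hex digits are split across the other two."""
    weak = tag.startswith("W/")
    body = (tag[2:] if weak else tag).strip('"')
    hexpart, sep, change = body.partition(":")
    if not sep:
        return tag   # not an IIS-style tag; leave it alone
    return ("W/" if weak else "") + f'"{change}-{hexpart[:4]}-{hexpart[4:]}"'


def apache_to_iis_etag(tag):
    """Inverse of iis_to_apache_etag, for If-None-Match / If-Match values."""
    weak = tag.startswith("W/")
    body = (tag[2:] if weak else tag).strip('"')
    fields = body.split("-")
    if len(fields) != 3:
        return tag
    return ("W/" if weak else "") + f'"{fields[1]}{fields[2]}:{fields[0]}"'


def emulate_allow(value):
    """IIS lists methods like "OPTIONS, TRACE, GET, HEAD, POST"; Apache emits
    "GET,HEAD,POST,OPTIONS,TRACE" (assumed typical forms)."""
    apache_rank = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"]
    methods = [m.strip().upper() for m in value.split(",") if m.strip()]
    methods.sort(key=lambda m: apache_rank.index(m) if m in apache_rank else len(apache_rank))
    return ",".join(methods)


def emulate_response(headers):
    """Apply all three Emulation-tab features to one outbound response."""
    out = []
    for name, value in headers:
        if name.lower() == "etag":
            value = iis_to_apache_etag(value)
        elif name.lower() == "allow":
            value = emulate_allow(value)
        out.append((name, value))
    return reorder_headers(out)


def restore_request(headers):
    """Map conditional-request validators back before IIS compares them;
    without this step every conditional GET misses and caching is lost."""
    out = []
    for name, value in headers:
        if name.lower() in ("if-none-match", "if-match") and value.strip() != "*":
            value = ", ".join(apache_to_iis_etag(t.strip()) for t in value.split(","))
        out.append((name, value))
    return out
```

After enabling ETag emulation, fetch a static file twice, the second time with If-None-Match set to the ETag received, and confirm a 304 comes back; a 200 on the second request means validators are no longer matching and every client will re-download content it already has.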
The File Extension Tab
The checkbox on this tab allows you to enable and disable ServerMask's file extension anti-reconnaissance feature.
This feature can be very useful when the file extensions in use on your site are themselves a source of information about the Web server and/or its application stack. In particular, dynamic file extensions such as .aspx, .asp, .php, .jsp and so on readily disclose the application layer software in use.
To hide application layer details, ServerMask supports request URLs without file extensions. When the file extension anti-reconnaissance feature is enabled, ServerMask will analyze all request URLs that do not have file extensions. If adding a file extension to the URL would cause it to retrieve a legitimate file from the Web server's root directory path, then that file will be served. For instance, if ServerMask sees a request for /foo/bar and if the Web site contains a file /foo/bar.aspx, then that file will be served. If there was no file named bar in the foo directory then a 404 will be generated.
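The mapping described above (a request for /foo/bar served from /foo/bar.aspx when that file exists) is shown below as an added Python example written for this help file, not as ServerMask's implementation. The site tree and the list of extensions tried are constructed; the page does not say which extensions the product appends, and the example deliberately keeps that list to application file types so that a request such as /web can never be completed to web.config.

```python
import posixpath

# Constructed site tree, relative to the site root. Windows file names are
# case-insensitive, so lookups are done in lower case.
SITE_FILES = {"Default.aspx", "foo/bar.aspx", "foo/bar.aspx.bak",
              "web.config", "images/logo.gif"}

# Extensions the feature may append, in priority order (assumption: the page
# does not list which extensions the product tries). This is an allow-list on
# purpose: configuration and data files must never be reachable this way.
HIDDEN_EXTS = [".aspx", ".asp", ".html", ".htm"]


def resolve_extensionless(request_path, files=SITE_FILES, exts=HIDDEN_EXTS):
    """Return the site-relative file an extensionless URL maps to, or None
    (IIS then produces its normal 404). Requests that already carry an
    extension are not touched."""
    rel = posixpath.normpath("/" + request_path.lstrip("/")).lstrip("/")
    if not rel or posixpath.splitext(posixpath.basename(rel))[1]:
        return None
    lookup = {f.lower(): f for f in files}
    for ext in exts:
        hit = lookup.get((rel + ext).lower())
        if hit:
            return hit
    return None


if __name__ == "__main__":
    for url in ("/foo/bar", "/foo/baz", "/web", "/default"):
        print(url, "->", resolve_extensionless(url))
```

Two points follow from the behaviour: the application must emit extensionless links itself (a page that still links to /foo/bar.aspx discloses the stack regardless of this feature), and direct requests that include the extension continue to be served normally unless you block them separately.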
The IP Exceptions Tab
The controls on this tab allow you to set up an IP address "white list"--i.e., to configure exceptions to all ServerMask actions for selected IP addresses.
Use the checkbox at the top of this dialog to enable or disable the IP address white list.
Use the second checkbox on the dialog to tell ServerMask whether to match the IP addresses in the white list against the IP address in the HTTP X-Forwarded-For header (when present). Proxies often use this header to convey the original client IP to the Web server. Bear in mind that X-Forwarded-For is an ordinary request header that any client can set: if IIS is reachable without passing through a proxy that overwrites the header, a remote attacker can claim a white-listed address and receive unmasked responses. Enable this option only when every request arrives through a trusted proxy.
Use the list control and the Add and Delete buttons to manage IP addresses in the white list. To create an exception for a single IP address, use it in both the "First IP in Range" and "Last IP in Range" columns.
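The following Python model of the IP Exceptions tab is an added example for this help file, not ServerMask's code. It matches a client address against first/last ranges as described above and shows the difference between honouring X-Forwarded-For unconditionally (the checkbox as described on the page) and honouring it only when the TCP peer is a known proxy, which is the additional check a practitioner would want. The white-list ranges, the 10.0.0.0/8 proxy network and the sample addresses are constructed.

```python
import ipaddress


class IpExceptions:
    """Models the IP Exceptions tab: requests from white-listed addresses are
    exempt from every ServerMask action (they see the unmasked IIS response)."""

    def __init__(self, ranges, use_forwarded_for=False, trusted_proxies=()):
        # ranges: (first IP, last IP); use the same address twice for a single host.
        self.ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                       for lo, hi in ranges]
        for lo, hi in self.ranges:
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range {lo}-{hi}")
        self.use_forwarded_for = use_forwarded_for
        # Added beyond the page's checkbox: only believe X-Forwarded-For when
        # the TCP peer is one of these proxies (assumed networks in the demo).
        self.trusted_proxies = [ipaddress.ip_network(n) for n in trusted_proxies]

    def _trusted(self, addr):
        return any(addr in net for net in self.trusted_proxies)

    def client_address(self, remote_addr, headers):
        """The address to match against the white list."""
        peer = ipaddress.ip_address(remote_addr)
        xff = headers.get("X-Forwarded-For") if self.use_forwarded_for else None
        hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
        if not hops:
            return peer
        if not self.trusted_proxies:
            # Page behaviour: trust the header as sent. Any client can forge it.
            try:
                return ipaddress.ip_address(hops[0])
            except ValueError:
                return peer
        if not self._trusted(peer):
            return peer   # header arrived straight from an untrusted client
        # Walk right to left past trusted proxies; the first other hop is the client.
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                return peer   # malformed header: fall back to the socket address
            if not self._trusted(addr):
                return addr
        return peer

    def is_exempt(self, remote_addr, headers):
        addr = self.client_address(remote_addr, headers)
        return any(lo.version == addr.version and lo <= addr <= hi
                   for lo, hi in self.ranges)


if __name__ == "__main__":
    wl = [("192.168.1.1", "192.168.1.50")]
    forged = {"X-Forwarded-For": "192.168.1.10"}
    print("naive :", IpExceptions(wl, use_forwarded_for=True).is_exempt("198.51.100.2", forged))
    print("strict:", IpExceptions(wl, use_forwarded_for=True,
                                  trusted_proxies=["10.0.0.0/8"]).is_exempt("198.51.100.2", forged))
```

The "naive" line prints True: an Internet client that adds the header is treated as if it were on the internal white list. The "strict" line prints False because the header is ignored unless the connection itself comes from the proxy network.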
The Diagnostics Tab
The control on this tab is for diagnostic purposes only and should not be enabled on production servers without prior consultation with Port80 Software technical support.