How to Hide the IIS FTP Banner ?
| Paul Lynch 2004-05-18, 12:43 pm |
| Hello,
Apologies if this has already been flagged up here (I've been out of
the loop for a few weeks) but I just found this KB article when going
through my inbox.
FIX: You cannot suppress the default FTP banner for the FTP service
http://support.microsoft.com/?id=826270
I know that obscurity isn't security but I suppose it can be useful as
part of the overall picture.
Regards,
Paul Lynch
MCSE
| |
| Karl Levinson [x y] mvp 2004-05-18, 7:36 pm |
| Interesting... I have no idea why this was not already included in Windows
Server 2003. Anyone in this newsgroup could have told you this has been a
common request for years.
"Paul Lynch" <paul.lynch@nospam.com> wrote in message
news:eq4ka0p0jlfna6ne99omurcqphhqfv5oep@4ax.com...
> Hello,
>
> Apologies if this has already been flagged up here (I've been out of
> the loop for a few weeks) but I just found this KB article when going
> through my inbox.
>
> FIX: You cannot suppress the default FTP banner for the FTP service
> http://support.microsoft.com/?id=826270
>
> I know that obscurity isn't security but I suppose it can be useful as
> part of the overall picture.
>
>
> Regards,
>
> Paul Lynch
> MCSE
| |
| Paul Lynch 2004-05-19, 5:39 am |
| On Tue, 18 May 2004 19:03:32 -0400, "Karl Levinson [x y] mvp"
<levinson_k@despammed.com> wrote:
>Interesting... I have no idea why this was not already included in Windows
>Server 2003. Anyone in this newsgroup could have told you this has been a
>common request for years.
Yeah, I know. My standard reply to any such question was always to
refer people to this KB :
PRB: FTP Banner Displayed on Command Line Cannot Be Removed
http://support.microsoft.com/?id=316998
Well, at least it shows they *are* listening :-)
Regards,
Paul Lynch
MCSE
| |
| Alun Jones [MS MVP - Security] 2004-05-19, 5:41 pm |
| In article <#RVWetSPEHA.1392@TK2MSFTNGP09.phx.gbl>, "Karl Levinson [x y]
mvp" <levinson_k@despammed.com> wrote:
>Interesting... I have no idea why this was not already included in Windows
>Server 2003. Anyone in this newsgroup could have told you this has been a
>common request for years.
Go look in microsoft.public.inetserver.iis.ftp, where Paul also posted this
(Paul, have you heard about crossposting?) - we're currently discussing
whether it's of any security benefit whatsoever. Essentially, it's more of
use as a "vanity" feature than a security measure. Even then, some FTP
clients key off that greeting to determine what features an FTP server might
have, so that they can improve the user experience. So, my advice is not to
change the banner - it doesn't improve security, and it may reduce
usability.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | alun@texis.com.
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
| |
| Paul Lynch 2004-05-19, 5:41 pm |
| On Wed, 19 May 2004 14:23:41 GMT, alun@texis.invalid (Alun Jones [MS
MVP - Security]) wrote:
>In article <#RVWetSPEHA.1392@TK2MSFTNGP09.phx.gbl>, "Karl Levinson [x y]
>mvp" <levinson_k@despammed.com> wrote:
>
>Go look in microsoft.public.inetserver.iis.ftp, where Paul also posted this
>(Paul, have you heard about crossposting?) - we're currently discussing
Yes I have actually. Posting it here was an afterthought. Why are you
making an issue of this Alun ?
>whether it's of any security benefit whatsoever. Essentially, it's more of
>use as a "vanity" feature than a security measure. Even then, some FTP
>clients key off that greeting to determine what features an FTP server might
>have, so that they can improve the user experience. So, my advice is not to
>change the banner - it doesn't improve security, and it may reduce
>usability.
What features specifically are you referring to ? I asked you for
examples of what functionality this would break in the other thread
and you suggested that I speak to the authors of client software
because "it's not something that has greatly interested me"
Hardly a very convincing argument.
>Alun.
>~~~~
Regards,
Paul Lynch
MCSE
| |
| Alun Jones [MS MVP - Security] 2004-05-19, 5:41 pm |
| In article <vetma0plriiit7hdf2o35i7lil38u2mabp@4ax.com>, Paul Lynch
<paul.lynch@nospam.com> wrote:
>On Wed, 19 May 2004 14:23:41 GMT, alun@texis.invalid (Alun Jones [MS
>MVP - Security]) wrote:
>Yes I have actually. Posting it here was an afterthought. Why are you
>making an issue of this Alun ?
Because we've now got two discussions going in parallel on the same topic.
It makes it a little tricky to figure out which one has heard which
argument.
>What features specifically are you referring to ? I asked you for
>examples of what functionality this would break in the other thread
>and you suggested that I speak to the authors of client software
>because "it's not something that has greatly interested me"
>
>Hardly a very convincing argument.
It's not intended to be. It's intended to note that there _is_ a
deleterious effect on usability (otherwise all these FTP clients would not
have a list box for you to choose what type of FTP server you're connecting
to, if the automatic detection fails because the banner is gone).
Couple that with the lack of any improvement to security, and there's really
no good reason to go changing the banner. If your server is vulnerable
enough that a hacker can break into it using the information from the
unchanged banner, then your server will be broken into with a custom banner.
This is particularly true of a server such as the Microsoft one, which is
going to be the target of most scattershot attacks. If the server isn't
secure against attack, then changing the banner will not reduce the number
of attacks.
For instance, try putting an FTP server - any FTP server - online for a week
or two, without announcing it. You'll find that many of the attacks you
receive bear no resemblance to any known attacks for your server, if any at
all do. The crackers are going to try any attack they know. If you've
slowed the targeted attacker down by changing the banner, you've gained
what, a second or two, while he might be trying attacks for a wrong server?
Can you do anything in that time?
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | alun@texis.com.
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
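
Added example, not part of any post in this thread: a sketch of the client-side auto-detection described in the post above, where an FTP client keys off the 220 greeting and falls back to a user-selected server type when the banner has been suppressed or customised. The signature strings, function names and sample greetings are constructed for illustration and are not taken from any real client.

```python
import re
from typing import Optional, Tuple

# Constructed greeting patterns -> server family (assumptions for illustration).
SIGNATURES = [
    (re.compile(r"Microsoft FTP Service", re.I), "iis"),
    (re.compile(r"WFTPD", re.I), "wftpd"),
]

def parse_greeting(raw: bytes) -> str:
    """Return the text of an RFC 959 220 reply, joining multi-line replies."""
    lines = raw.decode("latin-1").splitlines()
    if not lines or not re.match(r"220[ -]", lines[0]):
        raise ValueError("not a 220 greeting")
    parts = []
    for line in lines:
        # "220-" opens a multi-line reply, "220 " ends it; strip either prefix.
        m = re.match(r"220[ -](.*)", line)
        parts.append(m.group(1).strip() if m else line.strip())
        if line.startswith("220 "):
            break
    return " ".join(p for p in parts if p)

def detect_server(raw: bytes, user_choice: Optional[str] = None) -> Tuple[str, str]:
    """Return (server_type, how_it_was_chosen)."""
    greeting = parse_greeting(raw)
    for pattern, family in SIGNATURES:
        if pattern.search(greeting):
            return family, "banner"
    # Banner suppressed or customised: auto-detection fails, so the client
    # relies on whatever the user picked in its server-type list box.
    if user_choice:
        return user_choice, "user-selected"
    return "generic", "default"

if __name__ == "__main__":
    # Constructed sample greetings.
    samples = [
        b"220 Microsoft FTP Service\r\n",
        b"220-Welcome\r\n  notice\r\n220 WFTPD ready\r\n",
        b"220 FTP server ready\r\n",
    ]
    for s in samples:
        print(parse_greeting(s), "->", detect_server(s))
    print(detect_server(samples[2], user_choice="iis"))
```
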