How to hide 'OS details' from hackers

phillydog

Senior member
Dec 19, 2001
472
0
0
Using 'nmap', I was able to see the following, which I think is compromising information:

Running: Microsoft Windows 2003/.NET
OS details: Microsoft Windows .NET Enterprise Server (build 3604-3790)

I am posting this here in the OS thread since I am trying to find a way on my WIN/2003 server to remove this information from being seen by hackers. Is it simply a variable, and if so, where can I remove it?

Thanks.

 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Obfuscation is not security.

Anyhow, change the settings for your TCP/IP stack. The responses give you away. It's fairly easy to screw up though, so make sure you understand everything you mess with.
 

phillydog

Originally posted by: n0cmonkey
Obfuscation is not security.

Anyhow, change the settings for your TCP/IP stack. The responses give you away. It's fairly easy to screw up though, so make sure you understand everything you mess with.

Know of any doc on the web that can guide me on what/how to change the TCP/IP stack?
 

n0cmonkey

I'd start with a thorough understanding of TCP/IP. The TCP/IP Illustrated books should be a decent start.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Honestly I would focus your security concerns elsewhere. Most services (i.e. IIS) are going to respond with their version anyways which will let anyone know what OS the server is running so obscuring the stack won't hide it very well or for very long.

While I can understand the principle of taking this step I find that most configurations have much lower hanging fruit. Your security efforts should always focus on your lowest hanging fruit (your weakest or most valuable assets) and I find that too many admins focus on the issues that are easy or they know rather than focusing on the ones that are most likely to be attacked.

In reality right now the fact that it states 2003 Server would probably be to your advantage, most any "hacker" would simply leave looking for easier prey (i.e. NT4 or unpatched 2000).
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: phillydog
Know of any doc on the web that can guide me on what/how to change the TCP/IP stack?

Most likely you can't since MS doesn't distribute the source to their TCP/IP stack.

Originally posted by: spyordie007
Most services (i.e. IIS) are going to respond with their version anyways which will let anyone know what OS the server is running so obscuring the stack won't hide it very well or for very long.

Every webserver lets you change the server string it replies with and changing that won't hide a lot but it will make a lot of automated scripts pass over you or at least have to run all of their tests instead of being able to focus on a specific subset for your particular software.
 

phillydog

I have hidden the strings on my IIS and FTP, and the only things left from nmap are:

HTTP SSL
OS fingerprinting

I do need to change my error messages from IIS, however, that is a different thread in trying to find already made pages (since I'm lazy).

I am running a program called ServerMask, which for the most part, does block out that it is IIS. There are tools to get around that, but for now, that is the best that can be done.
 

Nothinman

Originally posted by: phillydog
I am running a program called ServerMask, which for the most part, does block out that it is IIS.

Why not just use URLScan? It's from MS so is probably better supported and does more than just removing the IIS banner.

The only thing you can do to stop OS fingerprinting via things like nmap is to put the box behind a router, which will cause the router to be fingerprinted and not the server or change the TCP/IP stack on the box which is virtually impossible to do since Windows is closed source.
 

phillydog

I was under the impression that since WIN/2003 is locked down, that it already had the IIS Lockdown tool (including URLscan) already loaded.
 

Nothinman

Could be, I really don't know. If it's already there, why bother installing ServerMask?
 

phillydog

My apologies to Nothinman... IIS 6 (WIN/2003) does have most of the features of URLScan built in, however, not the ability to hide headers which URLScan does have. After installing it, it does hide the webserver headers for HTTP, but not the HTTP SSL or FTP services. At least it is free and does the job well.

:)
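
The banner check the last few posts carry out by hand, written as a repeatable audit. This is an added example, not code from any poster in the thread: it parses banners you have already captured from your own server's HTTP, HTTPS and FTP services and reports which ones still name the product or version. The header list, function names and sample captures are assumptions constructed for illustration.

```python
"""Audit captured service banners for product/version disclosure."""
import re

# Response headers that commonly name the server software (assumed list, extend as needed).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# A product token followed by a version number, e.g. "Microsoft-IIS/6.0".
VERSIONED = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)*")
# Vendor/product words or a dotted version inside an FTP greeting.
FTP_TELL = re.compile(r"\b(microsoft|iis)\b|\d+\.\d+", re.I)


def audit_http(raw_response):
    """Return findings for an HTTP response head (status line plus headers)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or name not in DISCLOSING_HEADERS or not value:
            continue
        versioned = VERSIONED.search(value) or name == "x-aspnet-version"
        kind = "version" if versioned else "product"
        findings.append(f"{name}: {value} ({kind} disclosed)")
    return findings


def audit_ftp(greeting):
    """Return findings for an FTP 220 greeting line."""
    match = re.match(r"220[ -](.*)", greeting.strip())
    text = match.group(1) if match else ""
    if FTP_TELL.search(text):
        return [f"ftp greeting: {text} (product disclosed)"]
    return []


def audit_all(captures):
    """Map each service label to its findings; HTTP and HTTPS share one parser."""
    return {label: audit_ftp(data) if label == "ftp" else audit_http(data)
            for label, data in captures.items()}


# Constructed captures: port 80 masked, port 443 and FTP still at their defaults.
SAMPLE = {
    "http": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "https": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n",
    "ftp": "220 Microsoft FTP Service\r\n",
}

if __name__ == "__main__":
    for service, findings in audit_all(SAMPLE).items():
        print(service, "->", findings or "clean")
```

A clean result only means the application-layer banners are masked; as the thread notes, TCP/IP stack fingerprinting is unaffected by these settings.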