What about a cracker who performs detailed reconnaissance... only to fail in the attack when subterfuge holds?
Misdirection is an advantage if it foils a major exploit from the outset.
ServerMask is one choice in a comprehensive IIS security strategy, and Web server anonymization is practical, after you have all the bases covered -- for Apache, Netscape, Zeus... systems in general.
Why surrender any advantage in a battle?
Chris @ Port80
Thanks for the image mistake catch. Will be fixed ASAP.
OK, enough fun for today, folks. It really is turkey time.
Best,
Chris @ Port80
We are an MS partner but not owned by MS.
Port80's survey is our own work, not an M$ "secret project".
Hey, I like the X-Files as well, but let's not get carried away here.
Happy Turkey Day,
Chris @ Port80
Chris from Port80 here.
I was misquoted or rather never asked directly about the subject in the theage.com.au article, so here's what I have to say about IIS security:
http://www.owasp.org/columns/jlima/joelima1
There is work to be done, but IIS is moving in the right direction.
Enjoy the tryptophan effects,
Chris @ Port80
ServerMask in its current form removes the most obvious signs that you are running IIS. This is no substitute for a good firewall, IDS, IPS and a really locked down box. But, as all programmers would I am sure agree, and as good ol' Kevin Mitnick has pointed out, "any information a cracker can obtain about your system is too much information."
Here is an article that will walk you through what ServerMask does and does not do:
http://www.port80software.com/support/articles/maskyourwebserver
Companies are going to anonymize their systems in future. ServerMask 2.1 is a step towards IIS anonymization, but by no means the last word. Check out ServerMask 3.0 in development for next year...
Off to talk turkey,
Chris @ Port80
Thanks for the kind words. We usually don't get too many e-mails from "the other side of the fence" without a few expletive-deleteds... Hard core technologists are open source because there are fewer layers of abstraction, more direct control of the technology -- if you know what you're doing.
I understand and appreciate the MS/Open divide -- it keeps us all on our toes.
Can't we all just get along?
: )
Best,
Chris @ Port80
Forgot this one:
Everything is debatable. Here is Port80's more detailed article on Netcraft and both of our Web server surveys:
Which Web Server Is Winning?
Gooble gooble (or is it Google, google these daze?),
Chris @ Port80
From our point of view, the list and the focus is vital to any good Web server survey. Netcraft's list is wide, and their highlighted conclusions are not qualified by their own methodology. Netcraft highlights the Apache/IIS divide and usually their uncorrected figures because that will help them sell more Web site data -- to corporate customers.
Port80 is in the business of making tools for IIS. True. And Port80's survey does highlight an area that MS is winning in: corporate Web servers of the Fortune 1000. I would hazard to guess that MS and IIS are also winning in another area of interest: the corporate extranet and intranet market. But there are many surveys out there:
http://www.securityspace.com/s_survey/data/200310/index.html
http://www.alexa.com/site/ds/top_500
Each one makes different assumptions and has a different slant. The perfect Web server survey has yet to be attained, and the important point I think is that we are here, having this debate. Port80 plans to expand its surveys to different lists: more international lists, lists of qualified high traffic sites, and more. We will keep putting up the data and inciting debate.
As for Port80 Software and the Microsoft connection, remember that we are old open source advocates from way back. Port80's best ideas for improving the IIS Web server evolve from what has been accomplished with Apache and the mods culture of continuous tinkering, improvement and exploration.
Happy Turkey Day,
Chris @ Port80
You're right, Fry.
Try going to Iraq in an orange jumpsuit, and you will quickly discover the benefits of camo.
All the same, ServerMask is not the ultimate solution for server anonymization on IIS. The application needs some work to mask TCP/IP settings and also arbitrary HTTP responses. This article covers the important elements of a server anonymization strategy -- some addressed in ServerMask for IIS, some by tips for Apache/mods tuning, but all important if you want to mask your Web server:
http://www.port80software.com/support/articles/maskyourwebserver
Happy Turkey Day,
Chris @ Port80
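The point made in this post and in the earlier ServerMask post (rewriting the Server banner is no substitute for removing every platform tell) can be checked against your own server's responses. This is an added example, not Port80's header check tool or ServerMask code; the header names and cookie prefixes are a constructed, illustrative subset of IIS/ASP.NET tells, and both sample responses are constructed.

```python
"""Check an HTTP response for headers that still reveal the Web server platform.
Added example, not Port80's header check tool or ServerMask code. The tells
listed below are a constructed, illustrative subset, not a complete signature set."""

import re

# Response headers that identify IIS / ASP.NET when present (illustrative list).
PLATFORM_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Session-cookie names that classic ASP and ASP.NET set by default.
PLATFORM_COOKIES = ("ASPSESSIONID", "ASP.NET_SessionId")
SERVER_BANNER = re.compile(r"microsoft-iis", re.IGNORECASE)

def parse_headers(raw):
    """Split a raw HTTP response into its status line and (name, value) pairs."""
    status, _, rest = raw.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def find_leaks(raw):
    """Return the sorted header names that still reveal IIS / ASP.NET."""
    _, headers = parse_headers(raw)
    leaks = set()
    for name, value in headers:
        if name == "server" and SERVER_BANNER.search(value):
            leaks.add(name)
        elif name in PLATFORM_HEADERS:
            leaks.add(name)
        elif name == "set-cookie" and value.startswith(PLATFORM_COOKIES):
            leaks.add(name)
    return sorted(leaks)

# Constructed sample responses (not captured from any real host).
UNMASKED = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n"
            "X-AspNet-Version: 1.1.4322\r\nSet-Cookie: ASP.NET_SessionId=abc; path=/\r\n"
            "Content-Type: text/html\r\n\r\n<html></html>")
# Server banner rewritten, but the framework header and cookie name were left alone.
MASKED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-AspNet-Version: 1.1.4322\r\n"
          "Set-Cookie: ASP.NET_SessionId=abc; path=/\r\nContent-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("unmasked", UNMASKED), ("masked", MASKED)):
        print(label, "->", find_leaks(resp) or "no platform tells found")
```

Run it against a response captured from your own server (the header block of a `HEAD` reply, with CRLF line endings) to see which tells survive a banner rewrite.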
Thanks for catching a bug in Port80's real-time header check tool. We will look into the tool's SQL error on the URL www.isthatdamngood.com.
That's not too damn good...
Our online tools are not perfect, but they do work for most Apache sites. For instance, here is another version of the tool and a report for apache.org:
http://www.port80software.com/products/httpzip/compresscheck?url=www.apache.org
The actual Web server survey (www.port80software.com/surveys/top1000webservers) is conducted by another offline tool developed in Python by Port80's folks. Our published results have been verified independently on this thread today for the Fortune 1000 sites -- in terms of the current and ongoing Web server market share among the main corporate sites of Fortune 1000 companies.
Here's the methodology we followed (http://www.port80software.com/surveys/top1000webservers/methodology), and the results from our November survey can be accessed online in our archive reports:
http://www.port80software.com/surveys/top1000webservers/#checkacompanyout
Happy Turkey Day,
Chris @ Port80