host header names as security devices

From: Chris Davis <chris.davis(at)computerjobs.com>
Date: Mon Mar 03 2003 - 11:23:42 EST


The IIS "host header name" setting provides virtual naming capability for a single IP/port assignment. I am curious if the use of a host header name adds any security against IP address range port 80 scanners that attempt to exploit target hosts.

In the event of an HTTP request sent to the IP address (rather than to the hostname) of an IIS server running a web site configured with an IIS host header name, in absence of a default site, the IIS server will return "No web site is configured at this address" because the HTTP request did not match a configured host header name and there was no default site to return.

Does IIS short circuit all the ISAPI filtering and such in this case where the request does not match a configured host header name and no default site exists? If so, then are unpatched/unknown vulnerabilities not exploitable when a request is made by IP address rather than host name since the request may not make it to the ISAPI filters that have buffer overflows (or encoding%20issues or other vulnerabilities)?

If IIS does short circuit the ISAPI filtering of the request, it seems that use of host header names (while disabling the default site) can act as an impediment to automated scanners that scan IP ranges trying exploits without knowing hostnames.

(The IIS lockdown tool will filter requests with cmd.exe and root.exe and *.dll and *.ida and such, which you would still want to use to prevent attacks that do use your configured host header name. In addition to the IIS lockdown tool's features, the possible host header name ISAPI short-circuit might add a security layer that excludes all IP block scanner requests that attempt exploits from the possibility of success.)

Does anybody have inside knowledge of how far an HTTP request to an IIS server without a default site will be processed before "No web site is configured at this address" is returned when the HTTP request does not match a configured host header name? Is there a true security gain in implementing this concept?

Thanks
Chris Davis, Senior CS Major
Computer Science
Southern Polytechnic State University
http://www.WinSnmpWalk.org

Received on Mon Mar 3 11:41:25 2003
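
The site-selection behaviour the message describes can be checked against a set of bindings with a simplified model. This is an added example, not part of the original post and not IIS's own logic; it says nothing about how far IIS processes an unmatched request. The site names, addresses and hostnames are constructed, and the bindings use the `IP:Port:HostHeader` form.

```python
# Simplified model of host-header site selection (illustration only).
# Constructed bindings in "IP:Port:HostHeader" form; a blank field matches any.
SITES = {
    "corp-www": [":80:www.example.test", ":80:example.test"],
    "intranet": ["192.0.2.10:8080:"],   # blank host header = catch-all
}

def parse_binding(binding):
    ip, port, host = binding.split(":", 2)
    return ip, int(port), host.lower()

def host_from_request(raw_request):
    """Host header value without port, or "" if absent (IPv4/hostnames only)."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break                        # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]
    return ""

def select_site(sites, local_ip, port, raw_request):
    """Site that would answer, or None for the
    "No web site is configured at this address" case."""
    host = host_from_request(raw_request)
    fallback = None
    for name, bindings in sites.items():
        for binding in bindings:
            ip, bport, bhost = parse_binding(binding)
            if bport != port or ip not in ("", local_ip):
                continue
            if bhost and bhost == host:
                return name              # exact host header match wins
            if not bhost and fallback is None:
                fallback = name          # catch-all answers anything else
    return fallback

def catch_all_sites(sites):
    """Sites with a blank host header: they still answer requests made by IP."""
    return sorted(name for name, bindings in sites.items()
                  if any(parse_binding(b)[2] == "" for b in bindings))

def request(host=None, version="1.1"):
    """Build a minimal GET request; host=None omits the Host header."""
    head = f"GET / HTTP/{version}\r\n"
    return head + (f"Host: {host}\r\n" if host is not None else "") + "\r\n"
```

Any site reported by `catch_all_sites` keeps answering requests addressed by IP, so the approach in the message depends on that list being empty for the exposed address and port.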

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:27 EDT
