Tuesday, November 25, 2014

How to prevent MS IIS Content Location Internal IP Address Leak

With reference to http://support.microsoft.com/kb/834141, this post covers how to fix the issue of the server's internal IP address being revealed in the Content-Location field of the HTTP response header on MS IIS 6.0.

To confirm that you are affected:
- Telnet to the web service.
- Send "GET / HTTP/1.0".
- Press Enter twice.

If you see "Content-Location: http://<internal IP address>/Default.htm", you are affected.


To rectify this issue:
- Right-click the website, then click the Properties button for logging.
- Take note of the Site ID inside the log file name in the "Extended Logging Properties" window, e.g. W3SVC39\exyymmdd.log means your Site ID is 39.
- Set the web server to use the host name instead of the host IP. Open a command prompt, navigate to C:\Inetpub\AdminScripts\ and run the command "cscript adsutil.vbs set w3svc/<Site ID>/UseHostName true".
- run command "we".

You can then verify by using the telnet test again. Good luck!
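The telnet check above can be scripted so it is easy to rerun before and after the fix. This is an added example, not part of the original post: the function names and the two sample responses are constructed for illustration, and it also inspects the Location header, which goes beyond the Content-Location case the post describes.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Headers in which the server can echo its own address when no Host header is sent.
LEAK_HEADERS = ("content-location", "location")

def find_internal_ip_leak(raw_response: bytes):
    """Return [(header, ip)] for headers whose URL host is a non-public IP literal."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    leaks = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in LEAK_HEADERS:
            continue
        try:
            ip = ipaddress.ip_address(urlsplit(value.strip()).hostname or "")
        except ValueError:
            continue                                # host name or unparsable URL
        if ip.is_private:                           # RFC 1918 and other non-public ranges
            leaks.append((name.strip(), str(ip)))
    return leaks

def probe(host: str, port: int = 80, timeout: float = 5.0):
    """Send the same bare HTTP/1.0 request as the telnet test (no Host header)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:              # read until the header block ends
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return find_internal_ip_leak(data)

# Constructed sample responses (not captured from a real server).
BEFORE_FIX = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
              b"Content-Location: http://10.1.2.3/Default.htm\r\n\r\n<html>")
AFTER_FIX = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
             b"Content-Location: http://www.example.com/Default.htm\r\n\r\n<html>")

if __name__ == "__main__":
    print(find_internal_ip_leak(BEFORE_FIX))
    print(find_internal_ip_leak(AFTER_FIX))
```

Call `probe()` with the name or address of your own web server; an empty list means no internal address was found in either header.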

Monday, November 17, 2014

How to disable browsable web directory

There are increasingly more cons than pros in allowing browsing access to a web server's web directories. Black hats could use this to crawl for information or even as a gateway to launch an attack.

Here's how to disable web directory browsing on MS IIS. Tested on IIS 6.

- Open up IIS.
- Select the web site, right-click on it and select Properties.
- Uncheck "Directory Browsing".
- Restart the web service.

And you are done with configuration. :)

Thursday, November 13, 2014

How to enable or require SMB signing for Windows Server

Recently, I discovered that some servers have SMB vulnerabilities: in this case, file sharing over SMB does not require signing, or signing is not enabled.

How do we secure the communications? Here's how.

If you are on Windows NT4.0, Windows 2K and Windows 2k3, go to the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
- For SMB signing Required, set Registry key RequireSecuritySignature=1
- For SMB signing Enabled (if server agrees), set Registry key EnableSecuritySignature=1 and RequireSecuritySignature=0
- For SMB signing Disabled (if server agrees), set Registry key EnableSecuritySignature=0 and RequireSecuritySignature=0

If you are on Windows 98, go to the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters
- For SMB signing Required, set Registry key RequireSecuritySignature=1
- For SMB signing Enabled (if client agrees), set Registry key EnableSecuritySignature=1 and RequireSecuritySignature=0
- For SMB signing Disabled (if client agrees), set Registry key EnableSecuritySignature=0 and RequireSecuritySignature=0

Do note that all registry keys should be of type DWORD.

If you want to set this through GPO, use Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.


If you are on Windows 2K8 and 2K12, you should be on SMB2. Configuration is slightly easier. You can go to the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
- For SMB2 signing Required, set Registry key RequireSecuritySignature=1
- For SMB2 signing Not required, set Registry key RequireSecuritySignature=0

If you are on Windows Vista and XP or 7, you should be on SMB2. Configuration is slightly easier. You can go to the registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters
- For SMB2 signing Required, set Registry key RequireSecuritySignature=1
- For SMB2 signing Not required, set Registry key RequireSecuritySignature=0

Tuesday, November 11, 2014

Replacing SSL certificate for HPSMH

This is for replacing the SSL certificate used in HP SMH, aka "System Management Homepage", especially after a few rounds of SSL issues, from OpenSSL to SSLv3.

The steps are as follows:

Step 1
- Log on to HPSMH.
- From the menu, click "Settings" -> "Security" -> "Local Server Certificate".
- Fill in the necessary fields. (Alternative Names should be the FQDN.)

Step 2
- Log on to the server.
- Copy the content of the req_cr.pem file. (It should be in C:\hp\sslshare by default, I think.)

Step 3
- Submit the CSR to your CA to obtain the final X.509 certificate (Base64-encoded, in PEM format).

Step 4
- Replace the existing cert.pem (if any) with the new certificate.
- Restart the HPSMH service.


Reference: http://www.admin-enclave.com/en/solutions/windows/47-replace-the-ssl-certificate-for-hp-system-management-homepage-with-a-ca-generated-one.html