Hi All,
Need clarification on the following points raised by a customer for a SharePoint 2010 intranet portal. We are using native SharePoint authentication. Please give solutions for the following issues:
1) We observed that the web server type and version are disclosed in the HTTP responses.
In this application, IIS 7.5 and SharePoint 14.0.0.4762 are revealed in the HTTP responses.
2) We observed that authentication cookies are used in an insecure manner by the web application.
In particular, the "HttpOnly" attribute is not set for the cookies. HttpOnly is an additional flag in the cookie response header which helps restrict scripts from accessing restricted cookies. Path is also set to the root directory "/", thus the application can be vulnerable to less secure applications on the same server.
Solution 1:
Hi,
1) We observed that the web server type and version are disclosed in the HTTP responses.
In this application, IIS 7.5 and SharePoint 14.0.0.4762 are revealed in the HTTP responses.
· To remove Web Server type:
Please download this tool (URLScan) and install it on your server. Go to this location on your server, C:\Windows\System32\inetsrv\urlscan, open the UrlScan.ini file in Notepad and set the RemoveServerHeader property to 1. The default value is 0.
You can also add custom Web Server Type in your HTTP Responses: Custom Web Server Type
· To remove the SharePoint Version:
Go to IIS Manager and select your site. Click on HTTP Response Headers. Right-click the HTTP header you want to remove and click Remove.
Note: This is not recommended, as it might cause problems for SharePoint Search and when using Office documents with SharePoint (like updating documents through Office online, export to Excel from a list, etc.).
This might interest you: http://www.wictorwilen.se/sharepoint-mythbusting-the-response-header-contains-the-current-sharepoint-version
Additionally, if you want to remove the ASP.NET version number, add the following property in Web.config, under <system.web>.
E.g.:
<system.web>
    <httpRuntime enableVersionHeader="false" />
</system.web>
You can check your HTTP responses at https://asafaweb.com/ or download Fiddler.
2) We observed that authentication cookies are used in an insecure manner by the web application.
In particular, the "HttpOnly" attribute is not set for the cookies. HttpOnly is an additional flag in the cookie response header which helps restrict scripts from accessing restricted cookies. Path is also set to the root directory "/", thus the application can be vulnerable to less secure applications on the same server.
If you need to set the HttpOnly attribute on all cookies generated by IIS, please download the URL Rewrite module.
Please see this article:
-Santhosh
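To verify that both findings are actually fixed after the changes above, here is an added example (not part of the original answer) that parses a raw HTTP response and reports the version-revealing headers named in this thread (Server, MicrosoftSharePointTeamServices, X-AspNet-Version, X-Powered-By) and any Set-Cookie header that lacks HttpOnly or is scoped to Path=/. The sample response is constructed for the example, not captured from a real server; paste the headers from Fiddler in its place.

```python
DISCLOSURE_HEADERS = ("Server", "MicrosoftSharePointTeamServices",
                      "X-AspNet-Version", "X-Powered-By")


def parse_headers(raw):
    """Split a raw HTTP response into (name, value) pairs, keeping duplicates
    such as repeated Set-Cookie lines; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def find_disclosures(headers):
    """Return {header: value} for each version-revealing header still present."""
    wanted = {h.lower() for h in DISCLOSURE_HEADERS}
    return {n: v for n, v in headers if n.lower() in wanted}


def cookie_findings(headers):
    """Return {cookie_name: [issues]} for Set-Cookie headers that lack HttpOnly
    or are explicitly scoped to the site root (Path=/)."""
    findings = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:          # attribute names are case-insensitive
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        issues = []
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        if attrs.get("path") == "/":
            issues.append("Path=/")
        if issues:
            findings[cookie] = issues
    return findings


# Constructed sample of a response before hardening (not from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Microsoft-IIS/7.5\r\n"
          "MicrosoftSharePointTeamServices: 14.0.0.4762\r\n"
          "X-AspNet-Version: 2.0.50727\r\n"
          "Set-Cookie: sessionid=abc123; path=/\r\n"
          "Set-Cookie: pref=1; path=/sites/intranet; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    hdrs = parse_headers(BEFORE)
    print("version disclosure:", find_disclosures(hdrs))
    print("cookie issues:", cookie_findings(hdrs))
```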