Home | Advertising Info40 USERS CURRENTLY ONLINE   
   Site Search Contact Us Thursday, June 30, 2022  

How to Disguise Your Web Server and Scripting Language

Recently I was given the task of building a picture hosting website for a client. The site was built using Classic ASP because the client wanted to be able to work on the site after the initial design phase and that is what the client was familiar with. Now, despite what some people will tell you a high end web site can still be built using Classic ASP and run just as well if not better than a site built using ASP.NET. That is not to say that a site running ASP.NET wouldn't run better than a site using Classic ASP, but it really all depends on the techniques used and the programmer. However, that is not the focus of this article. The reason for this article is to go over two techniques we used to Disguise the type of Web server being used and the scripting language the application was written in. We wanted to do this to make it that much more difficult for a potential hacker to cause a problem.

The 1st step in Disguising the Web Site was at the server level. We went with a product called ServerMask from Port80 Software. ServerMask gets installed on the server and allows you to
remove identifying details that intruders could use to detect your OS and Web server vendor. You can also make it appear as if you are running a Different Web server and OS than you really are or even randomize what information is reported. This is the 1st step in protecting your web site because potential crackers usually start by attacking a server with known exploits. If they do truly not know what you are running then the chances of them being successful are greatly diminished. I won't go into the details of installing or configuring ServerMask because it's honestly a piece of cake. As a matter of fact my grandmother could probably do it.

The 2nd step in Disguising the Web Site is also at the server level and involves your page extensions. If someone sees ".asp" pages they are going to assume you're running IIS Server. Granted you could be using Chilisoft or SunOne on a Unix/Linux Server to serve the ".asp" pages, but the use of those products never really became popular so that is unlikely. Either way, we do not want them making educated guesses. In order to really throw people off we went into IIS and configured ".htm" pages to run as ".asp". This is done in the Application Configuration area in IIS for your Web Site. Basically you set up ".htm" as an extension that is processed by the "asp.dll". You could actually throw off potential crackers by using any page extension. (".php", ".cgi", ".whatever"). Here is an article that mentions the process.

All in all these are just additional safeguards that will hopefully help to keep the site running smoothly. Both of these things are relatively easy to do if you are running your own Web Server. If you are not you will not be able to do these things. Also, the site we applied these techniques to was not mentioned in this article because it would not make sense to mention it. After all why bother protecting it if you are going to tell people what you did and the URL of the site. The bottom line is that these are techniques any security conscience Web Server operator should be consider looking into.

   Active Server Pages Rule The World
Contact Us  
All artwork, design & content contained in this site are Copyright 1998 - 2022 PowerASP.com and Christopher J. Williams
Banner ads ,other site logos, etc are copyright of their respective companies.
STATS Unless otherwise noted - All Rights Reserved.

Active Server Pages ASP control controls class classes module script Scripts applet CJWSoft ASPProtect ASPBanner ASPClassifieds www.aspclassifieds.com, www.powerasp.com,www.cjwsoft.com,www.aspphotogallery.com,www.codewanker.com,www.aspprotect.com,www.aspbanner.com