Security Risk? Microsoft-HTTPAPI/2.0

iisSecurityssrs

Whilst security vetting our machines, I found that one host was exposing a Microsoft-HTTPAPI/2.0 service over port 80 to the internet.

I'm not familiar with this, but after googling around, I found that SQL Server 2008 publishes SQL Server Reporting Services on port 80 by default and identifies itself as HTTPAPI/2.0. The host is also running IIS7.

I'm guessing this is probably not something that should be exposed to the world. Can anyone offer me any information or advice on the security risk of exposing this service?

Response Headers - http://#.#.#.#/
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 10 Aug 2009 10:44:25 GMT
Connection: close
Content-Length: 315

404 Not Found

Best Answer

If the response's Server header returns "Microsoft-HttpApi/2.0", it means that the HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).

You can test this by throwing an error using CURL:

curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"

You will see something like this if your server is sending the header:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

You can add a registry value so HTTP.sys doesn't include the header.

Open Regedit
Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"

Reference: WS/WCF: Remove Server Header

After you add the registry key, the response looks like this:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

Posting here so people who need this can find it. (Thanks, Oram!)

Related Solutions

Security risk of enabling MSDTC

I don't know of any security issues with enabling MS DTC. If you require distributed transactions, then you'll need MS DTC, no way around it even if there were.

Ssh port forwarding / security risk

I think this is a pretty secure setup, I use it myself. You will need to add '-L' to your command:

ssh -N -L 8888:targethost:80

As long as you don't use the '-g' option, only your client machine can access the port forward.

What I would recommend also is to make sshd on the bastion host listen on a non-standard port. If you are listening on a standard port, the attack traffic sometimes can eat up considerable amounts of CPU.

Also choose a good passphrase for your ssh key, and enter it only on trusted machines. Preferably Linux, it is less trivial to install keyloggers on Linux.

Best Answer

Related Solutions

Security risk of enabling MSDTC

Ssh port forwarding / security risk

Related Topic