10

I’m currently trying to improve the security at our work. This sounds very broad, but, for example, I’m penetrating our systems and checking whether servers are vulnerable to certain exploits.

As an example, SMTP gave me this telnet result:

220 [redacted] Microsoft ESMTP MAIL Service, Version: 7.5.7601.17514 ready at Mon, 10 Mar 2014 14:15:30 +0100

After a few hours of searching for a solution, I’ve found a way to hide the details about this server, resulting in this result:

220 [redacted] Ouch, sorry.. 404 - version not found.. Mon, 10 Mar 2014 14:15:57 +0100

This seems a lot more secure, as it does not display the version number any more. My question is, did this increase the security of my server? Or doesn’t it actually make much of a difference and should I ignore version numbers as a security vulnerability?

Is there a security benefit in hiding the IIS version number?

TRiG
  • 610
  • 5
  • 14
Rob
  • 381
  • 3
  • 12
  • This has nothing to do with an errorpage or apache. Thank you. – Rob Mar 10 '14 at 14:06
  • 2
    @Robuust While it has nothing to do with error pages, this is essentially the same question. You're wondering about revealing version numbers and identifying information about the software running on your server. Yes, this is indeed a duplicate question of the question linked. – Adi Mar 10 '14 at 14:21
  • Would an attacker (quite probably automated) run ... `if (version ABC) {tryAttackXYZ()}` or would they simply `tryAttackXYZ()`? I _think_ the latter would be more likely. – MrWhite Mar 10 '14 at 15:37
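Added example (not part of the question or any of the answers): a small Python checker that classifies an SMTP 220 greeting as disclosing or not disclosing the MTA product and version, which is the property the question is trying to change. The two banners from the question are embedded as constructed sample input, with the hostname left as `[redacted]`; the `KNOWN_PRODUCTS` list, the regex, and the `grab_banner` helper (which does nothing more than the telnet session above: read the greeting and send QUIT) are assumptions of this example, not an established tool.

```python
import re
import socket
from typing import Dict

# Constructed sample input: the two greetings quoted in the question.
BANNER_BEFORE = ("220 [redacted] Microsoft ESMTP MAIL Service, Version: 7.5.7601.17514 "
                 "ready at Mon, 10 Mar 2014 14:15:30 +0100")
BANNER_AFTER = ("220 [redacted] Ouch, sorry.. 404 - version not found.. "
                "Mon, 10 Mar 2014 14:15:57 +0100")

# Product strings whose presence identifies the MTA (assumed list for this example).
KNOWN_PRODUCTS = (
    "Microsoft ESMTP MAIL Service",
    "Postfix",
    "Exim",
    "Sendmail",
)

# A dotted release number such as 7.5.7601.17514 (two to four numeric parts).
# Timestamps use ':' and the '404' in the second banner has no dot, so neither matches.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+){0,2}\b")


def audit_banner(banner: str) -> Dict[str, str]:
    """Return the identifying details an SMTP greeting discloses.

    Keys are 'product' and/or 'version' mapped to the leaked text.
    An empty dict means the greeting names neither. If the reply is not
    a 220 greeting at all, the code is reported under 'unexpected_code'.
    """
    findings: Dict[str, str] = {}
    code, _, text = banner.strip().partition(" ")
    if code != "220":
        # RFC 5321 requires the greeting to be a 220 reply; anything else
        # is not a banner we can assess.
        findings["unexpected_code"] = code
        return findings
    for product in KNOWN_PRODUCTS:
        if product.lower() in text.lower():
            findings["product"] = product
            break
    match = VERSION_RE.search(text)
    if match:
        findings["version"] = match.group(0)
    return findings


def grab_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the greeting line from your own mail server and close politely.

    Equivalent to the telnet session in the question; intended for checking
    a server you administer after changing its banner configuration.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        greeting = reader.readline().decode("ascii", errors="replace").strip()
        sock.sendall(b"QUIT\r\n")
    return greeting


if __name__ == "__main__":
    for label, banner in (("before", BANNER_BEFORE), ("after", BANNER_AFTER)):
        print(label, audit_banner(banner) or "no product/version disclosed")
```

Running the block shows the first banner yielding both a product and a version and the second yielding nothing, which is exactly the change the question describes; as the answers below note, a clean result here only removes one shortcut and says nothing about whether the underlying version is patched.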

3 Answers

16

If that's your only security measure, this is what is known as security by obscurity.

Security by obscurity is bad if it is the only thing you rely on. Your first priority should always be ensuring that the software isn't exploitable in the first place. This means patching frequently. That said, there isn't any point in shouting out the exact version of the software you are using. If hiding the version numbers makes an attacker's life harder, by all means do it. Just make sure you don't get a false sense of security and that it isn't the only thing you do.

  • Would it help me to display a "wrong" version number instead of a customized text? Thus it looks like version 6.3 for example, but it is 7.5? – Rob Mar 10 '14 at 15:30
  • @Robuust That's just another layer of obscurity. Terry's full answer would still be applicable. – Anthony Mar 10 '14 at 17:53
6

Any version numbers present are an instant flag to an attacker. If they have the version number, they can research vulnerabilities that that version has. If an attacker doesn't instantly find the version number, then they sometimes have other methods such as fingerprinting to discover the version. In your position, I would say you have increased your security by at least slowing them down. For a less experienced attacker, maybe they would stop trying at that point, saving you from an attack.

Jason Higgins
  • 647
  • 4
  • 8
  • That was the only point I could think of indeed, I could've put that myself in the question maybe. – Rob Mar 10 '14 at 13:30
1

As a mail-system admin, I think it's prudent to show the major version number; a number of times I've solved deliverability issues to other sites just by researching common problems with the major version, which eliminates the need to do extensive troubleshooting with the remote site's Postmaster(s).

In practical terms, the security benefit here is minimal (security through obscurity, as mentioned). Good patching, appropriate system isolation, well-configured firewalls and a host of other Best Practices that can be implemented would make your server considerably more secure and would render any benefit (real or perceived) of this change moot.

Garandy
  • 111
  • 1