Informant: Locating and Disabling Unauthorized IIS Servers

I have a large network with many IIS servers installed on various systems. How can I locate and disable unauthorized IIS servers on the network systems?

Locating IIS servers on your network is fairly straightforward, and several tools are available for accomplishing this task. All these tools involve scanning your IP address range to see whether a server responds to port 80—the default port for Web services. If you can't connect to port 80, some server application is listening on that port. In many companies, that server application is one of Microsoft's Web servers, such as a Windows 98 machine running Personal Web Server (PWS) or a beta version of Windows .NET Server (formerly code-named Whistler) running IIS 6.0.

You can go a step further than simply scanning your IP address range and obtain one of the hacker tools that not only scans for port 80 but records the server's response. The premier port-scanning tool is Insecure.Org's Network Mapper (nmap.exe) utility. Insecure.Org also has UNIX-based versions of the tool. eEye Digital Security has ported Nmap to a Windows version called Nmapnt.

In addition, the Network Security Hotfix Checker (hfnetchk.exe) tool, which is a free download from Microsoft's Web site, will scan a subnet and report on which hotfixes you've applied to a computer, as Figure 1 shows. Any system with IIS will include a list of required hotfixes. You can use a standard redirection at a command prompt, such as

hfnetchk>scanresults.txt

to capture this output to a text file.

Another useful tool is Rain.Forest.Puppy's Whisker. Whisker is a Web server vulnerability scanner at heart and serves well in detecting IIS servers.