From: Dooza on
Hi there,
I have a Windows 2003 Server with IIS6 running multiple websites via
host headers. Only one of the sites has an SSL certificate, which works
just fine.

I am in the middle of sorting out PCI DSS compliance and am using
www.hackerguardian.com to do the quarterly scans.

For some reason some of the sites seem to be responding on port 443 with
200 OK status, so I am having to report lots of false positives on these
sites.

I don't understand why this is happening and how to prevent it. I have
checked IIS and only one site has port 443 enabled. Is there something I
can do in IIS to stop this from happening?

Cheers,

Dooza
From: Dan on

"Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message
news:OKDHRZO8KHA.1560(a)TK2MSFTNGP02.phx.gbl...
> Hi there,
> I have a Windows 2003 Server with IIS6 running multiple websites via host
> headers. Only one of the sites has an SSL certificate, which works just
> fine.
>
> I am in the middle of sorting out PCI DSS compliance and am using
> www.hackerguardian.com to do the quarterly scans.
>
> For some reason some of the sites seem to be responding on port 443 with
> 200 OK status, so I am having to report lots of false positives on these
> sites.
>
> I don't understand why this is happening and how to prevent it. I have
> checked IIS and only one site has port 443 enabled. Is there something I
> can do in IIS to stop this from happening?
>
> Cheers,
>
> Dooza

If they are all sharing a single IP, then there's nothing you can do to stop
this - the site host headers are not checked until after the initial SSL
handshake has completed, so there's no way to block the sites that shouldn't
be responding on port 443 if they are sharing an IP with one that does.

--
Dan

From: Dooza on
On 13/05/2010 11:55, Dan wrote:
>
> "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message
> news:OKDHRZO8KHA.1560(a)TK2MSFTNGP02.phx.gbl...
>> Hi there,
>> I have a Windows 2003 Server with IIS6 running multiple websites via
>> host headers. Only one of the sites has an SSL certificate, which
>> works just fine.
>>
>> I am in the middle of sorting out PCI DSS compliance and am using
>> www.hackerguardian.com to do the quarterly scans.
>>
>> For some reason some of the sites seem to be responding on port 443
>> with 200 OK status, so I am having to report lots of false positives
>> on these sites.
>>
>> I don't understand why this is happening and how to prevent it. I have
>> checked IIS and only one site has port 443 enabled. Is there something
>> I can do in IIS to stop this from happening?
>>
>> Cheers,
>>
>> Dooza
>
> If they are all sharing a single IP, then there's nothing you can do to
> stop this - the site host headers are not checked until after the
> initial SSL handshake has completed, so there's no way to block the
> sites that shouldn't be responding on port 443 if they are sharing an IP
> with one that does.

You are correct, I did a test last night by changing one of the sites to
another IP and now it works as expected. I am going to change all other
sites over to the non-SSL IP, then all will be well.

Thanks for confirming this for me.

Kind regards,

Dooza
From: Dan on

"Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message
news:eeT2Icp8KHA.1892(a)TK2MSFTNGP05.phx.gbl...
> On 13/05/2010 11:55, Dan wrote:
>>
>> "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message
>> news:OKDHRZO8KHA.1560(a)TK2MSFTNGP02.phx.gbl...
>>> Hi there,
>>> I have a Windows 2003 Server with IIS6 running multiple websites via
>>> host headers. Only one of the sites has an SSL certificate, which
>>> works just fine.
>>>
>>> I am in the middle of sorting out PCI DSS compliance and am using
>>> www.hackerguardian.com to do the quarterly scans.
>>>
>>> For some reason some of the sites seem to be responding on port 443
>>> with 200 OK status, so I am having to report lots of false positives
>>> on these sites.
>>>
>>> I don't understand why this is happening and how to prevent it. I have
>>> checked IIS and only one site has port 443 enabled. Is there something
>>> I can do in IIS to stop this from happening?
>>>
>>> Cheers,
>>>
>>> Dooza
>>
>> If they are all sharing a single IP, then there's nothing you can do to
>> stop this - the site host headers are not checked until after the
>> initial SSL handshake has completed, so there's no way to block the
>> sites that shouldn't be responding on port 443 if they are sharing an IP
>> with one that does.
>
> You are correct, I did a test last night by changing one of the sites to
> another IP and now it works as expected. I am going to change all other
> sites over to the non-SSL IP, then all will be well.
>
> Thanks for confirming this for me.
>
> Kind regards,
>
> Dooza

I think it's possible to get it working the way you originally had it under
IIS7, but on the browser side it will also require the SNI extension to TLS
(IE7 on Vista, and IE8 on Vista/W7/W2008 have this, for instance), as this
allows the browser to send the host name in the initial request before SSL
is negotiated and allows IIS to determine if the requested site has SSL
enabled or not. For a publicly accessible server where you have no control
over the browsers being used this just isn't possible even with IIS7, and
certainly not with IIS6 anyway as it does not support SNI.

--
Dan
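
The two answers above rest on one protocol fact: on a shared IP the server sees the HTTP Host header only after the TLS handshake has finished, so the only host name it can act on beforehand is the SNI extension in the ClientHello. The following added example (not code from the thread or from IIS) builds a minimal constructed ClientHello with and without SNI, parses the SNI field back out, and simulates the decision a server on one IP can make before completing the handshake. The site names and the `https_bindings` mapping are invented for illustration; `select_site` returns a `"no-sni"` reason for the IIS6 situation described above (every host behind the IP answers on 443 with the one bound certificate) and `"sni-unbound"` for what an SNI-aware server could do instead.

```python
"""Added example: extract SNI from a TLS ClientHello and show what a server on a
shared IP can decide before the handshake. Sample data is constructed inline."""
import os
import struct

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data).
    Real clients send many more cipher suites and extensions; this is just
    enough structure to exercise the SNI parsing path."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # host_name entry
        sn_list = struct.pack("!H", len(entry)) + entry             # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x2f"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name carried in the SNI extension, or None when the
    ClientHello has no SNI. Raises ValueError for anything that is not a
    well-formed ClientHello record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = ext_data[q]
            name_len = struct.unpack("!H", ext_data[q + 1:q + 3])[0]
            name = ext_data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                    # 0 = host_name
                return name.decode("idna")
    return None


def select_site(record, https_bindings, default_site):
    """Simulate the pre-handshake decision for one shared IP.
    https_bindings maps host name -> site that really has an SSL binding
    (hypothetical data). Without SNI the server learns nothing about the
    requested host before the handshake, so it must answer with the one
    certificate bound to the IP; the Host header arrives too late to refuse."""
    sni = extract_sni(record)
    if sni is None:
        return default_site, "no-sni"
    site = https_bindings.get(sni.lower())
    if site is None:
        return None, "sni-unbound"                # SNI-aware server can decline here
    return site, "sni-matched"


if __name__ == "__main__":
    bindings = {"shop.example.com": "shop"}
    for name in (None, "shop.example.com", "blog.example.com"):
        print(name, "->", select_site(build_client_hello(name), bindings, "shop"))
```

Running the block prints one line per scenario: the scanner-style hello without SNI lands on the default site regardless of which host it later asks for, which is exactly why the non-SSL sites showed up as answering on 443.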

From: Dooza on
On 13/05/2010 13:33, Dan wrote:
>
> "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message
> news:eeT2Icp8KHA.1892(a)TK2MSFTNGP05.phx.gbl...
>> On 13/05/2010 11:55, Dan wrote:
>>>
>>> "Dooza" <steveNO(a)SPAM.dooza.tv> wrote in message
>>> news:OKDHRZO8KHA.1560(a)TK2MSFTNGP02.phx.gbl...
>>>> Hi there,
>>>> I have a Windows 2003 Server with IIS6 running multiple websites via
>>>> host headers. Only one of the sites has an SSL certificate, which
>>>> works just fine.
>>>>
>>>> I am in the middle of sorting out PCI DSS compliance and am using
>>>> www.hackerguardian.com to do the quarterly scans.
>>>>
>>>> For some reason some of the sites seem to be responding on port 443
>>>> with 200 OK status, so I am having to report lots of false positives
>>>> on these sites.
>>>>
>>>> I don't understand why this is happening and how to prevent it. I have
>>>> checked IIS and only one site has port 443 enabled. Is there something
>>>> I can do in IIS to stop this from happening?
>>>>
>>>> Cheers,
>>>>
>>>> Dooza
>>>
>>> If they are all sharing a single IP, then there's nothing you can do to
>>> stop this - the site host headers are not checked until after the
>>> initial SSL handshake has completed, so there's no way to block the
>>> sites that shouldn't be responding on port 443 if they are sharing an IP
>>> with one that does.
>>
>> You are correct, I did a test last night by changing one of the sites
>> to another IP and now it works as expected. I am going to change all
>> other sites over to the non-SSL IP, then all will be well.
>>
>> Thanks for confirming this for me.
>>
>> Kind regards,
>>
>> Dooza
>
> I think it's possible to get it working the way you originally had it
> under IIS7, but on the browser side it will also require the SNI extension
> to TLS (IE7 on Vista, and IE8 on Vista/W7/W2008 have this, for instance),
> as this allows the browser to send the host name in the initial
> request before SSL is negotiated and allows IIS to determine if the
> requested site has SSL enabled or not. For a publicly accessible server
> where you have no control over the browsers being used this just isn't
> possible even with IIS7, and certainly not with IIS6 anyway as it does
> not support SNI.

I had seen some information about this, but like you, deemed it not a
solution when you have no control over your visitors' browsers.

Cheers,

Dooza