I guess for auditors as well it is an indicator that you are doing something to reduce the attack profile of the system. If you have changed the server headers, then you probably have cleaned up other things like removing unneeded cgi-bins, etc.
I reckon at least half of the CIOs out there would probably give the game away with a simple seemingly innocuous phone-call - "I'm from XYZ Magazine, and we are doing a 10 second poll on what platform people are using for their external facing webservers. Are you using Windows or Linux? If Linux, are you using SuSE, Redhat or something else? Thank you for your time .... click" (Of course the other half of the CIOs probably don't know what an operating system is :-)
As a general answer in my opinion, security by obscurity usually doesn't work out to be much safer in the long run.
Regards, Martin
On 7/31/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
G'day
my customer has said:
---------------------------------------------------------------------------
When you have a minute can you please configure our apache server error
pages to not list the webserver build and operating system as it is a
security risk.
For example if I go to www.edc.com.au/fred I get the following information
Apache/2.0.53 (Linux/SUSE)
---------------------------------------------------------------------------
I can conceive it being a slight risk, in that 'don't bother with all the
winders files'.
Am I naive, is there a risk letting the world know WHAT os and web server you
run?
Thanks
James
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
--
Martin Visser
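A way to check the customer's request once the configuration has been changed, as an added example that is not part of the original thread: in Apache httpd, `ServerTokens Prod` reduces the `Server` header to `Apache`, and `ServerSignature Off` drops the footer line on server-generated error pages. The two responses below are constructed samples (the host `www.example.com` is a placeholder) and the function names are hypothetical.

```python
import re

# Product token with a version, e.g. "Apache/2.0.53".
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")
# Parenthesised platform comment, e.g. "(Linux/SUSE)".
PLATFORM_RE = re.compile(r"\(([^()]*)\)")
# Footer line httpd appends to its generated error pages.
SIGNATURE_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)

def split_response(raw):
    """Split a raw HTTP response into (headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body

def audit_banner(raw):
    """Return (location, kind, value) for each build/OS detail disclosed."""
    headers, body = split_response(raw)
    sources = [("Server header", headers.get("server", ""))]
    sources += [("error-page signature", s) for s in SIGNATURE_RE.findall(body)]
    findings = []
    for where, text in sources:
        for product, version in VERSION_RE.findall(text):
            findings.append((where, "version", f"{product}/{version}"))
        for platform in PLATFORM_RE.findall(text):
            findings.append((where, "platform", platform))
    return findings

# Constructed sample responses (not captured from any real server).
BEFORE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.0.53 (Linux/SUSE)\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1><hr>\n"
    "<address>Apache/2.0.53 (Linux/SUSE) Server at www.example.com Port 80"
    "</address>\n</body></html>"
)
AFTER = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_banner(raw) or "no build or OS details disclosed")
```

The same function can be pointed at a saved response from a request for a non-existent path, which is where the signature footer shows up.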
