Networking / Beginners

Finding Rogue Web Servers

For a network administrator, the only thing worse than having a Web server and knowing that it is not 100 percent secure even after locking it down, is having a Web server on the network that they are not aware exists. These are sometimes called rogue Web servers, and they can come about in two ways. It is possible that a user on the network has intentionally configured Web services on their machine. While this used to require a user to be technologically savvy in the past,Windows OSes provide Internet Information Services (IISes) as a component that is relatively easy to set up and configure on a machine that's not properly locked down. More often, however, rogue Web servers are deployed unintentionally. If administrators are not careful, when they install Windows (especially a member of the Server family) on a network computer, they can create a new Web server without even realizing it. When a Web server is present on a network without the knowledge of network administrators, the precautions necessary to secure that system are not taken, thus making the system (and through it, the entire network) vulnerable to every out-of-the-box exploit and attack for that Web server.

Hunting Down Rogue Web Servers

To check a system very quickly to determine if a local Web server is running without your knowledge, you can use a Web browser to access http://localhost/. This is called the loopback URL. If no Web server is running, you should see an error stating that you are unable to access the Web server. If you see any other message or a Web page (including a message advising that the page is under construction or coming soon), that computer is running a Web server locally. Once you discover the existence of such a server, you must either secure, remove, or disable it. Otherwise, the system will remain insecure. Other ways to discover the existence of a Web server is by checking services and running processes (for example, inetinfo.exe), but the quickest way to check on any platform is to quickly look at the loopback URL.

To check for rogue Web servers across a network, you should use Nmap to scan for port 80 traffic. This is done by opening the command prompt by typing NMAP -p80 <IP address>. For example, if you were searching for a range of IP addresses on your network from 198.100.10.2-198.100.10.200, you would enter NMAP -p80 198.100.10.2-200, and then look for any application banners grabbed so you can compare them to a listing of known Web servers on your network. One of the benefits of using this method is that NMAP can be used with scripts, which you can run on a routine basis to check for rogue Web servers on your network.

Finding and Disabling Rogue Web Servers

  1. At any workstation or server type http://localhost. This is the loopback address found in your HOSTS file that maps to 127.0.0.1 (the loopback Internet Protocol (IP) address). After entering this URL, you should see a default Web page. This indicates you have a Web server running.
  2. Another way to find out if IIS is installed and running is to go to the Task Manager utility (found in the Taskbar properties), and look for the Inetinfo.exe process running. This is an indicator that IIS is running on your system. One way to disable the Web server is to open the Internet Information Services MMC found in the Administrative tools folder in the Control Panel and find the running Web site. You can then right-click on it and choose to stop the service from the context menu.
  3. In Windows, go to the Services MMC within the Administrative tools folder in your Control Panel. If you find the World Wide Web (WWW) Publishing service running and it is either set to Automatic or Manual, then it is installed and able to run. If the Status is set to "Started" then you are currently running a Web server. By viewing the properties of this service, you'll find that the path to the executable points to the inetinfo.exe process. You can change the Startup type from Automatic (or Manual) to Disabled. This will disable the service without removing it altogether (in case you should want to run a Web server on this machine in the future).
  4. Another quick way to see if you are running a rogue Web server is to go to a command prompt and type netstat -na. On the second line you can see that you have TCP port 80 LISTENING. This means that you are using the HTTP service on your machine, which again, indicates that you have a Web server running. You'll also notice that the Web server is listening on port 443, meaning that it was either intentional (as a certificate had to be installed to turn on Hypertext Transfer Protocol Secure sockets [HTTPS]) or someone configured the server to listen on that port in addition to port 80. Because HTTPS is being used, it is possible that the user might be testing an application using HTTPS, or it is a server not in the current list of Web servers on your network.
    Port 80 is the default port on which a Web server listens for requests from Web clients. However, Web servers can also be configured to listen on a different port, so the fact that this port is not listed does not guarantee that there is no Web server running.
  5. Another way to check for a Web server is to go to the Control Panel and open the Add/Remove Programs applet. If you navigate to Add/Remove Windows Components, you can check to see if you have IIS checked off, which would also indicate that the Web server software is installed. You can see that IIS is checked so that it is installed. To completely remove the Web server, make sure it is not checked at all; this means it will not be installed (or will be uninstalled if it has already been installed).
[Previous] [Contents] [Next]