Discussion on:

Workarounds for hiding your Web server's identity from hackers

You can only make a server so hack-proof, and it seems deterrence is a better answer than prevention. Can law enforcement really do anything to discourage hackers from attacking you beforehand?

.. to just not use Microsoft Crapware in the first place?

because the development tools for Linux are crap and using "crapware" allows us to quickly and cost-effectively roll out and customize services for our customers, which keeps them our customers. But then again we use Great Plains, SQL, etc. so we're kindof married to 'em anyway. Works for us!

The problem is, even if you "disguise" your IIS(it is sh*t) box it will still answer when the trojans and hackers come-a-callin'! I run a realaudio server on a linux box, (a p200/64mb of ram), and the logs are full of requests from sql/iis/win exploits. Granted no software is completely bugproof, but come on, as much as you are going to pay for win2k/iis or win2k3/iis6 it should damn well be secure AND USABLE, in my experience once a windows box is secure it is pretty much unusable... 2?

You secured it wrong. IME, the real problem with MS products are admins like you who have no idea what they're doing being put in charge of 'em. IIS, like most products, ship from MS unsecure, everyone knows that, yet people like you continue to plug 'em into the net without securing them first, and then blaming MS for the failing.

Try using the "Securing IIS Checklist" at MS' site. You'll find that about 90-95% of all the IIS hacks that have come out in the last 2-3 years would be avoided by just following that checklist. AND, the server would still be able to do everything you'd need it to.

Conversely, Apache is relatively secure out of the box, however, due to poor documentation, it's almost impossible to secure it further without spending weeks going through every option.

You can also remap the file extensions that end users see.

html = aspx
htm = asp

and so on