My environment setup:
HTTP request > IIS ARR > IIS hosting UI > Backend Services.
Pen test from an external source hitting the public-facing site hosted on ARR. The pen test is finding the following, and I want to know if anyone has some ideas on how to remediate. Can I filter or remove the response, similar to removing the ASP version header information? Reduce the scope of the NTLM response to a domain or subnet? Use an ARR outbound rule, etc.?
Host information can be enumerated using NTLM over HTTP in a manner similar to NTLM authentication over SMB, in which remote host information can be enumerated by sending anonymous credentials. By sending an NTLM authentication request with null domain and user credentials (passed in the ‘Authorization’ header), the remote web server will respond with an NTLMSSP message (encoded within the ‘WWW-Authenticate’ header) and disclose information including NetBIOS, DNS, and OS build version.
Thanks!