Overview
Microsoft IIS loves to tell the world that a website runs on IIS. It does so with the Serverheader in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? 😉
Affected versions
IIS 7.0
IIS 7.5
IIS 8.0
IIS 8.5
Solution
- Install the latest version of URLScan 3.1. Select the correct version as per your OS (64-bit or 32-bit)
- Enable ‘ISAPI Filters’ for your webserver. This is necessary for URLScan to be able to modify the sever parameters.
- Open the IIS Manger (inetmgr) module.
- We select our ‘website’ from the left hand menu. A new option should be available called ‘ISAPI Filters’
- In the ISAPI Filters module, we need to add a new filter. We define the filter name(e.g. DisableIISHeader). The executable to be selected is the URLScan DLL – available in usual location – C:\Windows\System32\inetsrv\urlscan\urlscan.dll
- The filter is now active.
- We will need to modify the URLScan parameter file (urlscan.ini). Default location is C:\Windows\System32\inetsrv\urlscan
- Change the value of the ‘RemoveServerHeader’ parameter to 1
- If all the steps went smoothly, we should be able to verify that the issue has been closed
- You can verify the issue with the following commands:
How to Verify
At the command prompt, type the following
$>telnet<ip_address><port> $>HEAD / HTTP/1.0 (enter) (enter)
Cheers
Follow me on Linkedin My Profile Follow DevopsJunction onFacebook orTwitter For more practical videos and tutorials. Subscribe to our channel
Signup for Exclusive "Subscriber-only" Content
