
Hidden IIS header information

My current IIS server (hosting a web site written in ASP.NET) was tested by one of the security consultants. My server was identified as IIS/5.0, and it was also identified that NTLM authentication is in use.

Is there any way to block this information from being searched by external parties?

1 Solution
Irwin Santos (Computer Integration Specialist) commented:
No... by W3 consortium specs... this is incorporated.
Irwin Santos (Computer Integration Specialist) commented:
Those are server variables.

Visit the link below for more info on the W3C specifications.
You have 2 options:
1) Download urlscan from Microsoft: http://www.microsoft.com/technet/security/tools/urlscan.mspx
   Install it and change the key in urlscan.ini from 0 to 1:
   RemoveServerHeader=1           ; If 1, remove the 'Server' header from response.

2) http://www.snapfiles.com/get/iisbanner.html (a freeware tool that patches W3SVC.DLL)
I prefer the Microsoft solution to the binary patch; urlscan is a nice tool to protect IIS.
Also remove the custom header X-Powered-By: ASP.NET.

For the NTLM challenge response, disable it
(select your web site -> Properties -> Directory Security -> Authentication and access control -> Edit -> uncheck Integrated Windows Authentication).

How to mask IIS

Remember that other services (SMTP, FTP) are also exposing the identity of your server.

AXISHK (Author) commented:
#1 couldn't work on my IIS (5.0), and I could still see the details in the HTTP header. #2 seemed to work fine, but afterwards I found that my ASP application (written by an external company) couldn't work anymore, and I needed to fall back to my original status.

Is there any possible reason for this? Does it mean the application needs to use the HTTP header to transfer some information (e.g. session, cookies), and the solution also disables this transfer?

I verified urlscan on IIS 5.0 and it was OK: the server header disappeared, or
you can change (not remove) the server header too.
Try again; urlscan is a Microsoft product, it is supported, and this security tool helps prevent potentially harmful requests from reaching the server.

CHANGE SERVER HEADER: modify urlscan.ini and then, from a command prompt, run iisreset:

RemoveServerHeader=0           ; If 1, remove the 'Server' header from response.
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header

You can't remove all headers; yes, they are used to transfer information (session, MIME file type, compressed HTML, etc.).
It is probably better to change the banner header (masking your IIS as an Apache server) than to remove it...

This is a communication between my IIS with the header modified, and you can see some non-fundamental headers such as
X-Powered-By: ASP.NET

GET / HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: it
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: localhost
Connection: Keep-Alive

HTTP/1.1 200 Ok
Date: Tue, 06 Jun 2006 21:02:46 GMT
X-Powered-By: ASP.NET
Content-Type: text/html
Server: GasWWWserver
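To verify the masking discussed in this thread from the defender's side, here is an added example (not code from the thread or from urlscan) that parses a raw HTTP response and lists the headers that still disclose the platform: Server, X-Powered-By, and a WWW-Authenticate challenge advertising NTLM or Negotiate. The two sample responses are constructed, modelled on the exchange posted above.

```python
"""Check a raw HTTP response for headers that reveal the server identity."""

# Headers that identify the platform (names compared case-insensitively).
IDENTIFYING_HEADERS = {"server", "x-powered-by"}
# WWW-Authenticate only matters when it advertises integrated Windows auth.
NTLM_SCHEMES = ("ntlm", "negotiate")


def parse_response_headers(raw):
    """Return {lower-case header name: [values]} for a raw HTTP/1.x response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # a header may repeat, e.g. two WWW-Authenticate challenges
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint_findings(raw):
    """List 'name: value' strings for headers that disclose identity or NTLM."""
    headers = parse_response_headers(raw)
    findings = []
    for name in sorted(IDENTIFYING_HEADERS & headers.keys()):
        findings.extend(f"{name}: {value}" for value in headers[name])
    for value in headers.get("www-authenticate", []):
        if value.lower().startswith(NTLM_SCHEMES):
            findings.append(f"www-authenticate: {value}")
    return findings


# Constructed sample: an unmasked IIS 5.0 response with integrated Windows auth.
UNMASKED_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\nServer: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: NTLM\r\nWWW-Authenticate: Negotiate\r\n"
    "X-Powered-By: ASP.NET\r\nContent-Type: text/html\r\n\r\n<html>"
)
# Constructed sample modelled on the posted exchange: banner changed by urlscan,
# but X-Powered-By still present.
MASKED_RESPONSE = (
    "HTTP/1.1 200 Ok\r\nDate: Tue, 06 Jun 2006 21:02:46 GMT\r\n"
    "X-Powered-By: ASP.NET\r\nContent-Type: text/html\r\nServer: GasWWWserver\r\n\r\n"
)

if __name__ == "__main__":
    for label, resp in (("unmasked", UNMASKED_RESPONSE), ("masked", MASKED_RESPONSE)):
        print(label, fingerprint_findings(resp))
```

Run it against a response captured from your own server after applying the urlscan change; an empty list for the masked case means both the banner and the X-Powered-By header are gone.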