Hidden IIS header information

Posted on 2006-06-05
Last Modified: 2008-05-29

My current IIS server (hosting a web site written in ASP.NET) was tested by a security consultant. My server was identified as IIS/5.0, and the test also identified that NTLM authentication is in use.

Is there any way to block this information from being found externally?

Question by:AXISHK
    LVL 30

    Expert Comment

    No W3 consortium specs...this is incorporated
    LVL 30

    Expert Comment

    those are server variables

    Visit the link below for more info on the W3C specifications
    LVL 14

    Accepted Solution

    You have 2 options:
    1) Download URLScan from Microsoft,
    install it, and in urlscan.ini change the key from 0 to 1:
    RemoveServerHeader=1           ; If 1, remove the 'Server' header from response.

    2) (a freeware tool that patches W3SVC.DLL)
    I prefer the Microsoft solution to the binary patch; URLScan is a nice tool to protect IIS.
     Also remove the custom header X-Powered-By: ASP.NET

    For the NTLM challenge response, disable it
     (select your web site -> Properties -> Directory Security -> Authentication and access control, Edit -> uncheck Integrated Windows authentication)

    how to mask IIS

    Remember, other services (SMTP, FTP) are exposing the identity of your server.


    Author Comment

    #1 couldn't work on my IIS (5.0) and I could still see detail in the HTTP header. #2 seems to work fine, but afterwards I found that my ASP application (written by an external company) couldn't work anymore and I needed to fall back to my original status.

    Any possible reason for this? Does it mean the application needs to use the HTTP header to transfer some information (e.g. session, cookies) and the solution will also disable this transfer?

    LVL 14

    Expert Comment

    I verified URLScan on IIS 5.0 and it was OK, the server header disappeared, or
     you can change (not remove) the server header too.
    Try again; URLScan is a Microsoft product, it is supported, and this security tool helps prevent potentially harmful requests from reaching the server.

    CHANGE SERVER HEADER. Modify urlscan.ini and then, from a command prompt, run iisreset:

    RemoveServerHeader=0           ; If 1, remove the 'Server' header from response.
    ; If RemoveServerHeader is 0, then AlternateServerName can be
    ; used to specify a replacement for IIS's built in 'Server' header

    You can't remove all headers; yes, they are used to transfer information (session, MIME file type, compressed HTML, etc.).
    It is probably better to change the banner header (masking your IIS to be an Apache server) than to remove it...

    This is a communication between a client and my IIS with the header modified, and you can see some non-fundamental headers:
     X-Powered-By: ASP.NET

    GET / HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
    Accept-Language: it
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: localhost
    Connection: Keep-Alive
    Cookie: WEBTRENDS_ID=

    HTTP/1.1 200 Ok
    Date: Tue, 06 Jun 2006 21:02:46 GMT
    X-Powered-By: ASP.NET
    Content-Type: text/html
    Server: GasWWWserver
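
To confirm that the changes discussed in this thread took effect, the following added example (not part of the original posts) parses a raw HTTP response and lists the headers that still disclose the platform or advertise Integrated Windows authentication. The first sample is the response quoted above; the second is a constructed response from an unhardened server, and all function names are hypothetical.

```python
"""Audit a raw HTTP response for headers that disclose server identity."""

# Response quoted in the thread (Server header replaced via urlscan.ini).
MASKED = (
    "HTTP/1.1 200 Ok\r\n"
    "Date: Tue, 06 Jun 2006 21:02:46 GMT\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n"
    "Server: GasWWWserver\r\n\r\n"
)
# Constructed sample: default banner with Integrated Windows auth enabled.
DEFAULT = (
    "HTTP/1.1 401 Access Denied\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Return [(lowercased name, value)] in wire order, keeping repeats."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Return the (name, value) pairs that still leak platform details."""
    findings = []
    for name, value in parse_headers(raw):
        low = value.lower()
        if name == "server" and ("iis" in low or "microsoft" in low):
            findings.append((name, value))      # real product banner
        elif name == "x-powered-by":
            findings.append((name, value))      # framework disclosed
        elif name == "www-authenticate" and low.split()[:1] in (["ntlm"], ["negotiate"]):
            findings.append((name, value))      # Integrated Windows auth offered
    return findings

if __name__ == "__main__":
    for label, raw in (("masked", MASKED), ("default", DEFAULT)):
        print(label, audit_response(raw))
```

Run against the response quoted in the thread, the only remaining finding is X-Powered-By, which matches the advice to remove that custom header as well.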
