Dan
asked on
removing hte server signature in IIS 7.5
How do I remove the Server Signature "On, Microsoft-IIS/7.5 ASP.NET 4.0.30319" in IIS 7.5?
There's this SEO report that shows that our web server lists this info and I want to remove it.
There's this SEO report that shows that our web server lists this info and I want to remove it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
urlscan is run on the iis server
ASKER
ve3ofa, I'm not sure what you mean by that.
You download and install the latest version of url scan
Once URLScan is installed, please open and modify the UrlScan.ini file in this location: %windir%\system32\inetsrv\ urlscan\Ur lScan.ini
Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:
[DenyQueryStringSequences]
aspxerrorpath=
In addition, tilde characters can be added to [DenyUrlSequences] to deny it in the urls.
[DenyUrlSequences]
~
The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return a HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.
Lastly, set the AlternateServerName= variable to:
AlternateServerName=Apache
After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect. Alternatively, reboot your server.
Note: For more information about URLScan please visit: http://www.iis.net/learn/extensions/working-with-urlscan
Once URLScan is installed, please open and modify the UrlScan.ini file in this location: %windir%\system32\inetsrv\
Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences]
[DenyQueryStringSequences]
aspxerrorpath=
In addition, tilde characters can be added to [DenyUrlSequences] to deny it in the urls.
[DenyUrlSequences]
~
The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return a HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.
Lastly, set the AlternateServerName= variable to:
AlternateServerName=Apache
After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect. Alternatively, reboot your server.
Note: For more information about URLScan please visit: http://www.iis.net/learn/extensions/working-with-urlscan
ASKER
THanks for your help, I had my web developer create the script and I think it's now working.
ASKER
The third link looks like it might, but I have to write code to just remove the server signature, is it not an option setting somewhere in IIS?