Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How can I mask IIS7 server information without using ServerMask

Posted on 2014-12-23
4
182 Views
Last Modified: 2014-12-24
I have a windows 2008 server running IIS7. I would like to mask the server information from hackers and I am familiair with a tool called ServerMask: http://www.port80software.com/products/servermask/

I would like to know if server masking can be achieved natively by just using IIS7.
0
Comment
Question by:mike99c
  • 2
4 Comments
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40515932
I use this in my default web.config
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
</system.webServer>
0
 
LVL 33

Expert Comment

by:shalomc
ID: 40516056
I can fully understand when someone does not want to install additional software on sensitive servers, because of regulations, security or compliance.

In those cases I use a reverse proxy in front of the web server. There are commercial solutions like aiscaler, and open source solutions like Varnish, and CDN services like Fastly or Akamai.
A CDN service like those mentioned has the additional benefit of accelerating your entire application, but it is relevant only if the web site is public.
0
 

Author Comment

by:mike99c
ID: 40516113
Thanks Aaron.

When I analyse my header information I also found the following which would give away the fact that I have a windows server:

Server      Microsoft-IIS/7.5      This web server is running Microsoft-IIS/7.5

Set-Cookie      ASPSESSIONIDQCRQBTQA=AKGLKIHACFFCKPBFFEBFLOOE; path=/      The web site is trying to set a cookie (per RFC2109), with the following information: ASPSESSIONIDQCRQBTQA=AKGLKIHACFFCKPBFFEBFLOOE; path=/

I tried modifying web.config as follows:

            <customHeaders>
                <remove name="X-Powered-By" />
                <remove name="Server" />
                <remove name="Set-Cookie" />
            </customHeaders>

Unfortunately it did not remove Server and Set-Cookie.
0
 
LVL 39

Accepted Solution

by:
Aaron Tomosky earned 500 total points
ID: 40516661
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question