Solved

How to remove http header information using IIS7 and Request Filtering

Posted on 2014-12-24
9
387 Views
Last Modified: 2015-01-28
I have a Windows 2008 server running IIS7.

I would like to enhance the server security by ensuring all hosted websites remove the following http header information:

Server
Set-Cookie
X-Powered-By

I would also like to remove any ASP.NET version information.

Are there any issues with removing these fields?
0
Comment
Question by:mike99c
  • 5
  • 4
9 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40516962
If you remove Set-Cookie in the response headers, sessions and login methods will stop working.  A lot of software depends on Set-Cookie.
0
 

Author Comment

by:mike99c
ID: 40517094
Ok thanks Dave, I didn't know that this actually removed the session cookies feature. I thought it was only information.

However the problem I have is that the header returns the following for Set-Cookie:

ASPSESSIONIDSARTCSQB=GDOLOIDBDBFMNBPGMEHFACPN; path=/

And this obviously gives away the fact that the server uses ASP and is therefore likely to be a Windows server with IIS.

Is there a way to mask the ASP part of the string but still make it work?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40517133
Not that I know of.  If you are running any pages with 'asp' or 'aspx' file extensions, that gives it away too since it Has to be a Windows Server with IIS to run those pages.  Removing Set-Cookie blocks ALL cookies from your server and applications which would upset most of your users since most web sites use cookies for something.

The things you are talking about, Server, Set-Cookie, X-Powered-By, are very minor in terms of security.  Other things like the file extensions give all that info away already.  I can usually look at the source code for a page and tell you that too.

I simply wouldn't bother.  Users and the way applications are written are much more serious in terms of security.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:mike99c
ID: 40517412
Just to confirm, our website links do not reveal the file name extension at all, even if you view source.

I simply want the http header to remove any indication that it is a windows server as it would assist hack bots in fine tuning their exploit scripts.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40517415
If it's a public site, give me a link.
0
 

Author Comment

by:mike99c
ID: 40517418
I'd rather not reveal the link here as I have already revealed we use Windows server.

However here is the header information for one of the websites:

Cache-Control	private
Content-Length	52676
Content-Type	text/html
Server	Microsoft-IIS/7.5
Set-Cookie	ASPSESSIONIDQQTDAQSC=FBCPFJFBJOHJMJJMECBAKNLP; path=/
X-Powered-By	ASP.NET
Date	Wed, 24 Dec 2014 22:06:23 GMT

Open in new window


So the purpose of this post is about using Request Filtering to remove "Server" and "X-powered-By" and to somehow change "Set-Cookie" so it does not expose the fact it is using ASP.

Whether or not the website itself may reveal it is using ASP is another matter. I am looking into a first line of defence by making sure the automated hack bots do not target our server based on the fact it knows what operating system is being used.
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40517433
'Server' and 'X-Powered-By' can be removed without any problems.  Changing the 'name' for the session cookie in 'Set-Cookie' is probably possible.  See here:  http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.cookiename%28v=vs.110%29.aspx  I found a couple of other suggestions but when I went to the Microsoft page, it was 404.

You can do all this but it is not the "first line of defence".  Hackers look for forms with usernames and passwords and possible access to databases thru SQL injection.  Also FTP usernames and passwords so they can upload files that replace the ones that are on your server with files that do what they want.  These things are not unique to Windows IIS... or Apache or nginx on any operating system.
0
 

Author Comment

by:mike99c
ID: 40517480
Thanks for the feedback Dave. I am aware of the other security issues which I have dealt with separately. This post is purely about filtering the http header so as to hide the fact it uses IIS and ASP. This will cover the majority of automated hack bots.

Regarding the main question of this post. Are you aware of how to achieve all this using Request Filtering? This is already pre-installed with IIS7 and supersedes URLScan.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40517481
No.  It looked like you had a good link in your previous question.
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SBS 2007 remove AD ? 10 61
IIS 8 works fine locally but not over the network 2 17
Active Directory uninstall Windows 2008 R2 6 80
Locating a GPO setting 3 26
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question