Solved

How to remove http header information using IIS7 and Request Filtering

Posted on 2014-12-24
9
487 Views
Last Modified: 2015-01-28
I have a Windows 2008 server running IIS7.

I would like to enhance the server security by ensuring all hosted websites remove the following http header information:

Server
Set-Cookie
X-Powered-By

I would also like to remove any ASP.NET version information.

Are there any issues with removing these fields?
0
Comment
Question by:mike99c
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40516962
If you remove Set-Cookie in the response headers, sessions and login methods will stop working.  A lot of software depends on Set-Cookie.
0
 

Author Comment

by:mike99c
ID: 40517094
Ok thanks Dave, I didn't know that this actually removed the session cookies feature. I thought it was only information.

However the problem I have is that the header returns the following for Set-Cookie:

ASPSESSIONIDSARTCSQB=GDOLOIDBDBFMNBPGMEHFACPN; path=/

And this obviously gives away the fact that the server uses ASP and is therefore likely to be a Windows server with IIS.

Is there a way to mask the ASP part of the string but still make it work?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40517133
Not that I know of.  If you are running any pages with 'asp' or 'aspx' file extensions, that gives it away too since it Has to be a Windows Server with IIS to run those pages.  Removing Set-Cookie blocks ALL cookies from your server and applications which would upset most of your users since most web sites use cookies for something.

The things you are talking about, Server, Set-Cookie, X-Powered-By, are very minor in terms of security.  Other things like the file extensions give all that info away already.  I can usually look at the source code for a page and tell you that too.

I simply wouldn't bother.  Users and the way applications are written are much more serious in terms of security.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 

Author Comment

by:mike99c
ID: 40517412
Just to confirm, our website links do not reveal the file name extension at all, even if you view source.

I simply want the http header to remove any indication that it is a windows server as it would assist hack bots in fine tuning their exploit scripts.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40517415
If it's a public site, give me a link.
0
 

Author Comment

by:mike99c
ID: 40517418
I'd rather not reveal the link here as I have already revealed we use Windows server.

However here is the header information for one of the websites:

Cache-Control	private
Content-Length	52676
Content-Type	text/html
Server	Microsoft-IIS/7.5
Set-Cookie	ASPSESSIONIDQQTDAQSC=FBCPFJFBJOHJMJJMECBAKNLP; path=/
X-Powered-By	ASP.NET
Date	Wed, 24 Dec 2014 22:06:23 GMT

Open in new window


So the purpose of this post is about using Request Filtering to remove "Server" and "X-powered-By" and to somehow change "Set-Cookie" so it does not expose the fact it is using ASP.

Whether or not the website itself may reveal it is using ASP is another matter. I am looking into a first line of defence by making sure the automated hack bots do not target our server based on the fact it knows what operating system is being used.
0
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40517433
'Server' and 'X-Powered-By' can be removed without any problems.  Changing the 'name' for the session cookie in 'Set-Cookie' is probably possible.  See here:  http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.cookiename%28v=vs.110%29.aspx  I found a couple of other suggestions but when I went to the Microsoft page, it was 404.

You can do all this but it is not the "first line of defence".  Hackers look for forms with usernames and passwords and possible access to databases thru SQL injection.  Also FTP usernames and passwords so they can upload files that replace the ones that are on your server with files that do what they want.  These things are not unique to Windows IIS... or Apache or nginx on any operating system.
0
 

Author Comment

by:mike99c
ID: 40517480
Thanks for the feedback Dave. I am aware of the other security issues which I have dealt with separately. This post is purely about filtering the http header so as to hide the fact it uses IIS and ASP. This will cover the majority of automated hack bots.

Regarding the main question of this post. Are you aware of how to achieve all this using Request Filtering? This is already pre-installed with IIS7 and supersedes URLScan.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40517481
No.  It looked like you had a good link in your previous question.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question