Solved

How to remove http header information using IIS7 and Request Filtering

Posted on 2014-12-24
Medium Priority
564 Views
Last Modified: 2015-01-28
I have a Windows 2008 server running IIS7.

I would like to enhance the server security by ensuring all hosted websites remove the following http header information:

Server
Set-Cookie
X-Powered-By

I would also like to remove any ASP.NET version information.

Are there any issues with removing these fields?
Question by:mike99c

9 Comments
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40516962
If you remove Set-Cookie in the response headers, sessions and login methods will stop working.  A lot of software depends on Set-Cookie.
Author Comment

by:mike99c
ID: 40517094
OK, thanks Dave. I didn't know that this actually removed the session cookies feature. I thought it was only information.

However the problem I have is that the header returns the following for Set-Cookie:

ASPSESSIONIDSARTCSQB=GDOLOIDBDBFMNBPGMEHFACPN; path=/

And this obviously gives away the fact that the server uses ASP and is therefore likely to be a Windows server with IIS.

Is there a way to mask the ASP part of the string but still make it work?
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40517133
Not that I know of.  If you are running any pages with 'asp' or 'aspx' file extensions, that gives it away too, since it has to be a Windows Server with IIS to run those pages.  Removing Set-Cookie blocks ALL cookies from your server and applications, which would upset most of your users since most web sites use cookies for something.

The things you are talking about, Server, Set-Cookie, X-Powered-By, are very minor in terms of security.  Other things like the file extensions give all that info away already.  I can usually look at the source code for a page and tell you that too.

I simply wouldn't bother.  Users and the way applications are written are much more serious in terms of security.

Author Comment

by:mike99c
ID: 40517412
Just to confirm, our website links do not reveal the file name extension at all, even if you view source.

I simply want the http header to remove any indication that it is a windows server as it would assist hack bots in fine tuning their exploit scripts.
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40517415
If it's a public site, give me a link.
Author Comment

by:mike99c
ID: 40517418
I'd rather not reveal the link here as I have already revealed we use Windows server.

However here is the header information for one of the websites:

Cache-Control: private
Content-Length: 52676
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQQTDAQSC=FBCPFJFBJOHJMJJMECBAKNLP; path=/
X-Powered-By: ASP.NET
Date: Wed, 24 Dec 2014 22:06:23 GMT

So the purpose of this post is about using Request Filtering to remove "Server" and "X-Powered-By" and to somehow change "Set-Cookie" so it does not expose the fact it is using ASP.

Whether or not the website itself may reveal it is using ASP is another matter. I am looking into a first line of defence by making sure the automated hack bots do not target our server based on the fact it knows what operating system is being used.
LVL 84

Accepted Solution

by:Dave Baldwin (earned 1500 total points)
ID: 40517433
'Server' and 'X-Powered-By' can be removed without any problems.  Changing the 'name' for the session cookie in 'Set-Cookie' is probably possible.  See here:  http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.cookiename%28v=vs.110%29.aspx  I found a couple of other suggestions but when I went to the Microsoft page, it was 404.

You can do all this, but it is not the "first line of defence".  Hackers look for forms with usernames and passwords and possible access to databases through SQL injection.  Also FTP usernames and passwords, so they can upload files that replace the ones that are on your server with files that do what they want.  These things are not unique to Windows IIS... or Apache or nginx on any operating system.
Author Comment

by:mike99c
ID: 40517480
Thanks for the feedback Dave. I am aware of the other security issues which I have dealt with separately. This post is purely about filtering the http header so as to hide the fact it uses IIS and ASP. This will cover the majority of automated hack bots.

Regarding the main question of this post. Are you aware of how to achieve all this using Request Filtering? This is already pre-installed with IIS7 and supersedes URLScan.
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40517481
No.  It looked like you had a good link in your previous question.
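As an added example (not from this thread, and not Microsoft's own sample), here is a web.config fragment that handles the headers discussed above for an ASP.NET application on IIS 7.x, with the accepted answer's cookieName setting included. It assumes an ASP.NET site under the integrated pipeline; the cookie name `sid` is a constructed value, and note that the `ASPSESSIONIDxxxx` cookie seen in the question is issued by classic ASP, not ASP.NET, so the `sessionState` setting does not rename it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET only: suppresses the X-AspNet-Version response header
         (the "ASP.NET version information" asked about above). -->
    <httpRuntime enableVersionHeader="false" />

    <!-- ASP.NET only: renames the ASP.NET_SessionId cookie to an
         unremarkable name. "sid" is a constructed example. Classic ASP's
         ASPSESSIONIDxxxx cookie has a fixed name and is NOT changed here. -->
    <sessionState cookieName="sid" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Removes "X-Powered-By: ASP.NET". This works at the IIS level,
             so it covers classic ASP pages and static files as well. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>

    <!-- Caveat: on IIS 7.x the "Server: Microsoft-IIS/7.5" header cannot be
         removed with <customHeaders> or with Request Filtering; the
         requestFiltering removeServerHeader attribute only exists from
         IIS 10 onward. On 7.x it takes URLScan (RemoveServerHeader=1) or a
         managed HttpModule that removes the header before it is sent. -->
  </system.webServer>
</configuration>
```

After deploying, re-check the response with the same header dump shown above: X-Powered-By and X-AspNet-Version should be gone, while Set-Cookie still appears (with the new name for ASP.NET sessions) so that logins keep working.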