Solved

How to remove http header information using IIS7 and Request Filtering

Posted on 2014-12-24
645 Views
Last Modified: 2015-01-28
I have a Windows 2008 server running IIS7.

I would like to enhance the server security by ensuring all hosted websites remove the following http header information:

Server
Set-Cookie
X-Powered-By

I would also like to remove any ASP.NET version information.

Are there any issues with removing these fields?
Question by:mike99c
9 Comments
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 40516962
If you remove Set-Cookie in the response headers, sessions and login methods will stop working.  A lot of software depends on Set-Cookie.
 

Author Comment

by:mike99c
ID: 40517094
OK, thanks Dave, I didn't know that this actually removed the session cookie feature. I thought it was only information.

However the problem I have is that the header returns the following for Set-Cookie:

ASPSESSIONIDSARTCSQB=GDOLOIDBDBFMNBPGMEHFACPN; path=/

And this obviously gives away the fact that the server uses ASP and is therefore likely to be a Windows server with IIS.

Is there a way to mask the ASP part of the string but still make it work?
 

Expert Comment

by:Dave Baldwin
ID: 40517133
Not that I know of.  If you are running any pages with 'asp' or 'aspx' file extensions, that gives it away too, since it has to be a Windows Server with IIS to run those pages.  Removing Set-Cookie blocks ALL cookies from your server and applications, which would upset most of your users, since most web sites use cookies for something.

The things you are talking about, Server, Set-Cookie, X-Powered-By, are very minor in terms of security.  Other things like the file extensions give all that info away already.  I can usually look at the source code for a page and tell you that too.

I simply wouldn't bother.  Users and the way applications are written are much more serious in terms of security.
 

Author Comment

by:mike99c
ID: 40517412
Just to confirm, our website links do not reveal the file name extension at all, even if you view source.

I simply want the HTTP header to remove any indication that it is a Windows server, as it would assist hack bots in fine-tuning their exploit scripts.
 

Expert Comment

by:Dave Baldwin
ID: 40517415
If it's a public site, give me a link.
 

Author Comment

by:mike99c
ID: 40517418
I'd rather not reveal the link here as I have already revealed we use Windows server.

However here is the header information for one of the websites:

Cache-Control	private
Content-Length	52676
Content-Type	text/html
Server	Microsoft-IIS/7.5
Set-Cookie	ASPSESSIONIDQQTDAQSC=FBCPFJFBJOHJMJJMECBAKNLP; path=/
X-Powered-By	ASP.NET
Date	Wed, 24 Dec 2014 22:06:23 GMT



So the purpose of this post is about using Request Filtering to remove "Server" and "X-Powered-By" and to somehow change "Set-Cookie" so it does not expose the fact it is using ASP.

Whether or not the website itself may reveal it is using ASP is another matter. I am looking into a first line of defence by making sure the automated hack bots do not target our server based on the fact it knows what operating system is being used.
 

Accepted Solution

by: Dave Baldwin (earned 1500 total points)
ID: 40517433
'Server' and 'X-Powered-By' can be removed without any problems.  Changing the 'name' for the session cookie in 'Set-Cookie' is probably possible.  See here:  http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.cookiename%28v=vs.110%29.aspx  I found a couple of other suggestions but when I went to the Microsoft page, it was 404.

You can do all this, but it is not the "first line of defence".  Hackers look for forms with usernames and passwords and possible access to databases through SQL injection.  Also FTP usernames and passwords, so they can upload files that replace the ones that are on your server with files that do what they want.  These things are not unique to Windows IIS... or Apache or nginx on any operating system.
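A site-level web.config that applies the accepted answer's suggestions, as an added example and not part of the original thread (the cookie name "sid" is an arbitrary choice, and the outbound rule assumes the separately installed URL Rewrite module). Note that the sessionState cookieName setting only renames the ASP.NET session cookie (ASP.NET_SessionId by default); the ASPSESSIONIDxxxx cookie in the captured headers is issued by classic ASP, whose cookie name is not configurable, and Request Filtering on IIS 7/7.5 only filters inbound requests, so it cannot strip the Server response header.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Stops the X-AspNet-Version response header (the "ASP.NET version information"). -->
    <httpRuntime enableVersionHeader="false" />
    <!-- Renames the ASP.NET session cookie; "sid" is an arbitrary example name.
         This does not affect classic ASP's ASPSESSIONIDxxxx cookie. -->
    <sessionState cookieName="sid" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By: ASP.NET is added in applicationHost.config;
             removing it here overrides that for this site. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <!-- Request Filtering has no setting for response headers on IIS 7/7.5.
         With the URL Rewrite module installed, an outbound rule can blank the
         Server header value instead (the header is emptied, not removed). -->
    <rewrite>
      <outboundRules>
        <rule name="Blank Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying it, re-check the headers on a test request to confirm X-Powered-By and X-AspNet-Version are gone and the Server value is blank; Set-Cookie itself must remain for sessions to work.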
 

Author Comment

by:mike99c
ID: 40517480
Thanks for the feedback Dave. I am aware of the other security issues which I have dealt with separately. This post is purely about filtering the http header so as to hide the fact it uses IIS and ASP. This will cover the majority of automated hack bots.

Regarding the main question of this post, are you aware of how to achieve all this using Request Filtering? This is already pre-installed with IIS7 and supersedes URLScan.
 

Expert Comment

by:Dave Baldwin
ID: 40517481
No.  It looked like you had a good link in your previous question.