Solved

How to remove http header information using IIS7 and Request Filtering

Posted on 2014-12-24
Last Modified: 2015-01-28
I have a Windows 2008 server running IIS7.

I would like to enhance the server security by ensuring all hosted websites remove the following http header information:

Server
Set-Cookie
X-Powered-By

I would also like to remove any ASP.NET version information.

Are there any issues with removing these fields?
Question by:mike99c

Expert Comment

by:Dave Baldwin
If you remove Set-Cookie in the response headers, sessions and login methods will stop working.  A lot of software depends on Set-Cookie.

Author Comment

by:mike99c
OK, thanks Dave. I didn't know that this actually removed the session cookie feature. I thought it was only information.

However, the problem I have is that the header returns the following for Set-Cookie:

ASPSESSIONIDSARTCSQB=GDOLOIDBDBFMNBPGMEHFACPN; path=/

And this obviously gives away the fact that the server uses ASP and is therefore likely to be a Windows server with IIS.

Is there a way to mask the ASP part of the string but still make it work?

Expert Comment

by:Dave Baldwin
Not that I know of.  If you are running any pages with 'asp' or 'aspx' file extensions, that gives it away too, since it has to be a Windows Server with IIS to run those pages.  Removing Set-Cookie blocks ALL cookies from your server and applications, which would upset most of your users since most web sites use cookies for something.

The things you are talking about, Server, Set-Cookie, X-Powered-By, are very minor in terms of security.  Other things like the file extensions give all that info away already.  I can usually look at the source code for a page and tell you that too.

I simply wouldn't bother.  Users and the way applications are written are much more serious in terms of security.

Author Comment

by:mike99c
Just to confirm, our website links do not reveal the file name extension at all, even if you view source.

I simply want the http header to remove any indication that it is a Windows server, as it would assist hack bots in fine-tuning their exploit scripts.

Expert Comment

by:Dave Baldwin
If it's a public site, give me a link.

Author Comment

by:mike99c
I'd rather not reveal the link here as I have already revealed we use Windows server.

However, here is the header information for one of the websites:

```
Cache-Control	private
Content-Length	52676
Content-Type	text/html
Server	Microsoft-IIS/7.5
Set-Cookie	ASPSESSIONIDQQTDAQSC=FBCPFJFBJOHJMJJMECBAKNLP; path=/
X-Powered-By	ASP.NET
Date	Wed, 24 Dec 2014 22:06:23 GMT
```


So the purpose of this post is about using Request Filtering to remove "Server" and "X-Powered-By" and to somehow change "Set-Cookie" so it does not expose the fact it is using ASP.

Whether or not the website itself may reveal it is using ASP is another matter. I am looking into a first line of defence by making sure the automated hack bots do not target our server based on the fact it knows what operating system is being used.

Accepted Solution

by:Dave Baldwin (earned 500 total points)
'Server' and 'X-Powered-By' can be removed without any problems.  Changing the 'name' for the session cookie in 'Set-Cookie' is probably possible.  See here:  http://msdn.microsoft.com/en-us/library/system.web.configuration.sessionstatesection.cookiename%28v=vs.110%29.aspx  I found a couple of other suggestions but when I went to the Microsoft page, it was 404.

You can do all this but it is not the "first line of defence".  Hackers look for forms with usernames and passwords and possible access to databases through SQL injection.  Also FTP usernames and passwords so they can upload files that replace the ones that are on your server with files that do what they want.  These things are not unique to Windows IIS... or Apache or nginx on any operating system.
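As an added example (not from the thread or from either participant), here is a small audit script that reads a header dump in the tab-separated layout pasted above and flags the platform-revealing items discussed: the Server and X-Powered-By headers, and a Set-Cookie whose cookie name is a default ASP or ASP.NET session cookie. Both header dumps are constructed samples with placeholder session values; note that the ASPSESSIONIDxxxxxxxx cookie in the thread is emitted by classic ASP, whereas the sessionState cookieName setting linked in the accepted answer renames only the ASP.NET_SessionId cookie of ASP.NET applications.

```python
import re

# Constructed sample in the thread's "Name<tab>Value" layout; the session id is a placeholder.
SAMPLE_BEFORE = """Cache-Control\tprivate
Content-Length\t52676
Content-Type\ttext/html
Server\tMicrosoft-IIS/7.5
Set-Cookie\tASPSESSIONIDAAAABBBB=PLACEHOLDERSESSIONVALUE; path=/
X-Powered-By\tASP.NET
Date\tWed, 24 Dec 2014 22:06:23 GMT"""

# Constructed sample of the same response after Server and X-Powered-By are dropped
# and an ASP.NET session cookie has been renamed via <sessionState cookieName="sid">.
SAMPLE_AFTER = """Cache-Control\tprivate
Content-Type\ttext/html
Set-Cookie\tsid=PLACEHOLDERSESSIONVALUE; path=/; HttpOnly
Date\tWed, 24 Dec 2014 22:06:23 GMT"""

# Response headers that name the server platform outright.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Default session cookie names: classic ASP (ASPSESSIONID + 8 letters) and ASP.NET.
# Classic ASP's name is fixed by the engine; cookieName only changes the ASP.NET one.
COOKIE_NAME_PATTERNS = [re.compile(r"^ASPSESSIONID[A-Z]{8}$"), re.compile(r"^ASP\.NET_SessionId$")]


def parse_headers(dump):
    """Parse 'Name<tab>Value' or 'Name: Value' lines into a list of (name, value) pairs."""
    pairs = []
    for line in dump.splitlines():
        m = re.match(r"^([^\t:]+)(?:\t+|:\s*)(.*)$", line.strip())
        if m:
            pairs.append((m.group(1).strip(), m.group(2).strip()))
    return pairs


def audit(dump):
    """Return one finding string per header that reveals the server platform."""
    findings = []
    for name, value in parse_headers(dump):
        lname = name.lower()
        if lname in FINGERPRINT_HEADERS:
            findings.append(f"{name}: reveals platform ({value})")
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if any(p.match(cookie_name) for p in COOKIE_NAME_PATTERNS):
                findings.append(f"Set-Cookie: default session cookie name {cookie_name} reveals ASP/ASP.NET")
    return findings


if __name__ == "__main__":
    for label, dump in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(dump) or "no platform-revealing headers")
```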

Author Comment

by:mike99c
Thanks for the feedback Dave. I am aware of the other security issues which I have dealt with separately. This post is purely about filtering the http header so as to hide the fact it uses IIS and ASP. This will cover the majority of automated hack bots.

Regarding the main question of this post: are you aware of how to achieve all this using Request Filtering? This is already pre-installed with IIS7 and supersedes URLScan.

Expert Comment

by:Dave Baldwin
No.  It looked like you had a good link in your previous question.