Increase Security by Removing IIS/ASP.NET HTTP Headers

This article is condensed from various sources including this excellent article: Securing Your Web Server from Prying Eyes by Wayne Berry.

Introduction

IIS emits HTTP response headers similar to these with each and every HTTP response:

Server: Microsoft-IIS/6.0
Date: Wed, 13 Sep 2006 01:34:55 GMT
X-Powered-By: ASP.NET
Content-Length: 64703
Content-Type: text/html
Cache-Control: private

200 OK

You can see what HTTP Response Headers your web server generates using the tool at http://web-sniffer.net/.

In addition to wasting a few bytes with each request, these headers advertise to everyone the platform and web server you are running. An attacker would likely look first at these headers to learn which exploits might be useful against your system. Removing these headers is easy, so why not do it?

Removing the Server Header

The server header Server: Microsoft-IIS/6.0 is an obvious advertisement that you are running Windows 2003. A really clever person might want to emit a misleading server header (e.g. Server: Apache) to confuse attackers. But even simply removing this header turns out to be not so simple.

XMask ISAPI Filter

Probably the best way to remove the server header is with an ISAPI Filter. ISAPI Filters are programs that install on your server and filter all web traffic. A freely available ISAPI Filter called XMask specifically removes the server header and requires very little memory.

Registry Edit

Another method (for IIS versions prior to 6.0) to remove the server header is to set the following key in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"DisableServerHeader"=DWORD:00000001

X-Powered-By: ASP.NET Header

This header is also a dead giveaway that you are running a Windows server. Removing this header for one or all web sites on a server is simple. Open the IIS management console and select the "Web Sites" node for all sites, or select a single site. Choose "Properties" and then the "HTTP Headers" tab:

[Screenshot: IIS 6.0 HTTP Headers tab]

In the Custom HTTP headers section, choose "X-Powered-By: ASP.NET" and remove it!

Additional Security Considerations

In addition to HTTP headers, attackers can still recognize that you are running a Windows server with ASP.NET via several other methods:

  • Distinct ".aspx" file extensions
  • ASP.NET Cookies
  • ASP.NET Viewstate fields
  • ASP Session Object
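As an added example (not part of the original article), the following Python script audits a raw HTTP response for every giveaway the article lists: the Server and X-Powered-By headers, .aspx links, ASP.NET and classic ASP session cookies, and __VIEWSTATE fields. The sample response is constructed, and the cookie names ASP.NET_SessionId and ASPSESSIONID are assumed from standard ASP.NET and classic ASP session handling.

```python
import re

SAMPLE_RESPONSE = (  # constructed sample, not captured from a real server
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n\r\n"
    '<form method="post" action="default.aspx">'
    '<input type="hidden" name="__VIEWSTATE" value="dDwt..." /></form>'
)

# Response headers that advertise the platform (lower-cased name -> value pattern).
FINGERPRINT_HEADERS = {
    "server": re.compile(r"microsoft-iis", re.I),
    "x-powered-by": re.compile(r"asp\.net", re.I),
}

# Session cookie names assumed from standard ASP.NET and classic ASP behaviour.
COOKIE_PATTERNS = {
    "ASP.NET session cookie": re.compile(r"^ASP\.NET_SessionId=", re.I),
    "classic ASP session cookie": re.compile(r"^ASPSESSIONID", re.I),
}

def parse_response(raw):
    # Split into (status line, [(name, value)], body); header names lower-cased.
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def find_fingerprints(raw):
    # Return every platform giveaway found in the headers or the body.
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        pattern = FINGERPRINT_HEADERS.get(name)
        if pattern and pattern.search(value):
            findings.append(f"header {name}: {value}")
        if name == "set-cookie":
            for label, pat in COOKIE_PATTERNS.items():
                if pat.search(value):
                    findings.append(f"{label}: {value.split(';')[0]}")
    if re.search(r"\.aspx\b", body, re.I):
        findings.append("body references .aspx URLs")
    if re.search(r'name="__VIEWSTATE"', body):
        findings.append("body contains __VIEWSTATE field")
    return findings
```

Run it against a response captured from your own server after applying the changes above; an empty result means none of the listed giveaways remain.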