Removing IIS 7.5 unwanted headers from HTTP response

  • Question

  • User1765278760 posted

    Hello everybody,

    I installed Windows server 2008 R2 (x64) web edition with IIS 7.5. For each web site I created custom module to remove unwanted headers.

    Module code:

    using System;
    using System.Web;

    /// <summary>
    ///
    /// Using this module in your website requires that you add the following
    /// syntax into your web.config file:
    ///
    ///     <system.webServer>
    ///          <modules>
    ///            <add name="HttpResponseServerName" type="HttpResponseServerName"/>
    ///          </modules>
    ///     </system.webServer>
    ///
    /// </summary>
    public class HttpResponseServerName : IHttpModule
    {
        public void Init(HttpApplication context)
        { context.PreSendRequestHeaders += OnPreSendRequestHeaders; }

        public void Dispose()
        { }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Modify Http Response Header "Server"
            //HttpContext.Current.Response.Headers.Set("Server", "DSCODUC's Web Server");

            // Remove Http Response Header "Server"
            HttpContext.Current.Response.Headers.Remove("Server");
            HttpContext.Current.Response.Headers.Remove("Etag");
            HttpContext.Current.Response.Headers.Remove("X-Powered-By");
            HttpContext.Current.Response.Headers.Remove("P3P");
        }
    }

    So, the module is working fine if all HTTP requests are correct. But if I send an incorrect request to the server I receive:

    telnet 10.5.20.61 80
    Trying 10.5.20.61...
    Connected to 10.5.20.61.
    Escape character is '^]'.
    dadasd
    HTTP/1.1 400 Bad Request
    Content-Type: text/html; charset=us-ascii
    Server: Microsoft-HTTPAPI/2.0
    Date: Tue, 28 Sep 2010 09:56:12 GMT
    Connection: close
    Content-Length: 326

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
    <HTML><HEAD><TITLE>Bad Request</TITLE>
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
    <BODY><h2>Bad Request - Invalid Verb</h2>
    <hr><p>HTTP Error 400. The request verb is invalid.</p>
    </BODY></HTML>
    Connection closed by foreign host.

    As you see, I receive the header: Server: Microsoft-HTTPAPI/2.0.

    I need help to remove this header - Server: Microsoft-HTTPAPI/2.0


    Thanks,

    Yanko


    Tuesday, September 28, 2010 6:15 AM
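A way to verify the behaviour described in this post from the client side, as an added example that is not part of the original thread: the script sends a well-formed GET (answered by the site, where the custom module runs) and then the same invalid verb line used over telnet above (answered directly by http.sys, before any module runs), and reports which fingerprinting headers come back in each case. The host and port are assumed to be given on the command line; the embedded sample response is constructed from the 400 reply quoted in the post so the parser can be exercised offline.

```python
"""Report which fingerprinting headers an IIS host still sends, for both a
well-formed request and a malformed one answered directly by http.sys."""
import socket

# Response headers that identify the server product or framework.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version")


def parse_response_head(raw):
    """Return (status_line, headers) from a raw HTTP response.

    Header names are lower-cased. Only the part before the first blank
    line is parsed; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def leaked_headers(headers):
    """Subset of the parsed headers that reveal the server stack."""
    return {n: v for n, v in headers.items() if n in FINGERPRINT_HEADERS}


def probe(host, port, request, timeout=5.0):
    """Send one raw request and return (status_line, leaked_headers)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break  # server kept the connection open; parse what we have
            if not data:
                break
            chunks.append(data)
    status, headers = parse_response_head(b"".join(chunks))
    return status, leaked_headers(headers)


def check_host(host, port=80):
    """Probe with a valid GET and with the invalid verb line from the thread."""
    valid = (b"GET / HTTP/1.1\r\nHost: " + host.encode() +
             b"\r\nConnection: close\r\n\r\n")
    invalid = b"dadasd\r\n\r\n"  # same bogus line the poster typed into telnet
    return {"valid request": probe(host, port, valid),
            "invalid verb": probe(host, port, invalid)}


# Constructed sample: the http.sys 400 response quoted in the post.
SAMPLE_400 = (b"HTTP/1.1 400 Bad Request\r\n"
              b"Content-Type: text/html; charset=us-ascii\r\n"
              b"Server: Microsoft-HTTPAPI/2.0\r\n"
              b"Date: Tue, 28 Sep 2010 09:56:12 GMT\r\n"
              b"Connection: close\r\n"
              b"Content-Length: 326\r\n\r\n"
              b"<HTML><HEAD><TITLE>Bad Request</TITLE></HEAD></HTML>")

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        # No target given (assumed usage: python probe.py <host> [port]):
        # show what the parser extracts from the constructed sample.
        status, headers = parse_response_head(SAMPLE_400)
        print(status, leaked_headers(headers))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        for label, (status, leaked) in check_host(sys.argv[1], port).items():
            print(f"{label}: {status} -> {leaked or 'no fingerprint headers'}")
```

Run it against your own server before and after applying a fix: if the "valid request" line is clean but the "invalid verb" line still shows Server: Microsoft-HTTPAPI/2.0, the header is coming from http.sys rather than from the IIS pipeline, which is exactly why the managed module above cannot touch it.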

Answers

  • User989702501 posted
    What's the reason behind removing the header? You can try this key - HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader Haven't tested it, or you can try urlscan to do so.
    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Tuesday, September 28, 2010 9:32 AM

All replies

  • User1765278760 posted

    What's the reason behind removing the header? You can try this key - HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader Haven't tested it, or you can try urlscan to do so.

    Thank you very much. I changed the registry key and this solution is working for me.

    I want to remove web server fingerprinting for security reasons. For Win 2003 with IIS6 I use the port80 software ServerMask, but unfortunately it does not support IIS 7.5 on a Win 2008 R2 server.

    Regards,

    Yanko


    Wednesday, September 29, 2010 4:50 AM
  • User-2064283741 posted

    I love these threads. What "security reasons" are you referring to?

    When do you think the http.sys header will be displayed?

    Wednesday, September 29, 2010 6:07 AM
  • User1765278760 posted

    Hi Rovastar,

    I do not want anybody to know what server I use to service web sites and applications. Why? You can think about it.

    I should also change the default error response:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
    <HTML><HEAD><TITLE>Bad Request</TITLE>
    <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
    <BODY><h2>Bad Request - Invalid Verb</h2>
    <hr><p>HTTP Error 400. The request verb is invalid.</p>
    </BODY></HTML>

    Any idea?

    Cheers,

    Yanko


    Thursday, September 30, 2010 3:57 AM
  • User-2064283741 posted

    I do not want anybody to know what server I use to service web sites and applications. Why? You can think about it.

    I did, the only thing that comes to mind is paranoia.....

    There are many ways of finding out what type of server you are running. I doubt you will stop them all. If you want to start changing TCP packet sizes, do so at your own risk......

    Thursday, September 30, 2010 5:38 AM
  • User1765278760 posted

    If I can stop 50% of them, it will be good :)

    Can you help me to change default error 400 response?


    Thursday, September 30, 2010 6:05 AM
  • User-2064283741 posted

    I am not sure if you can do anything about the http.sys stuff. There is very little configuration for that.

    Thursday, September 30, 2010 10:09 AM
  • User989702501 posted
    Hiding the server headers won't protect you from anything IMHO. The attackers will just run all sorts of scripts against the host; they don't care which product/vendor, they just hope to break in. For the 400 error, I doubt you can change that response.
    Friday, October 8, 2010 9:22 PM
  • User-522351107 posted

    Yanko,

    You are 100% right!!! You should hide these headers in your response. This should not be the end of your efforts to secure your system, but it's a great start.

    Some of the advice being given on the web with regards to this today is complete nonsense. Imagine if you applied this to physical security at your house: why put a lock on the front door when the attacker can simply break through a window? Why have an alarm system when many attackers know exactly how to bypass these systems? Yet we do all of these things. Why? Because they make us harder targets. There is no such thing as a "secure" system; that doesn't mean we shouldn't try to make our systems more secure.

    Friday, January 7, 2011 1:33 PM
  • User989702501 posted

    Ooooo.... your point is?

    Sunday, January 9, 2011 9:16 PM
  • User1073881637 posted

    He has a good point about trying to make your systems more secure. It's better to err on the side of caution. The ONLY truly secure system is the one not plugged into a network. :) Other than that, security is a journey....not a destination.

    Sunday, January 9, 2011 10:47 PM
  • User989702501 posted
    heehe... yes/no. To the point of masking: hiding can be part of security in some domains, but at the IP level? errrr... I'm just not buying it :)
    Tuesday, January 11, 2011 2:25 AM
  • User110325929 posted

    I know this is an old post, but masking is a first step to security.

    If the HTTP headers show server versions and framework versions, then it's easier for hackers to find specific exploits and vulnerabilities for the specific versions in use. That makes it that much easier for them, and also as new vulnerabilities are identified.

    In any case, I have put another new post with all possible ways to remediate this.

    1) URLScan

    2) Registry settings

    3) Custom HTTP handlers

    are there any other options to remediate this?

    Wednesday, August 21, 2013 11:25 AM
  • User-2064283741 posted

    I don't think I will ever change my mind about this. The benefits of keeping it (knowing from a support/audit point of view instantly what technology you are using - I always run Header Spy in my browser and view the Server header by default - over the years it has saved me a ton of time) outweigh the additional minimum level of security it gives.

    Wednesday, August 21, 2013 11:32 AM
  • User-83962003 posted

    ModSecurity will allow you to modify response headers, response content, and will do all sorts of other cool stuff.

    Thursday, August 22, 2013 11:02 AM