Removing IIS headers
Posted by Certain_Square743@reddit | sysadmin | 11 comments
I know this has been asked all over the net, but I am now stuck. A recent pen test has shown some low-value results because headers are being exposed. Yes, I know many people say this doesn't matter, but it does to us, so please help.
So at first the response when scanning our test machine was "443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)". We did the reg key change (https://learn.microsoft.com/en-gb/archive/blogs/dsnotes/wswcf-remove-server-header) and the scan now shows "443/tcp open ssl/upnp Microsoft IIS httpd". I have tried everything I can find online about how to remove this header info, but nothing works. I have put URL Rewrite on the test machine and created the rules as per Microsoft documentation (https://learn.microsoft.com/en-gb/archive/blogs/varunm/remove-unwanted-http-response-headers), but that has made no difference either; the header still shows as "Microsoft IIS httpd". How can I get rid of this? Any ideas?
ersentenza@reddit
That's old information; since IIS 10 there is a removeServerHeader instruction, see:
https://github.com/abpframework/abp/issues/19589
Certain_Square743@reddit (OP)
Thanks, I tried this, restarted and it still shows "443/tcp open ssl/upnp Microsoft IIS httpd"
Past-Signature-2379@reddit
If you are this worried about it, why not front it with a proxy?
SevaraB@reddit
Per the article, URLrewrite doesn't remove the headers, just blanks them. And you have to do the URLrewrite for all three headers to completely remove references to IIS:
Also, what tool are you using to scan? A smarter tool is going to see "X-AspNet-Version" and say "this might not tell me what version of IIS it is, but if it's running any version of ASP.net, it has to be an IIS server."
Long story short, it isn't possible to completely hide the IIS server because it's speaking a language no other web server platform does.
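Putting ersentenza's removeServerHeader tip and SevaraB's point about covering all three headers together, here is an added example web.config (not from the thread, and not Microsoft's documentation) showing where each IIS/ASP.NET-revealing header is switched off; it assumes an ASP.NET site on IIS 10.0 version 1709 or later.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config (not from the thread) for an ASP.NET site on
     IIS 10.0 version 1709 or later (Windows 10 1709, Server version 1709,
     Server 2019+). Each revealing header is disabled where it is produced. -->
<configuration>
  <system.web>
    <!-- X-AspNet-Version is emitted by the ASP.NET runtime, not by IIS,
         so it is turned off here rather than under system.webServer. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <security>
      <!-- "Server: Microsoft-IIS/10.0" is added by IIS itself; this switch
           (the one ersentenza refers to) stops it from being written at all,
           whereas URL Rewrite outbound rules only blank its value. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <httpProtocol>
      <customHeaders>
        <!-- "X-Powered-By: ASP.NET" is a static custom header inherited from
             applicationHost.config; <remove> drops it for this site. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Responses that http.sys generates before a request ever reaches the site (for example malformed-request errors) are outside web.config, which is why the registry change linked in the post is still needed alongside this; verify with the browser's Network tab or `curl -sI https://<host>/` rather than nmap's banner, since nmap fingerprints on more than headers.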
Ahimsa--@reddit
IIS allows you to remove these headers from within the web config.
What happens if you load the page in Chrome/Edge with Developer tools open?
Are you sure NMAP isn’t automatically fingerprinting based on the results and is assuming it’s IIS?
Try checking what headers are returned in Dev Tools
Certain_Square743@reddit (OP)
Hello, I'm just using nmap to scan and it comes back with
443/tcp open ssl/upnp Microsoft IIS httpd
Trying everything to remove this info without luck.
SevaraB@reddit
You’re not going to trick nmap that easily. It’s a heuristics engine; HTTP headers are one small piece of how it fingerprints a web server OS.
Certain_Square743@reddit (OP)
I agree, and all our public servers are behind firewalls. This was one minor point on a testing report, and because we have lots of servers it would be nice if we could tick this off the list. Some users online seem to say that some of the suggested points above have resolved the issue for them, but we don't know the full story, what tools they are using, etc.
pdp10@reddit
We usually push back on requests for "security by obscurity", because they're security by obscurity. These things have been included in infosec assessments forever, but there's no chance they'll ever go away because they're a finding, and findings are the stock in trade of assessors.
Viperonious@reddit
Is this server directly exposed to the internet?
siedenburg2@reddit
Here you can find the general settings for header hardening and where to set them:
https://scotthelme.co.uk/hardening-your-http-response-headers/