Removing Chatty IIS Headers

IIS is, by default, a bit too damn chatty, which isn’t what you want if you’re trying to harden your server:

Capture

You can check this with a site like SecurityHeaders.io, which will review all your HTTP Headers for you. It’s very good, I recommend it.

Why would I need to tell the world what ASP version, webserver, etc. that I’m using? Isn’t this just helping potential attackers? Well, yes. How do you remove these headers, though?

Server: Microsoft-IIS…

I can’t think of a legitimate reason to send details of what webserver you’re using to a client, but IIS does seem particularly determined to do so.

To remove the server tag is actually the fiddliest of these tags. The very best way is using the IIS URL Rewrite module. This isn’t a standard install – but it is very commonly used, and it’s reliable. Most of our customers use it.

Essentially, what you do is configure an outbound rule that matches the Server HTTP Header, and replaces it with empty text. Full description by Scott Helme here. He does it manually through IIS, or you can do this with a web.config modification:

<system.webServer>
<rewrite>
<outboundRules>
<rule name="Remove Server Response Header">
<match serverVariable="RESPONSE_SERVER" pattern=".*" />
<action type="Rewrite" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>

Otherwise, you’re looking at installing URLScan, or trying a Registry edit that may or may not work. See: http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx

What were they thinking? Why is this so hard?

X-Powered-By: …

This is configured as a header for the entire of IIS, and I can’t see a good reason to leak this information (other than bragging). Go to your IIS instance, HTTP Response Headers and remove it:

Capture2

That should zap it for the whole webserver. You can do this on a per-site basis, but that’s not as fun.

It can also be done in your Web.config:

<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
</system.webServer>

X-AspNet-Version: …

Another Change to web.config:

<system.web>
<httpRuntime enableVersionHeader="false" />
</system.web>

X-AspNetMvc-Version: …

In Global.asax.cs add:

protected void Application_Start()
{
MvcHandler.DisableMvcResponseHeader = true;
}

That apparently does it. And I love that it’s inconsistent with all the others.

 

Advertisements
Removing Chatty IIS Headers

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s