Pete Freitag

Remove the Server Header in any IIS Version

Published on December 05, 2023
By Pete Freitag
web

Removing the Server header in IIS 10 (the version of IIS installed by default on Windows Server 2016, 2019 and 2022) is much easier than it was in earlier versions of IIS. By default IIS returns an HTTP response header like this:

Server: Microsoft-IIS/10.0

This tells everyone that your server is running IIS, and more specifically IIS version 10, which is why it is a good idea to remove it. The Request Filtering module in IIS 10 has an option to remove the Server header, and you can set it either at the site level or server-wide.

Remove Server Header at IIS Site Level in IIS 10

To remove the server header from IIS at the site level, you can add the removeServerHeader="true" attribute to the requestFiltering tag in your web.config file:

<system.webServer>
  <security>
    <requestFiltering removeServerHeader="true">
      <!-- other request filtering stuff -->
    </requestFiltering>
  </security>
</system.webServer>

If you prefer not to edit the web.config file by hand, you can use the technique below to remove the header server-wide instead.

Remove the IIS Server Header Server Wide in IIS 10

To remove the IIS Server header globally (for all sites on the server), click the root node in the IIS Management Console tree, which is usually labeled with the machine or computer name. Then double-click Configuration Editor and paste the following into the Section dropdown:

system.webServer/security/requestFiltering

In the request filtering configuration editor you will find a setting named removeServerHeader. Set it to True and click Apply to save the configuration. You won't need to restart IIS; the Server header is removed right away for all subsequent requests to the server.

Removing the Microsoft-HTTPAPI Server Header

On occasion you may find that IIS returns a Server header that looks like this:

Server: Microsoft-HTTPAPI/2.0

This is the response that Microsoft's http.sys module returns. In my experience this typically only happens on a bad request, e.g. something that returns an HTTP 400 status code.

A few scenarios where you might see the Microsoft-HTTPAPI/2.0 server header are:

  • The request URI contains characters that are not allowed
  • The Host header value in the request is not mapped to any web site binding in IIS

To remove this header, you have to set the DisableServerHeader registry value (a DWORD) to 1 under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

Unfortunately the new request filtering removeServerHeader setting won't prevent the Microsoft-HTTPAPI/2.0 server header from being returned.
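As an added example (not code from Pete's post), here are the two changes above, the server-wide request filtering setting and the http.sys registry value, applied from an elevated PowerShell session on the IIS host, followed by a check that the header is really gone. It assumes the WebAdministration module that ships with IIS, .NET's HttpWebRequest class, and that the placeholder host name used in the second check matches none of the server's site bindings.

```powershell
# Added example, not from the original post: apply both changes from an
# elevated PowerShell prompt on the IIS host, then check the result.
Import-Module WebAdministration   # ships with IIS; provides the IIS configuration cmdlets

# 1. Server-wide equivalent of the Configuration Editor step: set
#    removeServerHeader on system.webServer/security/requestFiltering in
#    applicationHost.config (MACHINE/WEBROOT/APPHOST). No IIS restart needed.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# 2. http.sys does not honour that setting, so its own Microsoft-HTTPAPI/2.0
#    header (seen on 400 responses) needs the DisableServerHeader DWORD.
#    This one only takes effect after the HTTP service is restarted, which
#    also restarts IIS (W3SVC depends on HTTP).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
New-ItemProperty -Path $params -Name 'DisableServerHeader' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Verification helper: returns the Server header value, or nothing when the
#    header is absent. Error responses (4xx/5xx) are kept rather than thrown
#    away, because the http.sys case is exactly a 400 response.
function Get-ServerHeader {
    param([string]$Url, [string]$HostName)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    if ($HostName) { $req.Host = $HostName }   # force the "no matching binding" path
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if (-not $resp) { throw "no HTTP response from $Url" }
    $value = $resp.Headers['Server']
    $resp.Close()
    return $value
}

# Normal request, answered by the IIS pipeline.
Get-ServerHeader -Url 'http://localhost/'
# Placeholder host name that matches no site binding, answered by http.sys
# with a 400; assumes no site has a wildcard (*:80:) binding that would catch it.
Get-ServerHeader -Url 'http://localhost/' -HostName 'unmapped.example.invalid'
```

Run both checks before and after the change: before, the first call returns Microsoft-IIS/10.0 and the second Microsoft-HTTPAPI/2.0; afterwards both should return nothing.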

Removing the Server Header on Older Versions of IIS

If you are running a version of IIS earlier than version 10, you might get an error like this:

500.19 Unrecognized attributes removeServerHeader

If you are running an older version of IIS, that means you are probably running Windows Server 2012 or earlier. Windows Server 2012 reached end of life (EOL) in October 2023, so Microsoft no longer provides security patches for it, and it is well past time to update the server. If you are trying to remove the Server header for security purposes, keep in mind that running EOL software is a much larger security risk than disclosing the Server header.

There have been many different ways to remove the server header over the years, and for various versions of IIS. I had blogged several of them over time, but I'll try to summarize them here.

Rewrite Server Header on IIS 8 or Above

On IIS 8 and later you can use the Microsoft URL Rewrite Module to create an outbound rule that rewrites the Server header to a value of your choosing:

Precondition: <None>
Matching scope: Server Variable
Variable name: RESPONSE_Server
Variable value: Matches the Pattern
Using: Regular Expressions
Pattern: .*
Action type: Rewrite
Value: Whatever you want your server header to be.

This technique doesn't remove the header, but it can rewrite it with whatever value you'd like.

Remove Server Header on IIS 7 and Below

Another option for IIS 7-8.5 is the StripHeaders IIS module. You can find the source code here, and binaries here.

For even older versions of IIS you can use Microsoft's URLScan tool, the latest version of this tool only supports up to IIS 7 (though it may still work on later versions, it is basically abandonware at this point). The link to this tool no longer works. Again though if you are on such an old version of Windows or IIS, you should really begin to have some larger questions about why you are still on an EOL version, rather than just hiding the server header.


Comments

Pete, this SO response states to set "DisableServerHeader" to 2. This registry setting apparently ensures that "self host WCF services no longer sends the SERVER header and thus ensure we are security compliant."
https://stackoverflow.com/a/48619803/693068
by James Moberg on 12/08/2023 at 8:09:01 PM UTC
The registry key that we set to "2" is located at "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" and then restart the server, OR the HTTP service by calling "net stop http" then "net start http".

We've tested for the IIS "Microsoft-HTTPAPI/2.0" HTTP response header by using the following CURL with an invalid param:

curl -v http://mywebsite.local/ -H "Range: bytes=00-18446744073709551615"
by James Moberg on 12/08/2023 at 8:14:54 PM UTC