Pete Freitag

Howto Disable the Server Header in IIS

Updated on October 11, 2021
By Pete Freitag

Steven Erat just pointed me to a technote (http://www.macromedia.com/devnet/coldfusion/articles/cf7_security.html) from Macromedia (now Adobe) called Configuring ColdFusion MX 7 Server Security, in the comments of my securing Apache config article. In the technote I found that you can disable the Server header on IIS by setting the HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader registry entry to 1.
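One way to apply the registry entry and then confirm the result from an actual response, as an added example that is not from the original post or the technote. It assumes an elevated PowerShell prompt, a REG_DWORD value type, and http://localhost/ as the test URL; the function names are hypothetical.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Name = 'DisableServerHeader'

function Get-DisableServerHeader {
    # Returns the current value, or $null when the entry does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Set-DisableServerHeader {
    # Writes the value the post describes (1). REG_DWORD is an assumption;
    # the post does not name the value type. Returns $true only if it changed.
    if ((Get-DisableServerHeader) -eq 1) { return $false }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    return $true
}

function Get-ServerHeader {
    param([string]$Url = 'http://localhost/')   # assumed test URL
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'HEAD'
    try { $resp = $req.GetResponse() }
    catch {
        # 4xx/5xx replies surface as a WebException that still carries headers.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        $resp = if ($ex) { $ex.Response }
    }
    if (-not $resp) { throw "No HTTP response from $Url" }
    try { $resp.Headers['Server'] } finally { $resp.Close() }
}

# First run writes the value; a second run after the restart checks the header.
if (Set-DisableServerHeader) {
    Write-Host "Set $Name = 1."
    Write-Host 'Restart the HTTP service and IIS (or reboot), then run this again to verify.'
} else {
    $header = Get-ServerHeader
    if ($header) {
        Write-Host "$Name is 1, but the response still carries Server: $header"
    } else {
        Write-Host "$Name is 1 and the response carries no Server header."
    }
}
```

Checking the response rather than only the registry matters because the entry has no effect until the HTTP service has been restarted.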

Why is this a good idea? It makes you less of a target for attackers who scan IP ranges for particular servers. It won't actually make your server any more secure.

While you are securing your server, make sure you disable SSLv2 and other weak protocols and ciphers on IIS.




Howto Disable the Server Header in IIS was first published on December 06, 2005.


Comments

I should point out that this method only works on IIS6+ Windows 2003 I believe.
by Pete Freitag on 12/06/2005 at 1:09:20 PM UTC
ServerMask for IIS takes this concept a bit further for full IIS security masking:

http://www.servermask.com
by Chris @ Port80 on 04/20/2006 at 2:02:45 PM UTC
This hasn't worked for me on Server 2003 R2 / IIS 6.0.
by Matt on 11/09/2006 at 4:52:42 AM UTC
How can I remove my server banner from IIS 5 Windows 2000 using the regedit??
by rally on 12/17/2008 at 6:14:07 AM UTC