Howto Disable the Server Header in IIS

December 06, 2005
web

Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article. In the technote I found that you can disable the Server header on IIS by setting the HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader registry entry to 1.

Why is this a good idea? It makes you less of a target for attackers who scan IP ranges for particular servers. It won't actually make your server any more secure.

While you are securing your server, make sure you disable SSLv2 and other weak protocols and ciphers on IIS.


cfobjective pre-conf training
| Add Comment | add to del.icio.us | Tags: , ,

Related Entries

14 people found this page useful, what do you think?

WAF for CF

Trackbacks

Trackback Address: 506/68312FF34C26A2F02EB44BAACC58E5BA

Comments

On 12/06/2005 at 1:09:20 PM EST Pete Freitag wrote:
1
I should point out that this method only works on IIS6+ Windows 2003 I believe.

On 04/20/2006 at 2:02:45 PM EDT Chris @ Port80 wrote:
2
ServerMask for IIS takes this concept a bit further for full IIS security masking:

http://www.servermask.com

On 11/09/2006 at 4:52:42 AM EST Matt wrote:
3
This hasn't worked for me on Server 2003 R2 / IIS 6.0.

On 02/26/2008 at 4:35:08 AM EST Seb wrote:
4
Doesnt work on my Web edition Windows Server 2003. Anyone have a solution for this OS?

On 12/17/2008 at 6:14:07 AM EST rally wrote:
5
how can i remove my server banner from IIS 5 windows 2000 using the regedit??

On 12/02/2009 at 6:26:56 AM EST Caio Ribeiro Cesar wrote:
6
Install urlscan, edit urlscan.ini (add the value "1" on the line RemoveServerHead).

Restart IIS.

Post a Comment




  



Spell Checker by Foundeo

Recent Entries





Basecamp
pfreitag on twitter


Archives:
2010 2009 2008 2007 2006 2005 2004 2003 2002