Pete Freitag Pete Freitag

Howto Disable the Server Header in IIS

web

Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article. In the technote I found that you can disable the Server header on IIS by setting the HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader registry entry to 1.

Why is this a good idea? It makes you less of a target for attackers who scan IP ranges for particular servers. It won't actually make your server any more secure.

While you are securing your server, make sure you disable SSLv2 and other weak protocols and ciphers on IIS.


Like this? Follow me ↯

Howto Disable the Server Header in IIS was first published on December 06, 2005.

If you like reading about iis, security, or windows then you might also like:

Comments

I should point out that this method only works on IIS6+ Windows 2003 I believe.
by Pete Freitag on 12/06/2005 at 1:09:20 PM UTC
ServerMask for IIS takes this concept a bit further for full IIS security masking:

http://www.servermask.com
by Chris @ Port80 on 04/20/2006 at 2:02:45 PM UTC
This hasn't worked for me on Server 2003 R2 / IIS 6.0.
by Matt on 11/09/2006 at 4:52:42 AM UTC
how can i remove my server banner from IIS 5 windows 2000 using the regedit??
by rally on 12/17/2008 at 6:14:07 AM UTC