Howto Disable the Server Header in IIS

December 06, 2005

Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article. In the technote I found that you can disable the Server header on IIS by setting the HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader registry entry to 1.

Why is this a good idea? It makes you less of a target for attackers who scan IP ranges for particular servers. It won't actually make your server any more secure.

While you are securing your server, make sure you disable SSLv2 and other weak protocols and ciphers on IIS.

Related Entries

14 people found this page useful, what do you think?


I should point out that this method only works on IIS6+ Windows 2003 I believe.
ServerMask for IIS takes this concept a bit further for full IIS security masking:
This hasn't worked for me on Server 2003 R2 / IIS 6.0.
Doesnt work on my Web edition Windows Server 2003. Anyone have a solution for this OS?
how can i remove my server banner from IIS 5 windows 2000 using the regedit??
Install urlscan, edit urlscan.ini (add the value "1" on the line RemoveServerHead).

Restart IIS.

Post a Comment


Spell Checker by Foundeo

Recent Entries


did you hack my cf?