Howto Disable the Server Header in IIS

December 06, 2005

Steven Erat just pointed me to a technote from Macromedia Adobe called: Configuring ColdFusion MX 7 Server Security in the comments of my securing apache config article. In the technote I found that you can disable the Server header on IIS by setting the HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader registry entry to 1.

Why is this a good idea? It makes you less of a target for attackers who scan IP ranges for particular servers. It won't actually make your server any more secure.

While you are securing your server, make sure you disable SSLv2 and other weak protocols and ciphers on IIS.

Like this? Follow me ↯

You might also like:

14 people found this page useful, what do you think?


I should point out that this method only works on IIS6+ Windows 2003 I believe.
ServerMask for IIS takes this concept a bit further for full IIS security masking:
This hasn't worked for me on Server 2003 R2 / IIS 6.0.
how can i remove my server banner from IIS 5 windows 2000 using the regedit??

Foundeo Inc.