For security reasons some administrators want to hide which web server they are using. Personally I am not convinced that it stops attackers from attacking your server, but it is good practice to expose as little information as possible, and security audits also require that this information is not exposed in the response headers.
In this post I will show you how to disable some common and not so common headers in Windows Server 2016 and higher. In the examples I disable the headers at the server level; it is however possible to disable some headers at the site level.
In the image above you can see that two headers can be interesting for attackers: the ‘Server’ and ‘X-Powered-By’ headers.
To stop IIS returning the header ‘Server’ you can use the following command.
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
    -filter "system.webServer/security/requestFiltering" `
    -name "removeServerHeader" `
    -value "True"
Disabling the header ‘X-Powered-By’ can be done in two ways. You can do it from a prompt or from the GUI. From the prompt you use the following command.
Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
    -filter "system.webServer/httpProtocol/customHeaders" `
    -name "." -AtElement @{name='X-Powered-By'}
To turn it off in the GUI you open the Internet Information Services Manager, select the server and go to HTTP Response Headers. There you can remove the header.
After you have removed the header it will no longer show in the response. However, it can come back, with a different value, when you install for example Application Request Routing.
When using ASP.NET another header is returned: the ‘X-AspNet-Version’ header. This header can also be disabled, with the following command.
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT' `
    -filter "system.web/httpRuntime" `
    -name "enableVersionHeader" `
    -value "False"
Earlier I mentioned that the ‘X-Powered-By’ header can come back when you install Application Request Routing. You can see that in the image below. Notice the same name but a different value.
To turn this off you need to use the following commands.
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
    -filter "system.webServer/proxy" `
    -name "arrResponseHeader" `
    -value "False"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' `
    -filter "webFarms/webFarm[@name='test']/applicationRequestRouting/protocol" `
    -name "arrResponseHeader" `
    -value "False"
iisreset
You will have to restart IIS after these commands, otherwise the headers keep showing up. The first command disables the header at the proxy level; the second disables it at the webfarm level. In my example the webfarm is named test; replace that with the name of your webfarm.
Now the server will return clean response headers.
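As an added example (not from the original post), the following script applies all of the removals above in one go and then checks the response from the local server for the headers that should be gone. The webfarm name, the test URL, and the try/catch that skips the ARR step when the proxy section is absent are my assumptions; run it in an elevated PowerShell on the IIS host.

```powershell
param(
    [string]$WebFarmName = 'test',            # assumption: replace with your webfarm name
    [string]$TestUrl     = 'http://localhost/' # assumption: URL used to verify the result
)
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'

# 1. 'Server' header (IIS 10 / Windows Server 2016 and higher)
Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value 'True'

# 2. 'X-Powered-By' custom header; ignore the error if it was already removed
Remove-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/httpProtocol/customHeaders' `
    -Name '.' -AtElement @{name='X-Powered-By'} -ErrorAction SilentlyContinue

# 3. 'X-AspNet-Version' header from the root web.config
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT' -Filter 'system.web/httpRuntime' `
    -Name 'enableVersionHeader' -Value 'False'

# 4. ARR headers at proxy and webfarm level; the proxy section only exists when ARR is installed
try {
    Set-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/proxy' `
        -Name 'arrResponseHeader' -Value 'False' -ErrorAction Stop
    if (Get-WebConfiguration -PSPath $appHost -Filter "webFarms/webFarm[@name='$WebFarmName']") {
        Set-WebConfigurationProperty -PSPath $appHost `
            -Filter "webFarms/webFarm[@name='$WebFarmName']/applicationRequestRouting/protocol" `
            -Name 'arrResponseHeader' -Value 'False'
    }
} catch {
    Write-Host 'ARR proxy section not found; skipping the ARR headers.'
}

# The ARR settings only take effect after a restart
iisreset | Out-Null

# Verify: report any of the sensitive headers that are still present in the response
$headersToCheck = 'Server', 'X-Powered-By', 'X-AspNet-Version'
$response = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing
$leaking  = $headersToCheck | Where-Object { $response.Headers.ContainsKey($_) }
if ($leaking) {
    Write-Warning ('Still exposed: ' + ($leaking -join ', '))
} else {
    Write-Host 'No server, framework or ARR version headers in the response.'
}
```

Run the same check against each site binding (and after every IIS module installation), since a new module can reintroduce a header with a different value.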