Remove header information from IIS [RESOLVED]

You will often need to do the following to ensure your website is secure as possible, and stop the IIS version from been displayed when doing a scan on the server.

  1. Open “Internet Information Services (IIS) Manager“.
  2. If you want to apply the settings globally, click on your main server node: select IIS node
  3. Open the “Configuration Editor” 
  4. To remove ‘x-aspnet-version‘ response header, go to system.web >> httpRuntime >> enableVersionHeader and set it to ‘false‘ 
  5. To remove the IIS ‘server’ response header, go to system.webServer >> security >> requestFiltering >> removeServerHeader and set it to ‘true‘ 

For setting the values per site, just click on the site you want to apply the changes, and select the Configuration Editor from there.

For example before you make the above changes a nmap scan may show

http-server-header:

Microsoft-HTTPAPI/2.0

|Microsoft-IIS/10.0

Following the above changes a nmap scan would show

http-server-header:

Microsoft-HTTPAPI/2.0

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: