Hide IIS7 Response Headers | Force 5

Hide IIS7 Response Headers

What are Response Headers?

Response headers are metadata the server sends back to the browser along with every response. They can include the date and time, the content type (for example text/html or text/javascript) and details about the server software (for example Server: Microsoft-IIS/7.0).

Why is it important to hide them?

Security. At the most basic level the server stops advertising which web server product and version it is running, whether that is Microsoft IIS (which in turn implies Windows) or Apache with PHP. Hiding the headers does not fix any vulnerability in that software; it only removes the easiest way for a scanner or an attacker to fingerprint the stack and pick version-specific attacks, so treat it as defence in depth alongside patching. Here is an example of what a default IIS 7 installation passes back to the browser:

Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727

Notes: This was completed on a Windows Server 2008 web server running IIS 7. One prerequisite we noticed is that the UrlScan installer requires the IIS 6 Metabase Compatibility role service (Server Manager, Web Server (IIS) role, Management Tools, IIS 6 Management Compatibility) to be installed first.

Steps to hide Response Headers in IIS:

  1. Download & Install UrlScan
    • UrlScan installs as a global ISAPI filter, so the setting below applies to every site on the server.
  2. Configure UrlScan.ini settings
    • Open UrlScan.ini with Notepad (run as administrator).
      • %windir%\System32\inetsrv\urlscan\UrlScan.ini (%windir% is normally C:\Windows)
    • Change the RemoveServerHeader value
      • RemoveServerHeader=1
  3. Editing the Machine.Config settings file
    • You will need to make this edit for each ASP.NET Framework version that you currently run. For example, Force 5 has applications that run on ASP.NET 2.0 and 4.0.
    • Add this setting to the <system.web> section of each Machine.Config file:
      <system.web>
           <httpRuntime enableVersionHeader="false" />
            .....
      </system.web>

    • An important note: if you do not have access to the Machine.Config files, you can make the same change in the Web.Config file of each individual website. The only difference is that you will then need to include the setting in every website, whereas the Machine.Config change is global across the web server.
    • The Machine.Config for each .NET Framework version lives in the CONFIG folder under that version's directory, for example %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config. On a 64-bit server check both trees, because 64-bit application pools load the Framework64 copy and application pools with "Enable 32-Bit Applications" set load the Framework copy:
      • %windir%\Microsoft.NET\Framework
      • %windir%\Microsoft.NET\Framework64
  4. Editing php.ini configuration settings (skip this step if you do not have PHP installed)
    1. Locate and open your php.ini file
    2. Scroll down until you locate "expose_php"
    3. Set expose_php = Off

  5. Restart IIS.
    • Run iisreset from an elevated command prompt. UrlScan reads its ini file when the filter loads, and the machine.config and php.ini changes only take effect once the worker processes have been recycled.
    • After restarting IIS, request a page and inspect the response: the Server and X-AspNet-Version headers (and, with PHP, the X-Powered-By: PHP/{version} header) are no longer sent.
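A quick way to check the result, as an added example that is not part of the original post: a PowerShell function that requests several paths on the site and lists any fingerprinting headers that are still present. It uses System.Net.HttpWebRequest rather than Invoke-WebRequest so it also runs on the PowerShell 2.0 that ships with Windows Server 2008; the base URL and the sample paths are assumptions to replace with your own.

```powershell
# Added example, not code from the original post: report which fingerprinting
# headers a site still sends after the steps above. System.Net.HttpWebRequest is
# used instead of Invoke-WebRequest so this runs on PowerShell 2.0 as well.
# The base URL and the sample paths are assumptions; point them at your site.

function Get-DisclosingHeaders {
    param(
        [Parameter(Mandatory = $true)][string]$BaseUrl,
        # Several paths, because each header comes from a different component:
        # Server from IIS itself, X-AspNet-Version only from responses that went
        # through the ASP.NET pipeline, X-Powered-By from the customHeaders list.
        [string[]]$Paths = @('/', '/default.aspx', '/does-not-exist.aspx', '/does-not-exist.html'),
        # Headers that reveal the server product or framework version.
        [string[]]$Watch = @('Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version')
    )

    foreach ($path in $Paths) {
        $url = $BaseUrl.TrimEnd('/') + $path
        $request = [System.Net.HttpWebRequest]::Create($url)
        $request.Method = 'HEAD'
        $request.AllowAutoRedirect = $false   # a 301/302 is a response worth inspecting too
        $request.Timeout = 10000

        try {
            $response = $request.GetResponse()
        } catch [System.Net.WebException] {
            # 4xx/5xx responses throw, but they still carry headers; inspect those as well.
            $response = $_.Exception.Response
            if ($response -eq $null) {
                Write-Warning ("{0}: {1}" -f $url, $_.Exception.Message)
                continue
            }
        }

        foreach ($name in $Watch) {
            $value = $response.Headers[$name]
            if ($value) {
                # One row per leaked header; no rows at all means the checks pass.
                New-Object PSObject -Property @{
                    Path   = $path
                    Status = [int]$response.StatusCode
                    Header = $name
                    Value  = $value
                }
            }
        }
        $response.Close()
    }
}

# Usage: any rows printed are headers that still disclose something.
Get-DisclosingHeaders -BaseUrl 'http://localhost' | Format-Table Path, Status, Header, Value -AutoSize
```

Two things to keep in mind when reading the output. If UrlScan has been configured to reject HEAD, change the method to GET; the headers are the same. And an empty result does not make the host anonymous: some responses, such as a 400 for a malformed request or a request that matches no site binding, are generated by HTTP.sys before any IIS module or ISAPI filter runs, and those carry HTTP.sys's own Server header regardless of UrlScan, so a network scanner can still tell a Windows host from an Apache one.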

Just a quick recap of what we just did:

  • Steps 1 & 2 only remove the "Server: Microsoft-IIS/{version}" response header.
  • Steps 3 & 4 remove the framework version headers: "X-AspNet-Version: 2.0.50727" from ASP.NET and "X-Powered-By: PHP/{version}" from PHP.
  • None of the steps remove "X-Powered-By: ASP.NET". IIS 7 adds that one as an ordinary custom header (the httpProtocol/customHeaders list in applicationHost.config), so it has to be removed there or in each site's Web.Config. Applications built on ASP.NET MVC additionally send "X-AspNetMvc-Version", which is switched off in code by setting MvcHandler.DisableMvcResponseHeader to true in Application_Start.
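The combined per-site version of the configuration, as an added example rather than a file from the post: a Web.Config that carries the httpRuntime change from step 3 together with the removal of the X-Powered-By custom header that the steps leave behind. IIS 7 reads the <system.webServer> section of Web.Config directly, so no UrlScan setting is involved in this part.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not a file from the original post. Drop into the root of a site
     whose administrator cannot edit machine.config or applicationHost.config. -->
<configuration>
  <system.web>
    <!-- Same change the post makes in machine.config, scoped to this site only:
         stops the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- X-Powered-By: ASP.NET is a plain custom header inherited from
             applicationHost.config; none of the steps above touch it. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The <system.webServer> part can equally be applied server-wide by removing the same entry from the customHeaders list in applicationHost.config. On IIS 10.0 (Windows Server 2016 version 1709) and later the Server header itself can be dropped with the removeServerHeader attribute of requestFiltering, which makes UrlScan unnecessary for that step; on IIS 7 and 7.5 UrlScan remains the way to do it.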

If you have any questions please feel free to leave a comment below or to contact us.

Comments

There is a new URLScan 3.1 that is compatible with IIS 7.5 and above.

I have followed your steps above on W2008R2 IIS7 and when I request a response header I still get a response from ASP and IIS/7.5. Can you let me know if I should look at anything else? Thanks

Unfortunately UrlScan is not compatible with IIS 7.5