A web server should disclose as little about itself as possible to an attacker. By default, the Windows HTTP stack advertises the technology in use and its version in the "Server" response header. Sending that header does not by itself widen the attack surface, but it makes fingerprinting trivial and lets an attacker go straight to exploits and misconfigurations known for that exact product and version, i.e. mount a targeted attack rather than a blind one.
To stop the server from handing out this information, the "Server" header needs to be suppressed. There are several ways to do this on IIS, such as "URLScan" or custom HTTP rules, but none of them is universal, and URLScan in particular requires installing an add-on. The method below instead targets the "HTTP" service itself (the kernel-mode HTTP.sys listener), so it applies to anything hosted on it, not just IIS. The "DisableServerHeader" value it relies on is honoured on Windows 10 / Windows Server 2016 and later.
First, open up “regedit.exe” (Run as Administrator) and navigate to:
Once there, a DWORD entry needs to be created. Right-click the empty area in the right-hand pane, then:
[Screenshots: creating the "DisableServerHeader" DWORD entry, and setting its value to 2]
- Choose "New", then "DWORD (32-bit) Value"
- Rename the new entry to "DisableServerHeader"
- Set its value to 2 (0 keeps the header, 1 only strips it from responses HTTP.sys generates itself, such as its own error pages; 2 removes it from every response)
- Hit "OK".
For the change to take effect, the "http" service has to be restarted. This can be done with the following commands in a command prompt or PowerShell.
Warning: this makes every web service that relies on HTTP.sys unresponsive while it is down. "net stop http" will prompt you to also stop the services that depend on it (for IIS, the World Wide Web Publishing Service, W3SVC); "net start http" does not bring those dependents back, so start them again afterwards (for example "net start w3svc").
Open CMD (or PS) as administrator and run the following:
- net stop http
- net start http
If the service refuses to stop or start cleanly, reboot the system.
Once the service has been restarted successfully, the response headers from the server should look similar to the screenshot below: the "Server" header is gone entirely.
[Screenshot: HTTP response with no Server header]
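The same procedure scripted end to end, as an added example that is not part of the original post. It writes the documented "DisableServerHeader" value under the HTTP.sys parameters key, restarts the HTTP service together with the services that depend on it, and then checks the response headers. It assumes Windows PowerShell 5.1 run as Administrator, and that the site to verify is reachable at the hypothetical URL stored in $Url (change it to match the host being hardened).

```powershell
#Requires -RunAsAdministrator
# Added example, not the original post's code. Tested logic for Windows PowerShell 5.1.

# Documented location of the HTTP.sys parameters and the value that controls the Server header.
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Name = 'DisableServerHeader'
# 0 = send the header (default), 1 = strip it only from responses HTTP.sys generates itself
# (its own error pages), 2 = never send it. We want 2.
$Wanted = 2

# Hypothetical URL of the site being hardened; adjust for your host.
$Url = 'http://localhost/'

function Set-DisableServerHeader {
    # Creates or overwrites the DWORD; -Force makes this idempotent.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Wanted -Force | Out-Null
    $current = Get-ItemPropertyValue -Path $Key -Name $Name
    if ($current -ne $Wanted) { throw "$Name is $current, expected $Wanted" }
}

function Restart-HttpService {
    # Remember which dependents (e.g. W3SVC for IIS) are running: Stop-Service -Force takes
    # them down with HTTP, but Start-Service does not bring them back on its own.
    $dependents = (Get-Service -Name http).DependentServices | Where-Object { $_.Status -eq 'Running' }
    Stop-Service -Name http -Force          # expect an outage of every HTTP.sys-hosted service here
    Start-Service -Name http
    foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
}

function Get-ServerHeader {
    param([string]$Uri)
    # Returns the Server header value, or $null if the response carries none.
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing
        return $resp.Headers['Server']
    } catch [System.Net.WebException] {
        # Windows PowerShell throws on 4xx/5xx, but the headers are still on the response.
        $webResp = $_.Exception.Response
        if ($null -eq $webResp) { throw }
        return $webResp.Headers['Server']
    }
}

Set-DisableServerHeader
Restart-HttpService

$server = Get-ServerHeader -Uri $Url
if ([string]::IsNullOrEmpty($server)) {
    Write-Host "OK: no Server header returned by $Url"
} else {
    Write-Warning "Server header still present: '$server'. If the value was just written, reboot and re-check."
}
```

Run the check against more than one URL, including a path that does not exist, because the difference between a value of 1 and 2 only shows on responses that HTTP.sys generates itself; with 2 the header should be absent everywhere.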