Discussion:
Removing "Server" header doesn't work!!
Felipex
2008-03-19 22:37:01 UTC
Hi, can somebody help me? I have been trying to disable the "Server" header
on my IIS 6.0 server. I was searching the web, and it says that we can
disable the "Server" header by changing the registry key
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader
to 1. I just did that, and nothing happened. I found another option to disable
the header, which is to install URLScan, but I'm afraid to do that because it
can cause unexpected problems with the applications installed on that server.
Does somebody know what I can do?

I was surprised that I can't find information about this problem on the
web. Is this so hard to do?

Thanks in advance
Ken Schaefer
2008-03-20 00:40:35 UTC
Why do you need to disable the Server: header?

As mentioned you can do this using URLScan.

Cheers
Ken
David Wang
2008-03-21 10:28:21 UTC
DisableServerHeader only applies to the Server header added by
HTTP.SYS IFF an HTTP API application does not set the Server header.
IIS intentionally sets and removes the Server header, so that registry
key has no relevance on IIS6.

Most people ask about removing the Server header because they ran some
security scanner that complains about it, or they read somewhere that
removing Server header "improves" security, so they want to do it.
However, since removing the Server header does neither, the IIS team does
not consider the Server header a problem and its removal a solution, so
there is no built-in feature anywhere. You will have to search for the
add-on modules to remove the header but that may have other side
effects.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
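
The distinction drawn in the reply above (a Server header added by HTTP.SYS versus one set by IIS itself) can be checked from response headers. This is an added example, not part of the original thread; the sample responses are constructed, and the `Microsoft-HTTPAPI/` and `Microsoft-IIS/` prefixes are assumed to be the values these two components send.

```python
"""Tell which component emitted the Server header in a raw HTTP response."""

# Constructed sample responses (not captured traffic).
IIS_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Length: 0\r\n"
                b"Server: Microsoft-IIS/6.0\r\n\r\n")
HTTPSYS_RESPONSE = (b"HTTP/1.1 400 Bad Request\r\n"
                    b"Content-Type: text/html\r\n"
                    b"Server: Microsoft-HTTPAPI/1.0\r\n\r\n")
STRIPPED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_headers(raw: bytes) -> dict:
    """Return headers as {lower-case name: value}; header names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_header_origin(raw: bytes) -> str:
    """Classify the Server header as 'http.sys', 'iis', 'other' or 'absent'."""
    server = parse_headers(raw).get("server")
    if server is None:
        return "absent"
    if server.startswith("Microsoft-HTTPAPI/"):
        return "http.sys"  # added by HTTP.SYS: the case DisableServerHeader covers
    if server.startswith("Microsoft-IIS/"):
        return "iis"       # set by IIS itself: the registry value is irrelevant
    return "other"


def audit(responses: dict) -> dict:
    """Map label -> (origin, True if DisableServerHeader is relevant to it)."""
    report = {}
    for label, raw in responses.items():
        origin = server_header_origin(raw)
        report[label] = (origin, origin == "http.sys")
    return report


if __name__ == "__main__":
    samples = {"iis page": IIS_RESPONSE, "http.sys error": HTTPSYS_RESPONSE,
               "header removed": STRIPPED_RESPONSE}
    for label, (origin, relevant) in audit(samples).items():
        print(f"{label}: origin={origin}, DisableServerHeader relevant={relevant}")
```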
