Disabling IIS Web Banner And Other IIS Headers



Post by daniele »

1) How to remove X-Powered-By: ASP.NET
The HTTP header "X-Powered-By: ASP.NET" advertises the application framework behind the site (the IIS version itself is disclosed by the separate "Server" header, handled in point 2). It can be removed by:
1. Open the IIS Manager
2. Select the website you want to harden (the original instructions refer to the site Secret Server runs under). Selecting the server node instead removes the header for every site, since the header is defined in applicationHost.config.
3. Select "HTTP Response Headers"
4. Select the "X-Powered-By" HTTP Header and select "Remove"
A related header, "X-AspNet-Version", is emitted by ASP.NET itself rather than by IIS, so it is not listed here; it is switched off with the enableVersionHeader="false" attribute of httpRuntime in web.config.


2) Remove/Modify the IIS 10 Server header, which discloses the IIS version: Server: Microsoft-IIS/10.0

The removeServerHeader attribute of requestFiltering exists only in IIS 10; on older versions the command below fails and you need another mechanism (for example an outbound URL Rewrite rule or UrlScan). From PowerShell type the following command, which applies to the whole server:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"

If you just need to hide the information for a specific site:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/Default Web Site' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"


This seems to work fine for me, no reboot or restart of IIS is required.

It doesn't affect the HTTP.sys Server header in the rare case that HTTP.sys responds to a request itself, without passing it to IIS (for example a 400 Bad Request for a malformed request line). That header is governed by the DisableServerHeader registry value under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, not by the requestFiltering setting, and a scanner that sends malformed requests will still see it until that value is set and the HTTP service restarted.

3) Hide X-Powered-By: PHP/x.y.z
Edit the php.ini belonging to the PHP version you're using (multiple versions can be active on the same server, each with its own php.ini) and add the following:
expose_php = Off
php.ini is read when the PHP process starts, so recycle the application pool (or the FastCGI php-cgi processes) afterwards; until then the old header is still sent.

More info here:
https://serverfault.com/questions/99104 ... 39de8d3756

https://www.ibm.com/support/pages/disab ... is-headers


4) Enable HTTP Strict Transport Security (HSTS) on Server 2016 1607
The IIS 10.0 build that ships with Windows Server 2016 (1607) has no native HSTS setting, so the header is added by hand: open the Internet Information Services (IIS) Manager, click on the website, double-click HTTP Response Headers and add a new header named "Strict-Transport-Security". The recommended value is "max-age=31536000; includeSubDomains" (one year); you can customize it as needed. Two caveats: browsers only honour the header when it arrives over HTTPS, and a custom header configured this way is attached to every response of the site, including plain-HTTP ones, so either give the site an HTTPS-only binding or keep the HTTP binding purely for the redirect in point 5. "includeSubDomains" commits every subdomain of the host to HTTPS, so check that no subdomain still depends on plain HTTP before enabling it.



5) Enable HTTP to HTTPS redirection on a single site or on the whole IIS web server
1. Download and install the URL Rewrite module, if not already installed
2. Select the website you want to apply the redirection to (or the server node for the whole web server), then double-click URL Rewrite
3. Click Add Rule(s)…
4. Select Blank rule in the Inbound rules section, then click the OK button.
5. Give your redirect an easy-to-remember name (e.g. Redirect to HTTPS)
6. In the Matched URL section:
  • Set Requested URL: to Matches the Pattern.
  • Set Using to Regular Expressions.
  • Enter (.*) as the Pattern.
  • Check Ignore case.
7. Scroll down to Conditions and expand the section if necessary. Select Match All for Logical grouping, then click the Add… button.
8. A dialog box will open:
  • Type {HTTPS} in the Condition input field.
  • Set Check if input string to Matches the Pattern.
  • Type ^OFF$ in the Pattern field.
  • Check Ignore case.
  • Click the OK button.
9. You should now see your condition in the list.
10. Scroll down to the Action section and enter these settings:
  • Select Redirect as the Action type.
  • Type https://{HTTP_HOST}{REQUEST_URI} in the Rewrite URL field.
    ({REQUEST_URI} already begins with a slash and already contains the query string, so do not write https://{HTTP_HOST}/{REQUEST_URI}: that produces a double slash after the host. If you prefer the match capture, use https://{HTTP_HOST}/{R:1} and leave Append query string checked, because {R:1} holds only the path.)
  • Uncheck Append query string (with {REQUEST_URI} the query string would otherwise be appended twice).
  • Set Redirect type to Permanent (301). Browsers cache 301 responses, so test the rule with Found (302) first and switch to 301 once it behaves as expected.

11. Click Apply in the right-hand Actions menu.
12. You can now check your redirect in a web browser. If there are any problems, you can check the site’s web.config file to make sure it contains the correct information. In IIS Manager, right-click your site and choose Explore from the menu.
13. Confirm that the file web.config exists, then open it in a text editor.
14. Verify that web.config contains the following text. If necessary you can create and/or modify this file:


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTPS Redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="^OFF$" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
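The post applies points 1, 2, 4 and 5 by hand in IIS Manager or one command at a time. The script below is an added example, not code from the original post: it applies the same settings idempotently with the WebAdministration cmdlets and then checks the live server from the outside, reporting every header that should have disappeared and every redirect that did not happen. It assumes an elevated Windows PowerShell session on the IIS 10 host with the URL Rewrite module installed; the site name "Default Web Site" and the host name passed to Test-IisHeaderHardening are placeholders, and the HTTPS check assumes the site certificate is trusted by the machine running the check. Point 3 (PHP) is only covered by the check when "/" is served by PHP.

```powershell
# Added example (not from the original post): apply the post's points 1, 2, 4
# and 5 from PowerShell and verify the result over the wire.
# Assumptions: elevated Windows PowerShell on the IIS 10 host, WebAdministration
# module available, URL Rewrite installed, site/host names below are placeholders.
Import-Module WebAdministration

$serverPath = 'MACHINE/WEBROOT/APPHOST'   # whole server (applicationHost.config)
$siteName   = 'Default Web Site'          # assumption: the site to harden
$sitePath   = "IIS:\Sites\$siteName"

function Set-IisHeaderHardening {
    # Point 1: remove the server-wide "X-Powered-By: ASP.NET" custom header.
    $xpb = Get-WebConfiguration -PSPath $serverPath `
        -Filter "system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']"
    if ($xpb) {
        Remove-WebConfigurationProperty -PSPath $serverPath `
            -Filter 'system.webServer/httpProtocol/customHeaders' `
            -Name '.' -AtElement @{ name = 'X-Powered-By' }
    }

    # Point 2: suppress "Server: Microsoft-IIS/10.0" (IIS 10 requestFiltering attribute).
    Set-WebConfigurationProperty -PSPath $serverPath `
        -Filter 'system.webServer/security/requestFiltering' `
        -Name 'removeServerHeader' -Value $true

    # Point 4: HSTS as a custom header on the site. It is attached to every
    # response of this site, including the plain-HTTP redirect, so the HTTP
    # binding should exist only for point 5.
    $hsts = Get-WebConfiguration -PSPath $sitePath `
        -Filter "system.webServer/httpProtocol/customHeaders/add[@name='Strict-Transport-Security']"
    if (-not $hsts) {
        Add-WebConfigurationProperty -PSPath $sitePath `
            -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
            -Value @{ name = 'Strict-Transport-Security'; value = 'max-age=31536000; includeSubDomains' }
    }

    # Point 5: the same URL Rewrite rule the post shows in web.config.
    $rules = 'system.webServer/rewrite/rules'
    $rule  = "$rules/rule[@name='HTTPS Redirect']"
    if (-not (Get-WebConfiguration -PSPath $sitePath -Filter $rule)) {
        Add-WebConfigurationProperty -PSPath $sitePath -Filter $rules -Name '.' `
            -Value @{ name = 'HTTPS Redirect'; stopProcessing = $true }
        Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/match" -Name 'url' -Value '(.*)'
        Add-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/conditions" -Name '.' `
            -Value @{ input = '{HTTPS}'; pattern = '^OFF$' }
        Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name 'type' -Value 'Redirect'
        # {REQUEST_URI} already carries the leading slash and the query string.
        Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name 'url' -Value 'https://{HTTP_HOST}{REQUEST_URI}'
        Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name 'appendQueryString' -Value $false
        Set-WebConfigurationProperty -PSPath $sitePath -Filter "$rule/action" -Name 'redirectType' -Value 'Permanent'
    }
}

function Get-RawResponse {
    param([string]$Url)
    # HttpWebRequest with AllowAutoRedirect off hands back the 3xx response
    # itself instead of following it; 4xx/5xx arrive as a WebException whose
    # Response still carries the headers we want to inspect.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Method = 'HEAD'
    try { return $req.GetResponse() }
    catch [System.Net.WebException] {
        if ($_.Exception.Response) { return $_.Exception.Response }
        throw
    }
}

function Test-IisHeaderHardening {
    param([string]$HostName)
    $findings = @()
    $plain = Get-RawResponse "http://$HostName/"
    $loc   = $plain.Headers['Location']
    if ([int]$plain.StatusCode -ne 301 -or -not $loc -or $loc -notlike 'https://*') {
        $findings += "HTTP is not redirected to HTTPS (status $([int]$plain.StatusCode), Location '$loc')"
    }
    $tls = Get-RawResponse "https://$HostName/"
    foreach ($r in @($plain, $tls)) {
        $scheme = $r.ResponseUri.Scheme
        if ($r.Headers['Server'])       { $findings += "$scheme`: Server header still sent: $($r.Headers['Server'])" }
        if ($r.Headers['X-Powered-By']) { $findings += "$scheme`: X-Powered-By still sent: $($r.Headers['X-Powered-By'])" }
    }
    if ($tls.Headers['Strict-Transport-Security'] -notmatch 'max-age=\d+') {
        $findings += 'HTTPS: Strict-Transport-Security header missing'
    }
    $plain.Close(); $tls.Close()
    return ,$findings   # empty array means every check passed
}

Set-IisHeaderHardening
Test-IisHeaderHardening -HostName 'www.example.com'   # assumption: your host name
```

Run the script once as administrator; a second run changes nothing because each setting is checked before it is written. The check deliberately requests "/" over plain HTTP with redirects disabled, so a missing rule shows up as a 200 rather than being hidden by a client that silently follows the redirect. A Server header that survives removeServerHeader on a deliberately malformed request comes from HTTP.sys (see point 2) and is outside what this script changes.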