A question we have often seen in the past is whether there is a way to prevent IIS from sending the Server identification header to a client; this header lets a client identify which type of HTTP server it is talking to. Usually this request comes from security concerns: the assumption is that knowing the server product makes it easier for an attacker to break into the system.
Although that assumption from customers is very questionable (hiding the header does not change which vulnerabilities the server actually has), we still need to be able to provide a solution for it.
Out of the box all our IIS servers respond with a server header similar to the following (sample is for IIS 6.0):
For IIS 5 and IIS 6, customers often used UrlScan, which allows the Server header to be removed from the response.
On IIS 7 this tool cannot be installed, but thanks to the very modular structure of IIS 7 it is possible to remove or even replace the Server header in a much more convenient way: using a custom module that is injected into the IIS 7 pipeline. Such a module can be developed using either managed or unmanaged code.
Here is a sample .NET module which replaces the Server HTTP header with a custom header:
That's it! When building this module, make sure to strong-name it, because it needs to be placed into the global assembly cache in order for IIS 7 to be able to load it. To add the module to IIS 7, use the "Modules" configuration option on the server, choose "Add managed module" and select the module from the list of available modules.
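The following is an added example of such a managed module, written for this edit rather than taken from the post's original sample. It assumes the IIS 7 integrated pipeline (in classic mode `Response.Headers` is not writable and accessing it throws `PlatformNotSupportedException`) and uses the placeholder value `WebServer`; set `CustomServerValue` to an empty string to strip the header instead of replacing it, which covers both variants the post mentions.

```csharp
using System;
using System.Web;

// Added example, not the post's original module: replaces (or removes) the
// Server response header from inside the IIS 7 integrated pipeline.
public class ServerHeaderModule : IHttpModule
{
    // Placeholder value (assumption for this example). An empty string means
    // "remove the header entirely" instead of replacing it.
    private const string CustomServerValue = "WebServer";

    public void Init(HttpApplication context)
    {
        // PreSendRequestHeaders fires just before the headers are flushed to the
        // client, so it is the last point at which the Server header can be changed.
        // Earlier events (e.g. BeginRequest) are too early: IIS adds its own value later.
        context.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null)
        {
            return;
        }

        HttpResponse response = app.Context.Response;

        // Drop the value IIS generated; without this the header still reaches the client.
        response.Headers.Remove("Server");

        // Optionally put a neutral value in its place.
        if (!string.IsNullOrEmpty(CustomServerValue))
        {
            response.Headers.Set("Server", CustomServerValue);
        }
    }

    public void Dispose()
    {
        // Nothing to release: the event subscription lives as long as the HttpApplication.
    }
}
```

Adding the module through the "Modules" UI, as described above, writes an entry for the assembly into the `<system.webServer>/<modules>` section of the site's web.config (a strong-named, GAC-installed assembly is required for that entry to resolve). Note that this only covers the `Server` header; related identification headers such as `X-Powered-By` are configured separately under the site's custom HTTP response headers and are not touched by this module.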
I know, but I want to eliminate the cookie from the response altogether as passing it to the client would mean a security issue.
I don't know if this is possible.
Thanks for the great post. One thing I noticed is that the latest URLScan (its current version is 3.1) is actually working on both IIS 7.0 and IIS 7.5. So we can simply add RemoveServerHeader=1 in URLScan.ini configuration file, if our goal is just to strip the server information from the header completely.
If you're using IIS7 / Azure then have a look at this:
It shows the best way to disable these headers without using HttpModules.