How to remove IIS server response header banners

Roger Jefferiss 29 Oct 2013

This snappy guide shows how to set up a module to remove the server response header from IIS7 / IIS7.5 banners.

Doing this reduces the information available to an attacker.
It means there is less for them to fingerprint if they are scoping out your web services for vulnerabilities.

You can often find web server information in public lookups; try out a few URLs for yourself here (other tools are available).

The first step is to create the code module that will broadcast a custom server response header of your choosing.
Create a new Visual Studio Class Library project called CustomServerHeaderModule, then insert the following example code:

    using System;
    using System.Text;
    using System.Web;

    namespace CustomServerHeaderModule
    {
        // HTTP module that overwrites the Server response header.
        public class CustomServerHeaderModule : IHttpModule
        {
            public void Init(HttpApplication context)
            {
                // Runs just before the response headers are sent to the client.
                context.PreSendRequestHeaders += OnPreSendRequestHeaders;
            }

            public void Dispose()
            { }

            void OnPreSendRequestHeaders(object sender, EventArgs e)
            {
                // Response.Headers can only be modified in IIS integrated pipeline mode.
                HttpContext.Current.Response.Headers.Set("Server", "EXAMPLE SERVER");
            }
        }
    }

To change the Server name, just modify the red text (the "EXAMPLE SERVER" string).

Once you have added that example code and compiled the DLL, the second step is to install it on the IIS server.

Copy the DLL to the bin directory in the root of the web server and then add the following to the web.config file:

    <configuration>
      <system.webServer>
        <modules>
          <add name="CustomServerHeader" type="CustomServerHeaderModule.CustomServerHeaderModule" />
        </modules>
      </system.webServer>
    </configuration>

If these sections already exist in your configuration file, you just need to add the red text (the module entry) to them.

In IIS 10, a new attribute was added to control removal of the server header. You will need to add the following to the web.config file:

    <system.webServer>
      <!-- Remove the Server header -->
      <security>
        <requestFiltering removeServerHeader="true" />
      </security>
    </system.webServer>

Also, just a word of warning: I have found that ASP.NET applications installed on older versions of IIS below 8.5, and with the 'removeServerHeader' attribute set, will break the web application.

Done. Now recheck those banners.
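
One way to recheck the banners, as an added example that is not part of the original post: the script classifies the Server header of a raw HTTP response as removed, custom, or still disclosing the Microsoft stack. The sample responses are constructed and the function names are hypothetical; the 400 sample covers error responses that HTTP.sys answers itself, which never reach the module.

```python
import re

# Product tokens that identify the Microsoft web stack in a Server header.
# Microsoft-IIS is sent by IIS itself; Microsoft-HTTPAPI is sent by HTTP.sys,
# which answers some malformed requests before any IIS module runs.
DISCLOSING = re.compile(r"Microsoft-(IIS|HTTPAPI)(/[\d.]+)?", re.IGNORECASE)

def parse_headers(raw: bytes):
    """Split a raw HTTP response into (status_code, {lowercased name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit_banner(raw: bytes) -> str:
    """Return 'removed', 'custom' or 'disclosed' for the Server header."""
    _, headers = parse_headers(raw)
    values = headers.get("server", [])
    if not values:
        return "removed"
    if any(DISCLOSING.search(v) for v in values):
        return "disclosed"
    return "custom"

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "default IIS 7.5": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                       b"Server: Microsoft-IIS/7.5\r\n\r\n<html>",
    "module installed": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                        b"Server: EXAMPLE SERVER\r\n\r\n<html>",
    "removeServerHeader": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "HTTP.sys error": b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n"
                      b"Server: Microsoft-HTTPAPI/2.0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:20} -> {audit_banner(raw)}")
```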