3.12 Ensure Server Header is removed - Default

Information

The server header headers specify the underlying technology used by the application.

Rationale:

While this is not the only way to fingerprint a site through the response headers, it makes it harder and prevents some potential attackers. The server header removal directive is a new feature in IIS 10 that can assist in mitigating this risk.

Impact:

This will remove the server header.

Solution

Enter the following command to use AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /removeServerHeader:'True' /commit:apphost

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/' -filter 'system.webServer/security/requestFiltering' -name 'removeServerHeader' -value 'True'

Default Value:

Microsoft-IIS/10.0

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7

Plugin: Windows

Control ID: a8c7164657e6480b05c7da89596941e2a5909228cab0e4d577f355a07e7b3e3f