3.11 Ensure X-Powered-By Header is removed - Default

Information

The x-powered-by headers specify the underlying technology used by the webserver.

Rationale:

Attackers are able to conduct reconnaissance on a website using these response headers. This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology. Removing this header will prevent targeting of your application for specific exploits by non-determined attackers.

While this is not the only way to fingerprint a site through the response headers, it makes it harder and prevents some potential attackers.

Impact:

X-powered-by headers will not be available on the webserver.

Solution

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /-'customHeaders.[name='X-Powered-By']' /commit:apphost

OR

Enter the following command in PowerShell to configure:

Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webserver/httpProtocol/customHeaders' -name '.' -AtElement @{name='X-Powered-By'}

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7

Plugin: Windows

Control ID: 73020d09c78642871e6ccbdea8ee8969104a520f2d17f21d62dce7b7f8b66a54