3.11 Ensure Server Header is removed - Applications

Information

The Server response header may reveal the underlying technology used by an application. Attackers can use such response headers to conduct reconnaissance on a website and then aim attacks at known vulnerabilities associated with that technology. Removing this header denies opportunistic (non-determined) attackers an easy way to target your application with exploits for that specific technology.

Rationale:
While this is not the only way to fingerprint a site through its response headers, removing the Server header makes fingerprinting harder and deters some potential attackers. The removeServerHeader directive is a new feature in IIS 10 that can assist in mitigating this risk.

Solution

Enter the following command to use AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/requestFiltering /removeServerHeader:'True' /commit:apphost

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/' -filter 'system.webServer/security/requestFiltering' -name 'removeServerHeader' -value 'True'
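The following script is an added audit example; it is not part of the CIS benchmark or Tenable text. It reads the removeServerHeader attribute at the same configuration path the remediation above writes to, then sends a request to the site and reports whether a Server header is still returned. It assumes Windows PowerShell 5.1 with the WebAdministration module on the IIS 10 host, and $Url is a placeholder for a real application URL.

```powershell
# Added example (not part of the CIS/Tenable text). Audits the
# removeServerHeader setting in applicationHost.config and then confirms,
# with a live request, that the Server header is no longer returned.
# Assumes Windows PowerShell 5.1 and the WebAdministration module on the
# IIS 10 host; $Url is a placeholder for an application URL on that host.
param(
    [string]$Url = 'http://localhost/'   # placeholder test URL
)

Import-Module WebAdministration

$psPath = 'MACHINE/WEBROOT/APPHOST/'
$filter = 'system.webServer/security/requestFiltering'

# 1. Configuration check: the attribute as stored at the server level.
$attr = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'removeServerHeader'
# Depending on the build, the cmdlet returns either a plain [bool] or a
# ConfigurationAttribute object whose .Value holds the boolean; handle both.
$configured = if ($attr -is [bool]) { $attr } else { [bool]$attr.Value }

if ($configured) {
    Write-Output "PASS: removeServerHeader is True at $psPath"
} else {
    Write-Output "FAIL: removeServerHeader is not True (default response carries 'Microsoft-IIS/10.0')"
}

# 2. Behavioural check: does a real response still carry a Server header?
#    Invoke-WebRequest throws on non-2xx status codes, so in that case the
#    headers are read from the exception's response object instead.
$server = $null
try {
    $response = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -ErrorAction Stop
    $server   = $response.Headers['Server']
} catch {
    $errResponse = $_.Exception.Response
    if ($null -ne $errResponse -and $null -ne $errResponse.Headers) {
        $server = $errResponse.Headers['Server']
    } else {
        Write-Output "ERROR: could not reach $Url ($($_.Exception.Message))"
        return
    }
}

if ([string]::IsNullOrEmpty($server)) {
    Write-Output "PASS: no Server header returned by $Url"
} else {
    Write-Output "FAIL: Server header is still present: '$server'"
}
```

Run it as `.\Check-ServerHeader.ps1 -Url 'http://<your-site>/'` from an elevated prompt (reading applicationHost.config requires administrative rights). Point $Url at a path the application actually serves: request filtering only acts on responses that reach IIS, so error responses generated by HTTP.sys itself before a request is handed to IIS are outside the scope of this setting and would not be a fair test of it.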

Impact:
This will remove the server header.

Default Value:
Microsoft-IIS/10.0

See Also

https://workbench.cisecurity.org/files/2220

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30, CSCv7|5.1

Plugin: Windows

Control ID: 4560e9db8e950ff89fa5db2dc5c19e4f830fb61f94bf11153180830c686eb398