Remove IIS server version worked for HTTP, but not HTTPS!

WindowsGeek 21 Reputation points
2021-09-14T08:20:10.47+00:00

Hello,
I used the HTTP Response headers and changed IIS to the Apache, but Nmap tool could detect IIS on port 443. How can I change it on port 443 too?

Thank you.


6 answers

  1. rico 1 Reputation point
    2022-12-08T17:56:55.96+00:00

    My understanding of the specifics might be wrong but in essence, all routing gets handled by the HTTP Application class. In my case we used Global.asax, a class derived from HttpApplication. This is what handles GLOBAL raised events and calls.

    In my code, manipulating web.config or IIS Manager did not resolve the issue. In the last leg of the journey from server to client, server was being added (thus overriding removal of it in web.config or IIS Manager). I had to target this last step in Global.asax such as:
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        // strip the Server header that IIS appends late in the pipeline
        Response.Headers.Remove("Server");
        // can add a field for Server as such; optional
        Response.AddHeader("Server", "nah nah nah nah nahh");
    }

    https://stackoverflow.com/questions/22401219/remove-server-response-header-iis-8-0-8-5


  2. MotoX80 31,656 Reputation points
    2021-10-11T13:56:09.603+00:00

    "Should I remove it completely?"

    I would, I don't see any value in adding a header that says that you are running Apache.

    "Are you sure no one can hide the IIS version from the scanners like Nmap?"

    No, I am not sure. If your organization is extremely concerned with your public facing web site, then it might be a good idea to hire a security firm who specializes in penetration testing and web security analysis and have them probe your sites and see what they recommend. The company that I used to work for did that, but it was 6 years ago. I don't remember who did that for us.

    You should be able to use the configuration editor and remove the header. Start at the server level and set it to false.

    system.webServer/security/requestFiltering

    (screenshot attached: 139485-capture.jpg)

    Then check each of your sites to see that they are inheriting the server config.

    (screenshot attached: 139504-capture1.jpg)


  3. MotoX80 31,656 Reputation points
    2021-10-04T12:55:20.26+00:00

    "Nmap detected my server as an IIS:"

    Mine too. Even though I set the headers to report as MVS and CICS.

    (screenshot attached: 137445-capture.jpg)

    https://nmap.org/book/man-version-detection.html

    After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS family (e.g. Windows, Linux).

    https://nmap.org/book/vscan.html

    To reiterate what I posted in my first reply, this falls into the "So What?" category. If you've got a web server exposed to the internet, then you are likely running one of these web servers.

    https://w3techs.com/technologies/overview/web_server

    If you really have IIS running but you set the host headers to report that you are running Apache, it's not like any hacker is going to say: "well, he's running Apache, so we will only run Apache specific hack attempts against him".

    Heck no, they are going to try every known exploit that they have access to, to see if they can break into your server. Because you never know when an IIS exploit might work on Apache.

    Disclaimer: The above reply is my personal opinion based on decades of professional experience. I do not represent Microsoft.

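The point made above, that a rewritten Server header does not stop service fingerprinting, is easy to confirm against your own site. The following script is an added example for this thread, not code from any of the posts: it parses an HTTP response and lists the headers and cookie names that still identify an IIS/ASP.NET stack (X-Powered-By, X-AspNet-Version, the ASP.NET_SessionId cookie, NTLM/Negotiate challenges), and it includes a small helper to fetch live headers from port 80 and port 443 so both listeners can be checked. The host name is a placeholder and the two sample responses are constructed for offline use.

```python
"""Check what an HTTP(S) endpoint still reveals about IIS after the Server header is changed.

Added example for this thread; not code from the original posts. Host/port values
are placeholders, and the sample responses below are constructed for offline use.
"""
import http.client
import ssl
from email.parser import BytesParser

# Headers and cookie names that commonly identify IIS/ASP.NET even when the
# Server header has been rewritten (well-known defaults, not taken from the thread).
# An empty needle means any value of that header is a giveaway.
IIS_HEADER_HINTS = {
    "server": ("microsoft-iis", "microsoft-httpapi"),
    "x-powered-by": ("asp.net",),
    "x-aspnet-version": ("",),
    "x-aspnetmvc-version": ("",),
    "www-authenticate": ("ntlm", "negotiate"),
}
IIS_COOKIE_HINTS = ("asp.net_sessionid", ".aspxauth")


def parse_raw_response(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line and a list of (name, value) headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, _, header_bytes = head.partition(b"\r\n")
    msg = BytesParser().parsebytes(header_bytes + b"\r\n")
    return {"status": status_line.decode("latin-1"),
            "headers": [(name, value) for name, value in msg.items()]}


def iis_indicators(headers) -> list:
    """Return the headers (in order) that still point at an IIS/ASP.NET stack."""
    found = []
    for name, value in headers:
        lname, lvalue = name.lower(), value.lower()
        if lname in IIS_HEADER_HINTS:
            if any(needle in lvalue for needle in IIS_HEADER_HINTS[lname]):
                found.append(f"{name}: {value}")
        if lname == "set-cookie" and any(c in lvalue for c in IIS_COOKIE_HINTS):
            # report only the cookie name=value part, not its attributes
            found.append(f"{name}: {value.split(';')[0]}")
    return found


def fetch_headers(host: str, port: int, use_tls: bool, path: str = "/"):
    """Issue a HEAD request and return the response headers (live check; needs network)."""
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        return conn.getresponse().getheaders()
    finally:
        conn.close()


def check_ports(host: str) -> dict:
    """Live check of both listeners; returns {port: [indicators]}."""
    return {port: iis_indicators(fetch_headers(host, port, use_tls=(port == 443)))
            for port in (80, 443)}


# Constructed sample: Server header rewritten to "Apache", but ASP.NET remnants remain.
SAMPLE_PORT_443 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 4.0.30319\r\n"
    b"Set-Cookie: ASP.NET_SessionId=placeholder; path=/; HttpOnly\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample of a response with the identifying headers removed.
SAMPLE_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: sid=placeholder; path=/; HttpOnly; Secure\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("port 443 sample", SAMPLE_PORT_443),
                       ("hardened sample", SAMPLE_HARDENED)):
        hits = iis_indicators(parse_raw_response(raw)["headers"])
        print(label, "->", hits or "nothing IIS-specific in headers")
    # check_ports("www.example.invalid")  # placeholder host; run against your own site
```

Run it as-is to see the two constructed samples evaluated; call `check_ports` with your own host name to compare what the port 80 and port 443 listeners actually return. An empty result from this script only means the headers are clean; scanners also look at response bodies, error pages and TLS details, which this check does not cover.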

  4. MotoX80 31,656 Reputation points
    2021-10-02T13:30:25.103+00:00

    "configured an IIS web site to return a header"

    Add the response header at the server level instead of at the site level.

    (screenshot attached: 137102-capture.jpg)

    Or add the header to all web sites.


  5. WindowsGeek 21 Reputation points
    2021-09-29T09:55:41.56+00:00

    Hello,
    No idea about it?