Friday, April 14, 2017

Remove the X-Powered-By (ASP.NET) header and the IIS version from the HTTP response headers of IIS web servers

Hackers use footprinting techniques to collect as much information as possible about a target network. Simply connecting to a web server with telnet and issuing a request can disclose sensitive details such as the server name, server type, operating system and the applications running on it. Tools such as httprecon, ID Serve and Nmap automate the same task.

Once the attacker knows which application versions are running, they can tell whether the latest patches have been applied. If they have not, every vulnerability that is still unpatched in those versions becomes a candidate for exploitation. It is therefore important not to reveal such version information in web server responses.

The following details how to remove the X-Powered-By header (which advertises ASP.NET) and the IIS version (carried in the Server header, for example Server: Microsoft-IIS/7.5) from the HTTP response headers of IIS web servers.

Generally, when a client browser requests a web page, IIS returns a response that begins with Hypertext Transfer Protocol (HTTP) headers. HTTP response headers are name/value pairs that carry information about the response, such as the HTTP version, the date and the content type.

You can create or modify HTTP headers to pass special information in responses to clients. For example, you could create a custom header named "authors" that contains the names of the content authors, or a Content-Language header that describes the natural languages used in the body of your web page, with one or more language-country/region values such as en-US (United States English), en-CA (Canadian English) and en-GB (British English).

If you create a custom HTTP response header at the Web server level, all Web sites, Web applications, virtual directories, and files inherit the header unless you override the header at a child level. Likewise, Web applications and virtual directories inherit headers from the Web site level, and files inherit headers from the Web application or virtual directory level. You can remove an inherited header so that it is not passed in a response, and restore the header later if it is required.

Note: To view HTTP response headers you need a tool that shows the raw response: a browser add-on or the browser's built-in developer tools (Network panel), or a command-line client such as curl with the -I option.

Steps to remove the server name and IIS version (the Server header) from the HTTP response:

Download and install the latest version of the UrlScan tool (version 3.1) from the following links:

32-Bit (x86): http://www.microsoft.com/downloads/details.aspx?FamilyID=ee41818f-3363-4e24-9940-321603531989

64-Bit (x64): http://www.microsoft.com/downloads/details.aspx?FamilyID=361e5598-c1bd-46b8-b3e7-3980e8bdf0de

1. Double-click the MSI file to begin the installation process.

2. Review the UrlScan Installer Package End User Agreement and click Yes to accept the agreement and continue. If you click No, the installer closes.

3. When the installer completes, a dialog box stating that UrlScan has been successfully installed is displayed.

4. Click Finish to close the installer.

The installer does the following; check each item to verify that UrlScan is configured correctly:

1. Installs the UrlScan.dll and UrlScan.ini files in the %windir%\system32\inetsrv\UrlScan directory. If UrlScan is already installed on the computer, the existing UrlScan.ini file is updated with any new settings that are not present in the current configuration file.

2. Adds UrlScan as a global ISAPI filter to IIS.

3. Creates a %windir%\system32\inetsrv\UrlScan\Logs directory.

4. UrlScan's behaviour is configured by setting options in the UrlScan.ini file. This file must reside in the same directory as UrlScan.dll, and it contains the sections and options described below.

Note: UrlScan 3.0 added change notifications for the UrlScan.ini file, so it is no longer necessary to restart IIS after updating your UrlScan.ini file.

The [Options] section of a UrlScan.ini file contains a list of name/value pairs that define the general behavior for UrlScan. A few of the settings enable or disable other sections in the UrlScan.ini file.

RemoveServerHeader: allowed values are 0 or 1. The default value for RemoveServerHeader is 0.

If set to 1, UrlScan removes the Server header from all responses, and the value of AlternateServerName is ignored.

If set to 0, IIS returns its default Server header on all responses (or, if AlternateServerName is set, that string in place of the default).

Note: This feature is only available if UrlScan is installed on IIS 4.0 or later.
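The edit described above done from PowerShell, as an added example that is not part of the original post: the function Set-UrlScanOption (my own helper, not a UrlScan or Microsoft cmdlet) rewrites the RemoveServerHeader value inside the [Options] section of UrlScan.ini and leaves the commented lines alone. The path is the default install location from the steps above; pass -IniPath if UrlScan lives elsewhere.

```powershell
# Added example (not from the original post): set RemoveServerHeader=1 in the
# [Options] section of UrlScan.ini, keep a backup, and read the value back.
# The default path below is an assumption based on the install steps above.
param(
    [string]$IniPath = "$env:windir\System32\inetsrv\UrlScan\UrlScan.ini"
)

function Set-UrlScanOption {
    # Writes Name=Value into [Options], replacing an existing (uncommented) entry or
    # appending one at the end of the section. Comment lines starting with ';' are untouched.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    $lines     = [System.Collections.Generic.List[string]]@(Get-Content -LiteralPath $Path)
    $keyExpr   = '^\s*' + [regex]::Escape($Name) + '\s*='   # -match is case-insensitive, as UrlScan is
    $inOptions = $false
    $done      = $false

    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if ($line -match '^\s*\[([^\]]+)\]') {
            if ($inOptions -and -not $done) {
                # Leaving [Options] without having seen the key: add it just before the next section
                $lines.Insert($i, "$Name=$Value")
                $done = $true
                $i++
            }
            $inOptions = ($Matches[1] -eq 'Options')
            continue
        }
        if ($inOptions -and -not $done -and $line -match $keyExpr) {
            $lines[$i] = "$Name=$Value"
            $done = $true
        }
    }
    if (-not $done) {
        # File ended while still inside [Options], or has no [Options] section at all
        if (-not $inOptions) { $lines.Add('[Options]') }
        $lines.Add("$Name=$Value")
    }
    Set-Content -LiteralPath $Path -Value $lines -Encoding ASCII
}

# Keep a rollback copy, then make the change
Copy-Item -LiteralPath $IniPath -Destination "$IniPath.bak" -Force
Set-UrlScanOption -Path $IniPath -Name 'RemoveServerHeader' -Value '1'

# Read back the effective settings; UrlScan 3.x reloads the file without an IIS restart
Select-String -LiteralPath $IniPath -Pattern '^\s*(RemoveServerHeader|AlternateServerName)\s*=' |
    ForEach-Object { $_.Line }
```

Run it from an elevated prompt, since UrlScan.ini sits under %windir%\System32. Because RemoveServerHeader=1 makes UrlScan ignore AlternateServerName, the read-back shows both keys so you can see which one is actually in effect.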

Remove the X-Powered-By header from the HTTP response:

IIS 7:

1. In Internet Information Services (IIS) Manager, click the server name in the left pane.

2. Double-click HTTP Response Headers.

3. Select the X-Powered-By header (its value is ASP.NET) and click Remove in the Actions pane on the right.

IIS 6:

1. Right-click the web site and click Properties.

2. Click the HTTP Headers tab.

3. Under Custom HTTP headers, select X-Powered-By: ASP.NET.

4. Click Remove on the right.
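The IIS 7 procedure above done from PowerShell, with the equivalent web.config fragment for a single site and a check of the live response, as an added example that is not part of the original post. It uses Microsoft's WebAdministration module as shipped with IIS 7 and later; the site name, the URL and the function Test-DisclosureHeaders are my own assumptions and helper, and the header check is written for Windows PowerShell 5.1, whose Invoke-WebRequest returns the headers as a dictionary.

```powershell
# Added example (not from the original post). Assumptions: WebAdministration module
# available (IIS 7+), a site named $SiteName, and a reachable $Url; adjust both.
Import-Module WebAdministration
$SiteName = 'Default Web Site'
$Url      = 'http://localhost/'

# Server level (applicationHost.config): the same as selecting the server node,
# HTTP Response Headers, X-Powered-By, Remove. Sites and applications inherit the
# removal unless they add the header again at their own level.
$apphost = 'MACHINE/WEBROOT/APPHOST'
$present = Get-WebConfiguration -PSPath $apphost `
    -Filter "system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']"
if ($present) {
    Remove-WebConfigurationProperty -PSPath $apphost `
        -Filter 'system.webServer/httpProtocol/customHeaders' `
        -Name '.' -AtElement @{ name = 'X-Powered-By' }
}

# Site level (web.config): ASP.NET's own X-AspNet-Version header is not a custom
# header, so it is switched off with httpRuntime enableVersionHeader="false".
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.web/httpRuntime' -Name 'enableVersionHeader' -Value $false

# The same two settings as a web.config fragment, for sites deployed without IIS Manager.
# A <remove> at this level overrides a header inherited from the server level.
$webConfigFragment = @'
<configuration>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
'@

function Test-DisclosureHeaders {
    # Returns the fingerprinting headers still present in the response; an empty
    # result means the server is clean. Error responses are inspected too, because
    # a 404 page carries the same Server/X-Powered-By headers as a 200.
    param([Parameter(Mandatory)][string]$Uri)
    $watch = 'Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'
    try {
        $headers = (Invoke-WebRequest -Uri $Uri -UseBasicParsing).Headers
    } catch [System.Net.WebException] {
        $headers = @{}
        $raw = $_.Exception.Response
        if ($raw) { foreach ($k in $raw.Headers.AllKeys) { $headers[$k] = $raw.Headers[$k] } }
    }
    foreach ($h in $watch) {
        $hit = @($headers.Keys | Where-Object { $_ -ieq $h })
        if ($hit.Count -gt 0) {
            [pscustomobject]@{ Header = $h; Value = ($headers[$hit[0]] -join ', ') }
        }
    }
}

Test-DisclosureHeaders -Uri $Url
```

Run Test-DisclosureHeaders before and after the change, and against an error URL as well as the home page. Two caveats: the Server header itself is only removed by UrlScan (RemoveServerHeader=1, as configured above) or, on IIS 10, by the requestFiltering removeServerHeader="true" setting; and responses that HTTP.sys generates on its own before the request reaches IIS (for example some 400 Bad Request answers) carry a Server header that UrlScan never sees.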
