Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IIS returns IP address in HTTP header vulnerability

Status
Not open for further replies.

Kozimoto

Technical User
Sep 25, 2002
44
US
Anyone know how to mask (remove) what IIS 6 reveals in the HTTP header response? Our organization would like to mask the following header info (X) returned by our DMZ IIS servers. We are testing MS's fix for the IP vulnerability right now. We chose to go with SetHostName instead of UseHostName since we feel this is a more secure way to have the server respond. I'll post the results here once we finish testing. In the meantime, here's a typical header returned by IIS 6 with X's by the info we want to mask.

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0 (X)
Content-Location: (X)
Date: Thu, 18 Feb 1999 14:03:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 06 Jan 1999 18:56:06 GMT
ETag: "067d136a639be1:15b6"
Content-Length: 4325

Also, when you go to and look up your site, they actually provide the OS and web server + version. Any way to block the acquisition of this info as well?

We have security auditors all over this one and are hot for a resolution or reasons why we can't provide a solution.

I think everyone in this forum would like an answer on this one too... Why give hackers any more info if we can prevent it?

Everyone's input is very valuable. Thanks in advance. To read more about the problem:

 
Thanks Jeff, I think this is what I'm looking for. Where's my Easy Button?
 
I do apologize for the incorrect name. Thanks again. I'm sure your post will address the problem for many other's as well who are concerned with their outward facing DMZ servers.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top