Anyone know how to mask (remove) what IIS 6 reveals in the HTTP header response? Our organization would like to mask the following header info (X) returned by our DMZ IIS servers. We are testing MS's fix for the IP vulnerability right now. We chose to go with SetHostName instead of UseHostName since we feel this is a more secure way to have the server respond. I'll post the results here once we finish testing. In the meantime, here's a typical header returned by IIS 6 with X's by the info we want to mask.
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0 (X)
Content-Location: (X)
Date: Thu, 18 Feb 1999 14:03:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 06 Jan 1999 18:56:06 GMT
ETag: "067d136a639be1:15b6"
Content-Length: 4325
Also, when you go to and look up your site, they actually provide the OS and web server + version. Any way to block the acquisition of this info as well?
We have security auditors all over this one and are hot for a resolution or reasons why we can't provide a solution.
I think everyone in this forum would like an answer on this one too... Why give hackers any more info if we can prevent it?
Everyone's input is very valuable. Thanks in advance. To read more about the problem:
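An added example, not part of the original post: a small check that can be run while testing a fix like the one described, to confirm that a response no longer carries a product/version banner in `Server` or an internal address in `Content-Location`. The two sample responses, the address 10.1.2.3, and the host www.example.com are constructed for illustration, and the function name `audit_headers` is hypothetical.

```python
import ipaddress
import re

# Constructed sample responses (not captured from a real server).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Location: http://10.1.2.3/Default.htm\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 4325\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Location: http://www.example.com/Default.htm\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 4325\r\n\r\n"
)

VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d[\w.]*")  # e.g. Microsoft-IIS/6.0
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def audit_headers(raw):
    """Return (header, reason) findings for one raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:        # skip the status line
        if not line:                         # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    findings = []
    server = headers.get("server", "")
    if VERSION_TOKEN.search(server):
        findings.append(("Server", "product/version banner: " + server))
    for name in ("Content-Location", "Location"):
        for candidate in IPV4.findall(headers.get(name.lower(), "")):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue                     # dotted digits, but not a valid address
            if addr.is_private:
                findings.append((name, "internal address: " + candidate))
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(raw))
```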