
Thread: Stop displaying too much info

Last post 07-23-2008 3:17 PM by raynkel. 2 replies.

  • 07-23-2008, 11:42 AM

    • raynkel
    • Not Ranked
    • Joined on 02-02-2004, 5:59 AM
    • Posts 2

    Stop displaying too much info

    We had a security scan run on our web applications and this was the only issue. Does anyone have any idea what to do for this? I know just enough about IIS to get in trouble. Thanks

    Description: 
     Default configurations of web servers often provide too much information about their platform and version in HTTP headers and on error pages. This data is not itself dangerous, but it can help an attacker focus on vulnerabilities associated with your specific web server platform/version.
     
    Recommendations: 

     Configure your web server to avoid having it announce its own details. For example in Apache you would want these two configuration directives in your config file:
    ServerSignature Off

  • 07-23-2008, 11:54 AM In reply to

    • Rovastar
    • Top 10 Contributor
    • Joined on 03-13-2008, 2:00 PM
    • London, UK
    • Posts 758

    Re: Stop displaying too much info

    Security/penetration testers always bring this one up. It really doesn't matter; there are plenty of ways of knowing what the server is, apart from the HTTP banner which they pick up.

    It is a little tricky to remove this in IIS if you want to remove the HTTP banner.

    Here is how

    http://www.microsoft.com/technet/community/en-us/iis/iis6_faq.mspx

    Q. Is it possible to hide the identity of my Web servers by removing or revising the banner information that is returned with a request?

    A.

    Yes. You can use an ISAPI filter to hide banner information. For example, you can write a custom ISAPI filter, or you can install the UrlScan security tool. UrlScan contains the RemoveServerHeader feature, which removes or alters the identity of the server from the "Server" response header in the response to the client. IIS 6.0 does not include the RemoveServerHeader feature because it offers no real security benefit. Most server attacks are not operating system-specific. Also, it is possible to detect the identity of a server and information about the operating system by mechanisms that do not depend on the server header.

    But seriously, it is not worth the effort. It is nothing to really worry about.

    Most overused word in IT is 'should' as in 'That should work!?!'
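To verify the scanner finding yourself before and after applying the UrlScan change Rovastar links to, here is a small checker. It is an added example, not code from the thread or from Microsoft. It parses a raw HTTP response (the two sample responses below are constructed, not captured from a real server) and reports the headers a scanner would flag as platform/version disclosure; `fetch_headers` is a convenience for pointing it at a live server and is not needed for the offline run. One caveat worth knowing: `RemoveServerHeader=1` in the `[Options]` section of UrlScan.ini removes only the `Server` header. `X-Powered-By: ASP.NET` is a separate IIS custom header, and `X-AspNet-Version` is emitted by ASP.NET (controlled by `enableVersionHeader` in web.config), so the check looks at those as well.

```python
# Added example (not from the thread): offline check for version-disclosing
# HTTP response headers, the class of finding the original scan reported.
import http.client
import re

# Response headers that commonly announce platform/version.  UrlScan's
# RemoveServerHeader=1 only strips "Server"; the other two are set by IIS
# custom headers and ASP.NET respectively and must be handled separately.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# A product token carrying a version, e.g. "Microsoft-IIS/6.0".
VERSIONED_TOKEN = re.compile(r"^[A-Za-z][\w.-]*/\d[\w.]*")


def parse_response_headers(raw):
    """Parse the header block of a raw HTTP response into a dict keyed by
    lower-cased header name; duplicate headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return headers


def fetch_headers(host, port=80, path="/"):
    """Issue a HEAD request to a live server and return its headers as a dict
    (same shape as parse_response_headers). Not used by the offline run."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        headers = {}
        for name, value in resp.getheaders():
            name = name.lower()
            headers[name] = value if name not in headers else headers[name] + ", " + value
        return headers
    finally:
        conn.close()


def disclosure_findings(headers):
    """Return [(header, value, carries_version)] for each disclosure header
    present, in DISCLOSURE_HEADERS order. Empty list means nothing to report."""
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append((name, value, bool(VERSIONED_TOKEN.match(value))))
    return findings


# Constructed sample responses (not captured from a real server): a default
# IIS 6.0 / ASP.NET response, and the same response with the three headers gone.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        found = disclosure_findings(parse_response_headers(raw))
        print(label + ":", found if found else "no disclosure headers")
```

Run it as-is to see the before/after comparison on the constructed samples; to check a real box, replace the sample with `disclosure_findings(fetch_headers("your-host"))`. Note that the scanner text also mentions error pages, which this header check does not cover; a default IIS 404 or ASP.NET error page can still name the platform even with the headers stripped.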
  • 07-23-2008, 3:17 PM In reply to

    • raynkel
    • Not Ranked
    • Joined on 02-02-2004, 5:59 AM
    • Posts 2

    Re: Stop displaying too much info

    Thanks, that is what I seem to be hearing. Thank you.
