http://forums.iis.net/1031.aspxA forum aimed at helping understand IIS security such as Authentication, IP restrictions, and SSLenCommunityServer 2007 SP1 (Build: 20510.895)http://forums.iis.net/thread/1874775.aspxWed, 23 Jul 2008 19:17:40 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1874775raynkel0http://forums.iis.net/thread/1874775.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1031&PostID=1874775<p>&nbsp;Thanks, that is what I seem to be hearing, Thank you.<br /></p>http://forums.iis.net/thread/1874750.aspxWed, 23 Jul 2008 15:54:53 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1874750Rovastar0http://forums.iis.net/thread/1874750.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1031&PostID=1874750<p>security/Penetration&nbsp; testers always bring this one up. It really doesn&#39;t really matter there are plenty of way of knowing what the server is. Apart from the HTTP banner which they pick up.<br /></p><p>It is a little tricky to remove this in IIS if you want to remove the HTTP banner</p><p>Here is how</p><p>http://www.microsoft.com/technet/community/en-us/iis/iis6_faq.mspx <br /></p><table class="QandAEntry" cellpadding="0" cellspacing="0"><tr style="padding:0px 0px 7px;" id="title411"><td class="dropCapQ" align="left"><a>Q.</a></td><td class="titleBlock"><a>Is it possible to hide the identity of my Web servers by removing or revising the banner information that is returned with a request?</a></td></tr><tr id="question411"><td><br /></td><td class="QBlock"><br /></td></tr><tr style="padding-top:3px;" id="answer411"><td class="dropCapA" align="left">A.</td><td class="ABlock"><p>Yes. You can use an ISAPI filter to hide banner information. For example, you can write a custom ISAPI filter, or you can install the <a href="http://go.microsoft.com/fwlink/?LinkId=16538">UrlScan</a> security tool. UrlScan contains the <b>RemoveServerHeader</b> feature, which removes or alters the identity of the server from the &quot;Server&quot; response header in the response to the client. IIS 6.0 does not include the <b>RemoveServerHeader</b> feature because it offers no real security benefit. Most server attacks are not operating system-specific. Also, it is possible to detect the identity of a server and information about the operating system by mechanisms that do not depend on the server header.</p></td></tr></table><p>&nbsp;But seriously it is not worth the effort. It is nothing to really worry about.</p>http://forums.iis.net/thread/1874749.aspxWed, 23 Jul 2008 15:42:34 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:1874749raynkel0http://forums.iis.net/thread/1874749.aspxhttp://forums.iis.net/commentrss.aspx?SectionID=1031&PostID=1874749<p>We had a security scan run our web applications and this was the only issue. Does anyone have any idea what to do for this? I know just enough about IIS to get in trouble. Thanks&nbsp;</p><p><b>Description:</b>&nbsp; <br />&nbsp;Default configurations of web servers often provide too much information about their platform and version in HTTP headers and on error pages. This data is not itself dangerous, but it can help an attacker focus on vulnerabilities associated with your specific web server platform/version.<br /><b>&nbsp;<br />Recommendations:&nbsp; </b><br />&nbsp;Configure your web server to avoid having it announce its own details. For example in Apache you would want these two configuration directives in your config file:<br />ServerSignature Off<br /></p>