Your security department wants you to do this to make the server type harder to identify. This may lessen the barrage of automated hacking tools and make it more difficult for people to break into the server.
Within IIS, open the web site properties, then go to the HTTP Headers tab. Most of the X- headers can be found and removed here. This can be done for individual sites, or for the entire server (modify the properties for the Web Sites object in the tree).
For the Server header, on IIS6 you can use Microsoft's URLScan tool to remove that. Port 80 Software also makes a product called ServerMask that will take care of that, and a lot more, for you.
For IIS7 (and higher), you can use the URL Rewrite Module to rewrite the server header or blank its value. In web.config (at a site or the server as a whole), add this content after the URL Rewrite Module has been installed:
<rewrite>
  <outboundRules rewriteBeforeCache="true">
    <rule name="Remove Server header">
      <match serverVariable="RESPONSE_Server" pattern=".+" />
      <action type="Rewrite" value="" />
    </rule>
  </outboundRules>
</rewrite>
You can put a custom value into the rewrite action if you'd like. This sample was sourced from this article, which also has other great information.
For the MVC header, in Global.asax:
MvcHandler.DisableMvcResponseHeader = true;
Edited 11-12-2019 to update the IIS7 info since the TechNet blog link was no longer valid.
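A check for the changes described in the answer above, as an added example that is not part of the original answer: it reports which identifying headers a response still carries, and accepts a Server header that the rewrite rule has blanked. The function names and sample responses are constructed for illustration, and X-AspNet-Version is an assumption not named on the page.

```python
import http.client

# Headers the answer removes: Server (URL Rewrite rule), the X- headers from
# the HTTP Headers tab, and the MVC header. X-AspNet-Version is an assumption
# added here; it is a standard ASP.NET header not named on the page.
IDENTIFYING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_head(raw):
    """Return [(name, value)] from a raw HTTP response head (status line skipped)."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def leaking_headers(pairs):
    """Return {header: value} for identifying headers that still carry a value.

    A Server header blanked by the rewrite rule (present, empty value) passes.
    """
    found = {}
    for name, value in pairs:
        if name.lower() in IDENTIFYING and value:
            found[name] = value
    return found


def fetch_headers(host, path="/", port=443):
    """Fetch headers from a server you administer (HEAD request over TLS)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/7.5\r\n"
          "X-AspNetMvc-Version: 3.0\r\nX-Powered-By: ASP.NET\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: \r\n\r\n"

if __name__ == "__main__":
    print("before:", leaking_headers(parse_head(BEFORE)))
    print("after: ", leaking_headers(parse_head(AFTER)))
```

Pass the result of fetch_headers() to leaking_headers() to check a live site, and check error responses as well as normal pages, since responses that HTTP.sys generates itself do not pass through IIS modules.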
IIS logs requests after they have completed. W3WP.exe logs to memory after the response has been sent to the client. Then, at regular intervals (usually less than 10 seconds) W3WP.exe writes to the IIS log file specified in the Website configuration. You may have to wait several seconds before requests are visible in the IIS log file. I believe that HTTP.sys is written to in real time. If you don't see your requests in the IIS log file, check that you are indeed visiting the website you think you are. You can also check the most recent %systemroot%\System32\LogFiles\HTTPERR log file for your request... if IIS can't handle your request, HTTP.sys will log why IIS could not accept the request. Hope this helps.
-Chris
Best Answer
The request is logged after the response has been prepared (you have the ability to modify the data that will be logged, under your request).
It will be logged even during errors, even though some errors might end up in the HTTPERR folder (by default under C:\windows\system32\LogFiles\HTTPERR), and I think that certain requests might only show up there.
I had an issue where a firewall with HTTP inspection would cut a connection that stalls for more than 2 minutes, and since the request failed with a "broken pipe" sort of error, I think that only showed up in that error log with status 995.
IIS aborts request thread with status 995