Windows – Blocking OS fingerprinting on Windows Server 2008 / IIS 7

Tags: iis-7, security, windows, windows-server-2008

We recently had a 3rd party auditor perform a penetration test on our MS 2008 webserver that uncovered a remote OS detection vulnerability. It detected the OS as well as the version of IIS.

The auditors recommended: "If possible, configure the web server so that it does not present identifiable information in the banners."

I've done quite a bit of research and I could not find any easy way that will allow me to quickly block this information from being detected.

Does anyone know of any way to do this? Is this something that needs to be configured/denied on the server level or web application level within the code?

Best Answer

You can (among other features) remove the Server: header from HTTP responses with UrlScan. See the configuration reference for options.

To remove the X-Powered-By: header, in IIS manager, select the HTTP Response Header feature, and remove the ASP.NET entry.
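The two steps in the answer, scripted so they can be repeated across servers and then checked, as an added example that is not part of the original answer. It assumes IIS 7.x with `appcmd.exe` in its standard location, UrlScan 3.1 installed at its default path (`%windir%\system32\inetsrv\urlscan\UrlScan.ini`), and an elevated PowerShell session; the `Get-BannerHeaders` function is hypothetical helper code written for this example and uses only .NET `HttpWebRequest`, so it also runs on the PowerShell 2.0 shipped with Server 2008.

```powershell
# Added example (not from the original answer). Assumes IIS 7.x, UrlScan 3.1 at
# its default path, and an elevated PowerShell session.

$inetsrv = Join-Path $env:windir 'system32\inetsrv'
$appcmd  = Join-Path $inetsrv 'appcmd.exe'

# --- 1. Remove the X-Powered-By: ASP.NET header at the server level ---
# Same effect as deleting the ASP.NET entry under "HTTP Response Headers" in
# IIS Manager; the header lives in applicationHost.config's customHeaders
# collection, so it is removed from that collection with appcmd's "/-" syntax.
& $appcmd set config /section:httpProtocol "/-customHeaders.[name='X-Powered-By']" /commit:apphost

# --- 2. Tell UrlScan to strip the Server: header ---
# UrlScan.ini [Options] RemoveServerHeader=1 drops the "Server: Microsoft-IIS/7.x"
# banner. (AlternateServerName= could replace it instead; 1 removes it entirely.)
function Set-UrlScanOption {
    param(
        [string]$IniPath,
        [string]$Key,
        [string]$Value
    )
    $lines = Get-Content -Path $IniPath
    $out   = New-Object System.Collections.ArrayList
    $done  = $false
    foreach ($line in $lines) {
        if ($line -match ('^\s*' + [regex]::Escape($Key) + '\s*=')) {
            [void]$out.Add("$Key=$Value"); $done = $true   # replace existing key
        } else {
            [void]$out.Add($line)
            if (-not $done -and $line -match '^\s*\[Options\]\s*$') {
                [void]$out.Add("$Key=$Value"); $done = $true   # insert under [Options]
            }
        }
    }
    if (-not $done) { [void]$out.Add('[Options]'); [void]$out.Add("$Key=$Value") }
    Set-Content -Path $IniPath -Value $out
}

$urlscanIni = Join-Path $inetsrv 'urlscan\UrlScan.ini'   # assumed default install path
if (Test-Path $urlscanIni) {
    Set-UrlScanOption -IniPath $urlscanIni -Key 'RemoveServerHeader' -Value '1'
    # UrlScan reads its configuration when IIS starts; run "iisreset" afterwards
    # during a maintenance window if the header is still present.
} else {
    Write-Warning "UrlScan.ini not found at $urlscanIni; install UrlScan 3.1 first."
}

# --- 3. Verify from the server itself (or any host that can reach the site) ---
# Sends a HEAD request and reports the banner headers that are still emitted.
# X-AspNet-Version is listed too: it is not covered by the answer above, but it
# is another version banner (controlled by <httpRuntime enableVersionHeader="false" />).
function Get-BannerHeaders {
    param([string]$Url = 'http://localhost/')
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = 'HEAD'
    $response = $null
    try {
        $response = $request.GetResponse()
    } catch [System.Net.WebException] {
        $response = $_.Exception.Response   # 4xx/5xx responses still carry headers
    }
    if ($response -eq $null) { throw "No HTTP response from $Url" }
    $result = @{}
    foreach ($name in 'Server', 'X-Powered-By', 'X-AspNet-Version') {
        $value = $response.Headers[$name]
        if ($value -eq $null) { $value = '<absent>' }
        $result[$name] = $value
    }
    $response.Close()
    $result
}

Get-BannerHeaders -Url 'http://localhost/' | Format-Table -AutoSize
```

After both steps, `Get-BannerHeaders` should show `<absent>` for `Server` and `X-Powered-By`. Stripping banners satisfies the audit finding, but it only removes the obvious identifiers: IIS can still be recognised from its default error pages, header ordering and TCP/IP stack behaviour, so treat this as reducing casual disclosure rather than as making the server unidentifiable.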