How to Remove Microsoft-HTTPAPI/2.0 Header on IIS 8 and 10
Original link: https://serverfault.com/questions/941585/how-to-remove-microsoft-httpapi-2-0-header-on-iis-8-and-10
1
I’m trying to remove the Microsoft-HTTPAPI/2.0 server header from my HTTP responses following this article from MSDN. Currently I’m applying the registry-based solution on Windows Server 2008 R2 and Windows 10 with no luck. I still receive the header whenever I send an HTTP request with an empty Host header.
curl -X GET "127.0.0.1" -H "Host:" --head
The command above returns HTTP 400 Bad Request with Server: Microsoft-HTTPAPI/2.0.
Is there any newer approach to remove this particular header? I know this was asked before for IIS 7 (the solution probably still works), but a reboot doesn’t cure the problem on the two Windows versions I mentioned above.
Thank you in advance.
ps. I know it’s kind of security by obscurity, but the auditors want it.
Asked 3 years, 1 month ago
Active 2 months ago
Viewed 7k times
windows-server-2008-r2
iis
windows-10
iis-8
asked Nov 26 '18 at 1:26
Bagus Tesa
11311 silver badge77 bronze badges
2 Answers
3
If the response’s Server header returns "Microsoft-HTTPAPI/2.0", it means that HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).
You can test this by throwing an error using curl:
curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"
You will see something like this if your server is sending the header:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
You can add a registry value so HTTP.sys doesn’t include the header.
1. Open Regedit.
2. Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
3. If DisableServerHeader doesn’t exist, create it (DWORD 32-bit) and give it a value of 2. If it does exist and the value isn’t 2, set it to 2.
4. Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http".
Reference: WS/WCF: Remove Server Header
After you add the registry key, the response looks like this:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
Posting here so people who need this can find it. (Thanks, Oram!)
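As an added example (not part of the Server Fault answer or question above), the following PowerShell applies the registry change the answer describes and then verifies it with the same kind of malformed request the question uses (an empty Host header, which HTTP.sys rejects with a 400 before any IIS site is involved). It assumes it is run from an elevated prompt on the server itself, that HTTP.sys is listening on 127.0.0.1:80, and that W3SVC is the IIS service to start again after the HTTP service restart; the function name Get-HttpSysResponseHeaders is my own.

```powershell
# Added example, not the original post's code.
# Step 1: make sure DisableServerHeader exists and is 2 (the value the answer uses).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$current = (Get-ItemProperty -Path $regPath -Name DisableServerHeader -ErrorAction SilentlyContinue).DisableServerHeader
if ($null -eq $current) {
    New-ItemProperty -Path $regPath -Name DisableServerHeader -PropertyType DWord -Value 2 | Out-Null
} elseif ($current -ne 2) {
    Set-ItemProperty -Path $regPath -Name DisableServerHeader -Value 2
}

# Step 2: HTTP.sys only reads the parameter at start-up, so restart it.
# /y confirms stopping the dependent services (W3SVC, WAS) that sit on top of HTTP.sys;
# W3SVC is started again afterwards (assumption: IIS is the only consumer that matters here).
net stop http /y
net start http
Start-Service W3SVC -ErrorAction SilentlyContinue

# Step 3: provoke an HTTP.sys-generated 400 with an empty Host header (as in the question's
# curl command) and return the response header lines. A raw socket is used on purpose:
# Invoke-WebRequest throws on 4xx and exposes the headers differently across PowerShell versions.
function Get-HttpSysResponseHeaders {
    param([string]$HostName = '127.0.0.1', [int]$Port = 80)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream  = $client.GetStream()
        $request = "GET / HTTP/1.1`r`nHost:`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        # HTTP.sys closes the connection after its error response, so ReadToEnd returns.
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $raw    = $reader.ReadToEnd()
    } finally {
        $client.Close()
    }
    # The header block ends at the first blank line; split it into individual header lines.
    $headerBlock = ($raw -split "`r`n`r`n", 2)[0]
    return $headerBlock -split "`r`n"
}

$headers = Get-HttpSysResponseHeaders
$headers | ForEach-Object { Write-Output $_ }
$serverHeader = $headers | Where-Object { $_ -match '^Server:' }
if ($serverHeader) {
    Write-Warning "HTTP.sys still sends: $serverHeader (check the registry value and that the HTTP service really restarted)"
} else {
    Write-Output 'No Server header in the HTTP.sys 400 response.'
}
```

The verification step is the part worth keeping around: run it before and after the change, and the only difference in the printed header block should be the missing Server line, matching the two responses shown in the answer.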