Version Disclosure (IIS) - Vulnerability Database

Version Disclosure (IIS)

Description

The web application's HTTP responses include a Server header that reveals the specific version of Microsoft Internet Information Services (IIS) in use, for example "Server: Microsoft-IIS/10.0". IIS and the underlying HTTP.sys driver add this header by default, so anyone who sends a request, including a potential attacker, learns the exact server software and version and can narrow reconnaissance and exploit selection to weaknesses known for that release.

Remediation

Remove or modify the Server header to prevent version disclosure. This can be accomplished through several methods:

Method 1: Using URL Rewrite Module
Install the IIS URL Rewrite Module and add an outbound rule that rewrites the RESPONSE_Server server variable to an empty value. Add the following to your web.config. Note that outbound rules only apply to responses that pass through the IIS pipeline; error responses that HTTP.sys generates itself (for example a 400 for a malformed request) still carry the header, which is what Method 3 addresses.

<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Remove Server Header">
        <match serverVariable="RESPONSE_Server" pattern=".+" />
        <action type="Rewrite" value="" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>

Method 2: Using Custom Headers Module
Add the following to web.config to replace the header value. Because IIS adds the Server header itself rather than through customHeaders, the <remove> element on its own does not strip it; the <add> element supplies the generic value meant to replace the IIS banner. Verify the result after applying it, since the outcome differs between IIS versions:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="Server" />
      <add name="Server" value="WebServer" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Method 3: Registry Modification (IIS 10.0+)
On IIS 10.0 version 1709 and later, set the DisableServerHeader value (REG_DWORD) under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters to prevent HTTP.sys from sending the Server header. A value of 1 removes it from responses that HTTP.sys generates itself (such as its own error pages), a value of 2 removes it from all responses, and the default 0 sends it. HTTP.sys reads the value at startup, so restart the HTTP service (which also stops IIS) or reboot the server afterwards.

After making configuration changes, restart IIS and verify that the header is removed or modified using browser developer tools or a command-line tool such as curl (for example, curl -sI followed by the site URL prints only the response headers). Test an error response as well as a normal page, since the two can be produced by different components.
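The following PowerShell script is an added example, not Invicti's code or part of any IIS product, that applies the HTTP.sys registry setting from Method 3 together with the IIS-level removeServerHeader request-filtering attribute (available from IIS 10.0 version 1709 onwards), restarts the affected services, and then checks the live response for a version-bearing Server header. It assumes an elevated session on the IIS server, the WebAdministration module, curl.exe (bundled with Windows 10 1803 and later), and a placeholder site URL of https://www.example.com/ that you would replace with the host under test.

```powershell
# Added example (not Invicti's or Microsoft's code): hide the IIS version at both
# layers that can emit the Server header, then verify from the client side.
# Assumptions: elevated PowerShell on the IIS server, WebAdministration module,
# IIS 10.0 version 1709 or later, curl.exe on PATH, and a placeholder $Url.
#Requires -RunAsAdministrator

$Url = 'https://www.example.com/'   # placeholder: replace with the site under test

# Layer 1: responses produced by the IIS pipeline (pages, IIS 404s, ...).
# removeServerHeader in requestFiltering exists from IIS 10.0 version 1709 onwards;
# setting it at APPHOST level applies to every site on the server.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'removeServerHeader' -Value $true

# Layer 2: responses generated by HTTP.sys itself (e.g. a 400 for a malformed
# request) never enter the IIS pipeline, so web.config cannot affect them.
# DisableServerHeader: 0 = send (default), 1 = omit from HTTP.sys-generated
# responses, 2 = omit from all responses.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
New-ItemProperty -Path $HttpParams -Name 'DisableServerHeader' -Value 2 `
    -PropertyType DWord -Force | Out-Null

# HTTP.sys reads the value at start-up. Stopping it also stops W3SVC and WAS,
# so bring IIS back afterwards (a reboot achieves the same).
net stop http /y | Out-Null
net start http   | Out-Null
iisreset /start  | Out-Null

# Verification: fetch only the headers with curl.exe (the .exe suffix avoids
# PowerShell's 'curl' alias for Invoke-WebRequest, and curl does not throw on
# 4xx/5xx, so error responses can be inspected the same way).
function Test-ServerHeader {
    param([string]$Uri)
    $lines  = & curl.exe -s -o NUL -D - $Uri
    $server = foreach ($l in $lines) {
        if ($l -match '^server:\s*(.*)$') { $Matches[1].Trim() }
    }
    if (-not $server) {
        "PASS: no Server header value from $Uri"
    } elseif ($server -match 'Microsoft-IIS/\d') {
        "FAIL: version still disclosed by $Uri ('Server: $server')"
    } else {
        "OK: Server header present but generic on $Uri ('Server: $server')"
    }
}

Test-ServerHeader -Uri $Url
```

Run the check against a normal page and against a URL that produces an error, and repeat it from outside any reverse proxy or load balancer, since those devices may add or rewrite the Server header independently of what IIS sends.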

Related Vulnerabilities