Server version disclosure in response header in SharePoint 2007 ASP.NET

  • Question

  • Hi,

    I don't want to disclose the IIS server version for security reasons. When using the Fiddler tool I get Server: Microsoft-IIS/7.5 in the response header.

    I tried to set the response header value using an HttpModule as shown below:

    HttpContext.Current.Response.Headers.Set("Server", "WebServer");

    But no use. Then I tried the URLScan tool, but with it my SharePoint application is not working.

    I have removed the response header from IIS as well, but even then it is no use.

    Please give suggestions on how to avoid disclosure of the Server header.

    Thanks in advance.

    Wednesday, July 24, 2013 8:59 AM

Answers

  • Are you in a position to write your own HTTP module?

    Stefan Grobner (a Senior MS Escalations Engineer and a forum regular here) has a blog entry, IIS 7 - How To Send A Custom "Server" HTTP Header, that provides code that modifies the Server header.

    You'd need to create an HTTP module with an event handler for the PreSendRequestHeaders event. Something like:

    HttpContext.Current.Response.Headers.Remove("Server"); 

    Cheers,

    Steven Andrews

    SharePoint Business Analyst

    Blog: Steve's SharePoint Space

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, July 25, 2013 12:13 PM
    Answerer
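The answer above gives only the one line that goes inside the handler. The following is a complete module along the same lines, added here as an example and not taken from the thread or from the blog entry it links to. It assumes IIS 7.x running the site in integrated pipeline mode and an ASP.NET 3.5 SharePoint web application; the class name, namespace and the replacement value "WebServer" are placeholders. It replaces the Server header rather than removing it, and it takes the response from the HttpApplication that raised the event instead of HttpContext.Current, which can be null at this point in the pipeline for some requests.

```csharp
// Added example (not from the thread or the linked blog).
// Assumes IIS 7.x integrated pipeline, ASP.NET 3.5; names and values are placeholders.
using System;
using System.Web;

namespace Custom.ServerModules
{
    // Rewrites or strips identifying response headers just before they are sent.
    public class ServerHeaderModule : IHttpModule
    {
        // Placeholder replacement value; anything that is not a product/version string.
        private const string ReplacementServerValue = "WebServer";

        public void Init(HttpApplication context)
        {
            // PreSendRequestHeaders is the last point at which headers can still be changed.
            // Setting them earlier (e.g. in BeginRequest) lets later code overwrite them,
            // which is one reason an early Headers.Set("Server", ...) appears to have no effect.
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose()
        {
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // Response.Headers is writable only in integrated mode. In classic mode it throws
            // PlatformNotSupportedException, and IIS appends its own Server header afterwards anyway,
            // so the module cannot help there and the site must be switched to integrated mode.
            if (!HttpRuntime.UsingIntegratedPipeline)
            {
                return;
            }

            // Use the application passed to the event rather than HttpContext.Current,
            // which can be null for some requests at this stage.
            HttpApplication app = sender as HttpApplication;
            if (app == null || app.Context == null)
            {
                return;
            }

            HttpResponse response = app.Context.Response;
            response.Headers.Set("Server", ReplacementServerValue);
            response.Headers.Remove("X-AspNet-Version");
            response.Headers.Remove("X-Powered-By");
        }
    }
}
```

The module is registered in the web.config of the web application under system.webServer/modules, as the other reply in this thread shows. Two points worth knowing: requests that never enter the managed pipeline (static files, IIS-generated error pages) keep the IIS Server header unless the modules element carries runAllManagedModulesForAllRequests="true", and X-AspNet-Version can alternatively be switched off in configuration with the httpRuntime element's enableVersionHeader="false" attribute, in which case the module does not need to remove it.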

All replies

  • To deal with penetration testing, please do the following:

    1. Create a folder named App_Code in the IIS folder of the SharePoint site where the headers need to be removed

    2. Create a file with Notepad named CustomHttpModule.cs in that folder.

    3. Edit it with Notepad:

    using System;
    using System.Web;

    namespace Custom.ServerModules
    {
      // Strips identifying response headers just before they are sent to the client.
      public class CustomHttpHeaderModule : IHttpModule
      {
        public void Init(HttpApplication context)
        {
          // PreSendRequestHeaders is the last point at which response headers can be changed.
          context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose()
        {
        }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
          // Take the context from the application that raised the event;
          // HttpContext.Current can be null at this stage for some requests.
          HttpApplication app = sender as HttpApplication;
          if (app == null || app.Context == null)
          {
            return;
          }
          HttpResponse response = app.Context.Response;
          response.Headers.Remove("Server");
          response.Headers.Remove("X-AspNet-Version");
          response.Headers.Remove("X-SharePointHealthScore");
          response.Headers.Remove("SPRequestGuid");
        }
      }
    }


    4. Save the file

    5. Edit the web.config file of the SharePoint web application: add the custom module to the system.webServer section and have the custom headers removed.

    <system.webServer>
      <modules runAllManagedModulesForAllRequests="true">
        ...
        <add name="CustomHttpModule" type="Custom.ServerModules.CustomHttpHeaderModule" />
      </modules>
      ...
      <httpProtocol>
        <customHeaders>
          <remove name="MicrosoftSharePointTeamServices" />
          <remove name="X-Powered-By" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    

    One remark, though, if you implement this: removing the header MicrosoftSharePointTeamServices may break your search crawling. In my case I usually dedicate a web front end to crawling, or have the Web Application role activated on the crawler. Evidently this web front end does not get the custom HttpModule.

    For more info, please refer here.



    THosE wHo doN'T apPreCiATe LiFe, DOn't DeSerVe iT

    Wednesday, July 24, 2013 9:22 AM
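Once the module and the web.config changes are deployed, it is worth checking from outside which headers the site actually still sends, including on error responses, since IIS-generated error pages are a common place for the Server header to reappear. The console program below is an added example, not part of this thread. It assumes .NET 3.5, a machine that can reach the site with the current Windows account, and placeholder URLs: the site root is passed as the first argument, and the static file path under /_layouts/images/ and the non-existent path are only assumptions used to exercise a static response and a 404.

```csharp
// Added example (not from the thread). Assumes .NET 3.5; URLs below are placeholders.
using System;
using System.Collections.Generic;
using System.Net;

namespace Custom.ServerModules.Tools
{
    public static class HeaderCheck
    {
        // Headers the thread sets out to remove. MicrosoftSharePointTeamServices is listed so its
        // presence on a given front end is visible (the thread notes removing it can break crawling).
        static readonly string[] Watched =
        {
            "Server", "X-AspNet-Version", "X-Powered-By",
            "MicrosoftSharePointTeamServices", "X-SharePointHealthScore", "SPRequestGuid"
        };

        // Returns the watched headers that a response still carries, with their values.
        public static List<KeyValuePair<string, string>> FindDisclosureHeaders(WebHeaderCollection headers)
        {
            var found = new List<KeyValuePair<string, string>>();
            foreach (string name in Watched)
            {
                string value = headers[name];
                if (value != null)
                {
                    found.Add(new KeyValuePair<string, string>(name, value));
                }
            }
            return found;
        }

        // Fetches the response headers for one URL. Error responses (401, 404, 500) are kept
        // rather than thrown away, because error pages are where leaked headers often survive.
        static WebHeaderCollection GetResponseHeaders(string url)
        {
            var request = (HttpWebRequest)WebRequest.Create(url);
            request.Method = "HEAD";
            request.UseDefaultCredentials = true;   // SharePoint sites are usually Windows-authenticated
            request.AllowAutoRedirect = false;      // a redirect response has headers of its own
            try
            {
                using (var response = (HttpWebResponse)request.GetResponse())
                {
                    return response.Headers;
                }
            }
            catch (WebException ex)
            {
                var errorResponse = ex.Response as HttpWebResponse;
                if (errorResponse == null)
                {
                    throw;  // connection-level failure, nothing to inspect
                }
                using (errorResponse)
                {
                    return errorResponse.Headers;
                }
            }
        }

        public static int Main(string[] args)
        {
            // Placeholder root; pass the real site root as the first argument.
            string root = args.Length > 0 ? args[0].TrimEnd('/') : "http://sharepoint.example.invalid";
            // A page, an assumed static file path, and a path that should produce a 404.
            string[] urls =
            {
                root + "/default.aspx",
                root + "/_layouts/images/blank.gif",
                root + "/this-path-does-not-exist-header-check"
            };

            int leaks = 0;
            foreach (string url in urls)
            {
                WebHeaderCollection headers = GetResponseHeaders(url);
                List<KeyValuePair<string, string>> found = FindDisclosureHeaders(headers);
                Console.WriteLine("{0}: {1} disclosure header(s)", url, found.Count);
                foreach (KeyValuePair<string, string> h in found)
                {
                    Console.WriteLine("  {0}: {1}", h.Key, h.Value);
                }
                leaks += found.Count;
            }
            // Non-zero exit code lets a deployment script fail when a header is still exposed.
            return leaks == 0 ? 0 : 1;
        }
    }
}
```

Run it against every web front end separately rather than through a load balancer, otherwise the front end that was left with MicrosoftSharePointTeamServices for crawling will show up only on some runs.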
  • Hi Ragab,

    Thanks for the response. I had already tried the one suggested above before, but it did not resolve the issue.

    Could you suggest another solution to resolve my issue?

    Thanks in advance.

    Wednesday, July 24, 2013 10:54 AM