Home All Groups Group Topic Archive Search About

suppressing http banner in IIS 6.0

microsoft.public.inetserver.iis.security
Author
18 Jul 2006 8:01 PM
DD
I know you can suppress the ftp banner in IIS 6.0 - but how do you suppress
the http banner from displaying the web version? I was able to do it back in
IIS 5, but it no longer works in IIS 6.0 (W2K3 SP1).
We usually get written up about this during Security Assessments but the
security vendor can't tell us how to suppress it themselves. I have searched
the web extensively for an answer but found nothing.

Author
18 Jul 2006 9:53 PM
Miha Pihler [MVP]
Hi,

Check
http://www.microsoft.com/technet/community/columns/insider/iisi1004.mspx#ESG.

I hope it helps you out.

--
Mike
Microsoft MVP - Windows Security

Show quoteHide quote
"DD" <D*@discussions.microsoft.com> wrote in message
news:EC56088A-1247-424D-82D7-7322EE94627A@microsoft.com...
>I know you can suppress the ftp banner in IIS 6.0 - but how do you suppress
> the http banner from displaying the web version? I was able to do it back
> in
> IIS 5, but it no longer works in IIS 6.0 (W2K3 SP1).
> We usually get written up about this during Security Assessments but the
> security vendor can't tell us how to suppress it themselves. I have
> searched
> the web extensively for an answer but found nothing.
Author
18 Jul 2006 10:25 PM
Karl Levinson, mvp
Agreed... in addition, here are some links on how exactly to do that [use
URLScan], and some more reasons why simply disabling the HTTP banner doesn't
increase your security all that much:

http://securityadmin.info/faq.asp?banner


--

kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info




Show quoteHide quote
"Miha Pihler [MVP]" wrote:

> Hi,
>
> Check
> http://www.microsoft.com/technet/community/columns/insider/iisi1004.mspx#ESG.
>
> I hope it helps you out.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "DD" <D*@discussions.microsoft.com> wrote in message
> news:EC56088A-1247-424D-82D7-7322EE94627A@microsoft.com...
> >I know you can suppress the ftp banner in IIS 6.0 - but how do you suppress
> > the http banner from displaying the web version? I was able to do it back
> > in
> > IIS 5, but it no longer works in IIS 6.0 (W2K3 SP1).
> > We usually get written up about this during Security Assessments but the
> > security vendor can't tell us how to suppress it themselves. I have
> > searched
> > the web extensively for an answer but found nothing.
>
>
>



Post Other interesting topics
Supressing Public ASP Error Codes
Flaw in default permissions
Urlscan 2.5 question
Pass though authenticateion
Getting Ip address of the actual client
404 errors on downloading files
Secure SFTP Server
IIS default file permissions used improperly?
Problem with Anonymous Access
Web Server Type