IIS Server Header Hardening

You may want to remove the server product and version from your HTTP responses, since it tells an attacker exactly which platform to fingerprint. There are a couple of ways to go about this, depending on which component is adding the header.

Microsoft-HTTPAPI/2.0

If you are seeing the Server header Microsoft-HTTPAPI/2.0, the header is being added by the kernel-mode HTTP.SYS driver before the response ever reaches user mode, so user-mode tools such as URL Rewrite never get a chance to touch it. To strip this header you will need to:

  • Open REGEDIT and navigate to: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  • In that key, create a DWORD value called DisableServerHeader and set it to 1
  • Open CMD as admin and restart the HTTP service (note that W3SVC depends on HTTP, so stopping it takes IIS down as well, which is why IIS is restarted afterwards):
    • net stop http
    • net start http
  • While in CMD restart IIS with:
    • iisreset 
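The registry change and service restarts above as one script, added here as an example rather than taken from the original post. It assumes an elevated Windows PowerShell session on the IIS host; the `/y` switch answers the "stop dependent services?" prompt that `net stop http` otherwise raises.

```powershell
# Added example: apply the HTTP.SYS DisableServerHeader setting and restart the
# services so it takes effect. Run from an elevated PowerShell prompt.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Show the current value, if one exists, before changing it
$current = Get-ItemProperty -Path $params -Name DisableServerHeader -ErrorAction SilentlyContinue
if ($current) {
    "Current DisableServerHeader = $($current.DisableServerHeader)"
} else {
    'DisableServerHeader is not set; HTTP.SYS adds its own Server header'
}

# Create (or overwrite) the DWORD value and set it to 1 as the post describes
New-ItemProperty -Path $params -Name DisableServerHeader -PropertyType DWord -Value 1 -Force | Out-Null

# HTTP.SYS is a kernel driver and W3SVC depends on it, so stopping it stops IIS.
# Get-Service does not expose kernel drivers, hence net.exe rather than Restart-Service.
net stop http /y
net start http

# Bring WAS/W3SVC back up
iisreset
```

Run it once, then re-check with a HEAD request or telnet; the Microsoft-HTTPAPI/2.0 value should be gone from responses that HTTP.SYS answers itself (for example a 400 for a malformed request).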

Microsoft-IIS/x.x

  • Install URL Rewrite on the IIS server. http://www.iis.net/downloads/microsoft/url-rewrite
  • You can strip the Server header per site or globally
    • In the Connections pane, select the particular site to apply the rule to that site only, or select the server node to apply the change globally
The location of URL Rewrite within IIS

  • Click on the View Server Variables in the Actions pane in the right hand side
Viewing the Server Variables within IIS

  • Click on the Add button
Adding Server Variables within IIS

  • Enter RESPONSE_SERVER in the textbox provided and click OK (this adds it to the list of server variables that rewrite rules are allowed to change)
Adding Server Variables within IIS

  • Click View Rules, then add a new Outbound rule
Selecting Outbound rule within IIS

  • Create an Outbound rule with the following:
    • Name: the name for your rule
    • Matching scope: change it to Server Variable and choose RESPONSE_SERVER
    • Pattern: .+ (regular expression, so the rule matches whatever value IIS put in the header)
    • Action: Rewrite. Leave the Action Properties -> Value text box empty to strip the header entirely, or enter a bogus value there if you prefer to misdirect rather than remove
Defining the outbound rule within IIS

Defining the outbound rule within IIS
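The same configuration driven from the WebAdministration module that ships with IIS, added here as an example and not part of the original post. It assumes URL Rewrite is already installed and that the site is called "Default Web Site"; change `$site` to your own site name, or point it at `MACHINE/WEBROOT/APPHOST` to apply the rule globally. The `Get-ServerHeader` helper is also an assumption of this example (it assumes Windows PowerShell 5.1, where a failed request still exposes the response through the WebException).

```powershell
# Added example: create the outbound rule the screenshots walk through, then
# check the result. Requires URL Rewrite and an elevated session.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'        # applicationHost.config (server level)
$site     = 'IIS:\Sites\Default Web Site'    # assumed site name; change to suit
$ruleName = 'Remove Server header'
$rules    = 'system.webServer/rewrite/outboundRules'

# Step "View Server Variables -> Add": RESPONSE_SERVER must be on the allowed list.
# That list lives in applicationHost.config, so it is always set at server level.
$allowed = 'system.webServer/rewrite/allowedServerVariables'
if (-not (Get-WebConfiguration -PSPath $appHost -Filter "$allowed/add[@name='RESPONSE_SERVER']")) {
    Add-WebConfigurationProperty -PSPath $appHost -Filter $allowed -Name '.' -Value @{ name = 'RESPONSE_SERVER' }
}

# Step "Add new Outbound rule": match the whole RESPONSE_SERVER value (.+) and
# rewrite it. An empty value strips the header; put e.g. 'Apache' here for misdirection.
$newValue = ''
if (-not (Get-WebConfiguration -PSPath $site -Filter "$rules/rule[@name='$ruleName']")) {
    Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -Value @{ name = $ruleName }
}
$rule = "$rules/rule[@name='$ruleName']"
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match"  -Name serverVariable -Value 'RESPONSE_SERVER'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match"  -Name pattern        -Value '.+'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name type           -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name value          -Value $newValue

# Verification helper (assumed, not from the post): HEAD the site and report the
# Server header. Error responses are caught on purpose, because those are the
# ones HTTP.SYS may answer itself and therefore the ones the rewrite rule misses.
function Get-ServerHeader([string]$Url) {
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
    }
    if ($resp -and $resp.Headers['Server']) { $resp.Headers['Server'] } else { '<no Server header>' }
}

Get-ServerHeader 'http://localhost/'
```

Because the rewrite runs in the IIS pipeline, test both a normal page and a deliberately bad request; if the bad request still shows Microsoft-HTTPAPI/2.0, the HTTP.SYS registry change in the previous section is also needed.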

Final Thoughts

You can use this method either to remove the Server header completely from your site(s) or as an opportunity for misdirection by returning a bogus value. It is quite a cheap and easy change to implement. Bear in mind that the URL Rewrite rule only affects responses that pass through the IIS pipeline; responses that HTTP.SYS generates itself still carry Microsoft-HTTPAPI/2.0 unless the registry change above is also made, so check both. Below is the output from a Telnet session which shows the Server header has been stripped.

Telnet response when connecting to the website
