Hide IIS Server from Prying Eyes
If you get into the mind of a potential hacker targeting your site, you soon realize that knowing which operating system and web server you are running would be a great benefit to them. That information lets them go straight for known weaknesses in the web server, while it provides little or no utility to legitimate users, and it is often the starting place for hackers and "script kiddies".
Security vulnerabilities tend to be dependent on software vendor and version. Blind probing might lead to further requests being denied or a system temporarily taken off line. Knowing Web server details greatly increases the efficiency of any attack. If an attacker can target exploits, the chances of successful cracking prior to detection increase significantly. Script kiddies can leverage canned, newly-discovered exploits to do more damage faster by targeting hosts with recognizable signatures. A self-identifying system invites trouble.
Here is an example of an HTTP response header for a standard IIS 6 server with ASP enabled:
URL=http://www.vdhout.nl
Result code: 200 (OK / OK)
Date: Thu, 08 Nov 2007 15:13:30 GMT
Server: Microsoft-IIS/6.0
cache-control: Public
last-modified: Thu, 8 Nov 2007 15:13:28 GMT
Content-Length: 20571
Content-Type: text/html
Expires: Thu, 08 Nov 2007 15:12:29 GMT
Set-Cookie: ASPSESSIONIDAABQBRCT=OLHHMDJBICGKHFCOEMPCECAK; path=/
Masking or anonymizing a Web server involves removing identifying details that intruders could use to detect your OS and Web server vendor and version.
A commercial ISAPI filter called ServerMask by Port80 Software is available to easily customize, mask or anonymize your web server.
In this article I will try to show you what can be done with freely available tools and techniques to customize, mask or anonymize your IIS web server.
Using the Microsoft UrlScan Security Tool
Microsoft has built the UrlScan Security Tool, which enables you to hide the default Server header.
Microsoft Windows Server 2003 has many built-in features that help secure IIS 6.0 servers. UrlScan provides some additional functionality, such as verb control, beyond what IIS 6.0 provides. Also, some organizations have integrated UrlScan features into their server management practices for IIS and for other Microsoft servers. If you want to utilize the additional functionality and features of UrlScan 2.5 or simply maintain your current security management, then consider installing and using UrlScan with IIS 6.0.
If you decide to install UrlScan on your IIS 6.0 server, you should read this document.
You can configure UrlScan by editing the URLScan.ini file, which is located in the %WinDir%\System32\Inetsrv\URLscan\ folder. To configure URLScan, open this file in a text editor such as Notepad, make the appropriate changes, and then save the file.
Hide Server Header using UrlScan
RemoveServerHeader=1
If RemoveServerHeader is set to 0, you can specify a string in the AlternateServerName option to specify what will be passed back in the Server header. If RemoveServerHeader is set to 1, this option is ignored.
Customize Server Header
AlternateServerName=(not specified by default)
Using XMask ISAPI Filter
An alternative to UrlScan is a simple ISAPI filter that does the job and that you can install on your server right away.
This ISAPI filter is called XMask and is available in the article posted here.
Hide Server Headers using XMask ISAPI Filter
Download XMask.zip (24 KB)
- Save XMask.dll to %WinDir%\system32\inetsrv\
- Open up Internet Information Services (IIS) Manager
- Expand the tree until you see the [Web Sites] node and right click on it.
- From the drop down menu choose [Properties]
- Choose the [ISAPI Filters] tab
- Press The [Add] Button
- Enter in XMask for the Filter Name and %WinDir%\system32\inetsrv\xmask.dll for the Executable.
- Press Ok to exit the Filters Properties.
- Press Ok to exit the Web Sites Properties.
Customize Server Headers using XMask ISAPI Filter
Attached to the article posted over at www.asp101.com you will find the C++ source code used to build the XMask ISAPI filter. You could customize the source code to replace the default server string with one specified in the ISAPI filter.
X-Powered-By: ASP.NET
Another easy way for a hacker to tell what type of web server you are running is to look at a new HTTP response header that ASP.NET sets on your machine. It is called X-Powered-By: ASP.NET and it gets added automatically when you install ASP.NET on your server. However, this one is very easy to remove and doesn't require a special ISAPI filter. Microsoft added the HTTP response header by using the Custom HTTP header interface in IIS. To remove it, follow these steps:
- Open up Internet Information Services (IIS) Manager
- Expand the tree until you see the "Web Sites" node and right click on it.
- From the drop down menu choose "Properties"
- Choose the "HTTP Headers" tab.
- Under Custom HTTP header section choose "X-Powered-By: ASP.NET"
- Press Delete
- Press Ok to exit the Web Site Properties.
Active Server Pages (ASP) Session object
The Active Server Pages (ASP) Session object sets a distinct HTTP response header (the ASPSESSIONID cookie shown above) that hackers can clue into, and even if you are not using the ASP Session object, the response header is still present. One way to avoid this is to turn off Session objects via the IIS Manager.
Note: you can only turn off ASP Session objects if you are not using them.
Modify the IIS SMTP welcome message
The following is an example of such a welcome message:
220 Localhost Microsoft ESMTP MAIL Service, Version: 6.5.7226.0 ready at Sun, 04 Nov 07 10:42:33 +0100
We can change this message to hide the server type and version number, or to put a unique identifier in it to help you remember which server you are connected to. Why hide the server type and version number? Because the default banner tells a hacker exactly what type of server you are running. Changing the banner to look like the banner of a different type of server, Sendmail for example, would have them attacking with Sendmail exploits, which should have no effect on your Windows Server 2003 IIS servers.
For details take a look at this story: Modify IIS SMTP welcome message
Here is an example of an anonymized HTTP response header for a standard IIS 6 server with ASP enabled:
URL=http://www.vdhout.nl
Result code: 200 (OK / OK)
Cache-Control: Public
Content-Length: 20571
Content-Type: text/html
Expires: Thu, 08 Nov 2007 15:17:49 GMT
Last-Modified: Thu, 8 Nov 2007 15:18:48 GMT
Date: Thu, 08 Nov 2007 15:18:50 GMT
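To verify that the masking described above actually took effect, here is an added example (not from the article or from any Microsoft or Port80 tool) in Python that parses a raw HTTP response and reports the Server header, the X-Powered-By header and the ASP session cookie discussed in this article, plus the default IIS SMTP greeting from the previous section; the sample responses are constructed from the article's before/after headers, with a real HTTP status line and the X-Powered-By header the article says ASP.NET adds.

```python
import re
# Added example (not from the article or any Microsoft/Port80 tool): a defender's
# check that a response no longer carries the identifying headers the article lists.
# Samples are constructed from the article's before/after headers (X-Powered-By added).
FINGERPRINT_HEADERS = ("server", "x-powered-by")
FINGERPRINT_COOKIE_PREFIXES = ("ASPSESSIONID",)
SMTP_BANNER_RE = re.compile(r"Microsoft ESMTP MAIL Service, Version: [\d.]+")


def parse_headers(raw_response: str) -> dict[str, list[str]]:
    """Map lower-cased header name -> values; stops at the blank line before the body."""
    headers: dict[str, list[str]] = {}
    for line in raw_response.split("\r\n")[1:]:  # [0] is the status line
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def http_leaks(raw_response: str) -> list[str]:
    """Findings for headers and cookies that reveal the vendor or platform."""
    headers = parse_headers(raw_response)
    leaks = [f"{n}: {v}" for n in FINGERPRINT_HEADERS for v in headers.get(n, [])]
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if cookie_name.upper().startswith(FINGERPRINT_COOKIE_PREFIXES):
            leaks.append(f"set-cookie: {cookie_name}")  # ASP session cookie
    return leaks


def smtp_banner_leaks(banner: str) -> list[str]:
    """Flag the default IIS SMTP greeting, which names the product and build."""
    return SMTP_BANNER_RE.findall(banner)


BEFORE = ("HTTP/1.1 200 OK\r\nDate: Thu, 08 Nov 2007 15:13:30 GMT\r\n"
          "Server: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n"
          "Cache-Control: Public\r\nContent-Length: 20571\r\nContent-Type: text/html\r\n"
          "Set-Cookie: ASPSESSIONIDAABQBRCT=OLHHMDJBICGKHFCOEMPCECAK; path=/\r\n"
          "\r\n<html>...</html>")
AFTER = ("HTTP/1.1 200 OK\r\nCache-Control: Public\r\nContent-Length: 20571\r\n"
         "Content-Type: text/html\r\nDate: Thu, 08 Nov 2007 15:18:50 GMT\r\n\r\n<html>")
SMTP_BEFORE = ("220 Localhost Microsoft ESMTP MAIL Service, Version: 6.5.7226.0 "
               "ready at Sun, 04 Nov 07 10:42:33 +0100")

if __name__ == "__main__":
    print("before:", http_leaks(BEFORE) or "clean")
    print("after: ", http_leaks(AFTER) or "clean")
    print("smtp:  ", smtp_banner_leaks(SMTP_BEFORE) or "clean")
```

Run it against a response captured from your own server after applying UrlScan or XMask: an empty list for the HTTP check and the SMTP check means none of the identifying strings this article covers are still being sent.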
