
Whilst security vetting our machines, I found that one host was exposing a Microsoft-HTTPAPI/2.0 service over port 80 to the internet.

I'm not familiar with this, but after googling around, I found that SQL Server 2008 publishes SQL Server Reporting Services on port 80 by default and identifies itself as HTTPAPI/2.0. The host is also running IIS7.

I'm guessing this is probably not something that should be exposed to the world. Can anyone offer me any information or advice on the security risk of exposing this service?

Response Headers - http://#.#.#.#/
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 10 Aug 2009 10:44:25 GMT
Connection: close
Content-Length: 315

404 Not Found
SharpC

4 Answers


If the response's Server header returns "Microsoft-HttpApi/2.0", it means that the HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).

You can test this by throwing an error using CURL:

curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"

You will see something like this if your server is sending the header:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

You can add a registry value so HTTP.sys doesn't include the header.

  • Open Regedit
  • Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  • If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
  • Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"

Reference: WS/WCF: Remove Server Header

After you add the registry key, the response looks like this:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

Posting here so people who need this can find it. (Thanks, Oram!)

Jeffry McGee

If you don't have any good reason to expose it, then you should probably not expose it. By the way, you may be interested in this article to decide whether or not you should expose it.

Maxwell

Try looking for vulnerabilities in an exploit database for this


The most common cause for this Server response header is when IIS cannot determine which website to serve.

IIS will respond with this Server header when the following are both true:

  • the request contains an unrecognised Host header
  • no default website is configured

Alternatively, if the configuration for the website that IIS is attempting to deliver is malformed, it will be ignored and considered absent, also having the same effect.

Cheekysoft

  • There are more ways to get this header to appear. This header means that HTTP.sys sent the response, not IIS' worker process. Applications like ADFS 3 I believe, which register a URL on HTTP.sys usually responds with this header as well. – milope Jun 03 '17 at 21:27
  • I often forget that requests go through http.sys. Another way to force this header is to make an illegal request e.g. http://server/% and http.sys immediately rejects the request with `HTTP/1.1 400 Bad Request Server: Microsoft-HTTPAPI/2.0` without passing it on to a registered handler – Cheekysoft Jun 05 '17 at 08:30