
I need to remove the 'Server' header from all HTTP requests coming to my IIS site due to PCI DSS scanning restrictions. I am running the latest version of Windows Server 2016 using the latest version of IIS 10. The IIS Request Filtering role is installed in Roles and Features.

My configuration file looks like this:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>

I am serving a static file, for the purposes of this test, it is called index.html and contains <html></html>.

After creating the config file, restarting IIS, and requesting the file, IIS is still sending the Server header:

[screenshot of the response headers]

The only other way I know of is to install the IIS-rewrite module, however this is extremely undesirable as we are running a server farm and this would need to be done to multiple servers and server images.

Are there any other things I can try to get request filtering working?

Is there any other way to remove the Server header which doesn't require IIS-rewrite?

P.S. I can reproduce this on multiple servers by creating a new site in IIS, and creating an index file and a web.config as above - it feels like I'm missing something obvious.

caesay
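The following script is an added example and is not part of the original post. It does what a practitioner would do before filing this as a bug: check whether the IIS build can honour the attribute at all, set it once at server level so the same script can be replayed across a farm instead of dropping a web.config into every site, and then verify on the wire. Microsoft's documentation lists removeServerHeader as available from IIS 10.0 version 1709; Windows Server 2016 LTSC (version 1607) is build 14393, while version 1709 is build 16299. It assumes the WebAdministration module is present (it ships with IIS), that the site answers on http://localhost/, and that the test file is the index.html from the question; the build-number threshold and the URL are assumptions, not values from the page.

```powershell
# Added example, not code from the original post. Run in an elevated
# PowerShell session on the IIS host.
# Assumptions: WebAdministration module available; site bound on
# http://localhost/; the test page is the index.html from the question.
#Requires -RunAsAdministrator
Import-Module WebAdministration

# 1. removeServerHeader is documented for IIS 10.0 version 1709 and later.
#    Server 2016 LTSC (version 1607) is build 14393; version 1709 is
#    build 16299 (assumed threshold). Warn when the OS predates the feature.
$build = [Environment]::OSVersion.Version.Build
if ($build -lt 16299) {
    Write-Warning "OS build $build predates IIS 10.0 version 1709; removeServerHeader is not documented for this build."
}

# 2. Set the attribute once at server level (applicationHost.config) rather
#    than per site, so one script covers every server in the farm.
$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/requestFiltering'
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter `
    -Name 'removeServerHeader' -Value $true

# 3. Read the effective value back to confirm the write landed.
$effective = (Get-WebConfigurationProperty -PSPath $appHost `
    -Filter $filter -Name 'removeServerHeader').Value
"removeServerHeader (server level): $effective"

# 4. Verify on the wire: fetch the static file and inspect the response headers.
$resp = Invoke-WebRequest -Uri 'http://localhost/index.html' -UseBasicParsing
if ($resp.Headers.ContainsKey('Server')) {
    Write-Warning ("Server header still present: " + $resp.Headers['Server'])
} else {
    'Server header absent.'
}
```

Two caveats when reading the result. If the warning in step 1 fires, the setting in the question's web.config is correct syntax but the build it is running on is not one the documentation supports, which is the first thing to rule out. And an ASV scanner probes with more than a clean GET for index.html: responses that HTTP.sys generates itself, before the request is handed to the IIS worker process (for example replies to malformed requests or to a host name with no binding), are not produced by the site and are not governed by the site's requestFiltering setting, so test one of those separately rather than concluding from a single 200 that the header is gone everywhere.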
  • That post could help: https://stackoverflow.com/questions/22401219/remove-server-response-header-iis-8-0-8-5 – yagmoth555 Jan 31 '19 at 12:20
  • @yagmoth555: that is for using iis-rewrite or native code modules, not for request filtering - thanks anyway – caesay Jan 31 '19 at 13:07
  • PCI-DSS does not require removing the Server response header. What is this all about? – Michael Hampton Jan 31 '19 at 13:26
  • @MichaelHampton At least two different ASVs here in the UK that I've used require it (it's the reason they're failing our scans right now). If other ASVs don't require that, it's news to me - but we are not interested in changing providers over what should be a simple fix. – caesay Jan 31 '19 at 14:03
  • I agree, that should be a simple fix. I'm only saying I've never heard of any ASV requiring this. There's no obvious reason for it, and not even a security benefit. – Michael Hampton Jan 31 '19 at 14:30
  • I plan to write a blog post some time about removing the server header, but it is never a simple task. – Lex Li Jan 31 '19 at 14:53
  • Did you try this? I hope this helps... – MarmiK Apr 06 '22 at 09:46

0 Answers