The StripHeaders module is a Native-Code module for IIS 7.0 and above, designed to easily remove unnecessary response headers and prevent information leakage of software and version information, which can be useful to an attacker.
- See the installation section for information regarding deploying StripHeaders within your organisation.
- See the configuration section for information regarding removing additional headers.
Binary – Download from GitHub
Why create a module to remove headers?
Web servers, frameworks and applications often set response headers that reveal the software in use and its version. Such headers are optional and, whilst they serve no real purpose, they can often assist an attacker in identifying vulnerabilities in a system.
As an example, the following headers are contained in responses from a freshly installed IIS 8.5 web server:
HTTP/1.1 200 OK
[...]
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
Headers beginning “X-” are non-standard and completely optional. The “Server” header is defined in RFC 2616, which actively encourages server implementors to make setting this header a configurable option because of the benefit it can provide to an attacker. Unfortunately, most implementors have ignored this encouragement. Whilst many web servers support removing specific version information from the “Server” header, or overwriting it with a new value, few allow it to be easily removed entirely.
Removing Unnecessary Headers in IIS
IIS 7.0 and above do not contain an option to configure whether or not the “Server” header is sent in responses. Historically, there have been a number of workarounds available for removing the “Server” header; unfortunately, none of these methods are ideal and, as of IIS 8.0, they are no longer supported. There are a number of resources available that discuss the available methods at length, however the main methods are:
- Overwrite the “Server” header using the IIS Manager HTTP Response Headers or URL Rewrite modules. Both of these modules can be used to set the server header to a custom or blank value, but will not remove it entirely.
- Use UrlScan (https://www.iis.net/downloads/microsoft/urlscan). This requires additional configuration and is only supported up to IIS 7.0.
- Create a custom IIS ASP.NET managed module and remove the “Server” header using the “PreSendRequestHeaders” event. This only works for requests that pass through the ASP.NET pipeline; as such, the “Server” header will still be sent for static content. Whilst IIS can be configured to force all requests through the pipeline, this is less than desirable. Additionally, use of the “PreSendRequestHeaders” event is no longer recommended by Microsoft (https://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead#presend).
In addition to the “Server” response header, it is common to see other unnecessary headers in an IIS environment, such as “X-Powered-By”, “X-Aspnet-Version” and other custom version headers for applications such as Outlook Web Access and SharePoint. These headers are configured in various locations and as such removing these headers becomes a significant task, particularly across a large infrastructure. This can involve making IIS server configuration changes, web application configuration changes and even registry changes.
The solution to removing unnecessary headers in IIS responses lies in the use of a Native-Code module. Native-Code modules differ from the more common managed modules in that they use the Win32 APIs rather than the .NET Framework. This means that a Native-Code module can process all requests, not just those that pass through the ASP.NET pipeline. Additionally, due to the lower overhead, Native-Code is arguably faster, although this would normally only be a consideration for web servers that process a very large number of requests.
The IIS StripHeaders Native-Code Module
The StripHeaders Native-Code module has been created to provide an easy to deploy method of removing unnecessary headers in IIS 7.0 and above. By default, it removes the “Server”, “X-Aspnet-Version” and any “X-Powered-By” headers, and additional headers to remove can be easily configured.
In an effort to make the module as easy to use as possible, it is provided as an MSI installer, which can be installed directly on web servers, or deployed through group policy to all required servers in an organisation.
The main component of the StripHeaders module is stripheaders.dll, which is the actual IIS module. Using this file alone would still require a fair amount of configuration, so the installer takes care of this work automatically. The installer performs the following tasks:
- Installs stripheaders.dll
- Registers the Native-Code module with IIS using the appcmd.exe command
- Extends the IIS configuration schema to allow setting of headers to remove
- Adds default settings to the IIS configuration to remove the common “Server”, “X-Powered-By” and “X-Aspnet-Version” response headers
- Adds a registry setting to remove the “Server: Microsoft-HTTPAPI/2.0” response header
The “Server: Microsoft-HTTPAPI/2.0” response header is added by the “http” service; it is normally only sent in responses when the request cannot be passed to IIS, for instance when no application pools are available. The registry setting only takes effect when the service is restarted. The installer makes no attempt to restart the service (in fact the installer takes a number of steps to ensure that it never needs to restart any services, as this is not desirable on production systems). The setting will therefore take effect when the server is restarted for scheduled maintenance, such as when Windows Updates are installed. If you wish it to take effect immediately, you can manually restart the “http” service; this will also stop the IIS service. Please note that other services, such as the Web Management Service (WMSVC), also depend on the “http” service and will need to be manually started.
net stop http
iisreset /force
Installation
Download and run the latest installer on your IIS servers.
Alternatively, use Group Policy to assign the installer package to all IIS servers within an organisation. See https://support.microsoft.com/kb/816102 for more information.
Configuration
The StripHeaders module uses a very simple syntax to add additional headers to remove. The configuration is contained in the applicationHost.config file and can be edited directly or from the Configuration Manager module in the site settings in IIS Manager. The default configuration is shown below:
[...]
<configuration>
  [...]
  <system.webServer>
    [...]
    <stripHeaders>
      <header name="Server" />
      <header name="X-Powered-By" />
      <header name="X-Aspnet-Version" />
    </stripHeaders>
  </system.webServer>
</configuration>
[...]
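The following is an added example, not code from the StripHeaders project, that ties the two halves of this page together: it reads the header list from a stripHeaders section written in the syntax above, applies it to a captured response such as the IIS 8.5 sample shown earlier, and reports which headers would still disclose software or version information. It also recognises the “Server: Microsoft-HTTPAPI/2.0” case, where the response never reaches IIS and no module configuration can help. The response text, the extra “X-AspNetMvc-Version” entry in the config, and the matching rules (header names compared case-insensitively, every occurrence of a listed name removed) are assumptions made for the example, not documented behaviour of the module.

```python
"""Simulate the StripHeaders removal policy against a captured IIS response.

Added example; not code from the StripHeaders project. All inputs below are
constructed, and the case-insensitive, remove-all-occurrences matching is an
assumption about the module's behaviour.
"""
import re
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment in the module's syntax, with one
# extra header ("X-AspNetMvc-Version") added beyond the installer defaults.
STRIPHEADERS_CONFIG = """<configuration>
  <system.webServer>
    <stripHeaders>
      <header name="Server" />
      <header name="X-Powered-By" />
      <header name="X-Aspnet-Version" />
      <header name="X-AspNetMvc-Version" />
    </stripHeaders>
  </system.webServer>
</configuration>"""

# Constructed response modelled on the IIS 8.5 sample; "X-Powered-By" appears
# twice, as it does when ARR is installed alongside ASP.NET.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-Powered-By: ARR/2.5\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed response of the kind the "http" service (HTTP.sys) returns when
# no application pool is available to accept the request.
HTTPAPI_RESPONSE = (
    "HTTP/1.1 503 Service Unavailable\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "Content-Length: 326\r\n"
    "\r\n"
)

# Header names that identify server software, plus a pattern for version strings.
DISCLOSURE_NAMES = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
VERSION_RE = re.compile(r"\d+\.\d+")


def headers_to_strip(config_xml):
    """Return the header names listed under system.webServer/stripHeaders."""
    section = ET.fromstring(config_xml).find("./system.webServer/stripHeaders")
    if section is None:
        return []
    return [h.get("name") for h in section.findall("header") if h.get("name")]


def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status_line, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def strip_headers(headers, names):
    """Drop every occurrence of each configured name; HTTP header names are case-insensitive."""
    blocked = {n.lower() for n in names}
    return [(n, v) for n, v in headers if n.lower() not in blocked]


def served_by_httpapi(headers):
    """True when HTTP.sys answered directly, so an IIS module never saw the request."""
    return any(n.lower() == "server" and v.startswith("Microsoft-HTTPAPI") for n, v in headers)


def disclosing_headers(headers):
    """Headers that still reveal software or version information."""
    return [(n, v) for n, v in headers
            if n.lower() in DISCLOSURE_NAMES
            or (n.lower().startswith("x-") and VERSION_RE.search(v))]


def audit(raw, config_xml):
    """Apply the configured removals (unless HTTP.sys answered) and report what remains."""
    status, headers = parse_response(raw)
    httpapi = served_by_httpapi(headers)
    # The module only runs inside IIS; an HTTP.sys response is passed through unchanged.
    remaining = headers if httpapi else strip_headers(headers, headers_to_strip(config_xml))
    return {
        "status": status,
        "httpapi": httpapi,
        "removed": len(headers) - len(remaining),
        "remaining": remaining,
        "leaks": disclosing_headers(remaining),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, HTTPAPI_RESPONSE):
        result = audit(raw, STRIPHEADERS_CONFIG)
        print(f"{result['status']}: removed {result['removed']} header(s); "
              f"{len(result['leaks'])} still disclose software/version")
        for name, value in result["leaks"]:
            print(f"  {name}: {value}" + ("  (HTTP.sys; needs the registry setting and a restart)" if result["httpapi"] else ""))
```

Two details are worth noting when reading the output. The config lists “X-Aspnet-Version” while IIS emits “X-AspNet-Version”; the case-insensitive comparison is what makes that entry effective. And the 503 from HTTP.sys keeps its “Server” header no matter what the stripHeaders section contains, which is exactly why the installer also writes the registry setting described earlier.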
If you would like to know how the module works, full source code for the StripHeaders module and installer is available from https://github.com/dionach/stripheaders.
If you would like to learn more about how Native-Code modules work and how to create them, more information is available in the Native-Code development overview in the MSDN (https://msdn.microsoft.com/en-us/library/aa347657(v=vs.90).aspx).