Friday, August 31, 2012

How to remove or modify the "Server" HTTP header in IIS 7 / IIS 7.5?


Server: Microsoft-IIS/7.0


Several methods can be used to prevent IIS from sending the server's identification to a client. Without it, the client cannot readily identify the server software, which delays an easy break-in to the server.


One such method is to write a custom module (code given below) and save the class file under the App_Code folder.


Code from Stefan Gossner





using System;
using System.Text;
using System.Web;

namespace StefanG.ServerModules
{
    public class CustomServerHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // run the handler just before the response headers are sent to the client
            context.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose()
        { }

        void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            // modify the "Server" Http Header
            // (Response.Headers can only be changed in the IIS 7 integrated pipeline mode)
            HttpContext.Current.Response.Headers.Set("Server", "My Test Server");
        }
    }
}



Then, go to the IIS 7 server and double-click "Modules". Click "Add Managed Module". A dialog will open asking you to enter a Name and a Type. Enter a strong name for the module, choose the module (the one that we saved under App_Code) from the drop-down and click OK. Restart the server.


That's it! When you browse the website, the server identification will now be removed or modified, depending on the code in your module.
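To confirm the change took effect, the check below classifies the "Server" header of each response as disclosed, masked or absent. It is an added example, not part of the original post or of Stefan Gossner's code; the function names and sample responses are constructed for illustration. It also flags `Microsoft-HTTPAPI`, the value HTTP.sys sends for error responses that never reach an IIS module.

```python
import re
import sys
import urllib.error
import urllib.request

# Product tokens that identify the Microsoft web stack in a Server header.
# Microsoft-HTTPAPI comes from HTTP.sys, below IIS, so a managed module cannot rewrite it.
REVEALING = re.compile(r"Microsoft-(IIS|HTTPAPI)", re.IGNORECASE)

def server_values(raw_head):
    """Return every Server header value found in a raw HTTP response head."""
    values = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            values.append(value.strip())
    return values

def audit(raw_head):
    """Classify a response head as 'disclosed', 'masked' or 'absent'."""
    values = server_values(raw_head)
    if not values:
        return "absent"
    if any(REVEALING.search(v) for v in values):
        return "disclosed"
    return "masked"

def fetch_head(url):
    """Fetch a URL and rebuild its response head as text (error statuses included)."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:       # 4xx/5xx responses still carry headers
        resp = err
    return "HTTP/1.1 %s\r\n%s" % (resp.code, resp.headers)

# Constructed sample response heads, not captured from a real server.
SAMPLES = {
    "default IIS": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/7.0\r\n\r\n",
    "module active": "HTTP/1.1 200 OK\r\nServer: My Test Server\r\n\r\n",
    "HTTP.sys error": "HTTP/1.1 400 Bad Request\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n",
}

if __name__ == "__main__":
    heads = {u: fetch_head(u) for u in sys.argv[1:]} or SAMPLES
    for label, head in heads.items():
        print("%-16s %-10s %s" % (label, audit(head), server_values(head)))
```

Run it with no arguments to see the constructed samples, or pass the URLs of your own site (a normal page, a static file and a missing page) to check each response type.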


For IIS 6, UrlScan needs to be set up.
