Removing Server response header

on 27.12.2007 11:18:01 by Alexander Rybin

Please, tell me how I can remove or change "Server:" response http header?

Re: Removing Server response header

on 27.12.2007 11:53:00 by David Wang

On Dec 27, 2:18 am, Alexander Rybin <Ry...@discussions.microsoft.com> wrote:
> Please, tell me how I can remove or change "Server:" response http header?

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1268

URLScan does this as well, but there are other caveats when you
install and use it on IIS6.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: Removing Server response header

on 27.12.2007 16:55:52 by .._..

Also note: Security researchers like to make this an "action item". (After
all, unless they put something in their little report it looks like the
service wasn't necessary.)

It is my opinion however, it means absolutely nothing and does not slow
anybody down at all. The ONLY thing it does is make NetCraft's statistics
slightly less accurate.

For one, most worms and such don't stop to check what version of server is
there, they just attack with whatever payload they have with the "throw it
against the wall and see what sticks" method. I have NEVER seen a worm or
worm description that did or said anything about doing that. If they did,
Apache web server logs wouldn't get those attacks. But they do all the time.

So you aren't making it safer from worms.

Secondly, the guys that attack manually can either look at the server
header, or spend a few minutes looking at OTHER telltale clues the server
gives off (like, its response to an asp file request, timing, error
messages, etc.). Or even, gasp, reading the web site of the host to see what
types of server they use. Often it's right there in plain text. Figuring
out what server is running without a server stamp is EASY. It might slow
down some 12 year old punk in Turkey, but it won't stop anybody with any
brains or experience.

So, spending any time trying to remove it is flat out a waste of time. The
ONLY thing you accomplish is to satisfy the ignorant pointy haired manager
that you did something about a line item in some bogus "security report" by
some shitty scammer assed "security consultant".

Go ahead and do it if you need to, but don't bear the illusion that it
actually does something with practical use.

"David Wang" wrote in message
news:363eab28-9bf9-4ccd-9a9d-ecafadf29e10@f52g2000hsa.googlegroups.com...
On Dec 27, 2:18 am, Alexander Rybin <Ry...@discussions.microsoft.com> wrote:
> Please, tell me how I can remove or change "Server:" response http header?

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1268

URLScan does this as well, but there are other caveats when you
install and use it on IIS6.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
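
An added example, not part of the thread: a small check for confirming that the "Server:" header is actually gone from your own server's responses after a change like the one discussed above, and for listing other response headers that still name the platform. The header list and both sample responses are constructed for illustration.

```python
import re

# Headers that commonly name the server product or framework. This list is an
# assumption made for the example; extend it for your own stack.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw):
    """Parse the header block of a raw HTTP response into (name, value) pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")[1:]  # skip the status line
    pairs = []
    for line in lines:
        if line[:1] in (" ", "\t") and pairs:  # obsolete folded continuation
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Return (header, value, has_version) for each disclosing header found."""
    findings = []
    for name, value in parse_headers(raw):
        if name in DISCLOSING and value:
            findings.append((name, value, bool(VERSION_RE.search(value))))
    return findings


# Constructed sample responses (not captured from a real host).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```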