Manage HTTP Response in Microsoft IIS v10.0

If you are in the process of remediating your IIS v10.0 installation, this article may be useful. By default, IIS is generous with the information it puts in its HTTP response headers, and restricting that information is a web security best practice. The response headers are not a security hole in their own right, but they do give a potential attacker useful information about what is running behind them.

Your vulnerability scanner will usually pick this up, but if you google “HTTP response online testers” you will find numerous tools that show your current header information.

The tool will display something like the following:

  • HTTP/1.1 200 OK
  • Content-Type: text/html
  • Last-Modified: Tue, 02 Oct 2018 16:45:29 GMT
  • Accept-Ranges: bytes
  • ETag: "5e25e1536f5ad41:0"
  • Server:
  • X-Powered-By:
  • Date: Mon, 06 May 2019 02:16:24 GMT
  • Connection: close
  • Content-Length: 436

This is a response that has already had some of the information removed: the Server and X-Powered-By values are empty. Left at their defaults, those two headers tell the tester which web server and which technology stack is in use.

Change the HTTP Header in IIS

To do this you will need to install the URL Rewrite module:

https://www.iis.net/downloads/microsoft/url-rewrite

Don’t Create the System Variable First!

Once installed, you can start. Some sites will tell you to create the server variables first, before adding the outbound rule. This does not seem to work: it produces a duplicate key in the IIS config file, resulting in a 500 Internal Server Error when browsing the site. Note that you need to access the site from localhost to see the full error.

In the URL Rewrite module, create an outbound rule for each HTTP Response header you want to hide:

  1. RESPONSE_SERVER
  2. X-POWERED-BY

Use the following screenshot as a settings guide for both variables:

[Screenshot: server-header-rule]
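As an added example (not from the original article), this is the web.config equivalent of the two outbound rules the URL Rewrite GUI creates, so the result can be reviewed or deployed without clicking through the module. It assumes URL Rewrite is installed on the site; the rule names are my own, and the `httpProtocol` and `requestFiltering` entries at the end are alternatives that do not need URL Rewrite, not the article's method.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: minimal web.config for the two outbound rules described above. -->
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- Match the Server header (server variable RESPONSE_Server)
             whenever it has any value, and rewrite it to an empty value. -->
        <rule name="Strip Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <!-- Same treatment for X-Powered-By (server variable RESPONSE_X-Powered-By). -->
        <rule name="Strip X-Powered-By header">
          <match serverVariable="RESPONSE_X-Powered-By" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
      <!-- No server variables are declared ahead of the rules: the article
           notes that creating them first produced a duplicate key and a 500. -->
    </rewrite>

    <!-- Alternatives that work without URL Rewrite. X-Powered-By is a custom
         header IIS adds itself, so it can simply be removed; IIS 10.0 can also
         drop the Server header with removeServerHeader. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true" />
    </security>
  </system.webServer>
</configuration>
```

After saving, recycle the application pool and re-check the site with one of the online header testers mentioned above; if you get a 500 instead, browse from localhost and the error page will name the duplicate element in web.config.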

The 500 Internal Server Error is the general catch-all error returned when the server throws an exception. … Simply put, the 500 Internal Server Error is a generic HTTP status code that means something has gone wrong on the website’s server, but the server could not be more specific about what the exact problem is.