Question

4 Replies, 92 Views
nikitas1350 Member since 2017 7 posts
ericsson
Posted: August 8, 2018
Last activity: August 9, 2018
Closed

Web Server Discloses Software Type And Version

Hi Team,

Can you please review the recommendation below and suggest a way to implement it?

Web Server Discloses Software Type And Version

Specific Detail

The Team observed that software type and version details were disclosed within the HTTP ‘Server’ header field.

Impact

Knowing the server type and version allows an attacker to focus on the vulnerabilities of that specific version, whereas someone without this knowledge would have to try different vulnerabilities by brute-force. In addition, some servers disclose the operating system version within HTTP response headers. For example, Apache often discloses UNIX or Windows whilst Microsoft-IIS only runs on Windows, and each version of IIS only runs on a single version of Windows.

Recommendation

Cisco recommends that the web server is reconfigured to display the minimal amount of information, or to display false information where possible.

In IIS it is possible to remove the web server banner in two ways:

  • Creating a custom ‘ISAPI’ filter to hide the banner in the response headers.
  • Downloading the ‘URLScan’ tool, part of the IIS Lockdown Tool, from the Microsoft website and changing the value of the ‘RemoveServerHeader’ setting.

***Moderator Edit-Vidyaranjan: Updated Platform Capability***

Security
Moderation Team has archived post
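Added example, not part of the original post or of the recommendation it quotes: a small Python check that a defender can run over a captured HTTP response to see exactly what the ‘Server’ header gives away (product, version, operating system hint) and to confirm after a change such as URLScan's RemoveServerHeader that the header is really gone. The sample responses are constructed, and the extra look at X-Powered-By and X-AspNet-Version (headers IIS/ASP.NET commonly add) goes beyond what the post mentions.

```python
"""Report what a web server's response headers disclose about its software.

Added example (not from the original post). Parses the header block of a raw
HTTP response and classifies the 'Server' header so a hardening change can be
verified offline. Sample responses below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Product/version token such as "Apache/2.4.29" or "Microsoft-IIS/8.5".
_PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")
# Operating-system hint carried in the Server comment, e.g. "(Ubuntu)" or "(Win64)".
_OS_RE = re.compile(
    r"\((?:Unix|Win32|Win64|Ubuntu|Debian|CentOS|Red Hat|FreeBSD)[^)]*\)", re.I
)
# Related headers that also leak platform details (assumption: common on IIS/ASP.NET).
_EXTRA_DISCLOSURE_HEADERS = ("x-powered-by", "x-aspnet-version")


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a lower-cased name -> value map.

    Reads only the header block (up to the first blank line) and skips the
    status line. Repeated headers are joined with ', '.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:  # [1:] drops "HTTP/1.1 200 OK"
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def assess(raw: str) -> Dict[str, object]:
    """Classify the Server header and list every disclosure found.

    'level' is one of: 'absent' (header removed), 'type' (product name only),
    'version' (product and version). 'findings' holds one line per disclosure.
    """
    headers = parse_headers(raw)
    server: Optional[str] = headers.get("server")
    findings: List[str] = []

    if server is None:
        level = "absent"
    else:
        product = _PRODUCT_RE.search(server)
        if product:
            level = "version"
            findings.append(f"Server discloses product and version: {product.group(0)}")
        else:
            level = "type"
            findings.append(f"Server discloses product only: {server}")
        os_hint = _OS_RE.search(server)
        if os_hint:
            findings.append(f"Server discloses operating system: {os_hint.group(0)}")
        if "microsoft-iis" in server.lower():
            findings.append("Microsoft-IIS implies a Windows host")

    for name in _EXTRA_DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"{name} discloses: {headers[name]}")

    return {"server": server, "level": level, "findings": findings}


# Constructed sample responses (not captured from any real host).
APACHE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 08 Aug 2018 10:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)
IIS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("apache", APACHE_RESPONSE), ("iis", IIS_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        result = assess(resp)
        print(f"{label}: level={result['level']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it against a response saved from the server before and after the URLScan change: the goal state is `level=absent` with no findings, and the extra headers are worth checking at the same time because removing only ‘Server’ still leaves the ASP.NET/IIS platform identifiable through them.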