
IIS reveals "Server: Microsoft-HTTPAPI/2.0" in the response header when an invalid POST request is made, e.g. when Content-Length is not included in the header. The response returned also says HTTP/1.1 411 Length Required.

The closest case I have found was this forum post at iis.net: http://forums.iis.net/t/1178183.aspx/1, but I'm still not having any luck.

I have also attempted to implement this: http://blogs.technet.com/b/stefan_gossner/archive/2008/03/12/iis-7-how-to-send-a-custom-server-http-header.aspx, and it doesn't stop the server header from being added / renamed.

My client is asking for all "Server" headers to be removed as part of their security requirements. (Don't ask me why, I'm just the schmuck who has to get it done.)

Has anyone encountered this before?

munsense
  • My condolences. Programs like [`nmap`](http://nmap.org) will find out much more than what the offending header might divulge anyway. An _extremely_ dirty solution would be to overwrite those strings in the executable with something of the same length... – vonbrand Feb 19 '13 at 03:24
  • The blog article in question was: http://blog.paulbouwer.com/2013/01/09/asafaweb-excessive-headers-and-windows-azure/ – munsense Feb 19 '13 at 04:15
  • OK, doing what is suggested there then solved your problem? If so, please summarize what has to be done, where you stumbled and how you fixed it in the end as an answer, and accept it later to close the issue. – vonbrand Feb 19 '13 at 04:28
  • @vonbrand Sure thing. Edited my question with an answer below. Will add the answer again later. – munsense Feb 19 '13 at 05:30

1 Answer

Stumbled on Paul Bouwer's blog.

Turns out that when the "Microsoft-HTTPAPI/2.0" server header appears, it means that the HTTP.SYS driver has handled the request and it never gets to IIS for processing. Makes sense: why waste time sending it to IIS when you can tackle an invalid request as early as possible?

In order to stop HTTP.SYS from adding the server header, a REG_DWORD needs to be added to the registry under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.

Add a REG_DWORD called "DisableServerHeader" with a value of 1.

I wasn't keen on trying to find a way to restart the driver and deal with the dependencies, so I rebooted the machine.

After the reboot, I tested with Fiddler and everything worked fine.

munsense
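The registry change from the answer, scripted and then verified from the server itself, as an added example that is not part of the original post. It writes the DisableServerHeader value, and after the reboot sends a POST with no Content-Length over a raw socket so that HTTP.SYS (not IIS) answers with 411, then reports whether a Server header came back. The host name and port are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example: apply the HTTP.SYS DisableServerHeader setting from the answer and verify it.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# 1. Add (or update) the REG_DWORD DisableServerHeader = 1 under the HTTP service parameters.
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
New-ItemProperty -Path $regPath -Name 'DisableServerHeader' -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $regPath -Name 'DisableServerHeader'   # confirm the value was written

# HTTP.SYS reads this value at start-up; as in the answer, reboot before running the check below.

# 2. After the reboot: send a POST without Content-Length so HTTP.SYS itself rejects it with
#    411 Length Required (the request never reaches IIS), and inspect the raw response headers.
#    Fiddler or any HTTP client adds Content-Length for you, hence the raw TcpClient here.
function Test-ServerHeader {
    param([string]$TargetHost = 'localhost', [int]$Port = 80)   # assumed host/port
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        $stream  = $client.GetStream()
        $request = "POST / HTTP/1.1`r`nHost: $TargetHost`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader   = New-Object System.IO.StreamReader($stream)
        $response = $reader.ReadToEnd()
    } finally {
        $client.Close()
    }

    $lines        = $response -split "`r`n"
    $serverHeader = $lines | Where-Object { $_ -match '^Server:' }
    if (-not $serverHeader) { $serverHeader = '<absent>' }

    [pscustomobject]@{
        Status       = $lines[0]        # expect "HTTP/1.1 411 Length Required"
        ServerHeader = $serverHeader    # "<absent>" once DisableServerHeader is in effect
    }
}

Test-ServerHeader
```

Before the reboot the same call reports "Server: Microsoft-HTTPAPI/2.0", which is the behaviour the question describes.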