2

I'm trying to remove the Microsoft-HTTPAPI/2.0 server header from my HTTP responses, following this article from MSDN. Currently I'm applying the registry-based solution on Windows Server 2008 R2 and Windows 10 with no luck. I still receive the header whenever I send an HTTP request with an empty Host header.

curl -X GET "127.0.0.1" -H "Host:" --head

The command above returns HTTP 400 Bad Request with Server: Microsoft-HTTPAPI/2.0.

Is there any newer approach to remove this particular header? I know this was asked before for IIS 7 (and that solution probably still works), but a reboot doesn't cure the problem on the two Windows versions I mentioned above.

Thank you in advance.

PS. I know it's kind of security by obscurity, but the auditors want it.

Bagus Tesa

2 Answers

5

If the response's Server header returns "Microsoft-HttpApi/2.0", it means that HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).

You can test this by throwing an error using curl:

curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"

You will see something like this if your server is sending the header:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

You can add a registry value so HTTP.sys doesn't include the header.

  • Open Regedit
  • Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  • If DisableServerHeader doesn't exist, create it (32-bit DWORD) and give it a value of 2. If it does exist and the value isn't 2, set it to 2.
  • Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"

Reference: WS/WCF: Remove Server Header

After you add the registry key, the response looks like this:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

Posting here so people who need this can find it. (Thanks, Oram!)

Jeffry McGee
  • Hi Jeffry McGee, welcome to Server Fault. Just to let you know that I have tried the Windows registry solution to no avail on newer Windows. Have you tried this yourself on Windows 10 Education and Pro? May I know on which Windows the registry fix was tested? I suspect there is something else in play. – Bagus Tesa Dec 21 '19 at 00:31
  • I have tested this on Windows Server 2016 and Windows Server 2019. – Jeffry McGee Dec 22 '19 at 01:16
  • I tried on Windows Server 2012 R2; it does not work. – Abubakar Riaz Sep 08 '20 at 15:55
  • @AbubakarRiaz that's expected because Windows Server 2012 R2 is too old to support the registry key setting. – Lex Li Jun 25 '22 at 09:16
  • Run PowerShell as administrator and execute: New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' -Name 'DisableServerHeader' -Value 2 -PropertyType DWord – Mohammad Reza Sadreddini Nov 27 '22 at 16:38
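Putting the steps above into one script, as an added example that is not part of the answer or of the Microsoft article it references: it sets the value, restarts the HTTP service without leaving the services that depend on it (IIS's W3SVC, WinRM and so on) stopped, and then repeats the empty-Host-header test from the question over a raw socket, so the check exercises the 400 response HTTP.sys generates itself rather than anything IIS sends. The test target 127.0.0.1:80 and the assumption that some HTTP.sys listener is bound there are mine; whether the value is honoured at all depends on the Windows build, which is what the comments in this thread disagree about, so the script prints the OS version first.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the question or either answer. Applies
# DisableServerHeader = 2 as described above, restarts HTTP.sys the way the
# answer says (net stop/start http) but brings its dependent services back up,
# then verifies with a raw request carrying an empty Host header, which HTTP.sys
# rejects itself with 400. Assumptions: the value is honoured on this Windows
# build (the thread reports Server 2016/2019 yes, 2008 R2/2012 R2 no), and an
# HTTP.sys listener (IIS, WinRM, ...) is bound on $TargetHost:$TargetPort.
param(
    [string]$TargetHost = '127.0.0.1',   # assumed test target
    [int]$TargetPort    = 80
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$regName = 'DisableServerHeader'

# 1. Know what you are running before you blame the registry value.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (version {1})" -f $os.Caption, $os.Version)

# 2. Create or correct the value. The thread uses 2; 0 is the default (header sent).
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($current -eq 2) {
    Write-Host "$regName is already 2; nothing to change."
} else {
    New-ItemProperty -Path $regPath -Name $regName -Value 2 -PropertyType DWord -Force | Out-Null
    Write-Host "Set $regName = 2 (previous value: $(if ($null -eq $current) { 'absent' } else { $current }))"
}

# 3. The answers say the change needs a reboot or an HTTP service restart.
#    Stopping HTTP also stops every service that listens through it (W3SVC,
#    WinRM, ...), so record the running dependents and start them again
#    afterwards. Over a WinRM session you will lose the session here.
$dependents = Get-Service -Name HTTP -DependentServices | Where-Object { $_.Status -eq 'Running' }
net stop http /y | Out-Null
net start http    | Out-Null
foreach ($svc in $dependents) {
    Start-Service -Name $svc.Name -ErrorAction Continue
}

# 4. Send the question's curl test by hand (GET with an empty Host header) and
#    return the status line plus any Server header from the raw response.
function Get-HttpSysServerHeader {
    param([string]$Target, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
    $client.ReceiveTimeout = 5000
    try {
        $stream  = $client.GetStream()
        $request = [Text.Encoding]::ASCII.GetBytes("GET / HTTP/1.1`r`nHost:`r`nConnection: close`r`n`r`n")
        $stream.Write($request, 0, $request.Length)
        $reader   = New-Object System.IO.StreamReader($stream, [Text.Encoding]::ASCII)
        $response = $reader.ReadToEnd()     # HTTP.sys closes the connection after its 400
    } finally {
        $client.Close()
    }
    $lines = $response -split "`r`n"
    [pscustomobject]@{
        StatusLine   = $lines[0]
        ServerHeader = ($lines | Where-Object { $_ -match '^Server:' } | Select-Object -First 1)
    }
}

$result = Get-HttpSysServerHeader -Target $TargetHost -Port $TargetPort
Write-Host "Response: $($result.StatusLine)"
if ($result.ServerHeader) {
    Write-Warning "Still fingerprintable: $($result.ServerHeader)"
} else {
    Write-Host 'No Server header in the HTTP.sys 400 response.'
}
```

Run it from an elevated local console rather than over WinRM, since restarting HTTP tears WinRM down with it. If the final check still reports a Server header after the restart, the value is being ignored on that build, which is the situation the question and the 2012 R2 comment describe, and no amount of re-applying the registry change will help.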
0

As per Jeffry's comment below, this worked:

  • Open Regedit
  • Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  • If DisableServerHeader doesn't exist, create it (32-bit DWORD) and give it a value of 2. If it does exist and the value isn't 2, set it to 2.
  • Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"

Remember to restart the HTTP service, or else this solution won't work.

Tested on Windows 2019 server with IIS 10.

Arunvishy
  • Hi, welcome to Server Fault. As I have said and tagged in the question, I can't get it to work on Windows Server 2008 R2. Abubakar Riaz also pointed out that it doesn't work on Windows Server 2012 R2. I suppose it only works on Windows Server 2016 and above. – Bagus Tesa Oct 20 '21 at 11:42