How to remove unwanted HTTP Response Headers in IIS 7.5

Hiding server software is one of ways to protect your services from hackers. It’s quite easy to obscure IIS identity. In few steps I’ll show you how to accomplish this task on WIMP stack.

Step one – hide PHP version

Locate the php.ini file. It is often located in a installation directory (C:\Program Files (x86)\PHP) or Windows dir. You can also digg this information by putting phpinfo() function in a php file. Open php.ini and search for a string expose_php. Now turn it off:

expose_php = Off

Best practice is to use the PHP manager for this task. You can view recommendations and manage settings from it.


Step two – remove server header

Microsoft adds by default server response header with content looking like this Server: Microsoft-IIS/7.5. We’re going to change this and deceive attacker.

If you don’t have it already installed, download URL Rewrite (it’s Apache mod_rerwrite equivalent).

On a server level in IIS Menager enter URL Rewrite and click View Server Variables in a right pane. Click Add... in the same pane and type RESPONSE_SERVER in the dialog. Click OK and Back to Rules.

Now click Add Rule(s)… and create new blank outbound rule:


Fill only nedded fields with this contents:

  • Name: Remove response server
  • Matching scope: Server variable
  • Variable name: RESPONSE_SERVER
  • Variable value: Matches the Pattern
  • Using: Regular Expressions
  • Pattern: .+
  • Action type: Rewrite
  • Value: type bogus server name eg. nginx, apache etc.
  • Reokace existing server variable value: true

Apply and use header sniffer to check result (Firefox extension Tamper Data is a pretty good tool).


Step three – remove FTP banner

On a server level go to FTP Messages and mark Suppress default banner. From this moment there will bo no Microsoft FTP Service message.