How to Remove the Server Header in IIS 8.5

Like all web servers, Microsoft’s Internet Information Server (IIS) sends its version number with every response:

Server: Microsoft-IIS/8.5

In most cases this information is no problem. However, hiding it may be a requirement because some security scanners mark it as a problem or your reports give you false-positive results (such as an unsupported version while you have extended support). In this post, I explain a different approach from the widely shared one with the registry key, because that key did not work for me and you may have the same problem.

If you want to remove this header for all sites on this server, open the IIS Manager and click on the top node in the server tree. If you just want to disable the server header for a single site, you can do the following steps starting with the home screen for that site.

Locate the IIS feature section and click on the icon for URL Rewrite:

You now have two sections, one for inbound rules and the other for outbound rules. We want to modify the response; therefore, we need to add a rule in the outbound section. Right-click in the outbound section to open the context menu and select Add Rule(s)…

Select Blank rule from the Outbound rules section:

The rule needs a few values that you can copy from here and paste into the dialog:

Number Value
1 Remove Server Header
2 Server Variable (select from menu)
3 RESPONSE_SERVER
4 .*
5 Rewrite (select from menu)

Make sure that the Value in (6) is empty before you click on Apply (7):

Set the values in the rule dialog

You now have a rule that replaces everything inside the server header with an empty string:

Server: empty

That needs a few more steps than adding a registry key, but it works on my machines and I do not need to reboot the whole server.
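
The same rule written as configuration rather than dialog input, as an added example that is not taken from the original post. It assumes the URL Rewrite module is installed and that the rule is defined for a single site, where it lives in that site's web.config; the comment numbers refer to the fields in the table above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <!-- (1) rule name -->
        <rule name="Remove Server Header">
          <!-- (2) match a server variable, (3) RESPONSE_SERVER maps to the
               Server response header, (4) .* matches whatever IIS put there -->
          <match serverVariable="RESPONSE_SERVER" pattern=".*" />
          <!-- (5) Rewrite action, (6) empty value: the header text is
               replaced with an empty string -->
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

A rule created on the top node of the server tree is stored in the server-wide applicationHost.config instead of a site's web.config.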

2 thoughts on “How to Remove the Server Header in IIS 8.5”

  1. This solution does not work when you intercept the request with Burp and change the method name in the request to an invalid name such as #@!, for which the IIS server sends 400 Bad Request in the response. In this case the request does not reach URL Rewrite, hence the value is not overwritten.
