
AVEVA™ Asset Information Management

Remove Version Number from IIS

  • Last Updated: May 10, 2023

The IIS Server sends the following three headers for every request it serves:

  • Server - Specifies the IIS Server version.

  • X-AspNet-Version - Specifies the version of ASP.NET framework used.

  • X-AspNetMvc-Version - Specifies the version of ASP.NET MVC framework used.

It is common practice to remove such headers from application servers and web servers to limit the information a potentially hostile party can easily obtain. ASP.NET applications running under IIS provide places where you can remove the headers. The headers are ON by default, and you can turn them off by using the steps given below. It is recommended that the header values be removed from the responses that the IIS server generates, for both non-secure (HTTP) and secure (HTTPS) installations.

To rewrite the values for the above-mentioned headers from all responses:

  1. Install the compatible version of the URL Rewrite extension for IIS.

    Note: You can install it from: https://www.iis.net/downloads/microsoft/url-rewrite

  2. Open <AIM Install Path>/Dashboard/bin.

  3. Open the web.config file in a text editor.

  4. Under the <system.webServer> node, paste the following code:

    <rewrite>
      <outboundRules>
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>

        <rule name="Remove AspNetMvc-Version">
          <match serverVariable="RESPONSE_X_AspNetMvc_Version" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>

        <rule name="Remove X-ASPNet-Version header">
          <match serverVariable="RESPONSE_X_ASPNet_Version" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>

  5. Reset IIS.
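To confirm the change, the following added example (not part of the AVEVA documentation or product) audits a web.config for the three outbound rules and checks a set of response headers for version values that are still disclosed. The function names and the sample config and headers are constructed for illustration, and the config is assumed to have no XML namespace.

```python
import xml.etree.ElementTree as ET

# Server variables rewritten by the outbound rules above, mapped to their headers.
EXPECTED = {
    "RESPONSE_SERVER": "Server",
    "RESPONSE_X_ASPNETMVC_VERSION": "X-AspNetMvc-Version",
    "RESPONSE_X_ASPNET_VERSION": "X-AspNet-Version",
}

def missing_rules(web_config_xml):
    """Headers with no enabled outbound rule that rewrites them to an empty value."""
    root = ET.fromstring(web_config_xml)
    covered = set()
    for rule in root.findall("./system.webServer/rewrite/outboundRules/rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None:
            continue
        if rule.get("enabled", "true").lower() == "false":
            continue  # a disabled rule does not protect anything
        if action.get("type", "").lower() == "rewrite" and action.get("value") == "":
            covered.add(match.get("serverVariable", "").upper())
    return sorted(h for var, h in EXPECTED.items() if var not in covered)

def leaking_headers(response_headers):
    """Version headers that still carry a non-empty value in a response."""
    seen = {k.lower(): v for k, v in response_headers.items()}
    return sorted(h for h in EXPECTED.values() if seen.get(h.lower(), "").strip())

# Constructed sample: a web.config in which the MVC rule was left out.
SAMPLE_CONFIG = """<configuration><system.webServer><rewrite><outboundRules>
  <rule name="Remove Server header">
    <match serverVariable="RESPONSE_Server" pattern=".+" />
    <action type="Rewrite" value="" />
  </rule>
  <rule name="Remove X-ASPNet-Version header">
    <match serverVariable="RESPONSE_X_ASPNet_Version" pattern=".+" />
    <action type="Rewrite" value="" />
  </rule>
</outboundRules></rewrite></system.webServer></configuration>"""

# Constructed sample: headers as they might look with that config applied
# (a rewritten header may remain with an empty value; the version string is made up).
SAMPLE_HEADERS = {"Server": "", "x-aspnetmvc-version": "0.0", "Content-Type": "text/html"}

if __name__ == "__main__":
    print("rules missing for:", missing_rules(SAMPLE_CONFIG))
    print("still disclosing: ", leaking_headers(SAMPLE_HEADERS))
```

Run it against the real web.config text and the headers captured from both the HTTP and HTTPS bindings; an empty list from each function means the rules are in place and no version value is returned.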

If it is imperative that the headers be removed completely, the UrlScan tool is recommended for this purpose.

To remove the headers completely:

  1. Install UrlScan, version 3.1, from the path: https://learn.microsoft.com/en-us/iis/extensions/working-with-urlscan/urlscan-overview.

  2. Configure the tool, and then set the RemoveServerHeader option to 1 in the UrlScan.ini file.

  3. If the header does not need to be removed entirely, let your IIS Administrator choose either UrlScan or URL Rewrite, depending on the server setup and on whether any features of either tool will prove useful.

  4. If the Application Pool is running in the Integrated mode, you can add a module to the processing pipeline to remove the header completely.

    Note: See the CustomHeaderModule.zip file for sample code. This method is recommended only if the other methods prove unsuitable.
