Scripts that scan for IIS machines to target them for possible exploitation have little difficulty identifying those machines. The scripts simply examine the HTTP headers that the server returns, which clearly declare that the server is IIS 5.0 or IIS 4.0. Can I adjust IIS so that the server machine doesn't identify itself as an IIS server?
Yes, you can. Figure 3 shows an example of an IIS response to an HTTP request. The Server HTTP header clearly declares that the response is from an IIS 5.0 server. Some security experts recommend obscuring this information to hide the identify of your server. Changing the Server header is also a good way to protect your secure servers from tools that scan Web servers and create lists of potential targets based on the contents of the Server header. Keep in mind, however, that identifying an IIS server by other means (e.g., "fingerprinting" the server by determining what services and ports are available) is equally simple. So, changing the Server header won't prevent an intruder from penetrating your system. Nevertheless, staying off those automatically generated lists is a step in the right direction.
A few methods exist for changing the Server header. MobiusWare MoIIS-Protect is an Internet Server API (ISAPI) filter that completely removes the Server heading. You can purchase this filter from http://www.mobiusware .com/prof/products/security/default .htm for $15. Be sure to test MoIISProtect under load before you implement it on a production server.
A second possibility is the new Microsoft URLScan security tool. Like MoIISProtect, URLScan is an ISAPI filter, but this tool has a great deal more flexibility. In addition to scanning the URLs sent to the Web server for validity before processing them, URLScan lets you remove the Server HTTP header and substitute a custom entry. This substitution lets you determine how your IIS machine reports what kind of server it is. For more information about URLScan and to download the tool, see the Microsoft article "INFO: Availability of URLScan Security Tool" (http://support.microsoft.com/support/kb/articles/q307/6/08.asp).
Other than installing an ISAPI filter, your only choice is to edit w3svc.dll. However, editing protected .dll files on production servers is risky. Instead, I recommend that you write to iiswish @microsoft.com and ask Microsoft to make the Server HTTP response "soft" (i.e., configurable by the user). Microsoft takes user feedback seriously.
