Is it possible to:
- Disable HTTP Server response headers.
- Disable X-Powered-By response headers.
- Disable banners of the services used.
- Remove information about the server type / version from the default error pages, e.g. 404, 403.
This is required for security reasons.
We have IIS 10.0.
Hi Piotr,
I was still planning on documenting these steps, so I went ahead and did it now. The procedures are still being reviewed, but you can access them already on our docs GitHub.
Note: for the Server header, IIS does not allow you to remove it completely. That's why we need to create a Rewrite Rule to clear its value. Since IIS 10 there is a removeServerHeader setting, but I've tried this on several servers and it does not work. Neither did setting the DisableServerHeader registry key.
To remove the server type/version from the error pages, you could set the customErrors mode to 'On' or 'RemoteOnly' in C:\Skyline DataMiner\Webpages\API\Web.config, but please be aware that this will have an impact on the error handling of the DataMiner Web applications and APIs.
PS: These settings will bring little extra security if your DataMiner system is not HTTPS only. So if you have not configured HTTPS yet, I strongly recommend enabling HTTPS.
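To show how the pieces in the reply above fit together, here is an added Web.config fragment (example configuration, not from the original thread or from the DataMiner documentation). It assumes the IIS URL Rewrite module is installed for the outbound rule, and it applies to a site such as the C:\Skyline DataMiner\Webpages\API\Web.config mentioned above; the X-AspNet-Version setting is an extra banner removal not discussed in the thread.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Hide detailed error pages (and the server type/version they carry) from
         remote clients; local requests still see them. As noted in the reply
         above, this changes error handling for the DataMiner web apps and APIs. -->
    <customErrors mode="RemoteOnly" />
    <!-- Extra banner not covered in the thread: suppresses the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Stop IIS/ASP.NET from emitting "X-Powered-By: ASP.NET" -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- IIS 10+ setting. The reply above reports it had no effect on their
           servers, so the outbound rewrite rule below is the one that actually
           clears the value; keeping both is harmless. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <rewrite>
      <outboundRules>
        <!-- Requires the URL Rewrite module. IIS will not drop the Server header
             entirely, so overwrite its value with an empty string on every response. -->
        <rule name="Clear Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying it, confirm the result by requesting a normal page and a non-existent URL (to trigger the 404 handler) and inspecting the response headers and body for Server, X-Powered-By and version strings.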
Documentation has now been published: https://docs.dataminer.services/user-guide/Advanced_Functionality/Security/Advanced_security_configuration/WebServer_security/HTTP_Headers.html
Some of the steps will depend on your IIS version. Which IIS version are you running? You can find this by executing the following PowerShell command: Get-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp | Select-Object