Our environment consists of a web layer (IIS using ARR) and then an app layer (MS Dynamics CRM and MS SharePoint).
Personally I think this is a bit of security through obscurity, but needs must, so here we go:
MS Dynamics CRM 2013
In the web.config under <drive>:\Program Files\Microsoft Dynamics CRM\CRMWeb, add enableVersionHeader="false" to the httpRuntime element; normally you'll end up with something like this:
<httpRuntime executionTimeout="300" maxRequestLength="32768" requestValidationMode="3.0" encoderType="Microsoft.Crm.CrmHttpEncoder, Microsoft.Crm" enableVersionHeader="false"/>
MS SharePoint 2013
In the web.config under <drive>:\inetpub\wwwroot\wss\VirtualDirectories\80\, add enableVersionHeader="false" to the httpRuntime element; normally you'll end up with something like this:
<httpRuntime maxRequestLength="51200" requestValidationMode="2.0" enableVersionHeader="False" />
From IIS Manager -> Server -> HTTP Response Headers, remove the header from the list there.
The simplest way I found is to use URL Rewrite to blank this header. This works very well for our system, as we're using ARR already, so we only need to do this once on the web layer: from IIS Manager -> URL Rewrite -> Add Rule.
Select Blank Outbound Rule
Fill in the details as below
Don't forget to click Apply when you've finished.
It's worth pointing out that this will simply blank out the value of the Server Header, rather than remove it completely.
If you want to remove it completely you will need to install UrlScan.
This approach can be used for all the other headers above I suppose.
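As an added example (not from the original post), this is what the settings above look like as a single web.config fragment for the web layer: the httpRuntime change, the X-Powered-By removal that IIS Manager's HTTP Response Headers feature writes, and the blank outbound rule from the screenshot; the rule name is my own choice.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Suppresses the X-AspNet-Version header (same change as in the CRM/SharePoint web.configs above) -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- What IIS Manager -> HTTP Response Headers writes when you remove X-Powered-By -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <outboundRules>
        <!-- Blank outbound rule: matches any non-empty Server header value and rewrites it
             to an empty string. The header is still sent, just with no value. -->
        <rule name="Blank Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying it, a quick request to the site with curl -I (or your browser's network tab) should show no X-AspNet-Version or X-Powered-By header and an empty Server header.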
ARR also adds its own X-Powered-By: ARR/3.0 header on the web layer; to stop that, set arrResponseHeader to false for the server farm with appcmd (replace serverfarmname with the name of your farm):
.\appcmd.exe set config -section:webFarms /"[name='serverfarmname'].applicationRequestRouting.protocol.arrResponseHeader:false" /commit:apphost
Just don't understand why Server headers are shown by default. Thanks for the guide!