Exchange Server 2016(CU23) "http-server-header: Microsoft-IIS/8.5 – Only available on Microsoft Serveur 2012 R2 Last CVE is 2014 on IIS 8.5 Exploitation of recent CVE (ex : CVE 10-05-2022 with 9.0 CVE Score On Microsoft Serveur 2012 R2) "

Sathishkumar Singh 486 Reputation points
2022-09-13T09:43:15.523+00:00

Hello All

My Current Infra

1-Primary Domain Controller
1-Secondary Domain Controller + File Server

2-RODC

  1. UK-RODC

2 Child Domain

1 Exchange Server 2016 (CU23) Standard Version (Standalone Server)

Note from the pentest:

"http-server-header: Microsoft-IIS/8.5 – Only available on Microsoft Serveur 2012 R2 Last CVE is 2014 on IIS 8.5
Exploitation of recent CVE (ex : CVE 10-05-2022 with 9.0 CVE Score On Microsoft Serveur 2012
R2) "

https://stackoverflow.com/questions/67584329/how-to-hide-asp-net-technologies-from-wappalyzer-hosted-on-iis

From the above link,
I can see the 1st point.
To stop this, I am able to remove the header:

Open the IIS Manager.
In the Connections tree, select the website that SS is running under.
Click the HTTP Response Headers button on the right. The HTTP Response Headers panel appears.
Click to select the X-Powered-By HTTP header.
Click the Remove button in the Actions panel. The header disappears.

-----------------------------------------------------------------------------------------------------------------------------------------

240531-exchange.png
2nd Point. I don't understand what changes exactly need to be done. I don't see any HTTP header “X-ASPNET-VERSION”.
Hide the ASP.NET version. The HTTP header “X-ASPNET-VERSION” reveals the version of ASP.NET being used by the SS application pool. To stop this, remove the header:

Open the web.config file, which is located in the root directory for the website.
Inside the <system.web> tag, add the tag .
Save the file.

--------------------------------------------------------------------------------------------------------------------------------------------

240532-webconf.png

3rd Point. I don't see DisableServerHeader in the registry; does it mean this DisableServerHeader needs to be added?
Hide the server type. The HTTP header line Server: Microsoft-HTTPAPI/2.0 is added to the header by the .NET framework. To remove that information, you must update the Windows registry:

Open the Windows Registry Editor.
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
Change the DisableServerHeader (REG_DWORD type) registry key from 0 to 1.

Please advise how to do this without any impact on the Exchange Server.
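The three points above are all about response-header disclosure, and the first thing a practitioner wants before touching an Exchange server is to see the current state without changing anything. The following read-only audit script is an added example, not from this thread or from Microsoft; it assumes Windows PowerShell 5.1 on the Exchange host, the WebAdministration module that ships with IIS, OWA reachable at https://localhost/owa/, and the Exchange front end under "Default Web Site". It reports the live Server, X-Powered-By and X-AspNet-Version headers, the DisableServerHeader registry value from the third point, and the IIS settings behind the first two points.

```powershell
# Added example (not from the thread): read-only audit of the three header-disclosure
# points in the pentest note. Nothing is modified, so it is safe to run before deciding
# whether any of the suggested changes should be applied to the Exchange server.
# Assumptions: Windows PowerShell 5.1, WebAdministration module present, OWA on this host.
param(
    [string]$Url  = 'https://localhost/owa/',   # assumption: OWA virtual directory on this host
    [string]$Site = 'Default Web Site'          # assumption: Exchange front-end IIS site name
)

# 1. Live response headers. The self-signed certificate is accepted for this local check
#    only, and redirects are not followed so the first hop's headers are what is reported.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$req = [Net.HttpWebRequest]::Create($Url)
$req.Method = 'HEAD'
$req.AllowAutoRedirect = $false
try   { $resp = $req.GetResponse() }
catch [Net.WebException] { $resp = $_.Exception.Response }   # a 3xx/4xx reply still carries headers
if ($resp) {
    "HTTP $([int]$resp.StatusCode) from $Url"
    foreach ($name in 'Server', 'X-Powered-By', 'X-AspNet-Version') {
        $value = $resp.Headers[$name]
        if ($value) { "  {0,-18} {1}  <- disclosed" -f "${name}:", $value }
        else        { "  {0,-18} not sent"          -f "${name}:" }
    }
    $resp.Close()
}

# 2. Registry value named in the third point. An absent value means the default (0).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$reg = Get-ItemProperty -Path $regPath -Name DisableServerHeader -ErrorAction SilentlyContinue
if ($null -eq $reg) { "DisableServerHeader: not present (default 0)" }
else                { "DisableServerHeader: $($reg.DisableServerHeader)" }

# 3. IIS configuration for the site: the X-Powered-By custom header (first point) and the
#    httpRuntime enableVersionHeader attribute that governs X-AspNet-Version (second point).
Import-Module WebAdministration -ErrorAction Stop
$custom = Get-WebConfiguration -PSPath "IIS:\Sites\$Site" `
              -Filter 'system.webServer/httpProtocol/customHeaders/add' |
          Where-Object { $_.name -eq 'X-Powered-By' }
if ($custom) { "customHeaders: X-Powered-By = $($custom.value)" }
else         { "customHeaders: X-Powered-By not configured for $Site" }
$ver = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
           -Filter 'system.web/httpRuntime' -Name enableVersionHeader
"httpRuntime enableVersionHeader: $($ver.Value)"
```

Run it as an administrator on the Exchange server (`.\Audit-Headers.ps1`, or with `-Url`/`-Site` overridden if the site layout differs). Comparing its output before and after a change, or after a Cumulative Update, shows whether a setting survived, which matters on Exchange because setup can rewrite IIS configuration.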

Exchange Server Management

1 answer

Aholic Liang-MSFT 13,856 Reputation points Microsoft Vendor
    2022-09-14T09:08:18.873+00:00

    Hi @Sathishkumar Singh ,

    "http-server-header: Microsoft-IIS/8.5 – Only available on Microsoft Serveur 2012 R2 Last CVE is 2014 on IIS 8.5
    Exploitation of recent CVE (ex : CVE 10-05-2022 with 9.0 CVE Score On Microsoft Serveur 2012
    R2) "

    I wonder where you got this error from? Since different testing methods focus on different directions, it is recommended that you use healthchecker.ps1 to check whether there are security vulnerabilities in your environment.
    In addition, I have referred to the method you provided and operated it in my lab. I got the same result as you. I also didn't find the HTTP header "X-ASPNET-VERSION". Since this link is not officially provided by Microsoft, we cannot guarantee the accuracy and security of this method.
    I would suggest that you could refer to the following link to update the Exchange Server Security Updates to the latest version to protect your environment.
    Released: August 2022 Exchange Server Security Updates - Microsoft Tech Community


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

