Exposed X-OWA-Version HTTP Header reveals Exchange server Build number

Saisree, Tenali 20 Reputation points
2024-02-13T22:13:59.4766667+00:00

I would like to disclose X-OWA-Version from HTTP response headers as it is revealing Exchange Server Build info. I have tried to create Blank outbound rule using URLrewrite, post which OWA returned 500 URL rewrite Module error.

I would like to know the detailed procedure on how to disclose this info from response HTTP headers.

Your response/help would be greatly appreciated. Thank you.


Accepted answer
  1. Kael Yao-MSFT 37,586 Reputation points Microsoft Vendor
    2024-02-14T05:39:03.29+00:00

    Hi @Saisree, Tenali,

    This question may be more related to IIS than Exchange.

    Please kindly note that we mainly focus on Exchange and may not be very familiar with IIS.

    For better support I would suggest creating a new thread and adding the IIS-related tags.

    Thanks for your understanding.


    To my knowledge, you can follow below link to remove the headers in IIS:

    Remove Unwanted HTTP Response Headers

    Please note, however, that since this is not documented in any official Exchange documentation, it may possibly cause issues in your environment.

    In my test, I am using the IIS url rewrite method.

    Below are the test steps:

    1. Before the change, access OWA in a browser and confirm that the X-OWA-Version header is present in the response.

    2. In IIS on the Exchange server, locate server > IIS URL Rewrite and create a server variable named RESPONSE_X-OWA-Version.

    3. Back on the former page, create an outbound rule like below.

    4. Restart IIS and check the response again (now it is blank).



    1 person found this answer helpful.
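
The server variable and outbound rule from steps 2 and 3 of the accepted answer, written as the equivalent URL Rewrite configuration. This is an added example, not part of the original answer: the rule name and the `.+` pattern are assumptions, while the server variable name and the blank replacement value come from the answer.

```xml
<!-- Assumption: the rule is created at server level, as in the answer,
     so this fragment belongs in applicationHost.config.
     Back up the file before editing it by hand. -->
<system.webServer>
  <rewrite>
    <!-- Step 2: the server variable that maps to the response header -->
    <allowedServerVariables>
      <add name="RESPONSE_X-OWA-Version" />
    </allowedServerVariables>

    <!-- Step 3: outbound rule that replaces the header value with an
         empty string. Rule name is hypothetical. -->
    <outboundRules>
      <rule name="Blank X-OWA-Version">
        <!-- Match only when the header carries a value -->
        <match serverVariable="RESPONSE_X-OWA-Version" pattern=".+" />
        <action type="Rewrite" value="" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
```

After IIS is restarted, the X-OWA-Version header should come back with an empty value, which is what step 4 of the answer reports.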

1 additional answer

  1. Saisree, Tenali 20 Reputation points
    2024-02-14T10:38:39.71+00:00

    Hi Kael, You are a Champ. I have followed the steps provided by you and it worked perfectly.
    Much Appreciated!!! Thank you so much :) :)
