Application hosted in Microsoft IIS 8.5 & How to overcome the following vulnerabilities - Security Misconfiguration (Vulnerable server Version Disclosure)

Rajeshkumar I 1 Reputation point
2022-03-01T07:35:11.78+00:00

We are using VS2013 for our project, and it is hosted on an IIS server (version 8.5).
We received the following vulnerabilities from one of our vendors for the site hosted on the IIS server.
Hence, please suggest how to rectify these vulnerabilities for a website.

Windows development | Internet Information Services

1 answer

  1. Bruce Zhang-MSFT 3,771 Reputation points
    2022-03-02T02:19:26.233+00:00

    Hi @Rajeshkumar I ,

    There are some IIS settings to prevent version disclosure.

    1. Disable directory listing to prevent an attacker from getting the file structure of the site and server:

           appcmd set config /section:directoryBrowse /enabled:false

    2. Restrict user or IP access for some specific directories or URLs.
    3. Some response headers expose server and web application information, such as X-Powered-By and Server. Remove them or rewrite their values.

           <!-- Outbound rule for the IIS URL Rewrite module; goes under <system.webServer> in web.config -->
           <rewrite>
             <outboundRules>
               <rule name="remove server headers">
                 <match serverVariable="RESPONSE_Server" pattern=".*" />
                 <action type="Rewrite" value="N/A" />
               </rule>
             </outboundRules>
           </rewrite>


    Best regards,
    Bruce Zhang
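
A check for the header changes described in the answer above, as an added example that is not part of the original answer: it parses a response's headers and reports any that still disclose a server or framework version. The two sample responses are constructed, and X-AspNet-Version and X-AspNetMvc-Version are ASP.NET headers the answer does not name, included on the assumption that the site may emit them.

```python
import re
from email.parser import Parser  # parses RFC 822-style header blocks

# Headers whose only purpose is to advertise a framework (assumed list for IIS/ASP.NET).
ALWAYS_DISCLOSING = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# A product token followed by a version number, e.g. "Microsoft-IIS/8.5".
PRODUCT_VERSION = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)*")


def disclosing_headers(raw_response_head):
    """Return {header: value} for headers that reveal server or framework versions."""
    # Drop the status line; what remains is the header block.
    _, _, header_block = raw_response_head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ALWAYS_DISCLOSING:
            findings[name] = value
        elif lname == "server" and PRODUCT_VERSION.search(value):
            # Server is only a finding when it carries a product/version token.
            findings[name] = value
    return findings


# Constructed sample: default IIS 8.5 / ASP.NET response headers.
BEFORE = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Server: Microsoft-IIS/8.5\n"
    "X-AspNet-Version: 4.0.30319\n"
    "X-Powered-By: ASP.NET\n"
    "\n"
)

# Constructed sample: Server rewritten to "N/A" by the outbound rule,
# framework headers removed.
AFTER = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Server: N/A\n"
    "\n"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, disclosing_headers(sample))
```

To run it against your own site, save the response headers (for example the output of `curl -sI`) and pass that text to `disclosing_headers`.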
