An error occurred:

Check: IIST-SV-000215

Microsoft IIS 10.0 Server STIG: IIST-SV-000215 (in versions v2 r10 through v2 r2)

Title

ASP.NET version must be removed from the HTTP Response Header information. (Cat III impact)

Discussion

HTTP Response Headers contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of certain HTTP Response Header information to remote requesters exposes internal configuration information to potential attackers.

Check Content

Open the IIS 10.0 Manager. Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server. Click the HTTP Response Headers button. Click to select the “X-Powered-By” HTTP Header. If “X-Powered-By” has not been removed, this is a finding.

Fix Text

Open the IIS 10.0 Manager. Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server. Click the HTTP Response Headers button. Click to select the “X-Powered-By” HTTP Header. Click “Remove” in the Actions Panel. Note: This can be performed multiple ways, this is an example.

Additional Identifiers

Rule ID: SV-241789r879655_rule

Vulnerability ID: V-241789

Group Title: SRG-APP-000266-WSR-000159

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001312

The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SI-11

Error Handling