STIGQter: STIG Summary: Microsoft IIS 10.0 Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

HTTPAPI Server version must be removed from the HTTP Response Header information.

DISA Rule

SV-241788r695281_rule

Vulnerability Number

V-241788

Group Title

SRG-APP-000266-WSR-000159

Rule Version

IIST-SV-000210

Severity

CAT III

CCI(s)

• CCI-001312 - The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Weight

10

Fix Recommendation

Navigate to “HKLM\CurrentControlSet\Services\HTTP\Parameters”
Create REG_DWORD “DisableServerHeader” and set it to “1”
Note: This can be performed multiple ways, this is an example.

Check Contents

Open Registry Editor.

Navigate to “HKLM\CurrentControlSet\Services\HTTP\Parameters”

Verify “DisableServerHeader” is set to “1”.

If REG_DWORD DisableServerHeader is not set to 1, this is a finding.

If the System Administrator can show that Server Version information has been removed via other means, such as using a rewrite outbound rule, this is not a finding.

Vulnerability Number

V-241788

Documentable

False

Rule Version

IIST-SV-000210

Severity Override Guidance

Open Registry Editor.

Navigate to “HKLM\CurrentControlSet\Services\HTTP\Parameters”

Verify “DisableServerHeader” is set to “1”.

If REG_DWORD DisableServerHeader is not set to 1, this is a finding.

If the System Administrator can show that Server Version information has been removed via other means, such as using a rewrite outbound rule, this is not a finding.

Check Content Reference

M

Target Key

4052

Comments