Technical : How to secure the web server

Updated: Aug 15

Procedure

First, hide the IIS version. The HTTP header “X-Powered-By” reveals the version of IIS used on the server. To stop this, remove the header:

  1. Open the IIS Manager.

  2. In the Connections tree, select the website that COACH is running under.

  3. Click the HTTP Response Headers button on the right. The HTTP Response Headers panel appears.

  4. Click to select the X-Powered-By HTTP header.

  5. Click the Remove button in the Actions panel. The header disappears.

Second, hide the ASP.NET version. The HTTP header “X-ASPNET-VERSION” reveals the version of ASP.NET being used by the application pool. To stop this, remove the header:

  1. Open the web.config file for COACH, which is located in the root directory for the website.

  2. Inside the <system.web> tag, add the tag <httpRuntime enableVersionHeader="false"/>.

  3. Save the file.

Third, hide the server type. The HTTP response header line Server: Microsoft-HTTPAPI/2.0 is added by the .NET framework. To remove that information, you must update the Windows registry:

Important: Do not simply remove the Server header variable—it will cause parts of COACH to malfunction.

  1. Open the Windows Registry Editor.

  2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.

  3. Change the DisableServerHeader (REG_DWORD type) registry key from 0 to 1.

Note: There are other ways to hide the server type. We strongly recommend this one.


Fourth, rename c:\inetpub\wwwroot\iisstart.htm, iisstart.png and the other default files to FileName.Ext.bak so the stock IIS welcome page is no longer served.
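The four steps above can be applied to one IIS site from an elevated PowerShell session. The script below is an added example and is not part of the original article or of COACH; $SiteName and $WwwRoot are assumptions and must be changed to match the deployment. It uses the WebAdministration module to write the same settings the manual steps produce and then prints the resulting header collection and registry value so the change can be checked.

```powershell
# Added example, not part of the original article: automates steps one to four
# for a single IIS site. Run it in an elevated PowerShell session on the web server.
# $SiteName and $WwwRoot are assumptions; change them to match the COACH deployment.
param(
    [string]$SiteName = 'Default Web Site',   # assumption: the site COACH runs under
    [string]$WwwRoot  = 'C:\inetpub\wwwroot'  # assumption: default IIS content root
)

Import-Module WebAdministration
$sitePath      = "IIS:\Sites\$SiteName"
$customHeaders = 'system.webServer/httpProtocol/customHeaders'

# Step one: drop X-Powered-By from the site's custom response headers.
# The header is normally inherited from applicationHost.config, so removing it at
# site level writes a <remove name="X-Powered-By" /> entry into the site's web.config.
$present = Get-WebConfigurationProperty -PSPath $sitePath -Filter $customHeaders -Name Collection |
           Where-Object { $_.name -eq 'X-Powered-By' }
if ($present) {
    Remove-WebConfigurationProperty -PSPath $sitePath -Filter $customHeaders -Name '.' `
        -AtElement @{ name = 'X-Powered-By' }
}

# Step two: stop ASP.NET from emitting X-AspNet-Version
# (the same as <httpRuntime enableVersionHeader="false" /> in web.config).
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/httpRuntime' `
    -Name 'enableVersionHeader' -Value $false

# Step three: tell HTTP.sys not to add its own Server header. HTTP.sys reads this
# value at start-up, so restart the HTTP service (net stop http /y; net start w3svc)
# or reboot before checking the result.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
Set-ItemProperty -Path $regPath -Name 'DisableServerHeader' -Value 1 -Type DWord

# Step four: rename the stock IIS welcome files so they are no longer served.
Get-ChildItem -Path $WwwRoot -File -Filter 'iisstart.*' |
    Where-Object { $_.Extension -ne '.bak' } |
    Rename-Item -NewName { $_.Name + '.bak' }

# Show what is now in effect for the site.
Get-WebConfigurationProperty -PSPath $sitePath -Filter $customHeaders -Name Collection |
    Select-Object name, value
Get-ItemProperty -Path $regPath -Name 'DisableServerHeader'
```

Run it once per site that COACH uses; step three is machine-wide and only needs to be applied once.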


Fifth, add the following web.config configuration to the root IIS website and to the COACH application:


    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.web>
        <httpCookies httpOnlyCookies="true" sameSite="Strict" requireSSL="true" />
        <pages viewStateEncryptionMode="Always" />
        <machineKey validation="AES" />
        <httpRuntime enableVersionHeader="false" />
      </system.web>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
            <remove name="Server" />
            <remove name="X-Powered-By" />
            <remove name="X-AspNet-Version" />
            <add name="strict-transport-security" value="max-age=31536000; includeSubdomains" />
          </customHeaders>
        </httpProtocol>
        <urlCompression doDynamicCompression="false" />
        <security>
          <requestFiltering removeServerHeader="true">
            <requestLimits maxUrl="2048" maxQueryString="1024">
              <headerLimits>
                <add header="content-type" sizeLimit="100" />
              </headerLimits>
            </requestLimits>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>
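After the configuration is deployed, the effect should be confirmed from the outside rather than assumed. The script below is an added example, not part of the original article or of COACH: it fetches one page from the site, flattens the response headers, and reports pass or fail for each property the web.config above is meant to enforce (the three platform headers absent, X-Frame-Options and HSTS present with the expected values, and any Set-Cookie carrying HttpOnly, Secure and SameSite=Strict). $Url is an assumption and must point at the COACH site.

```powershell
# Added example, not part of the original article: checks a deployed site against
# the web.config above. $Url is an assumption; point it at the COACH site.
param([string]$Url = 'https://coach.example.test/')   # assumption: placeholder address

function Test-HardeningHeaders {
    param([string]$Url)
    # Expects a 2xx response; Invoke-WebRequest throws on other status codes.
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing

    # Flatten to a name -> value table. PowerShell hashtables ignore key case,
    # which matches how HTTP header names are compared.
    $h = @{}
    foreach ($name in $resp.Headers.Keys) { $h[$name] = ($resp.Headers[$name] -join ', ') }

    $findings = @()

    # Headers that reveal the platform and must be absent.
    foreach ($leak in 'Server', 'X-Powered-By', 'X-AspNet-Version') {
        $findings += [pscustomobject]@{
            Check  = "no $leak header"
            Pass   = -not $h.ContainsKey($leak)
            Actual = $h[$leak]
        }
    }

    # Headers the web.config adds and that must be present with the expected value.
    $findings += [pscustomobject]@{
        Check  = 'X-Frame-Options is SAMEORIGIN'
        Pass   = ($h['X-Frame-Options'] -eq 'SAMEORIGIN')
        Actual = $h['X-Frame-Options']
    }
    $findings += [pscustomobject]@{
        Check  = 'HSTS max-age of at least one year'
        Pass   = ($h['Strict-Transport-Security'] -match 'max-age=(\d+)' -and
                  [int64]$Matches[1] -ge 31536000)
        Actual = $h['Strict-Transport-Security']
    }

    # Cookies, when the page sets any, must carry the flags from <httpCookies>.
    if ($h.ContainsKey('Set-Cookie')) {
        foreach ($flag in 'HttpOnly', 'Secure', 'SameSite=Strict') {
            $findings += [pscustomobject]@{
                Check  = "Set-Cookie has $flag"
                Pass   = ($h['Set-Cookie'] -match [regex]::Escape($flag))
                Actual = $h['Set-Cookie']
            }
        }
    }
    return $findings
}

$results = Test-HardeningHeaders -Url $Url
$results | Format-Table -AutoSize
# Non-zero exit code so the script can run as a scheduled check or in a deployment pipeline.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Two things worth knowing when reading a failed result: the `removeServerHeader` attribute on requestFiltering is only honoured by IIS 10 and later, and on older servers the Server header is removed only by the registry value set in step three (the `<remove name="Server" />` entry under customHeaders does not strip it on its own); and the `sameSite` attribute on `<httpCookies>` requires .NET Framework 4.7.2 or later, so on older frameworks the SameSite=Strict check will fail until the framework is updated.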

© 2020 Puumsoft Company Limited. All Rights Reserved.