Security Risk? Microsoft-HTTPAPI/2.0

Solution 1:

If you don't have any good reason to expose it, then you should probably not expose it. By the way, you may be interested in this article to decide whether or not you should expose it.

Solution 2:

If the response's Server header returns "Microsoft-HttpApi/2.0", it means that HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).

You can test this by throwing an error using CURL:

curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"

You will see something like this if your server is sending the header:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

You can add a registry value so HTTP.sys doesn't include the header.

  • Open Regedit
  • Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  • If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
  • Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"

Reference: WS/WCF: Remove Server Header

After you add the registry key, the response looks like this:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

Posting here so people who need this can find it. (Thanks, Oram!)
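Added example, not part of the answer above: a PowerShell script that applies the DisableServerHeader registry change described in the steps and checks the result with the same malformed Range request the answer sends with curl, written raw over TCP because the .NET web clients refuse to emit an invalid Range value. The host name and port are assumptions; run it in an elevated prompt on the server.

```powershell
# Added example (not from the original answer). Applies DisableServerHeader = 2
# and verifies it with the malformed Range request from the answer.
# Run in an elevated PowerShell prompt on the server being fixed.

$Hostname = 'www.yourdomain.com'   # assumption: host to test (same as the curl example)
$Port     = 80                     # assumption: plain HTTP, as in the curl example

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Name    = 'DisableServerHeader'

# Sends the request over a raw socket so the invalid Range value reaches HTTP.sys
# unchanged; returns the Server header value, or $null if the header is absent.
function Get-HttpSysServerHeader {
    param([string]$TargetHost, [int]$TargetPort)
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    try {
        $stream  = $client.GetStream()
        $request = "GET / HTTP/1.1`r`nHost: $TargetHost`r`n" +
                   "Range: bytes=00-18446744073709551615`r`nConnection: close`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader   = New-Object System.IO.StreamReader($stream)
        $response = $reader.ReadToEnd()   # HTTP.sys answers 400 and closes the connection
    } finally {
        $client.Close()
    }
    # Only the header block matters; the Server line disappears once the fix is applied.
    $headers    = ($response -split "`r`n`r`n")[0]
    $serverLine = $headers -split "`r`n" | Where-Object { $_ -match '^Server:' }
    if ($serverLine) { return ($serverLine -replace '^Server:\s*', '') }
    return $null
}

Write-Host "Before: Server header = $(Get-HttpSysServerHeader $Hostname $Port)"

# Steps 2-3 of the answer: create DisableServerHeader as a DWORD of 2, or set it to 2.
$current = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
if ($null -eq $current) {
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value 2 | Out-Null
} elseif ($current.$Name -ne 2) {
    Set-ItemProperty -Path $KeyPath -Name $Name -Value 2
}

# Step 4: restart HTTP.sys as the answer does. /y confirms stopping dependent
# services (e.g. W3SVC); start those again afterwards, since "net start http" will not.
net stop http /y
net start http

Write-Host "After:  Server header = $(Get-HttpSysServerHeader $Hostname $Port)"
```

On an unpatched server the first line prints "Microsoft-HTTPAPI/2.0" and the second prints nothing, matching the two responses shown in the answer.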


Solution 3:

Try looking for vulnerabilities in an exploit database for this

Tags: Security, Iis, Ssrs