STIGQter: STIG Summary: Microsoft IIS 10.0 Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

ASP.NET version must be removed from the HTTP Response Header information.

DISA Rule

SV-241789r695284_rule

Vulnerability Number

V-241789

Group Title

SRG-APP-000266-WSR-000159

Rule Version

IIST-SV-000215

Severity

CAT III

CCI(s)

CCI-001312 - The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Weight

Fix Recommendation

Open the IIS 10.0 Manager.
Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server.
Click the HTTP Response Headers button.
Click to select the “X-Powered-By” HTTP Header.
Click “Remove” in the Actions Panel.
Note: This can be performed multiple ways, this is an example.

Check Contents

Open the IIS 10.0 Manager.

Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server.

Click the HTTP Response Headers button.

Click to select the “X-Powered-By” HTTP Header.

If “X-Powered-By” has not been removed, this is a finding.

Vulnerability Number

V-241789

Documentable

False

Rule Version

IIST-SV-000215

Severity Override Guidance

Open the IIS 10.0 Manager.

Under the "Connections" pane on the left side of the management console, select the IIS 10.0 web server.

Click the HTTP Response Headers button.

Click to select the “X-Powered-By” HTTP Header.

If “X-Powered-By” has not been removed, this is a finding.

Check Content Reference

Target Key

4052

ASP.NET version must be removed from the HTTP Response Header information.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments