Security Risk? Microsoft-HTTPAPI/2.0
Whilst security vetting our machines, I found that one host was exposing a Microsoft-HTTPAPI/2.0 service over port 80 to the internet.
I'm not familiar with this, but after googling around, I found that SQL Server 2008 publishes SQL Server Reporting Services on port 80 by default and identifies itself as HTTPAPI/2.0. The host is also running IIS7.
I'm guessing this is probably not something that should be exposed to the world. Can anyone offer me any information or advice on the security risk of exposing this service?
Response Headers - http://#.#.#.#/
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 10 Aug 2009 10:44:25 GMT
Connection: close
Content-Length: 315
404 Not Found
If you don't have any good reason to expose it, then you should probably not expose it. By the way, you may be interested in this article to decide whether or not you should expose it.
If the response's Server header returns "Microsoft-HttpApi/2.0", it means that HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).
You can test this by throwing an error using CURL:
curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"
You will see something like this if your server is sending the header:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
You can add a registry value so HTTP.sys doesn't include the header.
- Open Regedit
- Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
- If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
- Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"
Reference: WS/WCF: Remove Server Header
After you add the registry key, the response looks like this:
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339
Posting here so people who need this can find it. (Thanks, Oram!)
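The registry steps from the answer above, written as an idempotent PowerShell script. This is an added example, not part of the original answer: it uses the key path, value name and data given there, and the function name `Get-HttpSysServerHeaderSetting` is hypothetical.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell session.
# Key path, value name and data are the ones given in the answer above.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$name = 'DisableServerHeader'
$want = 2

function Get-HttpSysServerHeaderSetting {
    # Hypothetical helper: returns the current data and registry type,
    # or $null when the key or the value does not exist.
    if (-not (Test-Path -Path $path)) { return $null }
    $key = Get-Item -Path $path
    if ($key.GetValueNames() -notcontains $name) { return $null }
    [pscustomobject]@{
        Data = $key.GetValue($name)
        Kind = $key.GetValueKind($name)
    }
}

$before = Get-HttpSysServerHeaderSetting

if ($before -and $before.Kind -eq 'DWord' -and $before.Data -eq $want) {
    # Already a DWORD with the right data: leave the registry untouched.
    Write-Output "$name is already DWORD $want; no change made."
}
else {
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # -Force replaces an existing value, including one created with the
    # wrong type (for example a string "2" instead of a DWORD).
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $want -Force | Out-Null

    # Read the value back and fail loudly if the write did not take effect.
    $after = Get-HttpSysServerHeaderSetting
    if (-not $after -or $after.Kind -ne 'DWord' -or $after.Data -ne $want) {
        throw "Failed to set $name under $path."
    }

    $old = if ($before) { "$($before.Kind) $($before.Data)" } else { 'not present' }
    Write-Output "$name changed from [$old] to [DWord $want]."
    Write-Output 'Not active yet: reboot, or run "net stop http" then "net start http".'
}
```

After the restart, repeat the curl test from the answer and confirm that the Server line is gone from the error response.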