IIS7 UrlScan and ColdFusion

I was doing a security scan of my ColdFusion 9 server to make sure things were locked down (using the ever so awesome hackmycf.com) and I came across a warning for “Server Header Disclosure”.  This linked me to an article by Pete Freitag on how to fix this security risk on Apache with direction on how to fix it with IIS.

Well ummm… the direction got me to install UrlScan, but not how to fix it, and stupid me I spent a solid 15 minutes looking for a pretty icon in IIS to configure it via the GUI.  Oops.  Turns out the settings are in a simple text ini file in the following directory:

C:\Windows\System32\inetsrv\urlscan

Cool.  Now what the heck am I looking for?

First and foremost, take some time to familiarize yourself with the whole thing as it’s relatively short, but darn powerful.  And after you install, check your sites.  I have some older sites that don’t use SES URLs and the ‘&’ is blocked by default, which I had to change/comment out… so tweak as needed, but carefully.  For something I’ve never used before, I will definitely be relying on this tool heavily in the future… it’s just simple and awesome.

The setting we’re looking for, in reference to the warning we’re getting from the ever so rockin hackmycf though, is right near the top.  Change RemoveServerHeader from 0 to 1 and you’re done.  Smooth!

Leave a Reply

Your email address will not be published. Required fields are marked *