Hiding system information

You should always try to hide information about the server software and operating system you are using. When attackers cannot determine this information, it is much more difficult for them to find flaws in the system and exploit them.

If attackers discover a flaw in a certain technology (IIS, ASP.NET, or Kentico), they can use this flaw to attack a large number of web servers with the same configuration.

Fingerprinting

Fingerprinting is a set of techniques that allow attackers to learn the exact version of a web server by querying the server and analyzing its responses. Since different versions of web servers have different implementations, they respond to specially crafted queries in different ways.

The same applies to content management systems. By analyzing the page source code and the files located on the server, an attacker can figure out the type of CMS running on the server and its version.

Server banners

Servers send greeting messages, called banners, that contain information about the server version and the technologies in use. Servers send these messages in HTTP headers (in response to fingerprinting queries), and you can also find them in the page footers of directory listings.

The best practice is to hide as much information as you can. See the procedures in this article: Configuring HTTP Response Headers in IIS 7

Information about Kentico

Unfortunately, it is not possible to completely hide the fact that the server uses the ASP.NET framework or make it impossible to determine that the application is based on Kentico.

For Portal Engine sites, it may in some cases help to disable access to the administration interface (if you do not use it on the live production site). You can set this by adding the CMSDisableAdministrationInterface key to the <appSettings> section of the web.config file:

<add key="CMSDisableAdministrationInterface" value="true"/>
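The following web.config fragment is an added example, not part of the Kentico documentation, combining the CMSDisableAdministrationInterface key above with the IIS and ASP.NET settings that remove the most common banner headers (X-AspNet-Version, X-Powered-By, Server) and turn off directory listings. The removeServerHeader attribute is assumed to be available only on IIS 10.0 and later, and the error page path is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the Kentico documentation): web.config elements that
     strip banner headers from an IIS / ASP.NET / Kentico site.
     Merge these elements into your existing web.config; do not replace it. -->
<configuration>
  <appSettings>
    <!-- From the page: hides the Kentico administration interface on a
         Portal Engine live site. -->
    <add key="CMSDisableAdministrationInterface" value="true" />
  </appSettings>

  <system.web>
    <!-- Stops ASP.NET from adding the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
    <!-- Detailed error pages disclose the framework version and stack traces;
         send remote users to a generic page instead. Placeholder path: ~/Error.aspx -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- IIS adds "X-Powered-By: ASP.NET" by default; remove it. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
    <security>
      <!-- Suppresses the "Server: Microsoft-IIS/x.x" banner.
           Assumption: this attribute exists only on IIS 10.0 and later; on IIS 7
           the Server header has to be handled by URLScan or a custom module. -->
      <requestFiltering removeServerHeader="true" />
    </security>
    <!-- Directory listings print the server banner in their footer; keep them off. -->
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```

After deploying, confirm the result by inspecting the response headers of a page request; any remaining Server, X-Powered-By or X-AspNet-Version header means the corresponding setting did not take effect at that configuration level.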