Whilst security auditing our machines, I discovered that one host was exposing a Microsoft-HTTPAPI/2.0 service over port 80 to the internet.


I'm not familiar with this, but after googling around, I discovered that SQL Server 2008 publishes SQL Server Reporting Services on port 80 by default and identifies itself as HTTPAPI/2.0. The host is also running IIS7.

I'm guessing this is more than likely not something that should be exposed to the world. Can anyone offer me any information or advice on the security risk of exposing this service?

Response Headers - http://#.#.#.#/

    Content-Type: text/html; charset=us-ascii
    Server: Microsoft-HTTPAPI/2.0
    Date: Mon, 10 Aug 2009 10:44:25 GMT
    Connection: close
    Content-Length: 315

    404 Not Found
asked Aug 10 '09 at 10:52 by Cheekysoft (edited Jan 18 at 13:08 by SharpC)

4 Answers

8
If you don't have any good reason to expose it, then you should probably not expose it. By the way, you may be interested in this post to decide whether or not you need to expose it.


answered Aug 10 '09 at 12:17 by Maxwell

7
If the response's Server header returns "Microsoft-HttpApi/2.0", it means that HTTP.sys is being called instead of IIS. Exploits and port scans use this as a way of fingerprinting an IIS server (even one that is otherwise hiding the Server header).


You can test this by throwing an error using CURL:

    HTTP/1.1 400 Bad Request
    Content-Type: text/html; charset=us-ascii
    Server: Microsoft-HTTPAPI/2.0
    Date: Thu, 19 Dec 2019 00:45:40 GMT
    Connection: close
    Content-Length: 339

You can add a registry value so HTTP.sys doesn't include the header.

1. Open Regedit.
2. Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
3. If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
4. Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http".

Reference: WS/WCF: Remove Server Header

After you add the registry key, the response looks like this:

    HTTP/1.1 400 Bad Request
    Content-Type: text/html; charset=us-ascii
    Date: Thu, 19 Dec 2019 00:45:40 GMT
    Connection: close
    Content-Length: 339

Posting here so people who need this can find it. (Thanks, Oram!)
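
The registry steps from the answer above, written as an idempotent PowerShell function that reports what it found and what it changed. This is an added example, not part of the original answer; the function name Set-HttpSysServerHeaderOff is hypothetical. It assumes an elevated session on the affected host and uses the key, value name and value 2 given in the answer.

```powershell
# Added example, not from the original answer. Run in an elevated session.
function Set-HttpSysServerHeaderOff {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Key, value name and value as given in the answer above.
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters',
        [string]$Name = 'DisableServerHeader',
        [int]$Wanted  = 2
    )

    # Read the current state; $null means the value does not exist yet.
    $key      = Get-Item -Path $Path -ErrorAction Stop
    $previous = $key.GetValue($Name, $null)
    $kind     = if ($null -ne $previous) { $key.GetValueKind($Name) } else { $null }

    # Correct only if both the data and the type (DWORD) match.
    $ok = ($previous -eq $Wanted) -and
          ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord)

    $changed = $false
    if (-not $ok -and $PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Wanted")) {
        # -Force overwrites an existing value, including one of the wrong type.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
                         -Value $Wanted -Force | Out-Null
        $changed = $true
    }

    [pscustomobject]@{
        Previous      = $previous
        PreviousKind  = $kind
        Current       = (Get-Item -Path $Path).GetValue($Name, $null)
        Changed       = $changed
        # Per the answer above, the change applies after a reboot or after
        # "net stop http" followed by "net start http".
        RestartNeeded = $changed
    }
}

Set-HttpSysServerHeaderOff -WhatIf   # report only, changes nothing
# Set-HttpSysServerHeaderOff         # apply the setting
```

Running it with -WhatIf first gives an audit of the host's current setting without modifying the registry.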