Home / server / Questions / 52199
Accepted
Cheekysoft
Asked: 2009-08-11 02:52:00 +0800 CST

Security Risk? Microsoft-HTTPAPI/2.0

  • 772

Whilst security vetting our machines, I found that one host was exposing a Microsoft-HTTPAPI/2.0 service over port 80 to the internet.

I'm not familiar with this, but after googling around, I found that SQL Server 2008 publishes SQL Server Reporting Services on port 80 by default and identifies itself as HTTPAPI/2.0. The host is also running IIS7.

I'm guessing this is probably not something that should be exposed to the world. Can anyone offer me any information or advice on the security risk of exposing this service?

Response Headers - http://#.#.#.#/
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 10 Aug 2009 10:44:25 GMT
Connection: close
Content-Length: 315

404 Not Found
security iis ssrs

4 Answers

  1. If the response's Server header returns "Microsoft-HttpApi/2.0", it means that the HTTP.sys is being called instead of IIS. Exploits and port scans use this as a means of fingerprinting an IIS server (even one that is otherwise hiding the Server header).

    You can test this by throwing an error using CURL:

    curl -v http://www.yourdomain.com/ -H "Range: bytes=00-18446744073709551615"

    You will see something like this if your server is sending the header:

    HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

    You can add a registry value so HTTP.sys doesn't include the header.

    • Open Regedit
    • Navigate to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
    • If DisableServerHeader doesn't exist, create it (DWORD 32bit) and give it a value of 2. If it does exist, and the value isn't 2, set it to 2.
    • Reboot the server OR restart the HTTP service by calling "net stop http" then "net start http"

    Reference: WS/WCF: Remove Server Header

    After you add the registry key, the response looks like this:

    HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Date: Thu, 19 Dec 2019 00:45:40 GMT
Connection: close
Content-Length: 339

    Posting here so people who need this can find it. (Thanks, Oram!)

    • 9

  2. If you don't have any good reason to expose it, Then you should probably not expose it. By the way you may be interested in this article to decide wether or not you should expose it

    • 8

  3. Try looking for vulnerabilities in an exploit database for this

    • 2
  4. Best Answer

    The most common cause for this Server response header is when IIS cannot determine which website to serve.

    IIS will respond with this Server header when the following are both true

    • the request contains an unrecognised Host header
    • no default website is configured

    Alternatively, if the configuration for the website that IIS is attempting to deliver is malformed, it will be ignored and considered absent, also having the same effect.

    • 2