I Googled for a long time on how to hide the HTTP header for IIS in order to mask the server identity, and finally found a tool called URLScan.
Basically URLScan is an ISAPI filter that allows Web site administrators to restrict the kind of HTTP requests that the server will process. By blocking specific HTTP requests, the URLScan filter prevents potentially harmful requests from reaching the server and causing damage.
Actually, most of the features provided by URLScan are included in IIS, but not the Remove Server Header feature, as Microsoft found that this is not an important issue and that there is no real security benefit in including it in IIS. But there are some marketing reasons why Microsoft does not encourage webmasters to hide the identity.
How to hide the IIS identity:
- Download URLScan
- Install URLScan on your server.
- Go to the URLScan config file at C:\WINDOWS\system32\inetsrv\urlscan\UrlScan.ini
- Set RemoveServerHeader=1 (the default is 0)
- Save the file
- Restart IIS
- Check your headers (http://www.rexswain.com/httpview.html)
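A local alternative to the web-based header check in the last step, as an added example that is not part of the original post: it reads the RemoveServerHeader setting from UrlScan.ini text and lists the response headers that still identify the server. It goes beyond the post by also flagging X-Powered-By and X-AspNet-Version, which RemoveServerHeader does not touch; the function names, the sample data and the localhost address are assumptions made for illustration.

```python
import http.client

# Assumption: headers treated as identifying. Only "Server" is covered by
# the post; the other two are commonly sent by IIS/ASP.NET and are not
# affected by RemoveServerHeader.
IDENTIFYING = ("server", "x-powered-by", "x-aspnet-version")

def remove_server_header_enabled(ini_text):
    """Return True if the [options] section sets RemoveServerHeader=1."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "options" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "removeserverheader":
                return value == "1"
    return False                                  # missing key: default is 0

def identifying_headers(headers):
    """Pick the headers that still reveal the server software."""
    return {name: value for name, value in headers
            if name.lower() in IDENTIFYING}

def fetch_headers(host, port=80, path="/"):
    """Fetch response headers from a live server with a HEAD request."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()

# Constructed sample data, not taken from a real server.
SAMPLE_INI = "[options]\nUseAllowVerbs=1\nRemoveServerHeader=1  ; default is 0\n"
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("X-Powered-By", "ASP.NET")]

if __name__ == "__main__":
    print("RemoveServerHeader enabled:", remove_server_header_enabled(SAMPLE_INI))
    print("Still identifying:", identifying_headers(SAMPLE_HEADERS))
    # For the live check, assuming IIS listens on localhost:80:
    # print(identifying_headers(fetch_headers("localhost")))
```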
For more detail on URLScan and its features, you can easily find a lot of information by Googling URLScan.