Every webserver sends information in the HEAD of a response to the end user. EG. IIS and Apache send version info. An attacker could use that info to specifically target a server based on the info. Although the risk is minimal if you make sure that your server is fully patched, you can modify the behavior of the services to not send that information.

IIS: Although it is not possible to really remove the Server header, you can modify it with a rewrite rule.

Please check https://www.saotn.org/remove-iis-server-version-http-response-header/ for instructions


Apache:

In c:\apache24\conf\ the apache configuration file httpd.conf is stored. Edit this file with notepad and add the following 2 lines


ServerTokens Prod

ServerSignature Off


After saving the file, restart Apache from service manager and the new configuration will be in effect.