Over-posting occurs due to the default model binder not knowing which fields you actually included in the form. It will try to map all values in the request to object. Attackers can use your form to add additional fields to query strings/form post data and add properties as part of the request. The default model binder won't know the difference. Your Server class will deactivate once the mapping is complete and the update is processed. To prevent over-posting, set the annotation to include fields in the binding, or create a ViewModel like you mentioned in your code.
So which approach is recommended to use and why ?
Both annotation and ViewModel allow binding only on specified fields, but when you use ViewModel you will not bind against business objects or entities, and you will only have properties available for the input you expected. Once the model is validated, you can then move values from the input model to the object you used in the next layer.
k. Soctt Allen has a good article about which approach is better, you can take a look at by the following link: