
The Content Location header must not contain proprietary IP addresses.


Overview

Finding ID: V-13702
Version: WA000-WI120 IIS6
Rule ID: SV-38136r1_rule
IA Controls: ECSC-1
Severity: Low
Description
When IIS receives a GET request without a host header, the web server may reveal the IP address of the server in the content-location field or the location field in the TCP header. This information could provide an attacker with valuable information aiding in a successful attack against the web server. See Microsoft support article ID: 834141.
STIG: IIS6 Site
Date: 2014-12-10

Details

Check Text (C-10954r2_chk)
1. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press Ctrl+F, enter "servercomment", and select Find Next to locate the attribute ServerComment="<name of the web site being reviewed>".
3. Verify the setting for either the UseHostName or SetHostName attribute on that IIsWebServer key.

If both settings are specified, this is a finding.
If neither setting is specified, this is a finding.
If UseHostName is specified and not set to TRUE, this is a finding.
If SetHostName is specified and the web server's private IP address is used, this is a finding.
Fix Text (F-13150r1_fix)
1. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press Ctrl+F, enter "servercomment", and select Find Next to locate the attribute ServerComment="<name of the web site being reviewed>".
3. Go to the beginning of the IIsWebServer key for the web site being reviewed (a few lines prior to the ServerComment attribute found in step 2).
4. Note the number after W3SVC in that key's Location (for example, the 1 in /LM/W3SVC/1); it is used next.
5. From the CLI navigate to the location of the adsutil.vbs script.
6. Enter the following: adsutil.vbs set w3svc/<number after W3SVC noted above>/UseHostName true

NOTE: The command in step 6 could be substituted with the following: adsutil.vbs set w3svc/<number after W3SVC noted above>/SetHostName "<name other than your private IP address>"
NOTE: cscript may have to be entered in front of the adsutil.vbs command (i.e., cscript adsutil.vbs set w3svc/1/UseHostName true).
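The check text above lists four conditions, and the fix text reduces to one adsutil.vbs command per non-compliant site. The following script is an added example written for this page, not part of the STIG or of any Microsoft tooling: it parses an IIS 6 metabase.xml, walks every IIsWebServer key, applies the four check rules to the UseHostName and SetHostName attributes, and emits the remediation command from the fix text for each finding. The metabase sample embedded in it is constructed for illustration (the real file is larger and lives under %systemroot%\System32\inetsrv); the attribute layout (properties as XML attributes on IIsWebServer, Location="/LM/W3SVC/<n>") is an assumption that matches the description in the check text. "Private IP address" is interpreted with Python's ipaddress.is_private, so a SetHostName value that is a host name rather than an IP literal is treated as compliant for rule 4.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an IIS 6 metabase.xml (not taken from a real server).
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProp>
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" UseHostName="TRUE" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet" SetHostName="10.1.2.3" />
<IIsWebServer Location="/LM/W3SVC/3" ServerComment="Public" SetHostName="www.example.test" />
<IIsWebServer Location="/LM/W3SVC/4" ServerComment="Legacy" />
<IIsWebServer Location="/LM/W3SVC/5" ServerComment="Both" UseHostName="TRUE" SetHostName="www.example.test" />
<IIsWebServer Location="/LM/W3SVC/6" ServerComment="Off" UseHostName="FALSE" />
</MBProp>
</configuration>
"""


def is_private_ip(value):
    """True when value is an IP literal in a private range; host names are not IP literals."""
    try:
        return ipaddress.ip_address(value.strip()).is_private
    except ValueError:
        return False


def evaluate_site(attrs):
    """Apply the four check-text rules to one IIsWebServer key.

    Returns the list of reasons the site is a finding; an empty list means compliant.
    """
    use_host = attrs.get("UseHostName")
    set_host = attrs.get("SetHostName")
    findings = []
    if use_host is not None and set_host is not None:
        findings.append("both UseHostName and SetHostName are specified")
    if use_host is None and set_host is None:
        findings.append("neither UseHostName nor SetHostName is specified")
    if use_host is not None and use_host.strip().upper() != "TRUE":
        findings.append(f"UseHostName is specified but set to {use_host!r}, not TRUE")
    if set_host is not None and is_private_ip(set_host):
        findings.append(f"SetHostName is the private IP address {set_host}")
    return findings


def site_number(location):
    """'/LM/W3SVC/3' -> '3': the number after W3SVC used in the adsutil.vbs path."""
    return location.rstrip("/").rsplit("/", 1)[-1]


def fix_command(site):
    """The fix-text remediation (step 6 with the cscript prefix from the second NOTE)."""
    return f"cscript adsutil.vbs set w3svc/{site}/UseHostName true"


def check_metabase(xml_text):
    """Map ServerComment -> {'site': number, 'findings': [...]} for every web site key."""
    root = ET.fromstring(xml_text)
    results = {}
    for elem in root.iter():
        # Strip the default namespace ET attaches to tag names.
        if elem.tag.split("}")[-1] != "IIsWebServer":
            continue
        location = elem.get("Location", "")
        if "/W3SVC/" not in location.upper():
            continue
        name = elem.get("ServerComment", location)
        results[name] = {
            "site": site_number(location),
            "findings": evaluate_site(elem.attrib),
        }
    return results


if __name__ == "__main__":
    # Replace SAMPLE_METABASE with open(r"...\inetsrv\metabase.xml").read() on a real host.
    for name, info in check_metabase(SAMPLE_METABASE).items():
        if info["findings"]:
            print(f"FINDING  {name} (W3SVC/{info['site']}): " + "; ".join(info["findings"]))
            print(f"    fix: {fix_command(info['site'])}")
        else:
            print(f"ok       {name} (W3SVC/{info['site']})")
```

Run against the constructed sample, only "Default Web Site" and "Public" pass; the other four sites each trip exactly one rule, and the script prints the corresponding adsutil.vbs line. The rules are evaluated independently rather than as a chain, so a site with both attributes present and a FALSE UseHostName reports both reasons.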