
The Content Location header contains proprietary IP addresses.


Overview

Finding ID: V-13702
Version: WA000-WI120
Rule ID: SV-14312r1_rule
IA Controls: (none listed)
Severity: Low
Description
When using static HTML pages, a Content-Location header is added to the response. By default, Internet Information Server (IIS) 4.0 Content-Location references the IP address of the server rather than the FQDN or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses to sending the FQDN instead. The value that needs to be set is the w3svc/UseHostName, and it needs to be set to True. The other option to prevent this from occurring is to use Active Server Pages instead of static HTML pages and create a custom header that sends back a specific Content-Location. For complete instructions on this issue, please refer to Microsoft Knowledge Base article Q218180.
STIG: IIS 7.0 Server STIG
Date: 2019-03-22

Details

Check Text ( C-10953r1_chk )
Open a command prompt and navigate to the Inetpub\adminscripts directory.

From there, enter the following command:

adsutil.vbs get w3svc/usehostname

The utility will either return an error message stating that the property does not exist; if this is the case, this is a finding.

It may also return either a true or false value. If it is false, this is a finding.

NOTE: You may have to put cscript in front of the command: "cscript adsutil.vbs get w3svc/x/usehostname".

NOTE: If the directory does not exist, you can search the system for the adsutil.vbs file. If the file does not exist, you will need to work with the SA to determine where the tool to query the metabase is located.
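A client-side way to confirm the exposure the Description talks about, as an added example that is not part of the STIG: the script below parses a raw HTTP response and flags a Content-Location whose host is an IP literal rather than an FQDN. Both responses are constructed samples; the address 10.0.0.12 and the hostname www.example.com are made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any real server).
# LEAKING_RESPONSE is the shape an IIS server with UseHostName=False emits:
# Content-Location carries the server's internal IP literal.
LEAKING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "Content-Location: http://10.0.0.12/default.htm\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# After w3svc/UseHostName is set to True the header names the FQDN instead.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "Content-Location: http://www.example.com/default.htm\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def content_location_finding(raw: str):
    """Return (is_finding, detail). It is a finding when Content-Location's host
    is an IP literal; private/loopback/link-local ranges are called out because
    they reveal addressing that NAT or a proxy was meant to hide."""
    loc = parse_headers(raw).get("content-location")
    if loc is None:
        return False, "no Content-Location header"
    host = urlsplit(loc).hostname
    if host is None:
        return False, "Content-Location is relative or has no host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False, f"Content-Location uses hostname {host}"
    kind = "internal" if addr.is_private else "public"
    return True, f"Content-Location exposes {kind} IP {addr}"
```

Run the check against a response captured from the server after applying the fix; the result should no longer be a finding.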

--------------------
Fix Text (F-13147r1_fix)
Set the value on an IIS 5.0 server:

1. Open a command window (cmd).
2. Change the directory to: inetpub\adminscripts.

Note: This may vary depending on your installation of Internet Information Server.

3. Type the following syntax:

adsutil set w3svc/UseHostName True

By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.

4. We recommend that you restart the Inetinfo service or restart your computer after you make this modification. To stop the Inetinfo process, type the following at the command line:

net stop iisadmin /y

Note: Make a note of which services are stopped so that you can restart them.

5. Type the following:

Net start w3svc

Note: This is the minimum needed to allow the Web server to operate again. Any other services will depend on what is installed for IIS or SiteServer, as noted in step 4.