The Content Location header on the IIS 8.5 website must not contain proprietary IP addresses.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-76883	IISW-SI-000260	SV-91579r1_rule		Medium

Description
When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead.

Description

When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead.

STIG	Date
IIS 8.5 Site Security Technical Implementation Guide	2018-01-03

Details

Check Text ( C-76539r1_chk )
Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click “Configuration Editor”. From the drop-down box select “system.webserver serverRuntime”. If “alternateHostName” has no assigned value, this is a finding.

Fix Text (F-83579r1_fix)
Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click “Configuration Editor”. Click the drop-down box located at the top of the “Configuration Editor” Pane. Scroll until the “system.webserver/serverRuntime” is found, double-click the element, and add the appropriate value.