UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Content Location header on the IIS 8.5 website must not contain proprietary IP addresses.


Overview

Finding ID Version Rule ID IA Controls Severity
V-76883 IISW-SI-000260 SV-91579r1_rule Medium
Description
When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead.
STIG Date
IIS 8.5 Site Security Technical Implementation Guide 2018-04-06

Details

Check Text ( C-76539r1_chk )
Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Double-click “Configuration Editor”.

From the drop-down box select “system.webserver serverRuntime”.

If “alternateHostName” has no assigned value, this is a finding.
Fix Text (F-83579r1_fix)
Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.

Double-click “Configuration Editor”.

Click the drop-down box located at the top of the “Configuration Editor” Pane.

Scroll until the “system.webserver/serverRuntime” is found, double-click the element, and add the appropriate value.