Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-76883 | IISW-SI-000260 | SV-91579r1_rule | Medium |
Description |
---|
When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead. |
STIG | Date |
---|---|
IIS 8.5 Site Security Technical Implementation Guide | 2018-04-06 |
Check Text ( C-76539r1_chk ) |
---|
Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click “Configuration Editor”. From the drop-down box select “system.webserver serverRuntime”. If “alternateHostName” has no assigned value, this is a finding. |
Fix Text (F-83579r1_fix) |
---|
Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click “Configuration Editor”. Click the drop-down box located at the top of the “Configuration Editor” Pane. Scroll until the “system.webserver/serverRuntime” is found, double-click the element, and add the appropriate value. |