Check: WA000-WI120 IIS6
IIS6 Site:
WA000-WI120 IIS6
(in version v6 r16)
Title
The Content Location header must not contain proprietary IP addresses. (Cat III impact)
Discussion
When using static HTML pages, a Content-Location header is added to the response. By default, Internet Information Server (IIS) 4.0 Content-Location references the IP address of the server rather than the FQDN or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses to sending the FQDN instead. The value that needs to be set is the w3svc/UseHostName, and it needs to be set to True. The other option to prevent this from occurring is to use Active Server Pages instead of static HTML pages and create a custom header that sends back a specific Content-Location. For complete instructions on this issue, please refer to Microsoft Knowledge Base article Q218180.
Check Content
1. Open the metabase.xml file for the web server with notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv) 2. Press CNTRL+F > Enter “servercomment” > Select the Find Next button to find the attribute ServerComment=the name of the web site being reviewed. 3. Verify the setting for either the UseHostName or SetHostName attribute. If both settings are specified, this is a finding. If neither setting is specified, this is a finding. If UseHostName is specified and not set to TRUE, this is a finding. If SetHostName is specified and the web servers’ private IP address is used, this is a finding.
Fix Text
1. Open the metabase.xml file for the web server with notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv). 2. Press CNTRL+F > enter “servercomment” > Select the Find Next button to find the attribute ServerComment=the name of the website being reviewed. 3. Go to the beginning of the IIsWebServer key for the web site being reviewed (a few lines prior to the servercomment attribute found in step 2). 4. Note the number after W3SVC as it will be used next. 5. From the CLI navigate to the location of the adsutil.vbs script. 6. Enter the following adsutil.vbs set w3svc/number from step 3/UseHostName true. NOTE: The command in step 6 could be substituted with the following: adsutil.vbs set w3svc/number from step 3/SetHostName “name other than your private IP address” NOTE: cscript may have to be input in front of the command adsutil.vbs (i.e., cscript adsutil.vbs set w3svc/1/UseHostName).
Additional Identifiers
Rule ID: SV-38025r1_rule
Vulnerability ID: V-13702
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |