1.2 Ensure 'Host headers' are on all sites - host headers are on all sites

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Host headers provide the ability to host multiple websites on the same IP address and port. It is recommended that host headers be configured for all sites.

Note: Wildcard host headers are now supported.

Rationale:

Requiring a Host header for all sites may reduce the probability of DNS rebinding attacks successfully compromising or abusing site data or functionality and IP-based scans successfully identifying or interacting with a target application hosted on IIS.

Impact:

If a wildcard DNS entry exists and a wildcard host header is used, it may be serving data to more domains than intended.

Solution

Obtain a listing of all sites by using the following appcmd.exe command:
Enter the following command in AppCmd.exe to configure the host header:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites /'[name='<website name>'].bindings.[protocol='http',bindingInformation='*:80:<host header>'].bindingInformation:'*:80:<host header>'' /commit:apphost

OR

Enter the following command in PowerShell to configure the host header:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/sites/site[@name='<website name>']/bindings/binding[@protocol='http' and @bindingInformation='*:80:']' -name 'bindingInformation' -value '*:80:<host header value>'

OR

Perform the following in IIS Manager to configure host headers for the Default Web Site:

Open IIS Manager

In the Connections pane expand the Sites node and select Default Web Site

In the Actions pane click Bindings

In the Site Bindings dialog box, select the binding for which host headers are going to be configured, Port 80 in this example

Click Edit

Under host name, enter the sites FQDN, such as <www.examplesite.com>

Click OK, then Close

Note: Requiring a host header may impair site functionality for HTTP/1.0 clients.

Default Value:

By default, host headers are not required or set up automatically.

See Also

https://workbench.cisecurity.org/files/4131