4.6 Ensure 'HTTP Trace Method' is disabled - Default

Information

The HTTP TRACE method echoes the client's request, including its headers, back in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as authentication data or cookies, carried in the HTTP headers of the request. One way to mitigate this is the <verbs> element of the <requestFiltering> collection, which lets specific HTTP verbs be allowed or denied. The <verbs> element replaces the [AllowVerbs] and [DenyVerbs] features of UrlScan.

It is recommended the HTTP TRACE method be denied.

Rationale:

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. This risk can be mitigated by not allowing the TRACE verb.

Impact:

Contents of client HTTP requests in the entity-body of the TRACE response will not be available.

Solution

Open Internet Information Services (IIS) Manager

In the Connections pane, select the site, application, or directory to be configured

In the Home pane, double-click Request Filtering

In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb... in the Actions pane

In the Deny Verb dialog box, enter TRACE, and then click OK

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /+verbs.[verb='TRACE',allowed='false']

OR

Enter the following command in PowerShell to configure:

Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering/verbs' -name '.' -value @{verb='TRACE';allowed='False'}
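Note the scope difference between the two approaches above: the IIS Manager steps write the rule into the web.config of the site, application or directory selected in the Connections pane, whereas the AppCmd.exe and PowerShell commands shown, which specify no site path, write it to applicationHost.config and therefore apply server-wide. The script below is an added example and is not part of the CIS benchmark text: it applies the server-level rule idempotently (re-running it does not add duplicate <add verb="TRACE"/> entries), then verifies the result both in configuration and with a live TRACE request. It assumes the WebAdministration module (IIS Management Scripts and Tools) is installed, the shell is elevated, and the test URL $Url (an assumption) points at a site bound on this host.

```powershell
# Added example; not from the CIS benchmark. Enforce and verify the
# "deny TRACE verb" Request Filtering rule at the server level.
# Assumes: WebAdministration module present, elevated shell, and $Url
# (an assumed value) reaches a site hosted on this server.
Import-Module WebAdministration

$PsPath = 'MACHINE/WEBROOT/APPHOST'                           # applicationHost.config
$Verbs  = 'system.webServer/security/requestFiltering/verbs'
$Url    = 'http://localhost/'                                 # assumption: adjust to a local site binding

# Returns $true only when an <add verb="TRACE" allowed="false" /> entry exists.
function Test-TraceDenied {
    $entry = Get-WebConfiguration -PSPath $PsPath -Filter "$Verbs/add[@verb='TRACE']"
    return [bool]($entry -and -not [bool]$entry.allowed)
}

# Adds the entry when missing; flips an existing TRACE entry to allowed="false".
# Avoids the duplicate-key error Add-WebConfigurationProperty raises if the
# verb is already listed.
function Set-TraceDenied {
    $entry = Get-WebConfiguration -PSPath $PsPath -Filter "$Verbs/add[@verb='TRACE']"
    if ($null -eq $entry) {
        Add-WebConfigurationProperty -PSPath $PsPath -Filter $Verbs -Name '.' `
            -Value @{ verb = 'TRACE'; allowed = 'False' }
    }
    elseif ([bool]$entry.allowed) {
        Set-WebConfigurationProperty -PSPath $PsPath -Filter "$Verbs/add[@verb='TRACE']" `
            -Name 'allowed' -Value $false
    }
}

# Sends a TRACE request and returns the HTTP status code. Request Filtering
# answers a denied verb with 404 and logs sub-status 404.6 in the IIS log.
function Get-TraceStatus {
    param([string]$Uri)
    try {
        $resp = Invoke-WebRequest -Uri $Uri -Method Trace -UseBasicParsing
        return [int]$resp.StatusCode
    }
    catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response is still attached.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

if (-not (Test-TraceDenied)) {
    Set-TraceDenied
}
"TRACE denied in configuration: $(Test-TraceDenied)"
"Live TRACE request to $Url returned HTTP $(Get-TraceStatus -Uri $Url)"
```

When auditing, confirm the rule by the 404.6 sub-status in the IIS log for the TRACE request rather than by the status code alone, since other components can also refuse TRACE with a non-200 response. To scope the rule to a single site instead, pass that site's path in -PSPath (for example 'IIS:\Sites\Default Web Site'), which writes the same <add> entry into its web.config just as the IIS Manager steps do.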

Default Value:

The TRACE verb is not filtered by default.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: 1be6e05189665c20b4f64be89117351e1d5c3de5d33b2df21f0e9669364edfa3