1.1.2 Require Host Headers on all Sites

Information

Requiring a Host header for all sites may reduce the probability of:

- DNS rebinding attacks successfully compromising or abusing site data or functionality [2]
- IP-based scans successfully identifying or interacting with a target application hosted on IIS

Solution

Obtain a listing of all sites by using the following appcmd.exe command:

%systemroot%\system32\inetsrv\appcmd list sites

Perform the following in IIS Manager to configure host headers for the Default Web Site:

1. Open IIS Manager.
2. In the Connections pane, expand the Sites node and select Default Web Site.
3. In the Actions pane, click Bindings.
4. In the Site Bindings dialog box, select the binding for which host headers are going to be configured, Port 80 in this example.
5. Click Edit.
6. Under Host name, enter the site's FQDN, such as www.examplesite.com.
7. Click OK, then Close.

Note: Requiring a host header may impair site functionality for HTTP/1.0 clients.
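The manual check above can be scripted so every binding on the server is reviewed rather than only the Default Web Site. The following PowerShell is an added example, not part of the CIS benchmark or this audit item; it assumes the WebAdministration module that ships with the IIS management tools, and the host name in the remediation line is a placeholder.

```powershell
# Added example (not from the benchmark or the audit text).
# Assumes the WebAdministration module installed with the IIS management tools.
Import-Module WebAdministration

# Return every HTTP/HTTPS binding whose host header is empty.
# bindingInformation has the form "IP:port:hostname"; IPv6 addresses contain
# colons, so the host header is taken as everything after the LAST colon.
function Get-BindingsWithoutHostHeader {
    foreach ($site in Get-Website) {
        foreach ($binding in Get-WebBinding -Name $site.Name) {
            if ($binding.protocol -notin @('http', 'https')) { continue }
            $info = $binding.bindingInformation
            $hostHeader = $info.Substring($info.LastIndexOf(':') + 1)
            if ([string]::IsNullOrEmpty($hostHeader)) {
                [pscustomobject]@{
                    Site               = $site.Name
                    Protocol           = $binding.protocol
                    BindingInformation = $info
                }
            }
        }
    }
}

# Equivalent to the appcmd listing in the text, shown for reference:
# & "$env:SystemRoot\system32\inetsrv\appcmd.exe" list sites

$missing = Get-BindingsWithoutHostHeader
if ($missing) {
    Write-Warning 'Bindings without a host header (does not meet 1.1.2):'
    $missing | Format-Table -AutoSize
} else {
    Write-Host 'All HTTP/HTTPS bindings specify a host header.'
}

# Remediation for the Default Web Site port 80 binding, mirroring the
# IIS Manager steps above. 'www.examplesite.com' is a placeholder host name.
# Set-WebBinding -Name 'Default Web Site' -BindingInformation '*:80:' `
#     -PropertyName HostHeader -Value 'www.examplesite.com'
```

Run the report in an elevated session; after applying the remediation, re-run it to confirm the binding no longer appears, remembering the HTTP/1.0 caveat noted above.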

See Also

https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.1

Plugin: Windows

Control ID: 0a77c26f165b56c27cc2128c08d288358d9bc453c718c4a93fa27462cf5e1e9f