1.4.10 Disable HTTP Trace Method

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. This risk can be mitigated by not allowing the TRACE verb.

Solution

Open Internet Information Services (IIS) Manager In the Connections pane, select the site, application, or directory to be configured In the Home pane, double-click Request Filtering In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb... in the Actions pane In the Deny Verb dialog box, enter the TRACE, and then click OK

See Also

https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_7_Benchmark_v1.7.1.pdf

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.1

Plugin: Windows

Control ID: 2aafc34905bfa5c36a34bda45be63afe874608fee1b2ba3e756794f23767a964