WA000-WI120 IIS6 - The Content Location header must not contain proprietary IP addresses.

Information

When using static HTML pages, a Content-Location header is added to the response. By default, Internet Information Server (IIS) 4.0 Content-Location references the IP address of the server rather than the FQDN or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses to sending the FQDN instead.

The value that needs to be set is the w3svc/UseHostName, and it needs to be set to True.

The other option to prevent this from occurring is to use Active Server Pages instead of static HTML pages and create a custom header that sends back a specific Content-Location. For complete instructions on this issue, please refer to Microsoft Knowledge Base article Q218180.

NOTE: Review each websites UseHostName value to ensure it is set to True.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Open the metabase.xml file for the web server with notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press CNTRL+F > enter 'servercomment' > Select the Find Next button to find the attribute ServerComment=the name of the website being reviewed.
3. Go to the beginning of the IIsWebServer key for the web site being reviewed (a few lines prior to the servercomment attribute found in step 2).
4. Note the number after W3SVC as it will be used next.
5. From the CLI navigate to the location of the adsutil.vbs script.
6. Enter the following adsutil.vbs set w3svc/number from step 3/UseHostName true.

NOTE: The command in step 6 could be substituted with the following: adsutil.vbs set w3svc/number from step 3/SetHostName 'name other than your private IP address'
NOTE: cscript may have to be input in front of the command adsutil.vbs (i.e., cscript adsutil.vbs set w3svc/1/UseHostName).

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, Rule-ID|SV-38025r1_rule, STIG-ID|WA000-WI120_IIS6, Vuln-ID|V-13702

Plugin: Windows

Control ID: de36921aa578c01c310f571ffb0ed6e452ae7bbe3a61408ba12abfa08fb801ca