IIS

Was getting this error on a client’s web server while running PCI compliance scans. It came up as a vulnerability on a Windows Server 2008 box with IIS 7. I was able to confirm this problem by going to:

http://web-sniffer.net/

Entering the URL for testing.

Selecting the HTTP/1.0 (without Host header)

Selecting User Agent: NONE

Then submitted the form. The location field on the bottom showed that the server (which is behind a load balancer) was revealing its internal IP address, which is a security concern. To fix this, we wanted to have IIS not show the IP. This can be done with the following command:

c:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webServer/serverRuntime /alternateHostName:WHATEVER.COM /commit:apphost
Applied configuration changes to section "system.webServer/serverRuntime" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"

Replace WHATEVER.COM with the value you want displayed.
