From IIS 8.5 Site Security Technical Implementation Guide
Part of SRG-APP-000516-WSR-000174
Associated with: CCI-000366
When using static HTML pages, a Content-Location header is added to the response. The Internet Information Server (IIS) Content-Location may reference the IP address of the server, rather than the Fully Qualified Domain Name (FQDN) or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses, to sending the FQDN instead.
Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click “Configuration Editor”. From the drop-down box select “system.webserver serverRuntime”. If “alternateHostName” has no assigned value, this is a finding.
Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Double-click “Configuration Editor”. Click the drop-down box located at the top of the “Configuration Editor” Pane. Scroll until the “system.webserver/serverRuntime” is found, double-click the element, and add the appropriate value.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer