IP Disclosure Solution On IIS 6

Sometimes the internal IP address of an IIS server is revealed when an HTTP request that has no Host header, or has a NULL Host header, is sent to the server. See https://support.microsoft.com/kb/967342

We can hide this information or replace it with alternate text.

Step 1: Obtain the latest service pack for Microsoft Windows Server 2003.

KB 889100: How to obtain the latest service pack for Windows Server 2003

 

Step 2: Install hotfix 935469.

It is also very important that you install the following additional update: "FIX: The IP address or the host header of the server that is running IIS may be returned unexpectedly when you use the Request.ServerVariables collection in IIS6"

https://support.microsoft.com/default.aspx?scid=kb;EN-US;935469

 

Step 3: Use either the UseHostName or the SetHostName property on the site if you want an alternate host name to be sent for requests.

The Content-Location and the Location headers are sent by an HTTP server as part of its response to an HTTP request, and contain location information for the resource that the client requested.

To decide which option you want, you can read about these headers at www.w3.org.

For Content-Location, see https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.14

For Location, see https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30

Set the UseHostName property

  • From CMD, change to the folder where the Adsutil.vbs tool is located: %SYSTEMROOT%\Inetpub\AdminScripts
  • Type the following command, where SiteID is the site identifier:

              cscript adsutil.vbs set w3svc/SiteID/UseHostName true

Set the SetHostName property

To set the SetHostName property, follow these steps:

  • From CMD, change to the folder where the Adsutil.vbs tool is located: %SYSTEMROOT%\Inetpub\AdminScripts
  • Type the following command, where SiteID is the site identifier and hostname is the alternate host name that you want to use:

           cscript adsutil.vbs set w3svc/SiteID/SetHostName hostname

 

References:

https://support.microsoft.com/default.aspx?scid=kb;EN-US;935469

https://support.microsoft.com/kb/834141/

https://blogs.msdn.com/b/webtopics/archive/2008/11/18/removing-an-iis-server-s-ip-address-from-http-responses.aspx