Microsoft KB Archive/218180

= Internet Information Server returns IP address in HTTP header (Content-Location) =

Article ID: 218180

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 6.0




This article was previously published under Q218180



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When you use static HTML pages (for example, Default.htm), a Content-Location header is added to the response. By default, in Internet Information Server (IIS), the Content-Location references the IP address of the server instead of the Fully Qualified Domain Name (FQDN) or Hostname.

This header may expose internal IP addresses that are typically hidden or masked behind a Network Address Translation (NAT) Firewall or a proxy server.

Example:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Content-Location: http://10.1.1.1/Default.htm
    Date: Thu, 18 Feb 1999 14:03:52 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Wed, 06 Jan 1999 18:56:06 GMT
    ETag: "067d136a639be1:15b6"
    Content-Length: 4325

In this example, the Content-Location specifies the private internal address of the IIS computer in the header. This header is then unchanged when it passes through a firewall or proxy server. Therefore, the security of the internal network may be compromised by exposing the network addresses that are being used.
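The following check is an added example, not part of the original article or of any Microsoft tool. It parses a raw response head and reports a Content-Location value whose host is an IP address, separating private addresses from other IP literals. The two sample heads are abridged from the article's own examples; the function names are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Response heads abridged from the article's examples (before and after UseHostName).
LEAKY = """HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://10.1.1.1/Default.htm
Content-Type: text/html
Content-Length: 4325
"""
FIXED = """HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://www.domain.com/Default.htm
Content-Type: text/html
Content-Length: 4739
"""

def parse_head(raw):
    """Return lower-cased (name, value) header pairs, stopping at the blank line."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [1:] skips the status line
        if not line.strip():
            break  # end of headers; anything after this is the body
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def classify_host(url):
    """Classify a URL's host: 'private-ip', 'ip-literal', 'hostname' or 'relative'."""
    host = urlsplit(url).hostname
    if host is None:
        return "relative"  # no authority part, so no address is exposed
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # not an IP literal
    return "private-ip" if addr.is_private else "ip-literal"

def audit(raw):
    """List (header, value, finding) for each Content-Location that exposes an IP address."""
    findings = []
    for name, value in parse_head(raw):
        if name == "content-location":
            kind = classify_host(value)
            if kind in ("private-ip", "ip-literal"):
                findings.append((name, value, kind))
    return findings

if __name__ == "__main__":
    for label, head in (("before", LEAKY), ("after", FIXED)):
        print(label, audit(head) or "no IP address in Content-Location")
```

Run it against a response captured from outside the firewall or proxy, since that is the view in which the internal address matters.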



RESOLUTION
There are two solutions, depending on the version of IIS that you are using. Follow the steps for your version.

Correct for IIS 4.0, 5.0, or 5.1
Example:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0 or Microsoft-IIS/5.0
    Content-Location: http://www.domain.com/Default.htm
    Date: Thu, 18 Feb 1999 15:08:44 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Mon, 30 Nov 1998 15:40:15 GMT
    ETag: "f07f84b9771cbe1:3068"
    Content-Length: 4739

Warning: Using the Adsutil.vbs file incorrectly causes serious problems that require you to reinstall Internet Information Server 4.0. Microsoft cannot guarantee that problems resulting from the incorrect use of the Adsutil.vbs file can be solved. Use the Adsutil.vbs file at your own risk.

Set the value on an IIS 4.0 server
 1. Open a command window (cmd).
 2. Change directory to: winnt\system32\inetsrv\adminsamples.

    Note: This may vary depending on your installation of Internet Information Server.
 3. Type the following syntax:

        adsutil set w3svc/UseHostName True

    By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
 4. We recommend that you restart the Inetinfo service after you make this modification. To stop the Inetinfo process, type the following at the command line:

        net stop iisadmin /y

    Note: Make a note of what services are stopped so that you can restart them.
 5. Type the following:

        Net start w3svc

    Note: This is the minimum to allow the Web server to operate again. Any other services will depend on what is installed for IIS or SiteServer that you noted in step 4.

Set the value on an IIS 5.0 server
 1. Open a command window (cmd).
 2. Change the directory to: inetpub\adminscripts.

    Note: This may vary depending on your installation of Internet Information Server.
 3. Type the following syntax:

        adsutil set w3svc/UseHostName True

    By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
 4. We recommend that you restart the Inetinfo service or restart your computer after you make this modification. To stop the Inetinfo process, type the following at the command line:

        net stop iisadmin /y

    Note: Make a note of what services are stopped so that you can restart them.
 5. Type the following:

        Net start w3svc

    Note: This is the minimum to allow the Web server to operate again. Any other services will depend on what is installed for IIS or SiteServer that you noted in step 4.

IIS 6.0 on Windows Server 2003
For additional information about a fix for IIS 6.0 on Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

834141 FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0


WORKAROUND
Another way to work around this issue is to use Active Server Pages (ASP) instead of static HTML pages (.htm or .html) and create a custom header that sends back a specific Content-Location. The ASP engine does not return a Content-Location header when it builds the response, so you can add a custom one.

For IIS 4, 5, 5.1 and 6.0, you can set the Web site to use a host header to respond to any requests for content. For additional information about how to configure IIS to use a host header, click the following article number to view the article in the Microsoft Knowledge Base:

190008 How to use host header names to host multiple sites from one IP address

Additional query words: IIS Content-Location Header HTTP adsutil.vbs

Keywords: kbprb KB218180


© Microsoft Corporation. All rights reserved.