Microsoft KB Archive/218180

From BetaArchive Wiki

Article ID: 218180

Article Last Modified on 12/3/2007



APPLIES TO

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 6.0



This article was previously published under Q218180

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SYMPTOMS

When IIS serves a static HTML page (for example, Default.htm), it adds a Content-Location header to the response. By default, Internet Information Server (IIS) builds that Content-Location from the IP address of the server instead of the Fully Qualified Domain Name (FQDN) or host name.

This header may expose internal IP addresses that are typically hidden or masked behind a Network Address Translation (NAT) Firewall or a proxy server.

Example:

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://10.1.1.1/Default.htm
Date: Thu, 18 Feb 1999 14:03:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 06 Jan 1999 18:56:06 GMT
ETag: "067d136a639be1:15b6"
Content-Length: 4325


In this example, the Content-Location header specifies the private internal address of the IIS computer. A NAT firewall or proxy server translates the addresses in the packet headers, not the HTTP headers inside the response, so the Content-Location value passes through unchanged. The addresses in use on the internal network are therefore disclosed to any external client, which gives an attacker reconnaissance information about the internal network.

RESOLUTION

There are two solutions, depending on the version of IIS that you are using. Follow the steps for your version.

Correct for IIS 4.0, 5.0, or 5.1

Example:

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0 or Microsoft-IIS/5.0
Content-Location: http://www.domain.com/Default.htm
Date: Thu, 18 Feb 1999 15:08:44 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 30 Nov 1998 15:40:15 GMT
ETag: "f07f84b9771cbe1:3068"
Content-Length: 4739


Warning Using the Adsutil.vbs file incorrectly causes serious problems that require you to reinstall Internet Information Server 4.0. Microsoft cannot guarantee that problems resulting from the incorrect use of the Adsutil.vbs file can be solved. Use the Adsutil.vbs file at your own risk.

Set the value on an IIS 4.0 server

  1. Open a command window (cmd).
  2. Change directory to: winnt\system32\inetsrv\adminsamples.

    Note This may vary depending on your installation of Internet Information Server.
  3. Type the following syntax:

    adsutil set w3svc/UseHostName True

    By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
  4. We recommend that you restart the Inetinfo service after you make this modification. To stop the Inetinfo process, type the following at the command line:

    net stop iisadmin /y

    Note Make a note of which services are stopped so that you can restart them.
  5. Type the following:

    net start w3svc

    Note This is the minimum required for the Web server to operate again. Restart any other services that you noted in step 4; which ones exist depends on what is installed for IIS or Site Server.

Set the value on an IIS 5.0 server

  1. Open a command window (cmd).
  2. Change the directory to: inetpub\adminscripts.

    Note This may vary depending on your installation of Internet Information Server.
  3. Type the following syntax:

    adsutil set w3svc/UseHostName True

    By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
  4. We recommend that you restart the Inetinfo service or restart your computer after you make this modification. To stop the Inetinfo process, type the following at the command line:

    net stop iisadmin /y

    Note Make a note of which services are stopped so that you can restart them.
  5. Type the following:

    net start w3svc

    Note This is the minimum required for the Web server to operate again. Restart any other services that you noted in step 4; which ones exist depends on what is installed for IIS or Site Server.
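The following script is an added example and is not part of the original Microsoft article. It shows how to check a response for the symptom described above (a Content-Location whose host is a private IP address) and, after you set w3svc/UseHostName, how to confirm that the header now carries a host name. The two embedded responses are constructed to match the article's examples; the host name www.domain.com, the function names, and the default path /Default.htm are assumptions, and fetch_and_classify needs network access to a live server.

```python
"""Check whether an HTTP response's Content-Location header discloses an
internal IP address instead of the server's host name (IIS UseHostName).

Added example, not Microsoft's code.  Run it against a server before and
after setting w3svc/UseHostName to confirm that the header changes from an
IP-address URL to an FQDN URL."""
import http.client
import ipaddress
import re
from urllib.parse import urlsplit


def parse_headers(raw: bytes) -> dict:
    """Parse a raw HTTP response (status line + headers, optional body) into a
    dict keyed by lower-cased header name.  The body, if present, is ignored."""
    text = raw.decode("iso-8859-1")
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_content_location(headers: dict) -> str:
    """Classify the host named in Content-Location:
       'internal-ip'         literal address in a private, loopback or link-local range
       'public-ip'           any other literal IP address
       'hostname'            a DNS name (what UseHostName=True produces)
       'absent-or-relative'  header missing, or a relative reference with no host
    """
    value = headers.get("content-location")
    host = urlsplit(value).hostname if value else None
    if not host:
        return "absent-or-relative"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    # is_private covers RFC 1918 space as well as 127/8 and 169.254/16
    return "internal-ip" if addr.is_private else "public-ip"


def classify_raw_response(raw: bytes) -> str:
    """Convenience wrapper: classify a captured raw response."""
    return classify_content_location(parse_headers(raw))


def fetch_and_classify(host: str, path: str = "/Default.htm",
                       port: int = 80, timeout: float = 5.0):
    """GET the path from a live server and classify its Content-Location.
    Returns (status_code, classification).  Requires network access."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        headers = {name.lower(): value for name, value in resp.getheaders()}
        return resp.status, classify_content_location(headers)
    finally:
        conn.close()


# Constructed samples modelled on the two responses shown in this article.
LEAKING_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Server: Microsoft-IIS/4.0",
    b"Content-Location: http://10.1.1.1/Default.htm",
    b"Content-Type: text/html",
    b"Content-Length: 4325",
    b"", b"",
])

FIXED_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Server: Microsoft-IIS/5.0",
    b"Content-Location: http://www.domain.com/Default.htm",
    b"Content-Type: text/html",
    b"Content-Length: 4739",
    b"", b"",
])

if __name__ == "__main__":
    for label, raw in (("before", LEAKING_RESPONSE), ("after", FIXED_RESPONSE)):
        print(f"{label}: {classify_raw_response(raw)}")
    # Against a real server: status, result = fetch_and_classify("www.domain.com")
```

A result of "internal-ip" means the server still discloses its private address; "hostname" is the state the UseHostName change produces. "public-ip" is reported separately because a public address in the header is not an internal disclosure, although it still is not the FQDN the article recommends.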

IIS 6.0 on Windows Server 2003

For additional information about a fix for IIS 6.0 on Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

834141 FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0


WORKAROUND

Another way to work around this issue is to use Active Server Pages (ASP) instead of static HTML pages (.htm or .html) and have the page add a custom Content-Location header with the value you want to expose. The ASP engine does not add a Content-Location header when it builds the response, so the page is free to add its own. Use a configured host name for that value rather than echoing the Host header from the client request, because an unvalidated Host header is under the client's control.

For IIS 4.0, 5.0, 5.1 and 6.0, you can also configure the Web site with a host header name so that it responds to requests for that name. For additional information about how to configure IIS to use a host header, click the following article number to view the article in the Microsoft Knowledge Base:

190008 How to use host header names to host multiple sites from one IP address



Additional query words: IIS Content-Location Header HTTP adsutil.vbs

Keywords: kbprb KB218180