What is the best value for the 'sethostname' given that multiple websites will use this same value?
A recent security audit concluded that IIs v6 was revealing our internal IP address when host header isn't set as described in http://support.microsoft.com/kb/834141. I am not able to use the usehostname to fix the issue since this reveals an internal host name so I must use the sethostname property instead. I have multiple websites running in IIs which are constantly changing so I do not want to set the sethostname value per website (site identifier). Instead, I would like to use a generic value that would work for all the websites. Does anyone have any experience with this setting? Is there a 'best practice' in this scenario? My initial thought was to set it to the value 'nohostheaderfound' !
My understanding of that option is that it will only show up when there is no host header provided in the request header, and so it should never show up unless someone is attempting to access using the direct IP address - therefore, setting to 'nohostheaderfound' is a reasonable suggestion.
Thank you! I can change the host headers easily from the IIs admin but in testing this I've discovered that some of my websites crash when a value exists for the default host header. Doesn't matter whether the value is 'nohostheaderfound' or the domain name of the site itself. I am investigating further now and update with more information. Do you have any thoughts on this?
meaning they stop browsing altogether. Yes, I can repeat this issue by accessing the default site.