PCI Compliance failure "web server leaks a private IP address through its HTTP headers."

davidfrank
Hi
I am just sorting out the PCI compliance for our organisation.
We have failed due to the "web server leaks a private IP address through its HTTP headers. Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address"

The PCI compliance scan is reporting this leak on ports 443 and 80.

We are running SBS2008, IIS7 (IIS6 is installed just for FTP but this is disabled)

I found a possible solution at  http://blogs.iis.net/rakkimk/archive/2008/06/07/iis7-prevent-the-server-sending-its-private-ip-address-for-a-request-made-by-http-1-0-clients-with-no-host-header.aspx

which instructs you to run the following
appcmd.exe set config  -section:system.webServer/serverRuntime /alternateHostName:"2008SBSServerName"  /commit:apphost

I tried the above with no luck.

Any other ideas to solve this issue?
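As an added example (not from the question or the linked blog post), here is a small offline check for the condition the PCI scanner reports: it builds the HTTP/1.0 request with no Host header that the linked article says makes IIS fill redirect headers with its own address, and it scans a raw response for RFC 1918, loopback or link-local IPv4 addresses in any header. The two sample responses and the address 192.168.1.10 are constructed; to check a real server you would send `build_probe_request()` over a socket to your own host and pass the bytes received to `find_private_ip_leaks()`.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Dotted-quad candidates; each one is validated with ipaddress before use.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_probe_request(path: str = "/") -> bytes:
    """HTTP/1.0 request with no Host header, the case the linked post describes."""
    return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_response_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split the header block of a raw HTTP response into name -> [values]."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_private_ip_leaks(raw: bytes) -> List[Tuple[str, str]]:
    """Return (header_name, ip) for every non-public IPv4 address in a header."""
    leaks: List[Tuple[str, str]] = []
    for name, values in parse_response_headers(raw).items():
        for value in values:
            for cand in _IPV4_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(cand)
                except ValueError:
                    continue  # e.g. 999.1.1.1 is not an address
                if ip.is_private or ip.is_loopback or ip.is_link_local:
                    leaks.append((name, cand))
    return leaks


# Constructed sample: the port 80 -> 443 redirect exposing the internal address.
LEAKY_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://192.168.1.10/owa/\r\n"
                  b"Server: Microsoft-IIS/7.0\r\nContent-Length: 0\r\n\r\n")
# Constructed sample: the same redirect once the server name is used instead.
FIXED_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://2008SBSServerName/owa/\r\n"
                  b"Server: Microsoft-IIS/7.0\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(find_private_ip_leaks(LEAKY_RESPONSE))  # [('location', '192.168.1.10')]
    print(find_private_ip_leaks(FIXED_RESPONSE))  # []
```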
Author

Commented:
@ChrisHanna Yes, I have read the post, but the main issue is that no credit card details are stored on this 2008SBS server; it sits as the domain controller on a network with another server which does store credit card details. Therefore, as far as the PCI guys are concerned, all ports have to be screwed down to their perceived level of acceptability, no matter how draconian they are.

The only issue stopping us from becoming compliant is this last issue.

@Shreedhar Just trying the solutions recommended on the links you gave me, just waiting for the PCI results. The scan takes roughly 3 hours.



Author

Commented:
PCI scan results are "web server leaks a private IP address through its HTTP headers" on ports
443
80

This is with IIS7 and after I have tried the fixes in the links from Shreedhar.

Any other suggestions? The router is a Draytek 2820, which is a good router with the latest firmware on it.

Cris Hanna, Sr IT Support Engineer

Commented:
Port 80 should not be open anyway... if you're doing PCI it should be over SSL port 443.
Is port 80 closed on the router?

Author

Commented:
It is open and directed to the SBS server.
The SBS server then redirects the user to port 443, for OWA, etc.
The redirect is to save me the hassle of people informing me they cannot log in because they forgot the s after http.

Port 80 being open is not the problem as I would still have the issue of port 443 leaking the internal IP address of the server.

Author

Commented:
Yes, that was an issue with the PCI compliance last week.
I used the above to help close SSL 2 and force SSL3 and TLS.
Cris Hanna, Sr IT Support Engineer
Commented:
I would suggest you ask for attention to this question and ask for wider distribution. Susan Bradley is our go-to expert in the SBS community for all things security related.
If the combination of the two links to her blog didn't resolve it... I'm not sure where else to tell you to look.

Author

Commented:
Just passed the test! Hopefully it will pass on the next scheduled scan too.

On the thought that this issue may have to go to the "SBS Diva", my personal SBS poster girl, I was hopeful this was not working.

Anyway, I returned again to the solutions suggested by both experts and slowly walked through the whole exercise again.
I do not know what I missed or which solution cured the problem, as running a 3-hour port scan in between each recommendation was just not practicable.

Thanks!
