I am just sorting out the PCI compliance for our organisation.
We have failed due to the "web server leaks a private IP address through its HTTP headers. Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address"
The PCI compliance scan is reporting this leak on ports 443 and 80.
We are running SBS2008, IIS7 (IIS6 is installed just for FTP, but this is disabled).
I found a possible solution at http://blogs.iis.net/rakkimk/archive/2008/06/07/iis7-prevent-the-server-sending-its-private-ip-address-for-a-request-made-by-http-1-0-clients-with-no-host-header.aspx
which instructs you to run the following
appcmd.exe set config -section:system.webServer/
I tried the above with no luck.
Any other ideas to solve this issue?