Solved

Content-location http header errors divulged DMZ/internal IP address

Posted on 2011-09-22
4
554 Views
Last Modified: 2012-05-12
I've had an external security audit recently done and I'm having some trouble with one of the items they cited as a security concern.  It is for an Exchange 2003 OWA server, here is what they wrote:

Content-location http header” errors divulged DMZ/internal IP address xxx.xxx.xxx.xxx for device with external address xxx.xxx.xxx.xxx.  Auditor recommends configuring the web servers to not disclose specific information.

I looked this up and found this KB Article:
http://support.microsoft.com/kb/834141

I already have all service packs applied so I entered the command as directed with the following variables:
cscript adsutil.vbs set w3svc/1/SetHostName exchange

This broke something in DNS and I couldn't load the page at all.  Fortunately I had backed up the metabase right before so was able to do a full restore.  Unfortunately none of the icons on the page would load which turned out to be an authentication problem but I was able to correct that.

Obviously making that change caused some kind of DNS problem but I'm not sure what variable I should replace "exchange" with in order to both fix the problem and allow OWA to continue operating.  Any advice would be appreciated.
0
Comment
Question by:First Last
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 17

Expert Comment

by:Rovastar
ID: 36582308
Does this actually recreated an issue or is this an automateed report by an "auditor" using old data?

Anyway I worked with a OWASP leading pen tester for a few days solely to try and reproduce this problem as we had time and week just to look at a IIS 6 configuration with no code...

The conclusion is that if the server is setup correctly it is not a problem and cannot be reproducable.

Really all you have to do was not respond to IP address and make it so you have to respond *only* to a host header.

Generally it is best practice to have host headers for a site and only reply to host headers anyway. So if you do this best practice this is not reproducable.

It gets stopped in the http.sys and that does not process the request to IIS and therefore the internal IP adreess is never recorded.
0
 
LVL 1

Author Comment

by:First Last
ID: 36582345
This particular item was cited several times, we have an external vulnerability assessment done twice yearly.  It came up again last month and I've been asked to take care of it permanently.  When you say "if the server is setup correctly' I'm not sure what you mean.  You also wrote that it is best practice to have host headers for a site and only reply to host headers...I'm not sure what that means either, can you elaborate?

The vulnerability exists, it does show up on the current EVA and I'm looking for ways to prevent the disclosure of the internal IP.  I believe the answer is to use the "UseHostName True" variable in the link I posted but I want to be sure it won't break DNS again.
0
 
LVL 17

Accepted Solution

by:
Rovastar earned 500 total points
ID: 36586668
So the external vulerability testers have displayed to you the internal IP of your server? Not just spectalated that this might be the case (they just run a test see you are using IIS6 and say you are vulernable to x, y, z without any checking)

There are a few way to get to a web site

host header is one e.g. http://www.experts-exchange.com
Ip address is another http://123.124.125.126

In IIS many sites can be served from 1 IP address via many host headers.

If you enter the IP address directly (this is not widley seen or recommened - hence best practice) of your external server IP address it may be possible to view your internal IP address.

If entering your external IP say http://123.124.125.126 doesn't return any page at all (the http.sys blocks it because IIS says that no website exists and no page is returned) then there is no vulernability.

Now

Do you currently want to display your website to your users via an IP address like http://123.124.125.126?
Hopefully you do not and it is via a domian name. That is what I am presuming.

If you don't want to ever serve content from an IP address then in IIS set this so you never respond to an IP address and the client has to enter a valid host header (domain name).

Select each website --> Properties --> Web site tab --> Click Advanced and for make sure that the host header is not left blank. If it is blank it menas that you do not have to specfic a host header or in other word you can just enter the IP address.

Hope that helps.
0
 
LVL 1

Author Comment

by:First Last
ID: 36587548
Excellent, I will check on this info over the weekend and post back the results on Monday, thank you for the help!
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question