1) Can I ask what the security impact of having HTTP PUT and HTTP DELETE on a server are? Can you provide a technical impact of what this may cause and a business impact of what (if exploited) this may cause?
2) What’s “at risk”, is it the availability of the server, or is it the data housed on the server/being pulled from the backend DB? I.e. how does the evidence of HTTP PUT compare to a SQL-injection flaw?
3) Is HTTP PUT and HTTP DELETE disabled in IIS? Is there a default on why HTTP commands are allowed and/denied? Are by default HTTP PUT and DELETE allowed?
4) Should these be disabled during the servers build phase?
5) Is there any genuine reason why they would be enabled? I.e. any sort of web app that would rely on them?