Re: TRACE Request: how to disable in IIS5
From: BB (Bernard_at_3exp.com)
Date: 01/24/03
- Next message: BB: "Re: Unable to view SMTP in IIS 5.0"
- Previous message: BB: "Re: What User ID does IIS run under?"
- In reply to: Mike Beste: "TRACE Request: how to disable in IIS5"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "BB" <Bernard_at_3exp.com> Date: Fri, 24 Jan 2003 11:05:06 +0800
1) TRACE is an HTTP verb (like GET, POST, etc.). It enables extensive information about the server to be replied together with an HTTP request.
2) URLScan is designed specifically to block certain HTTP requests, and TRACE is one of them. You can customize the HTTP verbs allowed in IIS.
Refer to
http://support.microsoft.com/?id=307608
Rgds.
"Mike Beste" <mbeste@fulcrum.net> wrote in message
news:0a1101c2c33e$e1f31c70$8af82ecf@TK2MSFTNGXA03...
> As described in the article here:
>
> http://www.extremetech.com/article2/0,3973,841047,00.asp
>
> ***********************
> summary:
>
> page 1
>
> A flaw in the TRACE request, a rarely used portion of the
> HTTP standard akin to a "ping," makes XST possible,
> broadening its scope well beyond buggy Web browsers, and
> painting a sobering picture: all Web servers have TRACE
> switched on by default. The affected servers power the
> Web's day-to-day banking transactions and fuel the engines
> of e-commerce, as well as more mundane tasks.
>
> Immediately upon receiving the TRACE command, any Web
> server will simply echo back what is sent to it. Although
> this was originally intended to be a harmless and obscure
> function, the HTTP header information bounced back
> incorporates sensitive elements such as cookies and
> credentials for accessing protected sites. When used in
> tandem with scripts, information once deemed totally
> secure by network architects is left out in the open.
>
> page 2
>
> WhiteHat has assembled recommendations that go well beyond
> patching browsers for domain restriction bypass flaws.
> These include suggestions on the server side such as:
> disabling the TRACE request on all production and
> development Web servers; having vendors update Web server
> packages to disable TRACE out of the box; and complete
> disclosure by vendors to inform customers how to disable
> TRACE on existing servers.
>
> Microsoft's URL Scan, included in the most recent Service
> Pack to IIS, can be used as an effective deterrent to XST,
> locking down IIS servers. Still, URL Scan is not the sole
> solution--Apache requires a source code modification, and
> Netscape's iPlanet must be edited to remove unwanted
> request methods.
>
> ***********************
>
> How do I turn off TRACE? What does the MS URL scan do?
>
> What is an effective manner to avoid this vulnerability?
>
> Thanks,
>
> Mike Beste
> Fulcrum Technologies, Inc.
> Technet Plus Subscriber
>
>
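An added example, not code from this thread or from Microsoft's URLScan: a small Python model of the two points in BB's answer. It parses the verb-related parts of a URLScan.ini-style file ([options] with UseAllowVerbs, [AllowVerbs], [DenyVerbs] are the real section and key names), applies the resulting policy to request lines the way a URLScan-style filter would, and shows which request headers a TRACE-enabled server would reflect in its echo, which is the cross-site tracing concern quoted from the article. The ini text, request lines and raw request are constructed for the example; answering rejected requests with 404 follows URLScan's default, while the exact-match comparison in allow mode and case-insensitive comparison in deny mode are this model's fail-closed choices, not a description of URLScan internals.

```python
"""Toy model of URLScan verb filtering and of what a TRACE echo reflects.

Added example; not code from the newsgroup thread or from URLScan itself.
Section/key names follow the real URLScan.ini; all sample data is constructed.
"""
import configparser

# Constructed URLScan.ini excerpt (comments on their own lines, as in the real file).
SAMPLE_URLSCAN_INI = """
[options]
; 1 = accept only verbs listed in [AllowVerbs]; 0 = reject those in [DenyVerbs]
UseAllowVerbs=1

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
TRACE
; TRACK is IIS's alias of TRACE and has to be denied alongside it
TRACK
OPTIONS
"""

# Headers whose reflection in a TRACE echo is the concern the article raises.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}


def load_verb_policy(ini_text):
    """Parse the verb-related parts of a URLScan.ini into a policy dict."""
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.optionxform = str  # keep verbs as written instead of lower-casing them
    cp.read_string(ini_text)
    use_allow = cp.get("options", "UseAllowVerbs", fallback="0").strip() == "1"
    allow = set(cp["AllowVerbs"]) if cp.has_section("AllowVerbs") else set()
    deny = {v.upper() for v in cp["DenyVerbs"]} if cp.has_section("DenyVerbs") else set()
    return {"use_allow_verbs": use_allow, "allow": allow, "deny": deny}


def parse_request_line(request_line):
    """Split 'METHOD target HTTP/x.y' into three parts; ValueError if malformed."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[0], parts[1], parts[2]


def filter_request(policy, request_line):
    """Decide one request line. Returns (status, reason); 404 is URLScan's default reject."""
    try:
        method, _target, _version = parse_request_line(request_line)
    except ValueError as err:
        return 404, str(err)
    if policy["use_allow_verbs"]:
        # Allow mode: exact match only, so 'get' and 'TRACE' both end in a reject.
        if method not in policy["allow"]:
            return 404, f"verb {method!r} not in [AllowVerbs]"
    elif method.upper() in policy["deny"]:
        # Deny mode: case-insensitive so a mixed-case spelling cannot bypass the list.
        return 404, f"verb {method!r} listed in [DenyVerbs]"
    return 200, "allowed"


def audit_request_log(policy, request_lines):
    """Run recorded request lines through the policy and return only the rejections."""
    rejected = []
    for line in request_lines:
        status, reason = filter_request(policy, line)
        if status != 200:
            rejected.append((line, status, reason))
    return rejected


def reflected_sensitive_headers(raw_request):
    """Credential-bearing headers a TRACE-enabled server would echo back in its body.

    The TRACE response body is the request itself, so anything sent in these
    headers is readable by whoever can read the response.
    """
    head, _sep, _body = raw_request.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, _value = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            found.append(name.strip())
    return sorted(found)


if __name__ == "__main__":
    policy = load_verb_policy(SAMPLE_URLSCAN_INI)
    # Constructed request lines in the form they appear in an IIS log.
    sample_log = ["GET /default.htm HTTP/1.1", "TRACE / HTTP/1.1",
                  "TRACK / HTTP/1.1", "POST /login.asp HTTP/1.1"]
    for line, status, reason in audit_request_log(policy, sample_log):
        print(f"{status} {line}  <- {reason}")
    # Constructed raw TRACE request carrying a session cookie and Basic credentials.
    constructed_trace = ("TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
                         "Cookie: ASPSESSIONID=constructed-value\r\n"
                         "Authorization: Basic Y29uc3RydWN0ZWQ=\r\n\r\n")
    print("echo would reflect:", reflected_sensitive_headers(constructed_trace))
```

Running the module prints the TRACE and TRACK lines as 404 rejections and lists Cookie and Authorization as the headers an echo would reflect. Switching UseAllowVerbs to 0 in the sample ini turns the filter into a pure deny list, which is why the allow-list mode is the safer default: any verb not explicitly listed is refused rather than passed through.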