Disable TRACE IIS 6
- From: Rob <Rob@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 7 Dec 2007 02:16:00 -0800
We have had results from a pen test and they state that we have TRACE HTTP
enabled and also the OPTIONS request returns GET, HEAD, POST, PUT,
DELETE, TRACE, OPTIONS, CONNECT
We have disabled TRACE via the registry (EnableTraceMethod = 0)
I have installed urlscan and allowed only GET, HEAD, POST verbs
I've got into the home directory > configuration for the root, default and
each virtual site and edited each extension so that only GET, HEAD and POST
are allowed
We do not use WebDAV - prohibited and only use ASP
However, using Nessus, netcat and wfetch all return the same:
OPTIONS still show GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT
TRACE / HTTP/1.0 still returns a 200 OK and not a 501
PUT /../..HTTP/1.0 returns a 403 forbidden tho I am unsure whether that
matters or not?
Any ideas? Is this a false positive?
Thanks