Is IIS giving up your private IP address?

Hackers love information about your network.  If you are not using host headers on your IIS website, IIS can return the machine's configured IP address in the HTTP response: when a request arrives with no Host header (a bare HTTP/1.0 request, for example), IIS builds the absolute URL it places in the Content-Location header from its own IP address instead of a host name.   In a single-server situation where the server sits in a DMZ off the firewall, the machine is most likely using the same address that DNS resolves to.   If that is the case, it matters less, because the server is only giving away information that is freely available through DNS anyway.   

This becomes more of an issue when you have a load balancing device like a Cisco CSS or ACE distributing the traffic across multiple servers.   In that situation you do not want a server to return its configured (internal) IP address, because you would be providing information about your network that could be used against you. 

Microsoft, in Q834141, gives two options to fix this issue.    Both of them have a patch requirement.   That shouldn't be a problem, because no one in their right mind would run an Internet-facing server that isn't fully patched...  Right?    I will also provide another option that I will call Option TRF.

Here are the Options for your reading pleasure…

Option TRF (easiest):
  1. Configure all your websites to use host headers.    Most if not all modern browsers support host headers.  This fixes the issue without a reboot and without having to confirm patch levels.    I do still recommend that you keep your server patched. 

Microsoft Option 1: Set the UseHostName property

To set the UseHostName property, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
  2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:       %SYSTEMROOT%\Inetpub\AdminScripts
  3. Type the following command, where x is your site identifier (the numeric site ID in the metabase, for example 1 for the Default Web Site): cscript adsutil.vbs set w3svc/x/UseHostName true

Microsoft Option 2: Set the SetHostName property

To set the SetHostName property, follow these steps:

  1. Click Start, click Run, type cmd, and then click OK to open a command prompt.
  2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following:        %SYSTEMROOT%\Inetpub\AdminScripts
  3. Type the following command, where x is your site identifier (the numeric site ID in the metabase) and hostname is the alternate host name that you want returned instead of the IP address: cscript adsutil.vbs set w3svc/x/SetHostName hostname
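Whichever option you pick, check the result rather than trusting the setting. The following is an added example written for this post (it is not from the original article or from Microsoft's KB). The probe sends a raw HTTP/1.0 request for the site root with the Host header deliberately omitted, which is the request shape that makes IIS fall back to its own address, and the checker parses the response headers and reports any Content-Location or Location value whose host part is a bare IP address, flagging RFC 1918 addresses as the serious case. The three sample responses, their addresses and the host name www.example.com are constructed for the example; only the checker runs offline, the network probe is there for use against your own server.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample: what an unfixed IIS server can send back when the
# request carries no Host header. The address 10.1.2.3 is made up.
SAMPLE_LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Content-Location: http://10.1.2.3/Default.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: a redirect that builds its Location from the server
# address. Also checked, as a precaution, since it is built the same way.
SAMPLE_REDIRECT_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Location: http://192.168.5.20/images/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: the same request after host headers, UseHostName or
# SetHostName are in place. The server now names itself by host name.
SAMPLE_FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Content-Location: http://www.example.com/Default.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Response headers in which IIS writes an absolute URL built from its own
# idea of the site address.
URL_HEADERS = ("content-location", "location")


def parse_headers(raw):
    """Return (name, value) pairs from the head of a raw HTTP response.
    Header names are lower-cased; the status line is dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_ip_disclosure(raw):
    """Return a list of (header, ip, is_private) for every URL-bearing header
    whose host part is an IP literal rather than a host name. An empty list
    means the server did not expose an address in these headers."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in URL_HEADERS:
            continue
        host = urlsplit(value).hostname
        if host is None:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a host name, which is what we want to see
        findings.append((name, host, addr.is_private))
    return findings


def probe(host, port=80, timeout=5):
    """Send a bare HTTP/1.0 request for the site root with NO Host header
    and return the raw response. Use against your own server; not run here."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, sample in (("leaky", SAMPLE_LEAKY_RESPONSE),
                          ("redirect", SAMPLE_REDIRECT_RESPONSE),
                          ("fixed", SAMPLE_FIXED_RESPONSE)):
        print(label, find_ip_disclosure(sample))
    # Against a real server (hypothetical address):
    # print(find_ip_disclosure(probe("203.0.113.10")))
```

Run the probe against the public (VIP) address of the site, not the server's own address, so that the request takes the same path a visitor's would through the load balancer. A clean result is an empty list; any finding with the third field set to True is the internal address this post is about.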
