1.2 Ensure 'host headers' are on all sites

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Host headers provide the ability to host multiple websites on the same IP address and port. It is recommended that host headers be configured for all sites. Wildcard host headers are now supported.
Rationale:
Requiring a Host header for all sites may reduce the probability of:
* DNS rebinding attacks successfully compromising or abusing site data or functionality
* IP-based scans successfully identifying or interacting with a target application hosted on IIS
Note: If a wildcard DNS entry exists and a wildcard host header is used, you may be serving data to more domains than intended.

Solution

Obtain a listing of all sites by using the following appcmd.exe command:
Enter the following command in AppCmd.exe to configure the host header:
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites /'[name='<website name'].bindings.[protocol='http',bindingInformation='*:80:<host header>'].bindingInformation:'*:80:<host header>'' /commit:apphost
OR
Enter the following command in PowerShell to configure the host header:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.applicationHost/sites/site[@name='<website name>']/bindings/binding[@protocol='http' and @bindingInformation='*:80:']' -name 'bindingInformation' -value '*:80:<host header value>'
OR
Perform the following in IIS Manager to configure host headers for the Default Web Site:
1. Open IIS Manager
2. In the Connections pane expand the Sites node and select Default Web Site
3. In the Actions pane click Bindings
4. In the Site Bindings dialog box, select the binding for which host headers are going to be configured, Port 80 in this example
5. Click Edit
6. Under host name, enter the sites FQDN, such as <www.examplesite.com>
7. Click OK, then Close
Note: Requiring a host header may impair site functionality for HTTP/1.0 clients.
Default Value:
By default, host headers are not required or set up automatically.

See Also

https://workbench.cisecurity.org/files/2297