Article ID: 218180 - View products that this article applies to.
This article was previously published under Q218180
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspxFor more information about IIS 7.0, visit the following Microsoft Web site:
When you use static HTML pages (for example, Default.htm), a Content-Location header is added to the response. By default, in Internet Information Server (IIS), the Content-Location references the IP address of the server instead of the Fully Qualified Domain Name (FQDN) or Hostname.
This header may expose internal IP addresses that are typically hidden or masked behind a Network Address Translation (NAT) Firewall or a proxy server.
HTTP/1.1 200 OKIn this example, the Content-Location specifies the private internal address of the IIS computer in the header. This header is then unchanged when it passes through a firewall or proxy server. Therefore, the security of the internal network may be compromised by exposing the network addresses that are being used.
Date: Thu, 18 Feb 1999 14:03:52 GMT
Last-Modified: Wed, 06 Jan 1999 18:56:06 GMT
There are two solutions depending on your version of IIS that you are using. Because of this, follow the correct steps based on your version.
Correct for IIS 4.0, 5.0, or 5.1Example:
HTTP/1.1 200 OKWarning Using the Adsutil.vbs file incorrectly causes serious problems that require you to reinstall Internet Information Server 4.0. Microsoft cannot guarantee that problems resulting from the incorrect use of the Adsutil.vbs file can be solved. Use the Adsutil.vbs file at your own risk.
Server: Microsoft-IIS/4.0 or Microsoft-IIS/5.0
Date: Thu, 18 Feb 1999 15:08:44 GMT
Last-Modified: Mon, 30 Nov 1998 15:40:15 GMT
Set the value on an IIS 4.0 server
Set the value on an IIS 5.0 server
IIS 6.0 on Windows Server 2003For additional information about a fix for IIS 6.0 on Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/834141/ )FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0
Another way to work around this issue is to use Active Server Pages (ASP) instead of static HTML pages (.htm or .html) and create a custom header that sends back a specific Content-Location. The ASP engine does not return a Content-Location when the response is built. Therefore, the ability to add a custom one is there.
For IIS 4, 5, 5.1 and 6.0, you can set the Web site to use a host header to respond to any requests for content. For additional information about how to configure IIS to use a host header, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/190008/ )How to use host header names to host multiple sites from one IP address
Article ID: 218180 - Last Review: July 7, 2008 - Revision: 6.1