Internet Information Server returns IP address in HTTP header (Content-Location)

When you use static HTML pages (for example, Default.htm), a Content-Location header is added to the response. By default, in Internet Information Server (IIS), the Content-Location references the IP address of the server instead of the Fully Qualified Domain Name (FQDN) or Hostname.

This header may expose internal IP addresses that are typically hidden or masked behind a Network Address Translation (NAT) Firewall or a proxy server.

Example: In this example, the Content-Location specifies the private internal address of the IIS computer in the header. This header is then unchanged when it passes through a firewall or proxy server. Therefore, the security of the internal network may be compromised by exposing the network addresses that are being used.

There are two solutions depending on your version of IIS that you are using. Because of this, follow the correct steps based on your version.

Correct for IIS 4.0, 5.0, or 5.1

Example: Warning Using the Adsutil.vbs file incorrectly causes serious problems that require you to reinstall Internet Information Server 4.0. Microsoft cannot guarantee that problems resulting from the incorrect use of the Adsutil.vbs file can be solved. Use the Adsutil.vbs file at your own risk.

Set the value on an IIS 4.0 server

1. Open a command window (cmd).
2. Change directory to: winnt\system32\inetsrv\adminsamples.
   
   Note This may vary depending on your installation of Internet Information Server.
3. Type the following syntax:
   adsutil set w3svc/UseHostName True
   By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
4. We recommend that you restart Inetinfo service after you make this modification. To stop the Inetinfo process, type the following at the command line:
   net stop iisadmin /y
   Note Make a note of what services are stopped so that you can restart them.
5. Type the following:
   Net start w3svc
   Note This is the minimum to allow the Web server to operate again. Any other services will depend on what is installed for IIS or SiteServer that you noted in step 4.

Set the value on an IIS 5.0 server

1. Open a command window (cmd).
2. Change the directory to: inetpub\adminscripts.
   
   Note This may vary depending on your installation of Internet Information Server.
3. Type the following syntax:
   adsutil set w3svc/UseHostName True
   By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
4. We recommend that you restart the Inetinfo service or restart your computer after you make this modification. To stop the Inetinfo process, type the following at the command line:
   net stop iisadmin /y
   Note Make a note of what services are stopped so that you can restart them.
5. Type the following:
   
   Net start w3svc
   Note This is the minimum to allow the Web server to operate again. Any other services will depend on what is installed for IIS or SiteServer that you noted in step 4.

IIS 6.0 on Windows Server 2003

For additional information about a fix for IIS 6.0 on Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

Another way to work around this issue is to use Active Server Pages (ASP) instead of static HTML pages (.htm or .html) and create a custom header that sends back a specific Content-Location. The ASP engine does not return a Content-Location when the response is built. Therefore, the ability to add a custom one is there.

For IIS 4, 5, 5.1 and 6.0, you can set the Web site to use a host header to respond to any requests for content. For additional information about how to configure IIS to use a host header, click the following article number to view the article in the Microsoft Knowledge Base: