Internet Information Server returns IP address in HTTP header (Content-Location)

Article translations Article translations
Article ID: 218180 - View products that this article applies to.
This article was previously published under Q218180
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1
Expand all | Collapse all

SYMPTOMS

When you use static HTML pages (for example, Default.htm), a Content-Location header is added to the response. By default, in Internet Information Server (IIS), the Content-Location references the IP address of the server instead of the Fully Qualified Domain Name (FQDN) or Hostname.

This header may expose internal IP addresses that are typically hidden or masked behind a Network Address Translation (NAT) Firewall or a proxy server.

Example:
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: http://10.1.1.1/Default.htm
Date: Thu, 18 Feb 1999 14:03:52 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 06 Jan 1999 18:56:06 GMT
ETag: "067d136a639be1:15b6"
Content-Length: 4325
In this example, the Content-Location specifies the private internal address of the IIS computer in the header. This header is then unchanged when it passes through a firewall or proxy server. Therefore, the security of the internal network may be compromised by exposing the network addresses that are being used.

RESOLUTION

There are two solutions depending on your version of IIS that you are using. Because of this, follow the correct steps based on your version.

Correct for IIS 4.0, 5.0, or 5.1

Example:
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0 or Microsoft-IIS/5.0
Content-Location: http://www.domain.com/Default.htm
Date: Thu, 18 Feb 1999 15:08:44 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 30 Nov 1998 15:40:15 GMT
ETag: "f07f84b9771cbe1:3068"
Content-Length: 4739
Warning Using the Adsutil.vbs file incorrectly causes serious problems that require you to reinstall Internet Information Server 4.0. Microsoft cannot guarantee that problems resulting from the incorrect use of the Adsutil.vbs file can be solved. Use the Adsutil.vbs file at your own risk.

Set the value on an IIS 4.0 server

  1. Open a command window (cmd).
  2. Change directory to: winnt\system32\inetsrv\adminsamples.

    Note This may vary depending on your installation of Internet Information Server.
  3. Type the following syntax:
    adsutil set w3svc/UseHostName True
    By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
  4. We recommend that you restart Inetinfo service after you make this modification. To stop the Inetinfo process, type the following at the command line:
    net stop iisadmin /y
    Note Make a note of what services are stopped so that you can restart them.
  5. Type the following:
    Net start w3svc
    Note This is the minimum to allow the Web server to operate again. Any other services will depend on what is installed for IIS or SiteServer that you noted in step 4.

Set the value on an IIS 5.0 server

  1. Open a command window (cmd).
  2. Change the directory to: inetpub\adminscripts.

    Note This may vary depending on your installation of Internet Information Server.
  3. Type the following syntax:
    adsutil set w3svc/UseHostName True
    By default, this value is set to False. Therefore, it returns only the IP address of the IIS computer. Setting this value to True returns the Fully Qualified Domain Name (FQDN) for the IIS computer.
  4. We recommend that you restart the Inetinfo service or restart your computer after you make this modification. To stop the Inetinfo process, type the following at the command line:
    net stop iisadmin /y
    Note Make a note of what services are stopped so that you can restart them.
  5. Type the following:
    Net start w3svc
    Note This is the minimum to allow the Web server to operate again. Any other services will depend on what is installed for IIS or SiteServer that you noted in step 4.

IIS 6.0 on Windows Server 2003

For additional information about a fix for IIS 6.0 on Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
834141 FIX: IP address is revealed in the content-location field in the TCP header in IIS 6.0

WORKAROUND

Another way to work around this issue is to use Active Server Pages (ASP) instead of static HTML pages (.htm or .html) and create a custom header that sends back a specific Content-Location. The ASP engine does not return a Content-Location when the response is built. Therefore, the ability to add a custom one is there.

For IIS 4, 5, 5.1 and 6.0, you can set the Web site to use a host header to respond to any requests for content. For additional information about how to configure IIS to use a host header, click the following article number to view the article in the Microsoft Knowledge Base:
190008 How to use host header names to host multiple sites from one IP address

Properties

Article ID: 218180 - Last Review: July 7, 2008 - Revision: 6.1
APPLIES TO
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services 6.0
Keywords: 
kbprb KB218180

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com