Disabling HTTP TRACE METHOD in IIS 6

on 23.04.2007 21:17:11 by wayne

Hi everyone,

I have spotted a few posts on this matter but still a little
confused. Some people are saying that you need to install URLScan in
order to disable this, however I don't really want to install this and
would much prefer to just disable it without the installation of
additional software.

If I issue the following commands once telnetted to our webserver
port 80;

OPTIONS / HTTP/1.1
Host: www.ourserversaddress.whatever

I get

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0
Server: Microsoft-IIS/6.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Mon, 23 Apr 2007 19:13:50 GMT

I still get the TRACE HTTP method included. In response to a
penetration test we had done, I am looking to disable this.

I have come across a registry key which doesn't seem to do anything,
I applied the registry key and restarted our IIS Service and nothing.
I then came across another post that said change the web.config file,
I removed the only line I found with TRACE in it and it made no
difference.

I have read another post in here where someone is saying that the
WEBDAV dll is the one that's saying it's enabled even when it isn't
enabled.

The problem I have is that I need to put something into a report and
I am struggling to come up with a conclusion on this one;

1. If the registry key is set to not have TRACE on (it's off by
default) yet I am getting it coming back, does this mean that it is
disabled ?
2. Is there any other setting I have missed that will stop this from
happening when I issue the commands to our webserver ?

Thanks very much in advance for any replies.

Regards

Re: Disabling HTTP TRACE METHOD in IIS 6

on 24.04.2007 06:43:38 by Bernard

By default TRACE is not enabled. You should get a 501 Not Implemented status
code.
The reg key is
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d779ee4e-5cd1-4159-b098-66c10c5a3314.mspx?mfr=true
If you want to enable it, set it to 1, which I don't think you want to set.

I still have no idea why it appears in the OPTIONS query, but you can try doing
a TRACE or TRACK. IIS will return 501.


--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/



Re: Disabling HTTP TRACE METHOD in IIS 6

on 24.04.2007 11:18:37 by wayne

Just noticed that we have Webdav disabled on our server. Could
FrontPage be causing this to come up ?

Re: Disabling HTTP TRACE METHOD in IIS 6

on 25.04.2007 02:28:03 by David Wang

Are you saying:
1. OPTIONS request reports TRACE as "Allowed" regardless of the
Registry Key setting
2. TRACE request actually functions after you have set the Registry
Key

Because they are different things. Security Audit cares about #2. You
are validating #1.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




Re: Disabling HTTP TRACE METHOD in IIS 6

on 25.04.2007 06:31:32 by Bernard

Don't think so...

--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/


wrote in message
news:1177406316.894890.25360@n15g2000prd.googlegroups.com...
> Just noticed that we have Webdav disabled on our server. Could
> FrontPage be causing this to come up ?
>

Re: Disabling HTTP TRACE METHOD in IIS 6

on 26.04.2007 11:26:40 by wayne

Hi,

(Sure I just posted but nothing here, will try again)

Anyhow, thanks very much for the replies. I have issued the OPTIONS
command against the webserver and got the output in the first post,
stating that the TRACE is responding. Nothing has been configured to
allow TRACE so if it should be disabled by default then I am unsure
why this is happening.

Is it just a bogus response to the OPTIONS and the TRACE won't
actually respond ? If I do the following;

TRACE / HTTP/1.1
Host: www.myserver

I do get Not Implemented

So I am coming to the conclusion that it is just a bogus response to
the OPTIONS command. Is that correct ?

Cheers

Wayne

On 25 Apr, 05:31, "Bernard Cheah [MVP]"
wrote:
> Don't think so...
>
> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://www.iis-resources.com/
> http://msmvps.com/blogs/bernard/
>
> wrote in message
> news:1177406316.894890.25360@n15g2000prd.googlegroups.com...
>
> > Just noticed that we have Webdav disabled on our server. Could
> > FrontPage be causing this to come up ?
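
Added example, not part of any post in this thread: a Python sketch of the distinction the replies draw between TRACE being listed in an OPTIONS reply and TRACE actually functioning, so the audit conclusion rests on the TRACE reply itself. The function names, the verdict labels and the two TRACE replies are constructed for illustration; the OPTIONS reply is the one from the first post, abridged.

```python
import socket

def probe(host, method, port=80, timeout=5.0):
    """Send one raw request (as typed in the telnet session) and return the reply."""
    request = f"{method} / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while (data := sock.recv(4096)):
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")

def parse(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def advertised(options_raw):
    """Methods listed in the Allow and Public headers of an OPTIONS reply."""
    _, headers, _ = parse(options_raw)
    listed = headers.get("allow", "") + "," + headers.get("public", "")
    return {m.strip().upper() for m in listed.split(",") if m.strip()}

def trace_verdict(options_raw, trace_raw):
    """Classify TRACE by what the TRACE request did, not by what OPTIONS lists."""
    status, headers, body = parse(trace_raw)
    echoed = (headers.get("content-type", "").lower().startswith("message/http")
              or body.lstrip().startswith("TRACE "))
    if status == 200 and echoed:
        return "enabled"            # the server echoed the request back
    if "TRACE" in advertised(options_raw):
        return "advertised-only"    # listed by OPTIONS, refused in practice
    return "disabled"

# OPTIONS reply from the first post (abridged); both TRACE replies are constructed.
OPTIONS_REPLY = ("HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD\r\n"
                 "Content-Length: 0\r\nServer: Microsoft-IIS/6.0\r\n"
                 "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n")
TRACE_REFUSED = "HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"
TRACE_ECHOED = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                "TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")

if __name__ == "__main__":
    print(trace_verdict(OPTIONS_REPLY, TRACE_REFUSED))
    print(trace_verdict(OPTIONS_REPLY, TRACE_ECHOED))
```

Against a live server you administer, pass `probe(host, "OPTIONS")` and `probe(host, "TRACE")` to `trace_verdict` in place of the sample strings.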