Disabling OPTION Command in IIS6


am 10.04.2008 01:12:14 von Will

A web vulnerability tester is complaining about our IIS 6 server that it
supports the "OPTION" command. What is this and is there a way to cleanly
disable it in IIS 6?

--
Will

Re: Disabling OPTION Command in IIS6

am 10.04.2008 03:04:02 von David Wang

On Apr 9, 4:12 pm, "Will" wrote:
> A web vulnerability tester is complaining about our IIS 6 server that it
> supports the "OPTION" command.  What is this and is there a way to cleanly
> disable it in IIS 6?
>
> --
> Will


No. And it's not something worth complaining about because the values
returned are not trusted. And if the vulnerability tester complains
about it being a "signature", then please note that there are many,
many other ways to signature a web server.

Faking/obfuscating the signature of a web server, such as changing the
"Server" header or altering/removing the "OPTIONS" request, are useless
measures to improve security. Proper security analysis assumes that the
web server signature can be fingered and that some vulnerability can
be located. How you deal with and contain that threat is what your
security analysis should focus on. Not this obfuscating stuff.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
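For readers wondering what the scanner actually saw: an OPTIONS request asks the server which HTTP methods it claims to accept, and the answer comes back in the `Allow` response header. The following Python snippet is an added example, not code from the thread or from Microsoft; it builds the request line a scanner would send, parses a constructed IIS-6-style response (the header values are made up for illustration, not captured from a real server), and reports any advertised method outside a policy allowlist. As David points out, the list is advisory: a method missing from `Allow` may still be handled, and one present may be blocked elsewhere, so the check only tells you what the server says about itself.

```python
"""Parse an HTTP OPTIONS response and compare advertised methods with a policy."""
from __future__ import annotations

# Constructed sample request: what a vulnerability scanner typically sends.
SAMPLE_REQUEST = (
    "OPTIONS / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"   # hypothetical host
    "\r\n"
)

# Constructed sample response in the style of IIS 6 (values made up for this example).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "\r\n"
)

# Methods the site actually needs; everything else is worth a look.
DEFAULT_POLICY = frozenset({"GET", "HEAD", "POST"})


def build_options_request(host: str, path: str = "*") -> str:
    """Return the raw OPTIONS request for `path` ('*' asks about the server as a whole)."""
    return f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines rather than crash on them
            headers[name.strip().lower()] = value.strip()
    return status_line, headers


def advertised_methods(raw_response: str) -> set[str]:
    """Methods the server *claims* to support, taken from the Allow header.

    This is self-reported information: it is not proof that a method is
    actually accepted or rejected.
    """
    _, headers = parse_response(raw_response)
    allow = headers.get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def methods_outside_policy(raw_response: str, policy=DEFAULT_POLICY) -> list[str]:
    """Advertised methods that are not on the allowlist, sorted for stable output."""
    return sorted(advertised_methods(raw_response) - set(policy))


if __name__ == "__main__":
    print(build_options_request("www.example.com"))
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print(status, "->", hdrs.get("allow"))
    print("outside policy:", methods_outside_policy(SAMPLE_RESPONSE))
```

Run it as-is to see the constructed exchange; to use it against a server you administer, send `build_options_request(...)` over a socket and pass the bytes you read back (decoded) to `methods_outside_policy`. Treat a non-empty result as a prompt to review the server configuration, not as a finding in itself.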
