Ensure ‘host headers’ are on all sites

Details

Host headers provide the ability to host multiple websites on the same IP address and port. It is recommended that host headers be configured for all sites.

Requiring a Host header for all sites may reduce the probability of:

– DNS rebinding attacks successfully compromising or abusing site data or functionality [2]

– IP-based scans successfully identifying or interacting with a target application hosted on IIS

Solution

Obtain a listing of all sites by using the following appcmd.exe command:
%systemroot%\system32\inetsrv\appcmd list sites

Perform the following in IIS Manager to configure host headers for the Default Web Site:
1. Open IIS Manager
2. In the Connections pane expand the Sites node and select Default Web Site
3. In the Actions pane click Bindings
4. In the Site Bindings dialog box, select the binding for which host headers are going to be configured, Port 80 in this example
5. Click Edit
6. Under host name, enter the site's FQDN, such as
7. Click OK, then Close
Note: Requiring a host header may impair site functionality for HTTP/1.0 clients.
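
To confirm which bindings still lack a host header after making the change, the appcmd listing can be checked mechanically. The following PowerShell is an added example, not part of the benchmark text: the function name and the sample sites are constructed, and it assumes the line format appcmd prints for sites, SITE "name" (id:N,bindings:protocol/ip:port:host,...,state:S).

```powershell
# Added example: report HTTP/HTTPS bindings whose host name field is empty,
# reading the text that "appcmd list sites" prints.
# Find-BindingWithoutHostHeader is a hypothetical name, not an IIS cmdlet.
function Find-BindingWithoutHostHeader {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    process {
        $pattern = '^SITE "(?<name>.+)" \(id:(?<id>\d+),bindings:(?<bindings>.*),state:(?<state>\w+)\)\s*$'
        if ($Line -match $pattern) {
            # Copy the captures first; $Matches is reused by later matches.
            $site     = $Matches['name']
            $siteId   = [int]$Matches['id']
            $bindings = $Matches['bindings'] -split ','

            foreach ($binding in $bindings) {
                # A binding reads protocol/ip:port:host, e.g. http/*:80:www.example.com
                $protocol, $info = $binding -split '/', 2
                if ($protocol -notin 'http', 'https') { continue }  # net.tcp etc. have no host field

                # The host name is whatever follows the last colon; this also
                # works for IPv6 addresses such as [::1]:80:host.
                $hostName = $info.Substring($info.LastIndexOf(':') + 1)
                if ([string]::IsNullOrWhiteSpace($hostName)) {
                    [pscustomobject]@{
                        Site     = $site
                        Id       = $siteId
                        Protocol = $protocol
                        Binding  = $info
                    }
                }
            }
        }
    }
}

# Constructed sample output (not taken from a real server).
$sample = @(
    'SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)'
    'SITE "Intranet" (id:2,bindings:http/*:80:intranet.example.com,https/*:443:,state:Started)'
    'SITE "Shop" (id:3,bindings:https/10.0.0.5:443:shop.example.com,state:Started)'
)
$sample | Find-BindingWithoutHostHeader | Format-Table -AutoSize

# On an IIS server, feed it the live listing instead:
# & "$env:systemroot\system32\inetsrv\appcmd.exe" list sites | Find-BindingWithoutHostHeader
```

Every row returned is a binding that answers requests regardless of the Host header sent, so an empty result means all HTTP and HTTPS bindings carry a host name.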

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

References

Source

Updated on July 16, 2022