IIS Server Security >> http trace

by R1F1aXR1Z3Vh » Tue, 14 Jun 2005 02:25:06 GMT

I'm trying to secure the "http trace" vulnerability on my web server (xforce
article 11149). I have applied url scan and disabled the appropriate verbs.
My question is, I'd like to test it to ensure that in fact tracing is
disabled. Is there a command I can issue against my web server to test this
or some way I can check the status?

Regards,

George Quitugua


IIS Server Security >> http trace

by Bernard Cheah [MVP] » Tue, 14 Jun 2005 08:50:17 GMT


Related to this?
http://msmvps.com/bernard/archive/2003/12/30/1359.aspx

You can do a manual telnet to port 80 and issue the command, or you can try
wfetch
HOW TO: Use Wfetch.exe to Troubleshoot HTTP Connections
http://support.microsoft.com/?id=284285

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/









IIS Server Security >> HTTP Trace

by QW5keQ » Mon, 24 Sep 2007 21:50:03 GMT

Is there an easy way to disable HTTP Trace in IIS 6 - Windows 2003? I do not
want to install urlscan.

Thanks
A


HTTP Trace

by tiago.halm » Tue, 25 Sep 2007 03:23:14 GMT

As per:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d779ee4e-5cd1-4159-b098-66c10c5a3314.mspx?mfr=true
IIS6 does not handle TRACE by default.

Other threads on the same subject:
- http://groups.google.com/groups?q=disabling%20http%20trace%20method%20iis%206

Tiago Halm



HTTP Trace

by QW5keQ » Tue, 25 Sep 2007 23:04:02 GMT

thanks





Similar Threads

1. can't trace ASP performance using logman, while HTTP traces fine

Hi, I am using logman to trace the performance problem of my IIS 6.0 on two 
web servers and get problem on one server.

Running "logman start "IIS Trace" -pf iistrace.guid -ct perf -o iis.etl 
-ets" with the same iistrace.guid file.

Seems every provider starts fine as there is no error message

But I always get 0 on the ASP performance data out of one particular server 
A. Data from server B is fine (e.g. ASP performance data is not zeroes 000000)

The two servers are in a cluster both with active users (aspx .net 
application), so there must be something wrong with the result of trace in 
server A.


Cheers!


HTTP Response Time Statistics (server A)
--------------------------------------------------------------------------------

Request Type          Requests/sec  Response Time(ms)   IIS%  Filter%  ISAPI%  ASP%  CGI%
Static HTTP (cached)         0.134               0.02  100.0      0.0     0.0   0.0   0.0
ASP                          0.000               0.00    0.0      0.0     0.0   0.0   0.0
Static HTTP                  0.000               0.00    0.0      0.0     0.0   0.0   0.0
CGI                          0.000               0.00    0.0      0.0     0.0   0.0   0.0


HTTP Requests CPU Usage Statistics (server A)
--------------------------------------------------------------------------------

Request Type          Requests/sec  CPU%   IIS%  Filter%  ISAPI%  ASP%  CGI%
Static HTTP (cached)         0.134   0.0  100.0      0.0     0.0   0.0   0.0
ASP                          0.000   0.0    0.0      0.0     0.0   0.0   0.0




HTTP Response Time Statistics (server B)
--------------------------------------------------------------------------------

Request Type          Requests/sec  Response Time(ms)   IIS%  Filter%  ISAPI%  ASP%  CGI%
Static HTTP (cached)         1.442               0.02  100.0      0.0     0.0   0.0   0.0
ASP                          0.323             606.20    2.1      0.0    97.8   0.0   0.0
Static HTTP                  0.085               0.68   99.2      0.7     0.0   0.0   0.0
CGI                          0.000               0.00    0.0      0.0     0.0   0.0   0.0
Error                        0.071               0.38   98.6      1.4     0.0   0.0   0.0

HTTP Requests CPU Usage Statistics (server B)
--------------------------------------------------------------------------------

Request Type          Requests/sec  CPU%   IIS%  Filter%  ISAPI%  ASP%  CGI%
Static HTTP (cached)         1.442   0.0  100.0      0.0     0.0   0.0   0.0
ASP                          0.323   0.0   33.3     33.3    33.3   0.0   0.0
Static HTTP                  0.085   0.0  100.0      0.0     0.0   0.0   0.0
CGI                          0.000   0.0    0.0      0.0     0.0   0.0   0.0
Error                        0.071   0.0   50.0     50.0     0.0   0.0   0.0

 

CONTENT of iistrace.guid:

{1fbecc45-c060-4e7c-8a0e-0dbd6116181b} 0 5 IIS: SSL Filter
{3a2a4e84-4c21-4981-ae10-3fda0d9b0f83} 0 5 IIS: WWW Server
{06b94d9a-b15e-456e-a4ef-37c984a2cb4b} 0 5 IIS: Active Server Pages (ASP)
{dd5ef90a-6398-47a4-ad34-4dcecdef795f} 0 5 Universal Listener Trace
{a1c2040e-8840-4c31-ba11-9871031a19ea} 0 5 IIS: WWW ISAPI Extension

2. http trace

3. How to disable HTTP TRACE in IIS 5.x

How do I check if the HttpTraceEnabled / EnableTraceMethod is turned on or off? 
If it is turned on, how do I turn it off and vice-versa?

4. HTTP TRACE Support - IIS Server Security

5. HTTP TRACE verb on IIS 6.0

Hi,
I am using IIS 6.0 resource kit "Wfetch" utility to check my IIS 6.0 web 
server for HTTP TRACE verb. If I send a TRACE verb to my web site, I receive:

HTTP/1.1 Error 501 - Not Implemented

which based on KB247643 is an indication of TRACE verb being disabled on my 
site, a good sign for my specific requirement.

However if I send HTTP OPTIONS verb to the same web site I receive:

HTTP/1.1 200 OK\r\n
Allow: OPTIONS, TRACE, GET, HEAD\r\n
Content-Length: 0\r\n
Server: Microsoft-IIS/6.0\r\n
Public: OPTIONS, TRACE, GET, HEAD, POST\r\n
Date: Tue, 12 Jul 2005 17:12:21 GMT\r\n
\r\n

Does this indicate the TRACE is enabled? or Allowed? Which one of the above 
two responses supersedes the other?

I am responding back to an audit report and need to confirm this.

Thanks
Omid
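
The manual check suggested earlier in the thread (telnet to port 80 and issue the command) and the 501-versus-OPTIONS comparison in the post above, as an added Python example that is not part of the original posts: it judges TRACE by whether the server actually echoes a TRACE request, and reports separately whether OPTIONS still lists the verb. The marker header, the function names and the sample replies are constructed for illustration.

```python
import socket

MARKER = "X-Trace-Probe: constructed-marker-1234"  # constructed header, not from the thread
# Constructed sample replies modelled on the 501 and OPTIONS output quoted above.
SAMPLE_TRACE = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD\r\n"
                  b"Public: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n")

def build_request(method, host, path="/"):
    """Same bytes you would type into a telnet session, plus a marker header."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n{MARKER}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Split a raw reply into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def assess(trace_raw, options_raw):
    """Judge TRACE by what the server did, and note what OPTIONS merely advertises."""
    status, _, body = parse_response(trace_raw)
    _, opt_headers, _ = parse_response(options_raw)
    listed = ",".join(opt_headers.get(k, "") for k in ("allow", "public"))
    advertised = "TRACE" in {m.strip().upper() for m in listed.split(",")}
    echoed = status == 200 and MARKER.encode("ascii") in body
    return {"status": status, "echoed": echoed, "advertised": advertised}

def probe(host, port=80, timeout=5.0):
    """Send TRACE and OPTIONS to a server you administer and assess the replies."""
    def send(method):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(method, host))
            chunks = []
            while data := s.recv(4096):
                chunks.append(data)
        return b"".join(chunks)
    return assess(send("TRACE"), send("OPTIONS"))

if __name__ == "__main__":
    print(assess(SAMPLE_TRACE, SAMPLE_OPTIONS))
```

`echoed` is true only when the server answers 200 and reflects the marker header back in the body; `advertised` reflects the Allow/Public headers alone.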

6. Disabling HTTP TRACING - IIS Server Security

7. How to disable HTTP trace in IIS 5

I'm not familiar with IIS or HTTP and its jargon. My IIS5 server (Windows 
2000 SP4) is currently hosting our website & OWA. It is a requirement to 
ensure that the HTTP trace is disabled on the server. I have tried but still 
could not understand what or how to configure the urlscan.ini to just disable 
the HTTP trace, without affecting any other things. I know in IIS6 (Windows 
2003), I can do that through the registry. Is there any reference document or 
anyone that can enlighten or guide me on how to go about it in IIS5 (Windows 
2000 SP4)?

8. Disabling HTTP Trace Without using URL Scan - IIS Server Security