Home All Groups Group Topic Archive Search About

HTTP TRACE verb on IIS 6.0

microsoft.public.inetserver.iis.security
Author
12 Jul 2005 5:16 PM
Omid
Hi,
I am using IIS 6.0 resource kit "Wfetch" utility to check my IIS 6.0 web
server for HTTP TRACE verb. If I send a TRACE verb to my web site, I recieve:

HTTP/1.1 Error 501 - Not Implemented

which based on KB247643 is an indication of TRACE verb being disabled on my
site, a good sign for my specific requirement.

However if I send HTTP OPTIONS verb to the same web site I receive:

HTTP/1.1 200 OK\r\n
Allow: OPTIONS, TRACE, GET, HEAD\r\n
Content-Length: 0\r\n
Server: Microsoft-IIS/6.0\r\n
Public: OPTIONS, TRACE, GET, HEAD, POST\r\n
Date: Tue, 12 Jul 2005 17:12:21 GMT\r\n
\r\n

Does this indicate the TRACE is enabled? or Allowed? Which one of the above
two responses supercedes the other?

I am responding back to an audit report and need to confirm this.

Thanks
Omid

Author
18 Jul 2005 3:55 AM
Bernard Cheah [MVP]
It should be 501. There's a metabase or registry key to enable this, but I
can't find it now :( anyway, by default you will get 501 for both trace and
track verb.


--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/


Show quoteHide quote
"Omid" <O***@discussions.microsoft.com> wrote in message
news:AD625BFD-F8A2-4665-81D8-E7456790A1B0@microsoft.com...
> Hi,
> I am using IIS 6.0 resource kit "Wfetch" utility to check my IIS 6.0 web
> server for HTTP TRACE verb. If I send a TRACE verb to my web site, I
> recieve:
>
> HTTP/1.1 Error 501 - Not Implemented
>
> which based on KB247643 is an indication of TRACE verb being disabled on
> my
> site, a good sign for my specific requirement.
>
> However if I send HTTP OPTIONS verb to the same web site I receive:
>
> HTTP/1.1 200 OK\r\n
> Allow: OPTIONS, TRACE, GET, HEAD\r\n
> Content-Length: 0\r\n
> Server: Microsoft-IIS/6.0\r\n
> Public: OPTIONS, TRACE, GET, HEAD, POST\r\n
> Date: Tue, 12 Jul 2005 17:12:21 GMT\r\n
> \r\n
>
> Does this indicate the TRACE is enabled? or Allowed? Which one of the
> above
> two responses supercedes the other?
>
> I am responding back to an audit report and need to confirm this.
>
> Thanks
> Omid
>



Post Other interesting topics
Redirecting http:// to https:/
How to disable SSL Security Alert in IE
IIS Crashes at regular interval of time - Urgent
Web Applicaiton using Trusted Connections to SQL on different machine?
Problem with IIS, Powerpoint and AVI-File
Certificate Question
HTW file security risk
IIS Lockdown Tool
Securing IIS 6
Exchange 2003 OWA and IIS over SSL