IIS Support Blog

HTTP OPTIONS and Default page vulnerabilities

Nedim
Former Employee
Jul 05, 2020

Penetration testing tools may raise an alert if an IIS server accepts requests with the HTTP OPTIONS method. This is because the response to these requests may reveal which other methods the web server supports.

Warning: Disabling OPTIONS may have unintended consequences, such as breaking CORS preflight requests. Please test the applications thoroughly after making the change below.

Follow the steps below to disable OPTIONS method.

  1. Open IIS Manager
  2. Click the server name
  3. Double click on Request Filtering
  4. Go to HTTP Verbs tab
  5. On the right side, click Deny Verb
  6. Type OPTIONS. Click OK

Penetration testing tools may also raise an alarm if the default IIS page is still available on your server. This page is present by default when you install the Web Server role.

Warning: Disabling the default page of a web application may cause unwanted results. Please make sure to test the application thoroughly after following the steps below.

Follow the steps below to disable it so this vulnerability doesn't come up in the reports anymore.

  1. Open IIS Manager
  2. Click the server name
  3. Double click on Default Document
  4. On the right side, click “Disable”
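
Both procedures above can also be applied from PowerShell instead of IIS Manager. The script below is an added example, not part of the original post; it assumes an elevated session and that the WebAdministration module is available on the server, and it writes both settings at server level, as the steps above do.

```powershell
# Added example: server-level equivalents of the IIS Manager steps above.
# Assumes an elevated session and that the WebAdministration module is present.
Import-Module WebAdministration

$server = 'MACHINE/WEBROOT/APPHOST'   # same scope as clicking the server name
$verbs  = 'system.webServer/security/requestFiltering/verbs'
$entry  = "$verbs/add[@verb='OPTIONS']"
$defDoc = 'system.webServer/defaultDocument'

# Request Filtering > HTTP Verbs > Deny Verb > OPTIONS.
# Update the entry if one already exists; adding a duplicate would fail.
if (Get-WebConfiguration -PSPath $server -Filter $entry) {
    Set-WebConfigurationProperty -PSPath $server -Filter $entry -Name allowed -Value $false
} else {
    Add-WebConfigurationProperty -PSPath $server -Filter $verbs -Name '.' `
        -Value @{ verb = 'OPTIONS'; allowed = $false }
}

# Default Document > Disable.
Set-WebConfigurationProperty -PSPath $server -Filter $defDoc -Name enabled -Value $false

# Read both settings back to confirm what was written.
[pscustomobject]@{
    OptionsAllowed         = (Get-WebConfigurationProperty -PSPath $server -Filter $entry -Name allowed).Value
    DefaultDocumentEnabled = (Get-WebConfigurationProperty -PSPath $server -Filter $defDoc -Name enabled).Value
}
```

A site or application that sets these sections in its own web.config can override the server-level values, so confirm the result per site.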

 

Updated Jul 08, 2020
Version 3.0

6 Comments

  • alissa914
    Copper Contributor

    The default IIS page shouldn't be solved that way.  It will cause more problems.  Just delete the iisstart.* pages at c:\inetpub\wwwroot and it solves the problem.

  • SaikiranKoyyada
    Copper Contributor

    Server is reporting HTTP OPTIONS / Default Page Vulnerability, but IIS Manager is not installed in it. How to remediate the Vulnerability in this case?
    Any insights would be grateful. Thanks in Advance.