I have already posted this on IIS-Security, and since I have not received any
responses, I am posting it here again:

Hi,
I am using IIS 6.0 resource kit "Wfetch" utility to check my IIS 6.0 web
server for HTTP TRACE verb. If I send a TRACE verb to my web site, I receive:

HTTP/1.1 Error 501 - Not Implemented

which based on KB247643 is an indication of TRACE verb being disabled on my
site, a good sign for my specific requirement.

However if I send HTTP OPTIONS verb to the same web site I receive:

HTTP/1.1 200 OK\r\n
Allow: OPTIONS, TRACE, GET, HEAD\r\n
Content-Length: 0\r\n
Server: Microsoft-IIS/6.0\r\n
Public: OPTIONS, TRACE, GET, HEAD, POST\r\n
Date: Tue, 12 Jul 2005 17:12:21 GMT\r\n
\r\n

Does this indicate the TRACE is enabled? or Allowed? Which one of the above
two responses supersedes the other?

I am responding back to an audit report and need to confirm this.

Thanks
Omid

Re: Disabling TRACE verb on IIS 6.0 by Wade

Wade
Wed Jul 13 23:40:22 CDT 2005

Hi Omid,

If making a TRACE request results in a 501, you can say definitively that
the TRACE verb is disabled.

The reason for the discrepancy in the OPTIONS output is that the OPTIONS
request is not handled by the IIS core. It is handled by WebDAV (which is
actually not even produced by the IIS team) and the WebDAV code apparently
does not recognize the registry setting that disables TRACE. Also, the
functionality to disable TRACE went into the IIS 6 code very late in the
development cycle, so there would have been no opportunity for the other
team to modify WebDAV to account for this.

I hope that this clears up the question for you.

Thank you,
-Wade A. Hilmo,
-Microsoft




Re: Disabling TRACE verb on IIS 6.0 by Omid

Omid
Thu Jul 14 10:09:02 CDT 2005

Wade,

Thanks very much for the info. I have two follow-up questions though:

1-I don't recall disabling trace manually, is it disabled by default, and
where is the setting for disabling/enabling TRACE in IIS 6.0?

2-I need a reference to a Microsoft KB or any document for that matter that
states what you have mentioned here. I am replying back to an audit report
that claims TRACE is enabled on my IIS site and need to provide evidence that
it isn't. To generate their report, they have used some third-party tool to
send "OPTIONS" verb to the server.

Thanks
Omid


Re: Disabling TRACE verb on IIS 6.0 by Wade

Wade
Thu Jul 14 21:29:18 CDT 2005

Hi Omid,

TRACE handling is disabled by default. It can be enabled by a registry key.
The following article describes a number of registry keys, and the one in
question is the first on the list:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d779ee4e-5cd1-4159-b098-66c10c5a3314.mspx

As for documentation explaining why OPTIONS lists it, I doubt that anything
exists for that. My explanation below for why the WebDAV handler doesn't
know about whether TRACE is enabled or disabled is a hypothesis on my part
(but it is a very educated hypothesis.)

Thank you,
-Wade A. Hilmo,
-Microsoft

> "Wade A. Hilmo [MS]" wrote:
>
> > Hi Omid,
> >
> > If making a TRACE request results in a 501, you can say definitively that
> > the TRACE verb is disabled.
> >
> > The reason for the discrepancy in the OPTIONS output is that the OPTIONS
> > request is not handled by the IIS core. It is handled by WebDAV (which is
> > actually not even produced by the IIS team) and the WebDAV code apparently
> > does not recognize the registry setting that disables TRACE. Also, the
> > functionality to disable TRACE went into the IIS 6 code very late in the
> > development cycle, so there would have been no opportunity for the other
> > team to modify WebDAV to account for this.
> >
> > I hope that this clears up the question for you.
> >
> > Thank you,
> > -Wade A. Hilmo,
> > -Microsoft



Re: Disabling TRACE verb on IIS 6.0 by Tiago

Tiago
Fri Jul 15 00:24:38 CDT 2005

Wade, OPTIONS is a quite core verb of the HTTP protocol.
However, you state that the OPTIONS request is handled by WebDav?? (and by
WebDav I would assume its core DLL, httpext.dll). Disabling that DLL
(unACLing it fully or even deleting it) would then prevent IIS from
answering OPTIONS?
I think not.

While I'm not in any way aware of the inner workings of IIS, I would assume
OPTIONS is handled by the core of IIS and has a default response. The fact
that the response always includes all available verbs does not mean they are
available or that they are not blocked by any kind of filtering scheme
running inside the Web Server.

www.microsoft.com is blocking OPTIONS via a filtering scheme.
However, my IIS6 does not block OPTIONS and answers "OPTIONS, TRACE, GET,
HEAD, POST" as you would expect it to.

I presume WebDav "adds" some more additional methods like "DELETE, PUT,
COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH", but these
"additional" methods should be queried by the IIS core to WebDav's DLL and
should only be returned if WebDav is "enabled". The "enabled" concept in
IIS5 is somewhat not defined, but in IIS6 it is defined and works as
expected.

I am probably mistaken in some statements above in terms of the IIS inner
workings, but stating that OPTIONS is handled by WebDav is not coherent.

PS: I always find your posts invaluable, so please take this comment in a
good sense.

Tiago Halm
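
The check discussed in this thread (the server's answer to an actual TRACE request decides, while the verbs listed in an OPTIONS reply are only an advertisement), as an added example that is not part of the original posts. The function names are hypothetical, the two TRACE replies are constructed samples, and treating 403/405 like 501 is an assumption that goes beyond the 501 case in the thread.

```python
# Added example: judge TRACE by the reply to a real TRACE request and
# treat the Allow/Public headers of an OPTIONS reply as advertisement only.

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def advertised(headers):
    """Methods named in the Allow and Public headers of an OPTIONS reply."""
    listed = set()
    for name in ("allow", "public"):
        for method in headers.get(name, "").split(","):
            if method.strip():
                listed.add(method.strip().upper())
    return listed

def assess_trace(trace_raw: bytes, options_raw: bytes):
    """Compare the real TRACE reply with what OPTIONS advertises."""
    t_status, t_headers, t_body = parse_response(trace_raw)
    listed = "TRACE" in advertised(parse_response(options_raw)[1])
    # An enabled TRACE echoes the request back as a message/http body.
    echoed = (t_headers.get("content-type", "").lower().startswith("message/http")
              or t_body.startswith(b"TRACE "))
    if t_status == 200 and echoed:
        verdict = "enabled"
    elif t_status in (403, 405, 501):  # 403/405: assumption, see lead-in
        verdict = "disabled"
    else:
        verdict = "inconclusive"
    return {"trace_status": t_status, "options_lists_trace": listed,
            "verdict": verdict,
            "options_misleading": listed and verdict == "disabled"}

# OPTIONS headers as posted in the thread; both TRACE replies are constructed.
OPTIONS_REPLY = (b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD\r\n"
                 b"Content-Length: 0\r\nServer: Microsoft-IIS/6.0\r\n"
                 b"Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
                 b"Date: Tue, 12 Jul 2005 17:12:21 GMT\r\n\r\n")
TRACE_501 = b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"
TRACE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
```

For an audit response, the captured TRACE request and its 501 reply are the evidence; a finding based only on the OPTIONS listing corresponds to `options_misleading` being true.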

