IIS Informant: Handling Host Headers on Your Web Site

[Editor's Note: Do you have an IIS-related question? Send it to [email protected] and you might see the answer in this column!]

What happens when a server receives a request for a host header­based Web site, but no Web site on the server is defined for that host header?

Host headers are a rock-solid IIS feature. Consequently, if something related to host headers isn't working, a configuration oversight almost certainly caused the problem.

First, let me briefly address the subject of host headers. A Web server configured to require host headers is far more resistant to a script or worm that scans sites by IP address than is an IP-addressable site. If such a script or worm uses an IP address to attempt to contact an IIS server configured with Web sites that all require host headers, the malicious software fails to connect to any of the server's Web sites. You can use host headers on your Web sites to insulate your servers from attacks such as CodeRed and Nimda, even if host headers aren't required. However, keep the following information in mind.

If an IIS server has a Web site with a host header that exactly matches the request's host header field, that Web site responds to the client request. However, if no Web site has a host header that matches the request's host header field, the first Web site that can respond to the IP address in the client request responds. If you configure all of a Web server's Web sites to use host headers, none respond to an IP address-only request. The server returns the message No Web site is configured at this address.

An intruder who receives the message No Web site is configured at this address would be hard pressed to determine the host header required to access any of the Web sites on the server. (Although discovering the IP address of a Web site if you know the DNS name is easy, finding the DNS name of a Web site through its IP address is quite another matter.)

Figure 1 shows a common misconfiguration. If the Web site is configured as Figure 1 shows, the site responds to the IP address, not the host name. Consequently, the host header entry is ineffective. You would never want this configuration, but because the default entry has the IP address only, people often click Add to add the host header entry without removing the IP address­based entry. To correct this situation, inspect your Advanced Multiple Identities window for all your Web sites and make sure that none are configured with an additional entry that doesn't list a host header.