IP address is revealed in the content-location field in the TCP header in IIS 6.0
I am getting blown out of the water by a security scanning service because of leaking a private IP address. They direct me to a KnowledgeBase article (Q218180) which gives little help. I am by no means a techy guy when it comes to this kind of stuff. I am running Windows Server 2003, SP2 with all the current security updates installed. Is there a "simple" solution to fix this problem? Even if it's not simple, is there anything out there to step me through a fix? I would appreciate any and all help with this. Thanks!
November 19th, 2009 7:52pm

Can you tell a bit more about your problem? http://www.sysadmins.lv
November 20th, 2009 12:14pm

Because we accept credit cards (not online), we are required to be "PCI Compliant", and our credit card clearing provider requires us to have a quarterly scan by a security compliance vendor. Every time we run the scan, we get the following. The Microsoft links don't provide very clear information as to what I need to do to correct this.

Test Results
Executive Summary
Test Result: Fail
Date: 2009-11-19
Target IP: 69.66.54.203
Test ID: 1307425
Test Length: 46.02 Minutes
DNS Entry: hrln-static-00-0011.dsl.iowatelecom.net
Total Risk: 5
Start Time: 07:48:40
Finish Time: 08:34:41
TCP/IP Fingerprint OS Estimate: Microsoft Windows

SecurityMetrics has determined that Quality Machine of Iowa, Inc. is NOT COMPLIANT with the PCI scan validation requirement for this computer. The computer fails because a risk of 4 or more was found. You may not use the Security Tested logo until the computer passes. Look in the Security Vulnerabilities section below for instructions to reduce your security risk.

Security Vulnerabilities
SecurityMetric scanning tools probe your computer for weaknesses and security vulnerabilities externally, like an attacker would. The following section lists any security vulnerabilities detected on your computer that are serious enough to cause you to receive a failing grade.
Vulnerabilities are ranked on a scale of 0 to 9. A risk of 0 is purely informational, while a risk of 9 is an extremely serious vulnerability. Any vulnerability with a risk of 4 or more will cause the test to receive a failing grade. Risk level descriptions.

Protocol: TCP
Port: 80
Program: http
Risk: 5
Summary:
Synopsis: This web server leaks a private IP address through its HTTP headers.
Description: This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with Microsoft IIS 4.0 doing this in its default configuration. This may also affect other web servers, web applications, web proxies, load balancers and through a variety of misconfigurations related to redirection.
See also: http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
See the Bugtraq reference for a full discussion.
Solution: None
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: CVE-2000-0649
BID: 1499
Other references: OSVDB:630
November 20th, 2009 5:42pm

Oh, PCI compliance is so much fun. Not sure what you find "unclear" about this Microsoft article. Maybe this will help. I see you are using Windows 2003... that is IIS 6.0. At the bottom of your article they refer you here for IIS 6.0: http://support.microsoft.com/kb/834141/ Skip the section about the Service Pack... you're at SP2, so you are good. The simple solution is Method 1. Here is what it says, with some modifications to it for help.

Option 1: Set the UseHostName property
To set the UseHostName property, follow these steps:

1. Click Start, click Run, type cmd, and then click OK to open a command prompt.

2. Change to the folder where the Adsutil.vbs tool is located. By default, this folder is the following: %SYSTEMROOT%\Inetpub\AdminScripts
   This really means type the following in the command prompt:
   CD /D C:\Inetpub\AdminScripts

3. Type the following command, where x is your site identifier:
   cscript adsutil.vbs set w3svc/x/UseHostName true
   To get the site identifier, open the IIS administrative tool: Start... Programs... Administrative Tools... Internet Information Services (IIS) Manager. On the left select the Web Sites folder, then on the right view the IDENTIFIER column. For each number shown run the following command, where ##### is the identifier:
   cscript adsutil.vbs set w3svc/#####/UseHostName true

4. Run these commands to complete the changes:
   net stop iisadmin /y
   net start w3svc
November 20th, 2009 7:03pm
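What the scanner is flagging, and how to confirm it is gone after the UseHostName change, as an added Python example (my code, not part of this thread, of SecurityMetrics' scanner, or of Microsoft's KB articles). The two sample responses and the function names are constructed for illustration; the HTTP/1.0 request with no Host header in check_server follows KB Q218180's description of the request shape that makes IIS substitute its own IP address in Content-Location. Any RFC 1918, loopback or link-local address in Content-Location or Location is reported, which is the condition the report above grades as risk 5.

```python
import ipaddress
import re
import socket

# Response headers in which IIS (and proxies, load balancers or redirect logic)
# may embed the server's own address instead of its public host name.
HEADERS_OF_INTEREST = ("content-location", "location")


def parse_headers(raw_response):
    """Split a raw HTTP response into a dict of lowercase header name -> value.

    Only the header block (up to the first blank line) is inspected; the status
    line is skipped. A repeated header keeps its last value, which is enough here.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_private_ips(headers):
    """Return (header_name, address) pairs for every internal address found.

    Any IPv4 address that is RFC 1918 private, loopback or link-local counts,
    which is what the scan report objects to: an address that should have stayed
    behind the NAT firewall. Public addresses and plain host names pass.
    """
    hits = []
    for name in HEADERS_OF_INTEREST:
        value = headers.get(name)
        if not value:
            continue
        for candidate in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:  # "999.1.1.1" matches the regex but is no address
                continue
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                hits.append((name, candidate))
    return hits


def check_server(host, port=80, path="/"):
    """Fetch headers from your own server the way the scanner does and report leaks.

    The request is HTTP/1.0 with no Host header (constructed here; KB Q218180
    describes that as the request shape that triggers the IP substitution).
    Run it against your server after setting UseHostName to confirm the fix.
    """
    request = "GET {} HTTP/1.0\r\n\r\n".format(path).encode("ascii")
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return find_private_ips(parse_headers(data))


# Constructed sample responses (not captured from the poster's server).
LEAKING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Content-Location: http://192.168.1.10/Default.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)

FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Content-Location: http://www.example.com/Default.htm\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>...</html>"
)


if __name__ == "__main__":
    for label, sample in (("before fix", LEAKING_RESPONSE), ("after fix", FIXED_RESPONSE)):
        print(label, find_private_ips(parse_headers(sample)))
    # To verify a real server after the change: print(check_server("www.example.com"))
```

The offline samples show the two states the thread describes: before the change the default-document redirect carries the server's internal address, after it the configured host name. check_server is the same check pointed at a live host, so the result you want from your own server once UseHostName is set and W3SVC has restarted is an empty list.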

Thank you. I especially appreciate your additional help and modifications. I followed your instructions and have re-run the scan - it passed this time. Thank you very much!!
November 20th, 2009 11:06pm
