Microsoft IIS

• Internet Information Services (IIS) (Microsoft) – for EOL
• HTTP Request Smuggling in Microsoft IIS Server (Microsoft)

Default web server configuration (IIS Start Page)

The default IIS start page is located at “http://<URL>/iisstart.htm”. When found, report it at severity “Info”.

• Description: Default IIS start page is accessible. It discloses that IIS is used and the version is also disclosed in HTTP headers. This also raises concern on if other default configurations are currently in place.
• Fix: It is recommended to remove default pages and review the web server configurations for any default configuration.