SCCM I AM


Introduction to Microsoft SCCM 2012

SCCM (System Center Configuration Manager) is Microsoft's software product for managing endpoints (desktops, laptops, tablets, mobile phones, etc.) and is widely used by companies from mid-size to large enterprises.

Introduction to Microsoft Intune

Intune is Microsoft's MDM (Mobile Device Management) product and is part of EMS (Enterprise Mobility Suite). Intune can be used standalone or integrated with SCCM to manage mobile devices.

Introduction to Windows Powershell

Windows PowerShell is Microsoft's scripting environment and ships with the Microsoft operating system. It is a widely used scripting language for performing different kinds of automation on machines running Windows.

Introduction to Microsoft SQL Server

SQL Server is Microsoft's database product and is widely used as a database server on Windows servers. As an SCCM specialist, one must know SQL Server, from querying the database to administration.

Introduction to Windows 10

Windows 10 is Microsoft's latest client operating system and is more advanced than its previous versions such as 8.1, 8 and 7. Microsoft introduced lots of features in Windows 10.

Sunday, October 15, 2017

ClickJack, MIME, Code Injection and CSS attack in HTTP header

I was working on SCCM server vulnerabilities in terms of the OS and the applications installed on it.

There are four specific HTTP header attacks which your IT security team may ask you to fix on those SCCM servers where IIS is running.


Normally, the four HTTP headers below are important to add and set with a value (the value may differ as per the requirement) on your SCCM server running IIS, if they were not added earlier.

X-XSS-Protection: To prevent XSS (Cross Site Scripting) attacks, the header named 'X-XSS-Protection' has been set with the value '1;mode=block', which means the XSS filter is enabled and the browser will not render the page if an attack is detected.

X-Frame-Options: To prevent ClickJacking attacks on the website, the 'X-Frame-Options' header has been set with the value 'SAMEORIGIN', which means framing the content (frame/iframe) is only allowed from the same site origin. It is not good to set the value to 'DENY'.

X-Content-Type-Options: To prevent MIME attacks, the header named 'X-Content-Type-Options' has been set with the value 'nosniff', which prevents content sniffing.

Content-Security-Policy: To prevent code injection attacks, the 'Content-Security-Policy' header has been set with the value 'default-src 'self'', which means load everything only from the defined source, i.e. the site's own origin.

How to set the header and its value?

1) Open CMD, or open Run and type 'inetmgr', to open the IIS console. In my case, it is IIS version 8.
2) Expand the IIS console node on the left side and browse to your target website. In my SCCM server's case, it was Default Web Site.
3) Click the target website.
4) Go to the 'HTTP Response Headers' option (in the middle pane) and double-click to open it.
5) Click "Add" under Actions.
6) Enter the Name and Value (as mentioned above) and click OK to apply.
7) Restart IIS.
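The same seven steps can be scripted so they are repeatable across several SCCM site systems and so the result can be verified. The following PowerShell is an added example, not code from the original post: it uses the WebAdministration module that ships with IIS to add or correct the four headers described above on a site, restarts IIS, and then checks the live response. It assumes Windows PowerShell 5.1 on the IIS server itself, an elevated session, and that the site name and URL (placeholders below) are replaced with your own; the header values are the ones from the post and may need adjusting to your requirement.

```powershell
# Added example (not from the original post): set the four response headers on
# an IIS site with the WebAdministration module, then verify them over HTTP.
# Assumptions: Windows PowerShell 5.1, IIS with WebAdministration, elevated
# session; site name and URL below are placeholders for your SCCM server.
Import-Module WebAdministration

$siteName = 'Default Web Site'                    # placeholder: your target site
$psPath   = "IIS:\Sites\$siteName"
$filter   = 'system.webServer/httpProtocol/customHeaders'

# Header values from the post; adjust as per your requirement. A strict CSP
# like default-src 'self' blocks inline scripts/styles and off-origin content,
# so test the site after applying it.
$headers = [ordered]@{
    'X-XSS-Protection'        = '1;mode=block'
    'X-Frame-Options'         = 'SAMEORIGIN'
    'X-Content-Type-Options'  = 'nosniff'
    'Content-Security-Policy' = "default-src 'self'"
}

foreach ($name in $headers.Keys) {
    $value    = $headers[$name]
    $existing = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name 'Collection' |
                Where-Object { $_.name -eq $name }
    if ($null -eq $existing) {
        # Equivalent of "Add" in the HTTP Response Headers feature of inetmgr
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -Value @{ name = $name; value = $value }
        Write-Host "Added   $name : $value"
    } elseif ($existing.value -ne $value) {
        # Header already present with a different value: correct it in place
        Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@name='$name']" `
            -Name 'value' -Value $value
        Write-Host "Updated $name : $value"
    } else {
        Write-Host "OK      $name : $value"
    }
}

# Step 7 of the post: restart IIS so the changed configuration takes effect
iisreset | Out-Null

# Verify what the server actually sends. The URL is a placeholder; use a page on
# the site that answers with a 2xx status, otherwise Invoke-WebRequest throws.
$response = Invoke-WebRequest -Uri 'http://localhost/' -UseBasicParsing
foreach ($name in $headers.Keys) {
    $got = "$($response.Headers[$name])"
    if ($got -eq $headers[$name]) { Write-Host "PASS $name" }
    else                          { Write-Warning "FAIL $name (got '$got')" }
}
```

The script is idempotent: running it twice reports OK for every header rather than creating duplicate entries, which is what makes it safe to include in a build or compliance script. Because the headers are written to the site's web.config, a site that is later recreated or redeployed loses them; keeping the verification loop in a scheduled check catches that regression.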

(Screenshot: iis-x-xss-protection)

That's it! You are done.