
Hi Everyone,

As per security best practices, our CRM servers recently went through a vulnerability assessment scan. One of the critical issues highlighted was: HTTP Options Method Enabled.

 

What is HTTP OPTIONS?

The OPTIONS method provides a list of the methods that are supported by the web server. Although this may sometimes seem beneficial, it also provides useful information to an attacker. Hence it is recommended to disable the OPTIONS method.

 

How to Disable the HTTP OPTIONS?

HTTP OPTIONS can be disabled by denying the verb “OPTIONS” from the request filtering rules (HTTP Verbs Tab) in IIS.

a. Open IIS manager

b. Select the Website: Microsoft Dynamics CRM

c. Select Request Filtering option

d. Choose the HTTP Verbs tab

 

You might notice the following verbs:

  • OPTIONS = True
  • TRACE = False


 

e. Select the OPTIONS verb and click Remove in the Actions pane.

f. Then, in the same Actions pane, click Deny Verb...

g. Set it to OPTIONS
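
To confirm the change from the client side, the way the scanner would, the following added example (not code from the original post) sends a single OPTIONS request and classifies the reply. The `RISKY` list and the function names are assumptions of this example; a denied verb is expected to come back as 404 because IIS Request Filtering rejects it with substatus 404.6.

```python
# Added example, not from the original post: re-test the scanner finding.
import http.client
from urllib.parse import urlsplit

RISKY = {"TRACE", "PUT", "DELETE", "CONNECT"}  # assumption: this example's own watch list


def assess_options(status, headers):
    """Classify a server's reply to an OPTIONS request (headers: dict, any case)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    advertised = set()
    # IIS lists the supported methods in both the Allow and the Public header.
    for name in ("allow", "public"):
        for method in hdrs.get(name, "").split(","):
            if method.strip():
                advertised.add(method.strip().upper())
    if 200 <= status < 300:
        verdict = "OPTIONS enabled"
    elif status in (404, 405):
        # 404 is what Request Filtering returns for a denied verb (404.6 in the IIS log).
        verdict = "OPTIONS denied"
    else:
        verdict = "inconclusive"  # e.g. 401 when the site demands authentication first
    return {"verdict": verdict, "advertised": sorted(advertised),
            "risky": sorted(advertised & RISKY)}


def probe(url, timeout=10):
    """Send one OPTIONS request to url and assess the reply."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("OPTIONS", parts.path or "/")
        resp = conn.getresponse()
        return assess_options(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # pass the CRM site URL as the only argument
```

Run it against the CRM site URL before and after step g: the verdict should change from "OPTIONS enabled" to "OPTIONS denied", and the `advertised` list should come back empty.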


 

There are a few other articles here and here that are worth reading, with some additional information on securing web servers.

 

Hope this would be helpful!

Thanks ! 😀