1

From this article : Disable Trace/Track in IIS | Techstacks HOWTO's, I came to know that you need to install UrlScan Filter to disable TRACE/TRACK requests on IIS 7.5. However, I had trouble installing UrlScan Filter (I'm not a .NET developer) -- Microsoft UrlScan Filter v3.1 Setup Wizard fails with message IIS Metabase is required | Server Fault.

Are there other ways of disabling TRACE/TRACK requests ?

anjanb
  • 151
  • 1
  • 3
  • 13

2 Answers2

2

On IIS 7.0 or later, it didn't rely on UrlScan anymore. You can configure <requestFiltering> to DENY the verb TRACE. For example, in your web.config: 

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <verbs>
               <add verb="TRACE" allowed="false" />
            </verbs>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

You can find details here: https://docs.microsoft.com/en-us/iis/configuration/system.webServer/security/requestFiltering/verbs/

Chun Liu
  • 426
  • 2
  • 7
1

If anyone is still having difficulty disabling TRACE/TRACK verbs, here are the instructions to do it via IIS Manager:

  1. Go to IIS Manager
  2. Click the website name
  3. Double click “Request Filtering” (If you don’t see Request Filtering icon, please install it)
  4. Go to “HTTP Verbs” tab
  5. Click “Deny Verb” from the Actions menu. Type “TRACE”. Click “OK”
  6. Click “Deny Verb” from the Actions menu. Type “TRACK”. Click “OK”

Please note that TRACK verb is disabled by default after IIS 7. TRACE is disabled as well except IIS 8.5:

enter image description here

For more information on this topic: How to disable HTTP TRACK and TRACE verbs in IIS?

Ned
  • 156
  • 2