Lock down your HTTP Verbs

Something that has come up in some of our testing recently is that some of our websites have HTTP verbs allowed that probably should be blocked – and with IIS they can be.

To recap, we're used to the idea of GET or POST requests, but there are many more:

Standard Methods

  • HEAD
  • GET
  • POST
  • DELETE
  • PUT
  • CONNECT
  • OPTIONS
  • TRACE
  • PATCH

WebDAV Methods

  • PROPFIND
  • PROPPATCH
  • MOVE
  • COPY
  • LOCK
  • UNLOCK
  • MKCOL

Misc. Others

  • DEBUG
  • TRACK

Basically, the ones in bold I would block, including all the methods used in WebDAV. The only reason I can find for allowing methods such as PUT, PATCH or DELETE is if you are implementing a RESTful API.

Otherwise, removing the other verbs reduces your attack surface and seems a sensible idea. Do note that a penetration test will sometimes flag methods such as PUT or DELETE simply for being available.
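As an added example (not from the original post), this is a web.config fragment for IIS 7 and later that uses request filtering to allow only HEAD, GET and POST and rejects every other verb, and removes the WebDAV module so PROPFIND, MKCOL and friends are never handled; the choice of allowed verbs is an assumption for a site that exposes no RESTful API, and the WebDAV removal only matters if the WebDAV Publishing role is installed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- allowUnlisted="false" turns the list into an allow-list:
             any verb not explicitly added below is rejected
             (IIS answers with 404, substatus 404.6 "Verb denied") -->
        <verbs allowUnlisted="false">
          <add verb="HEAD" allowed="true" />
          <add verb="GET"  allowed="true" />
          <add verb="POST" allowed="true" />
          <!-- Assumed: no RESTful API on this site, so PUT, PATCH, DELETE,
               OPTIONS, TRACE, TRACK, DEBUG and all WebDAV verbs stay blocked.
               Add entries here if an API genuinely needs them. -->
        </verbs>
      </requestFiltering>
    </security>
    <!-- Only relevant when WebDAV Publishing is installed: unload the
         module and handler so WebDAV verbs are not processed at all -->
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <handlers>
      <remove name="WebDAV" />
    </handlers>
  </system.webServer>
</configuration>
```

After deploying, check the IIS log for 404.6 entries to confirm the filter is active and to spot any legitimate client that was relying on a now-blocked verb.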
