Something that has come up in some of our recent testing is that some of our websites accept HTTP verbs that should probably be blocked, and with IIS they can be.
To recap, we're used to the idea of GET or POST requests, but there are a lot more…
Basically, the ones in bold are the ones I would block, including all the methods used by WebDAV. The only reason I can find for allowing methods such as PUT, PATCH or DELETE is that the site implements a RESTful API that actually handles them.
Otherwise, removing the other verbs reduces your attack surface and seems a sensible idea. Do note that penetration tests and vulnerability scanners will often flag PUT or DELETE being accepted as a finding, even when nothing on the server acts on them, so blocking them at the IIS level also removes a recurring report item.
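As an added example (not from the original post), this is the web.config fragment I would drop into a site that only needs GET, POST and HEAD. It uses the IIS request filtering `<verbs>` element with `allowUnlisted="false"`, so anything not explicitly listed is rejected, and it removes the WebDAV module and handler so PUT, DELETE, PROPFIND and the rest are not serviced by WebDAV behind your back. The set of allowed verbs is an assumption for a plain content site; a site hosting a REST API would add PUT, PATCH and DELETE to the allowed list instead.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>

    <!-- Drop the WebDAV module and handler for this site. Request filtering
         applies to WebDAV too (applyToWebDAV="true"), but removing the module
         means there is nothing left to process PUT/DELETE/PROPFIND at all. -->
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <handlers>
      <remove name="WebDAV" />
    </handlers>

    <security>
      <requestFiltering>
        <!-- allowUnlisted="false": any verb not listed below is rejected.
             Allowed set is an assumption for a read-only/forms site. -->
        <verbs allowUnlisted="false" applyToWebDAV="true">
          <add verb="GET"  allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
          <!-- Explicit denies are redundant with allowUnlisted="false",
               but make the intent obvious to the next person reading it. -->
          <add verb="OPTIONS"  allowed="false" />
          <add verb="TRACE"    allowed="false" />
          <add verb="PUT"      allowed="false" />
          <add verb="PATCH"    allowed="false" />
          <add verb="DELETE"   allowed="false" />
          <add verb="PROPFIND" allowed="false" />
          <add verb="MKCOL"    allowed="false" />
          <add verb="COPY"     allowed="false" />
          <add verb="MOVE"     allowed="false" />
        </verbs>
      </requestFiltering>
    </security>

  </system.webServer>
</configuration>
```

A couple of practical notes. Request filtering rejects a blocked verb with HTTP 404 and substatus 6 (404.6, "Verb denied"), not 405, so a scanner that only looks for 405 will still see a 404 and treat the verb as unavailable, which is what you want. The `<modules>` and `<handlers>` removals need the section to be unlocked at server level (or the WebDAV role service not installed at all); if the site's web.config fails with a locked-section error after adding them, remove those two blocks and disable WebDAV in IIS Manager instead. Finally, verify after deploying: send a PUT and a PROPFIND to the site and confirm they come back 404.6 rather than 200 or 207.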