Penetration tools may alert if IIS server is accepting requests with HTTP OPTIONS method. This is because the response to these requests may reveal what other methods are supported by the web server.
Follow the steps below to disable OPTIONS method.
- Open IIS Manager
- Click the server name
- Double click on Request Filtering
- Go to HTTP Verbs tab
- On the right side, click Deny Verb
- Type OPTIONS. Click OK
If the security scan report shows a vulnerability about IIS default page, check this post out: Vulnerability “Remove the default page or stop/disable the IIS server”