4.10 Ensure 'notListedCgisAllowed' is set to false

Information

The notListedCgisAllowed attribute is a server-level setting located in the ApplicationHost.config file, on the <isapiCgiRestriction> element under <security> in the <system.webServer> section. This element ensures that malicious users cannot copy unauthorized CGI binaries to the Web server and then run them.

It is recommended that notListedCgisAllowed be set to false.

Rationale:

Setting this attribute to false will help prevent unlisted CGI extensions, including potentially malicious CGI scripts, from being run.

Impact:

Unlisted CGI extensions will not be allowed.

Solution

To set the notListedCgisAllowed attribute to false using IIS Manager:

Open IIS Manager as Administrator

In the Connections pane on the left, select the server to configure

In Features View, select ISAPI and CGI Restrictions; in the Actions pane, select Open Feature

In the Actions pane, select Edit Feature Settings

In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified CGI modules check box

Click OK

To configure the same setting from the command line, run the following AppCmd.exe command:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /notListedCgisAllowed:false

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/isapiCgiRestriction' -name 'notListedCgisAllowed' -value 'False'
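
To verify the result after applying any of the methods above, the following check reads the effective server-level value and lists the CGI/ISAPI entries that remain explicitly allowed. It is an added example, not part of the benchmark text; it assumes the WebAdministration module is installed and the session is elevated, and the helper names Test-NotListedCgisAllowed and Get-CgiRestrictionEntry are hypothetical.

```powershell
# Added example: audit check for this control (not part of the benchmark text).
# Assumes the WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration -ErrorAction Stop

$PsPath = 'MACHINE/WEBROOT/APPHOST'
$Filter = 'system.webServer/security/isapiCgiRestriction'

# Hypothetical helper: returns the effective value and whether it passes the control.
# Get-WebConfigurationProperty reports the effective value, so an attribute that is
# absent from ApplicationHost.config is reported as its default.
function Test-NotListedCgisAllowed {
    $attr  = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name 'notListedCgisAllowed'
    $value = [bool]$attr.Value
    [pscustomobject]@{
        Setting   = 'notListedCgisAllowed'
        Value     = $value
        Compliant = (-not $value)
    }
}

# Hypothetical helper: lists the explicit <add> entries in the restriction list.
# With notListedCgisAllowed set to false, only entries marked allowed can run.
function Get-CgiRestrictionEntry {
    Get-WebConfiguration -PSPath $PsPath -Filter "$Filter/add" |
        Select-Object @{ n = 'Path';        e = { $_.path } },
                      @{ n = 'Allowed';     e = { [bool]$_.allowed } },
                      @{ n = 'Description'; e = { $_.description } }
}

$result = Test-NotListedCgisAllowed
$result | Format-List

# Review this list: every allowed entry is a binary the server will execute.
Get-CgiRestrictionEntry | Where-Object Allowed | Format-Table -AutoSize

if (-not $result.Compliant) {
    Write-Warning 'notListedCgisAllowed is true: CGI binaries that are not in the list can run.'
    exit 1
}
```

Saved as a script, the non-zero exit code lets a scheduled compliance job flag the server when the setting drifts from false.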

Default Value:

The default value for notListedCgisAllowed is false.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-8, CSCv7|18

Plugin: Windows

Control ID: c4060cafb340cbe7babd6b0d3ef05f434e16c0bb90ceeb36038a67195c9baaf1