4.8 Ensure Handler is not granted Write and Script/Execute - Default

Information

Handler mappings can be configured to grant Read, Write, Script, or Execute permissions depending on the intended use: reading static content, uploading files, executing scripts, and so on.

It is recommended to grant a handler either Execute/Script or Write permissions, but not both.

Rationale:

By allowing both Execute/Script and Write permissions on the same handler, content written to the server through that handler could also be executed on it. Ensuring these two permissions are never combined lowers the risk of malicious code being executed on the server.

Impact:

N/A

Solution

The accessPolicy attribute in the <handlers> section of either the ApplicationHost.config (server-wide) or web.config (site or application) must not contain Write when Script or Execute is present. To resolve this issue for a Web server, the accessPolicy attribute in the <handlers> section of the ApplicationHost.config file for the server must be edited manually. To edit the ApplicationHost.config file by using Notepad, perform the following steps:

Open Notepad as Administrator

Open the ApplicationHost.config file in %systemroot%\system32\inetsrv\config

Edit the <handlers> section accessPolicy attribute so that Write is not present when Script or Execute is present

Enter the following command in AppCmd.exe to configure:

%systemroot%\system32\inetsrv\appcmd set config /section:handlers /accessPolicy:Read,Script

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/handlers' -name 'accessPolicy' -value 'Read,Script'

Note: This configuration change cannot be made by using IIS Manager.
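The following PowerShell script is an added example and is not part of the benchmark or Tenable audit text. It audits the handlers accessPolicy at the server level and for each site, flags any location where Write is combined with Script or Execute, and can remove Write from the non-compliant policy. It assumes the WebAdministration module is available and that Get-WebConfigurationProperty returns the flags as a comma-separated string (the code also accepts an object with a Value member); the function name Test-HandlerAccessPolicy and the $Remediate switch are the example's own.

```powershell
# Added example (not from the audit page): audit and optionally remediate the
# handlers accessPolicy so that Write is never combined with Script or Execute.
Import-Module WebAdministration

# Set to $true only after reviewing the audit output; by default this script only reports.
$Remediate = $false

function Test-HandlerAccessPolicy {
    param([string]$PsPath, [string]$Location)
    $raw = Get-WebConfigurationProperty -PSPath $PsPath -Filter 'system.webServer/handlers' -Name 'accessPolicy'
    # Assumption: the property is returned as a string such as "Read, Script";
    # some module versions wrap it in an object with a .Value member.
    $value = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    $flags = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $hasWrite = $flags -contains 'Write'
    $hasExec  = ($flags -contains 'Script') -or ($flags -contains 'Execute')
    [pscustomobject]@{
        Location     = $Location
        PsPath       = $PsPath
        AccessPolicy = ($flags -join ',')
        Compliant    = -not ($hasWrite -and $hasExec)
    }
}

# Server-wide policy from applicationHost.config, then each site's effective policy
$results = @()
$results += Test-HandlerAccessPolicy -PsPath 'MACHINE/WEBROOT/APPHOST' -Location 'Server (applicationHost.config)'
foreach ($site in Get-Website) {
    $results += Test-HandlerAccessPolicy -PsPath "IIS:\Sites\$($site.Name)" -Location $site.Name
}
$results | Format-Table Location, AccessPolicy, Compliant -AutoSize

if ($Remediate) {
    foreach ($r in $results | Where-Object { -not $_.Compliant }) {
        # Keep every flag except Write, e.g. "Read,Script,Write" becomes "Read,Script"
        $fixed = (($r.AccessPolicy -split ',') | Where-Object { $_ -ne 'Write' }) -join ','
        Set-WebConfigurationProperty -PSPath $r.PsPath -Filter 'system.webServer/handlers' `
            -Name 'accessPolicy' -Value $fixed
        Write-Host "Updated $($r.Location): $($r.AccessPolicy) -> $fixed"
    }
}
```

A site whose web.config does not override accessPolicy reports the inherited server value, so a non-compliant server entry will usually appear for every site as well; fix the server level first and re-run.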

Default Value:

The default value of the handlers accessPolicy attribute is Read,Script.

See Also

https://workbench.cisecurity.org/benchmarks/13949

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CSCv7|18

Plugin: Windows

Control ID: 0600cff99b8b2922881185ec9c80487b0b78af76892760a52e2ac38f1830634f