4.8 Ensure Handler is not granted Write and Script/Execute - Default

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Handler mappings can be configured to grant Read, Write, Script, or Execute permissions depending on what the handler is used for: reading static content, uploading files, executing scripts, and so on. It is recommended to grant a handler either Execute/Script or Write permissions, but not both.
Rationale:
By allowing both Execute/Script and Write permissions, a handler can be used to upload content and then run it as code on the target server. Ensuring these two permissions are never granted together lowers the risk of malicious code being executed on the server.

Solution

The accessPolicy attribute in the <handlers> section of either the ApplicationHost.config (server-wide) or web.config (site or application) must not have Write present when Script or Execute are present. To resolve this issue for a Web server, the attribute in the <handlers> section of the ApplicationHost.config file for the server must manually be edited. To edit the ApplicationHost.config file by using Notepad, perform the following steps:
1. Open Notepad as Administrator
2. Open the ApplicationHost.config file in %systemroot%\system32\inetsrv\config
3. Edit the <handlers> section accessPolicy attribute so that Write is not present when Script or Execute are present
To set the handlers accessPolicy using an AppCmd.exe command, run the following command at an elevated command prompt:
%systemroot%\system32\inetsrv\appcmd set config /section:handlers /accessPolicy:Read,Script
Note: This configuration change cannot be made by using IIS Manager.
Default Value:
The default handlers accessPolicy is Read, Script.
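The following PowerShell check is an added example, not part of the CIS benchmark or the Tenable audit text. It parses the accessPolicy attribute of every <handlers> element in an applicationHost.config document (server-wide and <location>-scoped) and flags any scope where Write appears together with Script or Execute. The applicationHost.config fragment embedded below is constructed for the demonstration; the function and parameter names (Test-HandlerAccessPolicy, Get-HandlersAccessPolicy, -Config) are this example's own.

```powershell
# Added example: audit <handlers accessPolicy="..."> for the Write + Script/Execute combination.
# Function and parameter names below are this example's own, not IIS or AppCmd identifiers.

function Test-HandlerAccessPolicy {
    param([Parameter(Mandatory)] [string] $AccessPolicy)

    # accessPolicy is a comma-separated flag list, e.g. "Read, Script".
    # -contains is case-insensitive, which matches how IIS treats the flag names.
    $flags      = $AccessPolicy -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $hasWrite   = $flags -contains 'Write'
    $hasExecute = ($flags -contains 'Script') -or ($flags -contains 'Execute')
    $violation  = $hasWrite -and $hasExecute

    [pscustomobject]@{
        AccessPolicy = ($flags -join ',')
        Compliant    = -not $violation
        Reason       = if ($violation) { 'Write granted together with Script/Execute' } else { 'OK' }
    }
}

function Get-HandlersAccessPolicy {
    param([Parameter(Mandatory)] [xml] $Config)

    # Walk every <handlers> element so <location>-scoped overrides are checked, not only the server default.
    foreach ($node in $Config.SelectNodes('//handlers')) {
        $policy = $node.GetAttribute('accessPolicy')
        if (-not $policy) { $policy = 'Read, Script' }   # IIS default when the attribute is absent

        # <handlers> sits under <system.webServer>, whose parent is either <configuration> or <location>.
        $container = $node.ParentNode.ParentNode
        $scope = if ($container.LocalName -eq 'location') { $container.GetAttribute('path') } else { 'server' }

        $result = Test-HandlerAccessPolicy -AccessPolicy $policy
        $result | Add-Member -NotePropertyName Scope -NotePropertyValue $scope -PassThru
    }
}

# Constructed sample: a compliant server-wide policy and a non-compliant per-site override.
# To audit a real server, load the file instead:
#   $cfg = [xml](Get-Content -Raw "$env:SystemRoot\System32\inetsrv\config\applicationHost.config")
$sampleConfig = [xml] @"
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script" />
  </system.webServer>
  <location path="Default Web Site/uploads">
    <system.webServer>
      <handlers accessPolicy="Read, Write, Script" />
    </system.webServer>
  </location>
</configuration>
"@

Get-HandlersAccessPolicy -Config $sampleConfig |
    Select-Object Scope, AccessPolicy, Compliant, Reason |
    Format-Table -AutoSize
```

For the constructed sample the server scope reports Compliant = True and the "Default Web Site/uploads" scope reports Compliant = False. Any scope flagged this way is remediated as described above, by removing Write (or removing Script and Execute) from that scope's accessPolicy, for example with the appcmd command shown in the Solution, which restores the default of Read, Script.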

See Also

https://workbench.cisecurity.org/files/2220

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv7|18

Plugin: Windows

Control ID: 8e04ca2a24c46c98a700f3cf99a832fb7b432a9a3a8911e68fc6daacb6b023e8