4.8 Ensure Handler is not granted Write and Script/Execute - Applications

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Handler mappings can be granted Read, Write, Script, or Execute permissions depending on what the mapped content is used for: serving static content, accepting uploads, running scripts, and so on. It is recommended to grant a handler either Execute/Script or Write permission, but never both.
Rationale:
When a handler holds both Execute/Script and Write permission, anyone who can write content through that handler (for example by uploading a file) can then have the server execute it. Keeping these two permissions apart lowers the risk of malicious code being executed on the server.

Solution

The accessPolicy attribute of the <handlers> section, in either ApplicationHost.config (server-wide) or a web.config (site or application), must not contain Write when Script or Execute is present. To resolve this for the Web server as a whole, the attribute in the <handlers> section of the server's ApplicationHost.config file must be edited manually. To edit ApplicationHost.config with Notepad, perform the following steps:
1. Open Notepad as Administrator
2. Open the ApplicationHost.config file in %systemroot%\system32\inetsrv\config
3. Edit the <handlers> section accessPolicy attribute so that Write is not present when Script or Execute are present
Enter the following command in AppCmd.exe to configure:
%systemroot%\system32\inetsrv\appcmd set config /section:handlers /accessPolicy:Read,Script
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/handlers' -name 'accessPolicy' -value 'Read,Script'
Note: This configuration change cannot be made by using IIS Manager.
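The commands above set the server-wide value only. Because the audit is scoped to applications, a practitioner usually wants to read the effective accessPolicy for every site and application (which includes anything a site or application web.config adds) and flag the Write-plus-Script/Execute combination wherever it appears. The script below is an added example, not part of the CIS benchmark text; it assumes the WebAdministration module (IIS 7.5 or later), an elevated PowerShell session, and that Get-WebConfigurationProperty returns the flags attribute as a comma-separated string such as "Read, Script". The helper names (Get-HandlerAccessPolicy, Test-WriteWithExecute, Set-HandlerAccessPolicy) are this example's own.

```powershell
# Added example (not from the CIS benchmark): audit the handlers accessPolicy at
# server, site and application scope for Write combined with Script or Execute,
# and optionally strip Write. Assumes WebAdministration and an elevated session.
Import-Module WebAdministration

$Filter  = 'system.webServer/handlers'
$AppHost = 'MACHINE/WEBROOT/APPHOST'

function Get-HandlerAccessPolicy {
    param([string]$Location)   # '' = ApplicationHost.config, otherwise 'Site' or 'Site/App'
    $params = @{ PSPath = $AppHost; Filter = $Filter; Name = 'accessPolicy' }
    if ($Location) { $params.Location = $Location }
    # Assumption: the flags attribute comes back as a string like 'Read, Script';
    # normalise it to an array of individual flag names.
    $value = [string](Get-WebConfigurationProperty @params)
    return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-WriteWithExecute {
    param([string[]]$Flags)
    # The benchmark's failure condition: Write present alongside Script or Execute.
    return (($Flags -contains 'Write') -and
            (($Flags -contains 'Script') -or ($Flags -contains 'Execute')))
}

function Set-HandlerAccessPolicy {
    param([string]$Location, [string[]]$Flags)
    $params = @{ PSPath = $AppHost; Filter = $Filter; Name = 'accessPolicy'; Value = ($Flags -join ',') }
    if ($Location) { $params.Location = $Location }
    Set-WebConfigurationProperty @params
}

# Build the list of scopes: server-wide first, then each site and each application under it.
$scopes = @('')
foreach ($site in Get-Website) {
    $scopes += $site.Name
    foreach ($app in Get-WebApplication -Site $site.Name) {
        $scopes += "$($site.Name)$($app.Path)"    # e.g. 'Default Web Site/upload'
    }
}

$Remediate = $false   # set to $true to remove Write wherever it co-occurs with Script/Execute
foreach ($scope in $scopes) {
    $label = if ($scope) { $scope } else { '<server>' }
    $flags = Get-HandlerAccessPolicy -Location $scope
    if (Test-WriteWithExecute -Flags $flags) {
        Write-Warning "$label : accessPolicy='$($flags -join ', ')' grants Write with Script/Execute"
        if ($Remediate) {
            $fixed = @($flags | Where-Object { $_ -ne 'Write' })
            Set-HandlerAccessPolicy -Location $scope -Flags $fixed
            Write-Output "$label : accessPolicy set to '$($fixed -join ',')'"
        }
    } else {
        Write-Output "$label : accessPolicy='$($flags -join ', ')' OK"
    }
}
```

Reading with -Location returns the merged, effective value for that scope, so a Write flag introduced by an application's own web.config is reported even when ApplicationHost.config is clean. Run with $Remediate left at $false first and review the warnings; the remediation only removes Write and leaves the remaining flags as found, so a handler that legitimately needs Write for uploads should instead have Script/Execute removed by hand.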
Default Value:
The default handlers accessPolicy is Read, Script.

See Also

https://workbench.cisecurity.org/files/2297