4.9 Ensure 'notListedIsapisAllowed' is set to false

Information

The notListedIsapisAllowed attribute is a server-level setting that is located in the ApplicationHost.config file in the <isapiCgiRestriction> element of the <system.webServer> section under <security>. This element ensures that malicious users cannot copy unauthorized ISAPI binaries to the Web server and then run them. It is recommended that notListedIsapisAllowed be set to false.

Rationale:

Restricting this attribute to false will help prevent potentially malicious ISAPI extensions from being run.

Solution

To use IIS Manager to set the notListedIsapisAllowed attribute to false:

Open IIS Manager as Administrator

In the Connections pane on the left, select server to be configured

In Features View, select ISAPI and CGI Restrictions; in the Actions pane, select Open Feature

In the Actions pane, select Edit Feature Settings

In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified ISAPI modules check box, if checked

Click OK

To set this Request Filter using an AppCmd.exe command, run the following command at an elevated command prompt:

%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /notListedIsapisAllowed:false

See Also

https://workbench.cisecurity.org/benchmarks/14293

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18b.

Plugin: Windows

Control ID: ca326e830554431eda0cad203cd8ad1a3e4b99c35ee262fd453e1e315b42086b