4.8 Ensure Handler is not granted Write and Script/Execute - Default

Information

Handler mappings can be configured to give permissions to Read, Write, Script, or Execute depending on what the use is for - reading static content, uploading files, executing scripts, etc. It is recommended to grant a handler either Execute/Script or Write permissions, but not both.

By allowing both Execute/Script and Write permissions, a handler can run malicious code on the target server. Ensuring these two permissions are never together will help lower the risk of malicious code being executed on the server.

Solution

The accessPolicy attribute in the <handlers> section of either the applicationHost.config (server-wide) or web.config (site or application) must not have Write present when Script or Execute are present. To resolve this issue for a Web server, the attribute in the <handlers> section of the applicationHost.config file for the server must manually be edited. To edit the applicationHost.config file by using Notepad, perform the following steps:
1. Open Notepad as Administrator
2. Open the applicationHost.config file in %systemroot%\system32\inetsrv\config
3. Edit the <handlers> section accessPolicy attribute so that Write is not present when Script or Execute are present

Note: This configuration change cannot be made by using IIS Manager.

See Also

https://workbench.cisecurity.org/files/165

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Windows

Control ID: c3bfaca3d4262c0f6be9da921a410b73d7c2c621fdfb037ab6a014a0eee4e09f