WA000-WI035 - The IISADMPWD directory has not been removed from the Web Server.

Information

Vulnerability Key: V0013698
IA Controls: ECSC-1 Security Configuration Compliance
Categories: 2.2 Least Privilege
Severity: Category I
Ref: WEB SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE Section 2.1
The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of userid and passwords
is a far less secure solution for controlling user access to web applications than a PKI solution with subscriber certificates.
The capability to be able to change password externally gives potential intruders an easier mechanism to access the system in an
effort to compromise the userids and passwords.

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., Rule-ID|SV-38148r1_rule

Plugin: Windows

Control ID: 31f0b95a56b633a94445409a4b73117c22f0fc63afc7c6086ebea0d081d3548c