WG204 IIS6 - A web server must not be co-hosted with other services

Information

A detailed web server installation and configuration plan should be followed to provide standardization during the installation process. The installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server providing the web publishing service.

Disallowed or restricted services in the context of this vulnerability apply to services not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, e-mail server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any unnecessary services or protocols should be removed.
NOTE: Review the list of running services to ensure only required services have been started and/or running.

Solution

Move or install additional services and applications to partitions that are not the operating system root or the web document root.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CAT|II, Rule-ID|SV-38196r1_rule, STIG-ID|WG204_IIS6, Vuln-ID|V-6577

Plugin: Windows

Control ID: 2d459fe71fc993bf14dcf5dd6d510783207c1f9ae9cb30fa5015f788464e37b8