WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.inc file permissions'

Information

Owing to the nature of .inc files, which may contain sensitive logic and potentially reveal sensitive information about the architecture of the web server, it is vital that the end user not be able to access and examine code that is included in .inc files. When server side scripting is the preferred method, this is normally not a problem. Nonetheless, there are key files inherent to the process, which can contain information key to the logic, server structure and configuration of the entire application. The include files for many .asp script files are .inc files. If the correct file name is guessed or derived, their contents will be displayed by a browser. The file must be guarded from prying eyes of the anonymous web user. If the site has named their include files with the .asp extension, then the files will be processed as an .asp file, which by the nature of .asp, will prevent that code from being presented. If the files are named with the .inc extension, or equivalent, SAs do not have this advantage.

Java Server Pages, jsp, is another example of a competing technology which the reviewer will also encounter, that are impacted by this issue. The sample principles outlined here will apply to inlcude files used with Java Server Pages.

In addition, there are some additional files that need to be protected, which include the global.asa and global.asax files.
NOTE: This check only searches the 'C:' drive, if the system has multiple drives ensure each drive doesn't contain compilers.
NOTE: If there is nothing reported in the plugin output then Nessus did not find any files named global.asa.
NOTE: If any .inc files were found review the permissions to ensure IUSR_machinename does not have read access and these extensions are mapped to the asp.dll.

Solution

Remove read permissions for the IUSR_machinename account from the .inc files and their equivalent.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CAT|II, Rule-ID|SV-38009r1_rule, STIG-ID|WA000-WI030_IIS6, Vuln-ID|V-2268

Plugin: Windows

Control ID: 34b950032a951e8be28a17d49709851adfa0f6105bb0bd7839c53af75e886a97