WG410 IIS6 - Interactive scripts must have proper access controls. - 'AspScriptTimeout set to 90 or less'

Information

CGI is a 'programming standard' for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and Javascript), each having their own unique file extension.

The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.
NOTE: Manual verification is required in order to determine if the system's Application Setting 'Execute Permission' is set to 'Script Only'.

Solution

1. Set the ownership of the CGI scripts to system, the service account running the web service, the web author, and/or the SA.
2. Set the CGI script permissions for the anonymous web user account to Read or Read/Execute.
3. Set the Application settings sections Execute permissions to Scripts only.
4. Uncheck the Enable parent paths check box.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-12, 800-53|SC-5, CAT|II, Rule-ID|SV-28848r1_rule, STIG-ID|WG410_IIS6, Vuln-ID|V-2229

Plugin: Windows

Control ID: f3af528b2d6c14f7b6d294ad01e32eb574417088418b87b0917e6aeecacabf05