Detections
Analytics
WG205 IIS6 - The web document (home) directory must be on a separate partition from the web servers system files.
Information
Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by mis-configuring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.NOTE: Review each site's path to ensure it is not on the same partition as the system files or a child of the web application's directory.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Change the home directory to a partition other than the partition containing the web server system files.See Also
http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip
Item Details
Audit Name: DISA STIG IIS 6.0 Site Checklist v6r16
Category: CONFIGURATION MANAGEMENT
References: 800-53|CM-6b., CAT|II, Rule-ID|SV-30041r1_rule, STIG-ID|WG205_IIS6, Vuln-ID|V-3333
Plugin: Windows
Control ID: 1928781a52316d7a9f9ab4db10a1fa065cbe46183e3a33bbc17006156d94840e