WA000-WI050 IIS6 - Unused and vulnerable script mappings in IIS 6 must be removed. - 'Server Side Includes Disallowed'

Information

IIS file extensions that require server-side processing and have been deemed vulnerable include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests for these file types can exploit a stack buffer overflow weakness in ism.dll, httpodbc.dll, and ssinc.dll.

Solution

Remove unused and vulnerable script mappings.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CAT|I, Rule-ID|SV-16145r2_rule, STIG-ID|WA000-WI050_IIS6, Vuln-ID|V-2267

Plugin: Windows

Control ID: 6b7449ad5ac42ca866d891bd95d944e604c125de3e2049fd3cc2169d56f958e0