WA000-WI035 - The IISADMPWD directory has not been removed from the Web Server.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Vulnerability Key: V0013698
IA Controls: ECSC-1 Security Configuration Compliance
Categories: 2.2 Least Privilege
Severity: Category I
Ref: WEB SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE Section 2.1
The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. Using userids and passwords is a far less secure way of controlling user access to web applications than a PKI solution with subscriber certificates. The ability to change passwords externally gives potential intruders an easier mechanism for accessing the system in an effort to compromise the userids and passwords.

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv6|9.1

Plugin: Windows

Control ID: 282c92124a0f3bade5d6dc87d458bd87c4de2d20db6645a7725ac6bc692ac222