IISW-SV-000158 - Unspecified file extensions on a production IIS 8.5 web server must be removed.

Information

By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI extensions to run on the web server.

Solution

Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Double-click the 'ISAPI and CGI restrictions' icon.

Click 'Edit Feature Settings'.

Remove the check from the 'Allow unspecified CGI modules' and the 'Allow unspecified ISAPI modules' check boxes.

Click OK.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_8-5_Y23M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-214440r879887_rule, STIG-ID|IISW-SV-000158, STIG-Legacy|SV-91465, STIG-Legacy|V-76769, Vuln-ID|V-214440

Plugin: Windows

Control ID: 1db6cf85c7f9990f896d9a5f93eb02ff7b1762d1de746795048161049fdd0cc2