IISW-SI-000216 - The IIS 8.5 website must have resource mappings set to disable the serving of certain file types.

Information

Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client.

By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc.

The web server must only allow hosted application file types to be served to a user and all other types must be disabled.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Click the site name to review.
Double-click Request Filtering >> File Name Extensions Tab >> Deny File Name Extension.
Add any script file extensions listed on the black list that are not listed.
Select 'Apply' from the 'Actions' pane.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_8-5_Y23M10_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-214456r903089_rule, STIG-ID|IISW-SI-000216, STIG-Legacy|SV-91497, STIG-Legacy|V-76801, Vuln-ID|V-214456

Plugin: Windows

Control ID: 284a80d7b3493fa21c34fb3576ad8bb32735a59eda0de4600326c6246bcbb85e