IIST-SV-000158 - Unspecified file extensions on a production IIS 10.0 web server must be removed.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

By allowing unspecified file extensions to execute, the web servers attack surface is significantly increased. This increased risk can be reduced by only allowing specific ISAPI extensions or CGI extensions to run on the web server.

Solution

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the 'ISAPI and CGI restrictions' icon.

Click 'Edit Feature Settings'.

Remove the check from the 'Allow unspecified CGI modules' and the 'Allow unspecified ISAPI modules' check boxes.

Click 'OK'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y24M07_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-218824r961863_rule, STIG-ID|IIST-SV-000158, STIG-Legacy|SV-109287, STIG-Legacy|V-100183, Vuln-ID|V-218824

Plugin: Windows

Control ID: 5532273e3a0fbbd770f2348694364d3daf40e3b2c5c45bc4613126b6dd94d626