IIST-SI-000261 - Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

CGI and ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI and ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. The placement of CGI, ASP, or equivalent scripts to special folders gives the Web Manager or the System Administrator (SA) control over what goes into those folders and to facilitate access control at the folder level.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

All interactive programs must be placed in unique designated folders based on CGI or ASP script type.

Open the IIS 10.0 Manager.

Right-click the IIS 10.0 web server name and select 'Explore'.

Search for the listed script extensions.

Move each script type to its unique designated folder.

Set the permissions to the scripts folders as follows:

Administrators: FULL
TrustedInstaller: FULL
SYSTEM: FULL
ApplicationPoolId:READ
Custom Service Account: READ
Users: READ
ALL APPLICATION PACKAGES: READ

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y23M04_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000381, Rule-ID|SV-218779r879587_rule, STIG-ID|IIST-SI-000261, STIG-Legacy|SV-109383, STIG-Legacy|V-100279, Vuln-ID|V-218779

Plugin: Windows

Control ID: 8da820426c6f0bf5f3ff5b35b6de8d687e68b1a5d37e1e77e339bb1d363dd96b