Check: WG385 IIS6
IIS6 Server:
WG385 IIS6
(in version v6 r16)
Title
All web server documentation, sample code, example applications, and tutorials must be removed from a production web server. (Cat I impact)
Discussion
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Delete all directories containing samples and any scripts used to execute the samples.
Check Content
Query the SA to determine if all directories that contain samples and any scripts used to execute the samples have been removed from the server. Each web server has its own list of sample files and folders. These may change with the software versions and features utilized on the web server. The following are some examples of what to look for, and should not be considered the definitive list of sample files and folders.

If present, remove the following directories:

- %systemdrive%\inetpub\AdminScripts
- %systemdrive%\inetpub\scripts\IISSamples

If present, remove the following virtual directories:

- http://localhost/iissamples
- http://localhost/IISHelp

If any sample files or folders are found on the web server, this is a finding.

NOTE: The presence of the AdminScripts directory would not be a finding if the permissions are restricted to administrators and Web Admins.
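The following PowerShell script is an added audit example for this check and is not part of the STIG text. It tests for the sample directories and virtual directories named above, applies the AdminScripts permission exception, and assumes IIS 6 with the IIS WMI provider (root\MicrosoftIISv2) available and a local group named "Web Admins" (that group name is an assumption to adjust per site).

```powershell
# Added example for WG385 (not part of the STIG). Assumes IIS 6 with the IIS WMI
# provider (root\MicrosoftIISv2) installed and that the script runs locally with
# administrative rights. It covers only the example paths from the check text.
$findings = @()

# 1. Sample directory on disk; %systemdrive% is taken from the environment.
$sampleDir = "$env:SystemDrive\inetpub\scripts\IISSamples"
if (Test-Path -LiteralPath $sampleDir) {
    $findings += "Sample directory present: $sampleDir"
}

# 2. AdminScripts is a finding only if access is not restricted to
#    administrators and Web Admins. The 'Web Admins' group name is an assumption.
$adminScripts = "$env:SystemDrive\inetpub\AdminScripts"
if (Test-Path -LiteralPath $adminScripts) {
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                 'CREATOR OWNER', "$env:COMPUTERNAME\Web Admins")
    $acl = Get-Acl -LiteralPath $adminScripts
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $ace.IdentityReference.Value) {
            $findings += "AdminScripts grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }
}

# 3. Sample virtual directories, read from the IIS 6 metabase via WMI.
#    Metabase names look like W3SVC/1/ROOT/IISHelp; compare the last segment.
$sampleVdirs = @('iissamples', 'iishelp')
$vdirs = Get-WmiObject -Namespace 'root\MicrosoftIISv2' `
                       -Class IIsWebVirtualDirSetting -ErrorAction SilentlyContinue
foreach ($v in $vdirs) {
    $leaf = ($v.Name -split '/')[-1]
    if ($sampleVdirs -contains $leaf.ToLower()) {
        $findings += "Sample virtual directory present: $($v.Name) -> $($v.Path)"
    }
}

if ($findings.Count -eq 0) {
    'WG385: not a finding (no sample content detected by this check)'
} else {
    'WG385: FINDING'
    $findings | ForEach-Object { " - $_" }
}
```

Because the check text states its list is not definitive, a clean result from this script should be confirmed by the SA query it describes.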
Fix Text
Remove sample code and documentation from the web server.
Additional Identifiers
Rule ID: SV-38330r1_rule
Vulnerability ID: V-13621
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |