Check: WA000-WI035 IIS6
IIS6 Server:
WA000-WI035 IIS6
(in version v6 r16)
Title
The IISADMPWD directory must be removed from the Web server. (Cat I impact)
Discussion
The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of user IDs and passwords is a far less secure solution for controlling user access to web applications than a PKI solution with subscriber certificates. The capability to change passwords externally gives potential intruders an easier mechanism to access the system in an effort to compromise user IDs and passwords.
Check Content
1. Select Start > Run.
2. Enter %systemroot%\system32\inetsrv into the Run dialog box and press OK.
3. Look for the presence of the iisadmpwd directory.
4. If the directory is present and is capable of being removed, this is a finding.
NOTE: If the iisadmpwd directory does not exist, this is NOT a finding and the check procedure can stop here.
NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The workaround is to ensure the virtual directory is removed from all web sites associated with the server and to restrict access to this directory and its files to the system and administrators.
5. If the iisadmpwd directory exists on the server due to a technical inability to delete it, review the permissions on this directory and its files. The permissions should be as follows:
Administrators - Full Control
System - Full Control
6. If any other user or group has permissions to this directory, this is a finding.
7. If the permissions are set correctly, use the IIS Services Manager and review the web sites to see if there is a virtual directory associated with any of the sites pointing to the iisadmpwd directory. A virtual directory will be a child directory of a web site.
8. If any of these directories point to the iisadmpwd directory, this is a finding, even if the permissions are set correctly.
NOTE: There is a possibility the automated check will result in a false positive condition. This could occur if the Administrators account has been renamed. If the account that has access to this directory and is causing the finding is in the Administrators group, this would not be a finding.
Fix Text
If possible, ensure the iisadmpwd directory has been removed from the web server. If removal is not possible, ensure the virtual directory is removed from all web sites associated with the server, and restrict access to this directory and its files to the system and administrators.
NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The workaround is to ensure the virtual directory is removed from all web sites associated with the server and to restrict access to this directory and its files to the system and administrators.
NOTE: The .dll in the IISADMPWD folder may be able to be deleted by booting into safe mode and deleting it. This will not work for the folder. If the IISADMPWD directory cannot be deleted, set the permissions as follows:
Administrators - Full Control
System - Full Control
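The following audit script is an added example, not part of the STIG text or DISA tooling. It automates check steps 5 through 8 and the permission requirement of the fix: it reports whether iisadmpwd is present, flags any ACE on the directory or its files held by an identity other than Administrators or SYSTEM (compared by well-known SID, so a renamed Administrators group does not produce the false positive the check's final NOTE describes), and flags any IIS 6 virtual directory whose path maps to iisadmpwd. It assumes PowerShell 2.0 or later on the IIS 6 host and the IIS 6 WMI provider (namespace root\MicrosoftIISv2) being installed; whether the directory is "capable of being removed" (step 4) still has to be judged by the reviewer.

```powershell
# WA000-WI035 audit helper (added example; assumes PowerShell 2.0+ and the
# IIS 6 WMI provider in root\MicrosoftIISv2). Run as an administrator.
$dir = Join-Path $env:SystemRoot 'system32\inetsrv\iisadmpwd'
$findings = @()

if (-not (Test-Path $dir)) {
    Write-Output "iisadmpwd directory not present: NOT a finding"
    return
}
Write-Output "iisadmpwd directory present at $dir (finding unless removal is technically impossible)"

# Steps 5/6: only Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) may hold ACEs.
# Comparing by SID rather than by name avoids a false positive when the
# Administrators group has been renamed.
$allowed = @('S-1-5-32-544', 'S-1-5-18')
$items = @(Get-Item $dir) + @(Get-ChildItem $dir -Recurse -Force)
foreach ($item in $items) {
    $acl = Get-Acl -Path $item.FullName
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($allowed -notcontains $sid) {
            $findings += "Unexpected ACE on $($item.FullName): $($ace.IdentityReference) ($sid) $($ace.FileSystemRights)"
        }
    }
}

# Steps 7/8: no virtual directory on any web site may point at iisadmpwd.
$vdirs = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting
foreach ($v in $vdirs) {
    if ($v.Path -and ($v.Path.TrimEnd('\') -ieq $dir.TrimEnd('\'))) {
        $findings += "Virtual directory $($v.Name) maps to iisadmpwd"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Permissions restricted to Administrators/SYSTEM and no virtual directory maps to iisadmpwd"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Any line beginning with FINDING corresponds to a failing condition in check steps 6 or 8; an empty result with the directory still present means only the fallback conditions of the fix text are satisfied.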
Additional Identifiers
Rule ID: SV-38148r1_rule
Vulnerability ID: V-13698
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |