Check: WG205 IIS6
IIS6 Site:
WG205 IIS6
(in version v6 r16)
Title
The web document (home) directory must be on a separate partition from the web server's system files. (Cat II impact)
Discussion
Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities. Facilitating such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
Check Content
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab.
2. Note the path to the web site's home directory.
If the directory is on the same partition as the operating system's root directory, this is a finding.
If the directory is a child directory to the web application directory, this is a finding.
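The partition comparison in this check can be scripted across every site on the server. The following is an added example, not part of the STIG text: it assumes PowerShell 2.0 or later run as an administrator on the IIS 6 host, reads each site's home directory from the metabase through the ADSI `IIS://` provider, and covers only the same-partition condition. The function name `Get-VolumeRoot` and the status strings are hypothetical names chosen for this example.

```powershell
# Added example: compare each IIS 6 site's home directory with the system partition.
# Limitation: a volume mounted as a folder on the system drive shows the same
# drive letter as the system files and must be reviewed by hand.

function Get-VolumeRoot([string]$Path) {
    # Expand %SystemDrive%-style variables, then reduce to the drive or UNC share root.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if ([string]::IsNullOrEmpty($expanded)) { return '' }
    $root = [System.IO.Path]::GetPathRoot($expanded)
    if ($root -eq $null) { return '' }
    $root.TrimEnd('\').ToUpperInvariant()
}

$systemVolume = Get-VolumeRoot $env:SystemRoot

$w3svc = [ADSI]'IIS://localhost/W3SVC'
$w3svc.Children |
    Where-Object { $_.SchemaClassName -eq 'IIsWebServer' } |
    ForEach-Object {
        $siteId  = [string]$_.Name
        $vdir    = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT"
        $homeDir = [string]$vdir.Path
        $volume  = Get-VolumeRoot $homeDir

        if ($volume -eq '') {
            # Empty or relative path: cannot be judged automatically.
            $status = 'ManualReview'
        } elseif ($volume -eq $systemVolume) {
            $status = 'Finding'
        } else {
            $status = 'NotAFinding'
        }

        New-Object PSObject -Property @{
            SiteId        = $siteId
            Name          = [string]$_.ServerComment
            HomeDirectory = $homeDir
            Status        = $status
        }
    } |
    Format-Table SiteId, Name, HomeDirectory, Status -AutoSize
```

Sites reported as `ManualReview`, and the child-directory condition of the check, still require inspection in the IIS Manager.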
Fix Text
Change the home directory to a partition other than the one containing the web server system files.
Additional Identifiers
Rule ID: SV-30041r1_rule
Vulnerability ID: V-3333
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |