Title

The web site must have a unique application pool. (Cat II impact)

Discussion

Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.

Check Content

1. Open the IIS Manager > Right click on the website being reviewed > Select the Home Directory tab. 2. Review the Application settings area and note the name listed next to Application pool. 3. Ensure this Application pool is not listed as any other sites Application Pool. If there is not a unique application pool configured for the web site being reviewed, this is a finding. NOTE: The default Application Pool is not considered unique and would be a finding if the web site is using this one.

Fix Text

1. Open the IIS Manager > Right click on the website being reviewed > Select the Home Directory tab. 2. Go to the Application settings area > Select the Application pool drop down > Select the unique Application pool for the web site. 3. Press OK.

Additional Identifiers

Rule ID: SV-38137r1_rule

Vulnerability ID: V-13703

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.