Title

The IIS web site permissions "Write" or "Script Source" must not be selected. (Cat I impact)

Discussion

Web site permissions to include Read, Write, and Script Source Access can be set within the IIS Administration tool. Configuration settings made at the Web Server level are inherited by all of the web sites on the server. It can override inheritance by configuring the individual site or site element. These permissions control what users can access from the web site. If Read is selected, then source of the pages can be read, if Write is selected, then pages can be written to or updated. If the Script Source Access is checked, source code for scripts can be viewed. This option is not available if neither Read nor Write is selected. Allowing users' access to the source of the web pages, may provide the user with more information than they are authorized to see. This is especially an issue for the source code for scripts on the web server.

Check Content

1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab. If the IIS web site permissions "Write" or “Script source access” are selected, this is a finding. NOTE: This should be completed for all directories (including sub-directories), virtual directories, and files for the site being reviewed.

Fix Text

1. Open the IIS Manager > Right click on the website (including directories, sub-directories, virtual directories, and files) being reviewed > Select Properties > Select the Home Directory (Directory, Virtual Directory, or File) tab. 2. Uncheck the Write and/or the Script source access permissions.

Additional Identifiers

Rule ID: SV-38020r1_rule

Vulnerability ID: V-13699

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.