Check: WA000-WI070 IIS6
IIS6 Site:
WA000-WI070 IIS6
(in version v6 r16)
Title
Indexing Services must only index web content. (Cat III impact)
Discussion
The indexing service can be used to facilitate a search function for web sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.
Check Content
1. Open the IIS Manager > Right-click on the website being reviewed > Select the Home Directory tab.
2. Verify the status of the Index this resource check box.
3. If the Index this resource check box is checked, open the Services window (via Administrative Tools in Control Panel) and check to see if the Indexing Service is listed. If it is listed, determine if the Startup Type mode is either “Automatic” or “Manual”.

NOTE: If the Indexing check box is not checked or the indexing service is not installed or disabled, this is not a finding.

4. With the assistance of the Web Administrator and/or SA, use the MMC to evaluate the Indexing Service using the Index Service snap-in.
5. Review the directories being indexed, ensuring only web content folders are being indexed.

NOTE: If unsure whether it is a web content folder, examine the Home Directory tab within the properties of the web site. This will indicate the path of the content for this web site.

If the Index Service is running and directories other than web content directories are being indexed, this is a finding.
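The comparison in step 5 is easy to get wrong by eye when paths differ in case, slash style, or contain `..` segments, so the following added example (not part of the STIG text) applies the check's decision to directories copied from the snap-in. The function names, the include/exclude flag on each entry, and all sample paths are assumptions constructed for illustration.

```python
import ntpath

def norm(path):
    # Fold case, unify slashes, resolve "." and "..", drop any trailing separator.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def is_within(path, root):
    # Compare on a separator boundary so wwwroot_backup does not pass as wwwroot.
    p, r = norm(path), norm(root)
    return p == r or p.startswith(r + "\\")

def scopes_outside_content(scopes, content_roots):
    """Return indexed directories that are not under any web content root.

    scopes: list of (directory, included) pairs as read from the Indexing
    Service snap-in; entries with included=False are exclusions and are skipped.
    """
    return [d for d, included in scopes
            if included and not any(is_within(d, r) for r in content_roots)]

def evaluate(index_checked, startup_type, scopes, content_roots):
    """Apply the check's decision: returns (is_finding, offending_directories).

    startup_type is "Automatic", "Manual", "Disabled", or None if the
    Indexing Service is not installed.
    """
    if not index_checked or startup_type in (None, "Disabled"):
        return False, []
    bad = scopes_outside_content(scopes, content_roots)
    return bool(bad), bad

# Constructed sample data (not taken from any real server).
CONTENT_ROOTS = [r"C:\Inetpub\wwwroot", r"D:\WebSites\Intranet"]
SCOPES = [
    (r"c:\inetpub\WWWROOT\docs", True),           # inside content, different case
    ("D:/WebSites/Intranet/", True),              # same root, other slash style
    (r"C:\Inetpub\wwwroot_backup", True),         # sibling sharing a name prefix
    (r"C:\Inetpub\wwwroot\..\..\Windows", True),  # resolves outside content
    (r"C:\Documents and Settings", False),        # exclusion entry, not indexed
]

if __name__ == "__main__":
    finding, bad = evaluate(True, "Manual", SCOPES, CONTENT_ROOTS)
    print("FINDING" if finding else "Not a finding")
    for d in bad:
        print("  indexed outside web content:", d)
```

The content roots are the Home Directory paths of each web site on the server, as described in the second NOTE.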
Fix Text
Assure that only the web document directories are indexed.
Additional Identifiers
Rule ID: SV-38011r1_rule
Vulnerability ID: V-3963
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |