Check: IIST-SV-000149
Microsoft IIS 10.0 Server STIG:
IIST-SV-000149
(in versions v2 r10 through v1 r1)
Title
The Internet Printing Protocol (IPP) must be disabled on the IIS 10.0 web server. (Cat II impact)
Discussion
The use of IPP on an IIS web server allows client access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, since IPP does not support SSL, it is considered a risk and will not be deployed.
Check Content
If the Print Services role and the Internet Printing role are not installed, this check is Not Applicable. Navigate to the following directory: %windir%\web\printers If this folder exists, this is a finding. Determine whether Internet Printing is enabled: Click “Start”, click “Administrative Tools”, and then click “Server Manager”. Expand the roles node, right-click “Print Services”, and then select “Remove Roles Services”. If the Internet Printing option is enabled, this is a finding.
Fix Text
Click “Start”, click “Administrative Tools”, and then click “Server Manager”. Expand the roles node, right-click “Print Services”, and then select “Remove Roles Services”. If the Internet Printing option is checked, clear the check box, click “Next”, and then click “Remove” to complete the wizard.
Additional Identifiers
Rule ID: SV-218818r879756_rule
Vulnerability ID: V-218818
Group Title: SRG-APP-000383-WSR-000175
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001762 |
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. |
Controls
Number | Title |
---|---|
CM-7 (1) |
Periodic Review |