Title

All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a production IIS 10.0 server. (Cat I impact)

Discussion

Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (i.e., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples.

Check Content

Navigate to the following folders: inetpub\ Program Files\Common Files\System\msadc Program Files (x86)\Common Files\System\msadc If the folder or sub-folders contain any executable sample code, example applications, or tutorials which are not explicitly used by a production website, this is a finding.

Fix Text

Remove any executable sample code, example applications, or tutorials which are not explicitly used by a production website.

Additional Identifiers

Rule ID: SV-218795r879587_rule

Vulnerability ID: V-218795

Group Title: SRG-APP-000141-WSR-000077

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.