Check: IIST-SI-000231
Microsoft IIS 10.0 Site STIG:
IIST-SI-000231
(in versions v2 r9 through v1 r1)
Title
Directory Browsing on the IIS 10.0 website must be disabled. (Cat II impact)
Discussion
Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory. If directory browsing is enabled the risk of inadvertently disclosing sensitive content is increased.
Check Content
Follow the procedures below for each site hosted on the IIS 10.0 web server: Click the Site. Double-click the "Directory Browsing" icon. If "Directory Browsing" is not installed, this is Not Applicable. Under the "Actions" pane, verify "Directory Browsing" is "Disabled". If "Directory Browsing" is not "Disabled", this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the Site. Double-click the "Directory Browsing" icon. Under the "Actions" pane, click "Disabled".
Additional Identifiers
Rule ID: SV-218759r879652_rule
Vulnerability ID: V-218759
Group Title: SRG-APP-000251-WSR-000157
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001310 |
The information system checks the validity of organization-defined inputs. |
Controls
| Number | Title |
|---|---|
| SI-10 |
Information Input Validation |