An error occurred:

Check: IIST-SI-000261

Microsoft IIS 10.0 Site STIG: IIST-SI-000261 (in versions v2 r9 through v1 r1)

Title

Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders. (Cat II impact)

Discussion

CGI and ASP scripts represent one of the most common and exploitable means of compromising a web server. All CGI and ASP program files must be segregated into their own unique folder to simplify the protection of these files. ASP scripts must be placed into a unique folder only containing other ASP scripts. JAVA and other technology-specific scripts must also be placed into their own unique folders. The placement of CGI, ASP, or equivalent scripts to special folders gives the Web Manager or the System Administrator (SA) control over what goes into those folders and to facilitate access control at the folder level.

Check Content

Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vbs, .class, .c, .php, and .asp. All interactive programs must be placed in unique designated folders based on CGI or ASP script type. For modular and/or third-party applications, it is permissible to have script files in multiple folders. Open the IIS 10.0 Manager. Right-click the IIS 10.0 web site name and select "Explore". Search for the listed script extensions. Each script type must be in its unique designated folder. If scripts are not segregated from web content and in their own unique folders, this is a finding.

Fix Text

All interactive programs must be placed in unique designated folders based on CGI or ASP script type. Open the IIS 10.0 Manager. Right-click the IIS 10.0 web server name and select "Explore". Search for the listed script extensions. Move each script type to its unique designated folder. Set the permissions to the scripts folders as follows: Administrators: FULL TrustedInstaller: FULL SYSTEM: FULL ApplicationPoolId:READ Custom Service Account: READ Users: READ ALL APPLICATION PACKAGES: READ

Additional Identifiers

Rule ID: SV-218779r879587_rule

Vulnerability ID: V-218779

Group Title: SRG-APP-000141-WSR-000087

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000381

The organization configures the information system to provide only essential capabilities.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-7

Least Functionality