Check: IIST-SI-000233
Microsoft IIS 10.0 Site STIG:
IIST-SI-000233
(in versions v2 r9 through v2 r7)
Title
Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths. (Cat II impact)
Discussion
HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.
Check Content
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. Double-click the "Error Pages" icon. Click each error message and click "Edit Feature" setting from the "Actions" pane. If any error message is not set to "Detailed errors for local requests and custom error pages for remote requests" or "Custom error pages", this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 10.0 web server: Open the IIS 10.0 Manager. Click the site name under review. Double-click the "Error Pages" icon. Click each error message and click "Edit Feature" Setting from the "Actions" pane; set each error message to "Detailed errors for local requests and custom error pages for remote requests" or "Custom error pages".
Additional Identifiers
Rule ID: SV-218760r879655_rule
Vulnerability ID: V-218760
Group Title: SRG-APP-000266-WSR-000159
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001312 |
Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited. |
Controls
Number | Title |
---|---|
SI-11 |
Error Handling |