Title

The Internet Printing Protocol (IPP) must be disabled on the IIS 8.5 web server. (Cat II impact)

Discussion

The use of Internet Printing Protocol (IPP) on an IIS web server allows client’s access to shared printers. This privileged access could allow remote code execution by increasing the web servers attack surface. Additionally, since IPP does not support SSL, it is considered a risk and will not be deployed.

Check Content

If the Print Services role and the Internet Printing role are not installed, this check is Not Applicable. Navigate to the following directory: %windir%\web\printers If this folder exists, this is a finding. Determine whether Internet Printing is enabled: Click “Start”, then click “Administrative Tools”, and then click “Server Manager”. Expand the roles node, then right-click “Print Services”, and then select “Remove Roles Services”. If the Internet Printing option is enabled, this is a finding.

Fix Text

Click “Start”, then click “Administrative Tools”, and then click “Server Manager”. Expand the roles node, then right-click “Print Services”, and then select “Remove Roles Services”. If the Internet Printing option is checked, clear the check box, click “Next”, and then click “Remove” to complete the wizard.

Additional Identifiers

Rule ID: SV-214433r879756_rule

Vulnerability ID: V-214433

Group Title: SRG-APP-000383-WSR-000175

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.