An error occurred:

Check: IISW-SV-000138

Microsoft IIS 8.5 Server STIG: IISW-SV-000138 (in versions v2 r7 through v2 r1)

Title

Directory Browsing on the IIS 8.5 web server must be disabled. (Cat II impact)

Discussion

Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory. If directory browsing is enabled the risk of inadvertently disclosing sensitive content is increased.

Check Content

If the Directory Browsing IIS Feature is disabled, this is Not Applicable. Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Double-click the "Directory Browsing" icon. Under the “Actions” pane verify "Directory Browsing" is disabled. If “Directory Browsing” is not disabled, this is a finding.

Fix Text

If the Directory Browsing IIS Feature is disabled, this is Not Applicable. Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Double-click the "Directory Browsing" icon. Under the "Actions" pane click "Disabled". Under the "Actions" pane, click "Apply".

Additional Identifiers

Rule ID: SV-214423r879652_rule

Vulnerability ID: V-214423

Group Title: SRG-APP-000251-WSR-000157

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001310

The information system checks the validity of organization-defined inputs.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SI-10

Information Input Validation