Check: IISW-SI-000233
Microsoft IIS 8.5 Site STIG:
IISW-SI-000233
(in versions v2 r9 through v1 r0.1)
Title
Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 8.5 website, patches, loaded modules, and directory paths. (Cat II impact)
Discussion
HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.
Check Content
Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click the "Error Pages" icon. Click each error message and click "Edit Feature" setting from the "Actions" pane. If any error message is not set to “Detailed errors for local requests and custom error pages for remote requests”, this is a finding.
Fix Text
Follow the procedures below for each site hosted on the IIS 8.5 web server: Open the IIS 8.5 Manager. Click the site name under review. Double-click the "Error Pages" icon. Click each error message and click "Edit Feature" Setting from the "Actions" pane; set each error message to “Detailed errors for local requests and custom error pages for remote requests”.
Additional Identifiers
Rule ID: SV-214472r879655_rule
Vulnerability ID: V-214472
Group Title: SRG-APP-000266-WSR-000159
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001312 |
The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
Controls
Number | Title |
---|---|
SI-11 |
Error Handling |