Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2271 | WG440 IIS6 | SV-38331r1_rule | ECAT-1 ECAT-2 ECCD-1 | Medium |
Description |
---|
By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the server’s resources. These files make appealing targets for the malicious user. If these files can be modified or exploited, the web server can be compromised. CGI or equivalent files must be monitored by a security tool alerting the Web Admin of any unauthorized changes. |
STIG | Date |
---|---|
IIS6 Server | 2011-09-26 |
Check Text ( C-37721r1_chk ) |
---|
Request to see the template file or configuration file of the software being used to accomplish this security task. The monitoring program should provide constant monitoring for these files, and instantly alert the Web Admin of any unauthorized changes. Examples of CGI file extensions include, but are not limited to cgi, asp, aspx, class, vb, php, pl, and c. If the monitoring product configuration does not monitor changes to CGI program files, this is a finding. |
Fix Text (F-32968r1_fix) |
---|
Configure the monitoring tool to include CGI type files or equivalent programs directory. |