
All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.


Overview

Finding ID: V-13621
Version: WG385 IIS6
Rule ID: SV-38330r1_rule
IA Controls: ECSC-1
Severity: High
Description
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Delete all directories containing samples and any scripts used to execute the samples.
STIG: IIS6 Server
Date: 2015-06-01

Details

Check Text (C-37720r1_chk)
Query the SA to determine if all directories that contain samples and any scripts used to execute the samples have been removed from the server.

Each web server has its own list of sample files and folders. These may change with the software versions and features utilized on the web server. The following are some examples of what to look for, and should not be considered the definitive list of sample files and folders.

If present, remove the following directories:

%systemdrive%\inetpub\AdminScripts
%systemdrive%\inetpub\scripts\IISSamples

If present, remove the following virtual directories:

http://localhost/iissamples
http://localhost/IISHelp

If any sample files or folders are found on the web server, this is a finding.

NOTE: The presence of the AdminScripts directory would not be a finding if the permissions are restricted to administrators and Web Admins.
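The check above can be automated on the IIS 6 host itself. The following PowerShell script is an added example, not part of the STIG or its check procedure: it tests for the sample directories, inspects the AdminScripts ACL against the administrator/Web Admins exception in the note, and walks each web site's root in the IIS metabase through the IIS ADSI provider looking for the sample virtual directories. The principal names in $AllowedPrincipals (in particular the "Web Admins" group) are assumptions and should be adjusted to the site's documented administrator groups.

```powershell
# Added example (not from the STIG): audit an IIS 6 server for the sample
# directories and virtual directories named in check C-37720r1_chk.
# Assumes: run locally with administrator rights; the IIS ADSI provider
# (IIS://localhost) is available, as it is on IIS 6; "Web Admins" is the
# local group used for web administrators (assumed name, adjust as needed).
$SystemDrive  = $env:SystemDrive
$SampleDirs   = @("$SystemDrive\inetpub\scripts\IISSamples")
$AdminScripts = "$SystemDrive\inetpub\AdminScripts"
$SampleVDirs  = @('iissamples', 'IISHelp')
$AllowedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                       "$env:COMPUTERNAME\Web Admins")   # assumed group name

$findings = @()

# 1. Sample directories must not exist at all.
foreach ($dir in $SampleDirs) {
    if (Test-Path -LiteralPath $dir) { $findings += "Sample directory present: $dir" }
}

# 2. AdminScripts may remain only if every Allow ACE is for an approved principal.
if (Test-Path -LiteralPath $AdminScripts) {
    $acl = Get-Acl -LiteralPath $AdminScripts
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $AllowedPrincipals -notcontains $ace.IdentityReference.Value) {
            $findings += "AdminScripts grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value)"
        }
    }
}

# 3. Sample virtual directories directly under each site's ROOT in the metabase
#    (the URLs in the check text map to these entries).
$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne 'IIsWebServer') { continue }
    $root = [ADSI]"IIS://localhost/W3SVC/$($site.Name)/ROOT"
    foreach ($child in $root.Children) {
        if ($child.SchemaClassName -eq 'IIsWebVirtualDir' -and $SampleVDirs -contains $child.Name) {
            $physical = $child.Properties['Path'].Value   # physical directory backing the vdir
            $findings += "Sample virtual directory '$($child.Name)' in site $($site.Name) -> $physical"
        }
    }
}

if ($findings.Count -eq 0) {
    'Not a finding: no sample directories or sample virtual directories located.'
} else {
    'FINDING (V-13621):'
    $findings | ForEach-Object { "  $_" }
}
```

The lists here cover only the examples the check text names; as the check itself says, other versions and features add their own sample content, so extend $SampleDirs and $SampleVDirs for the installed product rather than treating this output as definitive.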
Fix Text (F-32967r1_fix)
Remove sample code and documentation from the web server.