Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3333 | WG205 IIS6 | SV-30041r2_rule | DCPA-1 | Medium |
Description |
---|
Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by mis-configuring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion. |
STIG | Date |
---|---|
IIS6 Site | 2011-10-03 |
Check Text ( C-37414r1_chk ) |
---|
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab. 2. Note the path to the web sites home directory. If the directory is on the same partition as the operating systems root directory, this is a finding. If the directory is a child directory to the web application directory, this is a finding. |
Fix Text (F-32650r1_fix) |
---|
Change the home directory to a partition other than the partition containing the web server system files. |