
The IIS web site permissions "Write" or "Script Source" must not be selected.


Overview

Finding ID: V-13699
Version: WA000-WI092 IIS6
Rule ID: SV-38020r1_rule
IA Controls: ECSC-1
Severity: High
Description
Web site permissions, including Read, Write, and Script Source Access, can be set within the IIS Administration tool. Configuration settings made at the Web Server level are inherited by all of the web sites on the server. Inheritance can be overridden by configuring the individual site or site element. These permissions control what users can access from the web site. If Read is selected, the source of the pages can be read; if Write is selected, pages can be written to or updated. If Script Source Access is checked, the source code for scripts can be viewed. This option is not available if neither Read nor Write is selected. Allowing users access to the source of the web pages may provide them with more information than they are authorized to see. This is especially an issue for the source code of scripts on the web server.
STIG: IIS6 Site
Date: 2014-12-10

Details

Check Text ( C-37372r1_chk )
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab.

If the IIS web site permissions "Write" or "Script source access" are selected, this is a finding.

NOTE: This should be completed for all directories (including sub-directories), virtual directories, and files for the site being reviewed.
Fix Text (F-32609r1_fix)
1. Open the IIS Manager > Right click on the website (including directories, sub-directories, virtual directories, and files) being reviewed > Select Properties > Select the Home Directory (Directory, Virtual Directory, or File) tab.
2. Uncheck the Write and/or the Script source access permissions.
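
The check above, including its note about covering every directory, virtual directory and file, automated over a copy of the metabase file as an added example (not part of the STIG). It assumes the IIS 6 MetaBase.xml layout in which each key has a Location attribute and AccessFlags is a pipe-separated list of flag names, and that a key without AccessFlags inherits the nearest ancestor's value; the sample XML and the `audit` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like an IIS 6 MetaBase.xml (not from a real server).
SAMPLE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebService Location="/LM/W3SVC" AccessFlags="AccessRead | AccessScript"/>
  <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Example Site"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessFlags="AccessRead | AccessScript"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/uploads" AccessFlags="AccessRead | AccessWrite"/>
  <IIsWebFile Location="/LM/W3SVC/1/ROOT/uploads/form.asp"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/dev"
                    AccessFlags="AccessRead | AccessSource | AccessScript"/>
 </MBProperty>
</configuration>"""

FORBIDDEN = {"AccessWrite", "AccessSource"}  # "Write" and "Script source access"

def audit(xml_text, site_key):
    """Return (location, forbidden flags, origin) for every node under site_key."""
    names, explicit = {}, {}
    for el in ET.fromstring(xml_text).iter():
        loc = el.get("Location")
        if loc is None:
            continue
        key = loc.rstrip("/").upper()          # metabase paths are case-insensitive
        names[key] = loc
        if el.get("AccessFlags") is not None:
            explicit[key] = {f.strip() for f in el.get("AccessFlags").split("|")}
    prefix = site_key.rstrip("/").upper()
    findings = []
    for key in sorted(names):
        if key != prefix and not key.startswith(prefix + "/"):
            continue                           # node belongs to another site
        node = key
        while node and node not in explicit:   # walk up to the nearest explicit setting
            node = node.rpartition("/")[0]
        bad = sorted(explicit.get(node, set()) & FORBIDDEN)
        if bad:
            origin = "explicit" if node == key else "inherited from " + names[node]
            findings.append((names[key], bad, origin))
    return findings

if __name__ == "__main__":
    for loc, flags, origin in audit(SAMPLE, "/LM/W3SVC/1"):
        print(f"FINDING {loc}: {', '.join(flags)} ({origin})")
```

A file such as `form.asp` that has no setting of its own is still reported because it inherits Write from its parent directory, which is why the check has to cover child nodes and not only the site root.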