
The web document (home) directory must be on a separate partition from the web server's system files.


Overview

Finding ID: V-3333
Version: WG205 IIS6
Rule ID: SV-30041r1_rule
IA Controls: DCPA-1
Severity: Medium
Description
Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation attacks. Facilitating such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
STIG: IIS6 Site
Date: 2014-12-10

Details

Check Text (C-37414r1_chk)
1. Open the IIS Manager > Right-click on the website being reviewed > Select Properties > Select the Home Directory tab.
2. Note the path to the web site's home directory.

If the directory is on the same partition as the operating system's root directory, this is a finding. If the directory is a child directory of the web application directory, this is a finding.
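The same check can be scripted across every site on the server. The following is an added example, not part of the STIG text: it reads each site's home directory from the IIS 6 metabase through the ADSI provider and applies the two finding conditions above. The function name Get-HomeDirFinding and the $WebAppDir parameter are hypothetical, and the script assumes that the "web application directory" is the IIS install directory.

```powershell
# Added example, not STIG text. Run locally on the IIS 6 server as an administrator.
param(
    # Assumption: the "web application directory" is the IIS install directory.
    [string]$WebAppDir = (Join-Path $env:SystemRoot 'system32\inetsrv')
)

function Get-HomeDirFinding {
    param([string]$HomePath, [string]$SystemDrive, [string]$WebAppDir)
    $reasons = @()
    # Metabase paths may contain variables such as %SystemDrive%.
    $expanded = [Environment]::ExpandEnvironmentVariables($HomePath)
    $full = [IO.Path]::GetFullPath($expanded).TrimEnd('\')
    $app  = [IO.Path]::GetFullPath($WebAppDir).TrimEnd('\')
    # Drive-letter comparison only: a folder that is an NTFS mount point
    # can sit on another partition and needs manual review.
    if ([IO.Path]::GetPathRoot($full).TrimEnd('\') -ieq $SystemDrive.TrimEnd('\')) {
        $reasons += 'same partition as the operating system root'
    }
    # Append '\' so a sibling such as ...\inetsrv2 is not treated as a child.
    if ($full.StartsWith($app + '\', [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'child of the web application directory'
    }
    $reasons
}

$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $w3svc.psbase.Children) {
    # W3SVC also holds non-site nodes (filters, application pools).
    if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }
    $root = [ADSI]('IIS://localhost/W3SVC/{0}/ROOT' -f $site.psbase.Name)
    $path = [string]$root.psbase.Properties['Path'].Value
    if (-not $path) { continue }   # no home directory path set on this site
    $reasons = @(Get-HomeDirFinding $path $env:SystemDrive $WebAppDir)
    New-Object PSObject -Property @{
        Site          = [string]$site.psbase.Properties['ServerComment'].Value
        HomeDirectory = $path
        Finding       = ($reasons.Count -gt 0)
        Reasons       = ($reasons -join '; ')
    }
}
```

Each output object corresponds to one web site; any row with Finding set to True should be confirmed in the Home Directory tab as described in the check text.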
Fix Text (F-32650r1_fix)
Change the home directory to a partition other than the partition containing the web server system files.