| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-3333 | WG205 IIS6 | SV-30041r1_rule | DCPA-1 | Medium |
| Description |
|---|
| Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities, so facilitating it by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds attacks such as drive space exhaustion. |
| STIG | Date |
|---|---|
| IIS6 Site | 2014-12-10 |
| Check Text (C-37414r1_chk) |
|---|
| 1. Open the IIS Manager > right-click the web site being reviewed > select Properties > select the Home Directory tab. 2. Note the path to the web site's home directory. If the directory is on the same partition as the operating system's root directory, this is a finding. If the directory is a child directory of the web application directory, this is a finding. |
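The same check, automated as an added example that is not part of the STIG text: it reads each IIS 6 web site's home directory from the metabase (ADSI provider) and compares it with the operating system partition. It assumes local administrative rights on the IIS 6 host, and `$WebAppDir` is a placeholder for the "web application directory" the check text refers to, which the reviewer supplies.

```powershell
# Added example (not STIG-provided): evaluate V-3333 for every web site on an IIS 6 host.
param(
    [string]$WebAppDir = 'D:\WebApps'   # placeholder assumption; set to the real web application directory
)

function Get-PathRootNormalized([string]$Path) {
    # "C:\inetpub\wwwroot" -> "C:" ; UNC paths keep their "\\server\share" root
    if ([string]::IsNullOrEmpty($Path)) { return '' }
    $root = [System.IO.Path]::GetPathRoot($Path)
    return $root.TrimEnd('\').ToUpperInvariant()
}

function Test-ChildOf([string]$Path, [string]$Parent) {
    # True when $Path lies strictly beneath $Parent (case-insensitive, trailing backslashes ignored)
    $p = $Path.TrimEnd('\').ToUpperInvariant()
    $q = $Parent.TrimEnd('\').ToUpperInvariant()
    return ($p.Length -gt $q.Length) -and $p.StartsWith($q + '\')
}

# Partition that holds the operating system files, e.g. "C:"
$osRoot = Get-PathRootNormalized $env:SystemRoot

$w3svc = [ADSI]'IIS://localhost/W3SVC'
$results = foreach ($site in $w3svc.Children) {
    # Only IIsWebServer nodes are web sites; W3SVC also contains filter and info nodes
    if ($site.SchemaClassName -ne 'IIsWebServer') { continue }

    # The home directory shown on the Home Directory tab is the Path of the site's Root vdir
    $rootVdir = [ADSI]"IIS://localhost/W3SVC/$($site.Name)/Root"
    $homeDir  = [string]$rootVdir.Path

    $onOsPartition = (Get-PathRootNormalized $homeDir) -eq $osRoot
    $underWebApp   = Test-ChildOf $homeDir $WebAppDir

    New-Object PSObject -Property @{
        SiteId         = [string]$site.Name
        SiteName       = [string]$site.ServerComment
        HomeDirectory  = $homeDir
        OnOsPartition  = $onOsPartition   # finding condition 1
        UnderWebAppDir = $underWebApp     # finding condition 2
        Finding        = ($onOsPartition -or $underWebApp)
    }
}

$results | Format-Table SiteId, SiteName, HomeDirectory, OnOsPartition, UnderWebAppDir, Finding -AutoSize
```

Any row with `Finding` equal to True is an open V-3333 finding for that site; the fix is to move its home directory to a partition other than the one holding the system files.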
| Fix Text (F-32650r1_fix) |
|---|
| Change the home directory to a partition other than the partition containing the web server system files. |