Web content directories must not be anonymously shared.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2226	WG210 IIS6	SV-38048r2_rule	ECCD-1 ECCD-2	Medium

Description
Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit the access and compromise the web content or cause web server performance problems.

STIG	Date
IIS6 Site	2015-06-01

Details

Check Text ( C-37415r2_chk )
1. Navigate to the %systemroot%\system32 directory. 2. Right click on the inetsrv directory > Select properties > Select the sharing tab. 3. If any selection other than "Do not share this folder" is selected, this is a finding. 4. Using the IIS Manager right click on the web site being reviewed > Select properties. 5. Select the Home Directory tab > Note the path to the web site’s home directory. 6. Navigate to the parent directory of the directory noted above. 7. Right click on the directory noted above > Select properties > Select the sharing tab. 8. If any selection other than "Do not share this folder" is selected, this is a finding. 9. Select the Web Sharing tab. 10. Select the website being reviewed from the drop down menu. 11. If any entries other than “/” exist under the Aliases window, this is a finding. NOTE: Administrative shares are not exempt from this requirement. NOTE: In the case of a storage area network or file storage network, where partitions on the storage device are dedicated to front end / back end web services, the additional partitions will be mapped to the correct file storage network partition in the web server configuration. This can apply to both web content and web scripts. NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the ISSM/ISSO; the shares are restricted to only allow administrators write access; the use of the shares does not bypass the sites approval process for posting new content to the web server; and developers are only permitted read access to these directories.

Check Text ( C-37415r2_chk )

1. Navigate to the %systemroot%\system32 directory.
2. Right click on the inetsrv directory > Select properties > Select the sharing tab.
3. If any selection other than "Do not share this folder" is selected, this is a finding.
4. Using the IIS Manager right click on the web site being reviewed > Select properties.
5. Select the Home Directory tab > Note the path to the web site’s home directory.
6. Navigate to the parent directory of the directory noted above.
7. Right click on the directory noted above > Select properties > Select the sharing tab.
8. If any selection other than "Do not share this folder" is selected, this is a finding.
9. Select the Web Sharing tab.
10. Select the website being reviewed from the drop down menu.
11. If any entries other than “/” exist under the Aliases window, this is a finding.

NOTE: Administrative shares are not exempt from this requirement.
NOTE: In the case of a storage area network or file storage network, where partitions on the storage device are dedicated to front end / back end web services, the additional partitions will be mapped to the correct file storage network partition in the web server configuration. This can apply to both web content and web scripts.
NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the ISSM/ISSO; the shares are restricted to only allow administrators write access; the use of the shares does not bypass the sites approval process for posting new content to the web server; and developers are only permitted read access to these directories.

Fix Text (F-32651r1_fix)
Remove the shares from the applicable directories.