
The IUSR_machinename account must not have read access to the .inc files or their equivalent.


Overview

Finding ID: V-2268
Version: WA000-WI030 IIS6
Rule ID: SV-38009r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Owing to the nature of .inc files, which may contain sensitive logic and potentially reveal sensitive information about the architecture of the web server, it is vital that the end user not be able to access and examine code that is included in .inc files. When server side scripting is the preferred method, this is normally not a problem. Nonetheless, there are key files inherent to the process which can contain information key to the logic, server structure and configuration of the entire application.

The include files for many .asp script files are .inc files. If the correct file name is guessed or derived, their contents will be displayed by a browser. The file must be guarded from the prying eyes of the anonymous web user. If the site has named its include files with the .asp extension, then the files will be processed as .asp files, which by the nature of .asp will prevent that code from being presented. If the files are named with the .inc extension, or equivalent, SAs do not have this advantage.

Java Server Pages (.jsp) is another example of a competing technology, which the reviewer will also encounter, that is impacted by this issue. The same principles outlined here apply to include files used with Java Server Pages. In addition, there are some additional files that need to be protected, which include the global.asa and global.asax files.
STIG: IIS6 Site
Date: 2015-06-01

Details

Check Text ( C-37357r1_chk )
1. Open IIS Manager > Right click on the website being reviewed > Select properties > Select the Home directory tab.
2. Under Application setting > Select configuration > Select the Mappings tab.
3. Under Application extensions review the Extension field to see if the following file extensions are mapped to the asp.dll or aspnet_isapi.dll:

.asa
.asax
.inc

NOTE: If these extensions are mapped to the asp.dll or aspnet_isapi.dll, this is not a finding and the check procedure can stop here. If they are not mapped to the asp.dll or aspnet_isapi.dll, continue with the following procedure to determine if the files are protected via file permissions.

4. Right click on the Start button > Select Search.
5. Under the text box “All or part of the file name” enter the following: global.asa, global.asax, *.inc.

NOTE: All drives utilized for the web site being reviewed should be searched.
NOTE: Use IIS Manager to determine which directory is associated with the web site (Web Site properties, Home Directory tab).

6. If these files are found and are part of the directories (including virtual directories) for the web site being reviewed, navigate to these files.
7. Right click on the file > select properties > Select the Security tab.
8. Ensure Read permissions do not exist for the IUSR_machinename account (the anonymous web user).

If the IUSR_machinename account has read access to the global.asa, global.asax, or .inc files, and these extensions are not mapped to the asp.dll, this is a finding.
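The file-permission portion of the check above (steps 5 through 8) can be run as a script instead of inspecting each file's Security tab by hand. The following PowerShell is an added example, not part of the STIG or its check text; it assumes the site's home directory is C:\Inetpub\wwwroot and that the anonymous account is IUSR_<computername>, both of which must be adjusted to the web site under review.

```powershell
# Added example (not from the STIG): list global.asa, global.asax and *.inc files under the
# site root whose ACL grants read access to the anonymous web user.
# ASSUMPTION: site root and anonymous account name; change both for the site being reviewed.
$siteRoot = 'C:\Inetpub\wwwroot'
$anonUser = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"

# The account itself, plus groups that by default contain the anonymous account
# (IIS adds IUSR_<computername> to Guests; Everyone always applies). A grant to any of
# these gives the anonymous user read access even if no ACE names the account directly.
$identities = @($anonUser, 'Everyone', 'BUILTIN\Guests')

# ReadData is the right that lets a principal read file content; FullControl, Read,
# ReadAndExecute and Modify all include it.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

$files = Get-ChildItem -Path $siteRoot -Recurse -ErrorAction SilentlyContinue `
         -Include 'global.asa', 'global.asax', '*.inc'

$findings = @()
foreach ($file in $files) {
    $acl = Get-Acl -Path $file.FullName
    foreach ($ace in $acl.Access) {
        # Generic rights (e.g. GENERIC_READ) show up as raw numbers rather than named flags;
        # flag those ACEs for manual review instead of silently treating them as harmless.
        $generic = ($ace.FileSystemRights -as [int]) -lt 0
        $grantsRead = ($ace.AccessControlType -eq 'Allow') -and
                      (($ace.FileSystemRights -band $readData) -eq $readData)
        if (($identities -contains $ace.IdentityReference.Value) -and ($grantsRead -or $generic)) {
            $findings += New-Object PSObject -Property @{
                File     = $file.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Review   = $generic
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No include files under $siteRoot grant read access to $anonUser."
} else {
    # Each row is a candidate finding for this rule (Review = True needs a manual look).
    $findings | Format-Table File, Identity, Rights, Review -AutoSize
}
```

Because this only looks at NTFS ACLs, it does not replace steps 1 through 3: if the extensions are mapped to asp.dll or aspnet_isapi.dll the rule is already satisfied regardless of what the script reports.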
Fix Text (F-32594r1_fix)
Remove read permissions for the IUSR_machinename account from the .inc files and their equivalent.