| 1. Open the IIS Manager. |
2. For the site being reviewed, determine the directories where CGI, PERL, ASP, JS, or JSP scripts are located.
3. Determine if these locations are enabled for FTP access by looking under the FTP Sites folder within IIS Manager.
4. For directories with FTP enabled, right click on the directory > Select Properties > Select Directory Security > Select the Edit button beside Authentication and access control.
If Enable anonymous access is checked, this is a finding.