Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3963 | WA000-WI070 IIS6 | SV-38011r1_rule | ECSC-1 | Low |
Description |
---|
The indexing service can be used to facilitate a search function for web sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only. |
STIG | Date |
---|---|
IIS6 Site | 2015-06-01 |
Check Text ( C-37362r1_chk ) |
---|
1. Open the IIS Manager > Right-click the website being reviewed > Select the Home Directory tab. 2. Verify the status of the "Index this resource" check box. 3. If the "Index this resource" check box is checked, open the Services window (via Administrative Tools in Control Panel) and check whether the Indexing Service is listed. If it is listed, determine whether the Startup Type is either “Automatic” or “Manual”. NOTE: If the indexing check box is not checked, or the Indexing Service is not installed or is disabled, this is not a finding. 4. With the assistance of the Web Administrator and/or SA, use the MMC to evaluate the Indexing Service using the Indexing Service snap-in. 5. Review the directories being indexed, ensuring only web content folders are being indexed. NOTE: If unsure whether a directory is a web content folder, examine the Home Directory tab within the properties of the web site. This will indicate the path of the content for this web site. If the Indexing Service is running and directories other than web content directories are being indexed, this is a finding. |
Fix Text (F-32599r1_fix) |
---|
Ensure that only the web document directories are indexed. |
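
The decision in the Check Text above can be expressed as a small evaluator. This is an added example, not part of the STIG: the function names and the sample paths are constructed, and it assumes the reviewer has already collected the check box state, the service Startup Type, the indexed directories and the site's Home Directory path by hand.

```python
import ntpath  # Windows path rules, usable on any platform

def _norm(path):
    # Windows paths are case-insensitive: collapse "..", unify separators
    # and case, and drop any trailing backslash before comparing.
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def is_under(path, root):
    # True only if path is the root itself or a real descendant of it.
    # Comparing on a separator boundary keeps "wwwroot2" out of "wwwroot".
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")

def evaluate(index_checked, service_startup, indexed_dirs, content_roots):
    """Return (is_finding, offending_dirs) following the Check Text.

    service_startup: "Automatic", "Manual", "Disabled", or None when the
    Indexing Service is not installed (encoding assumed for this example).
    """
    # Step 3 NOTE: box unchecked, service absent or disabled => not a finding.
    if not index_checked:
        return False, []
    if service_startup is None or service_startup.lower() not in ("automatic", "manual"):
        return False, []
    # Step 5: every indexed directory must sit inside a web content folder.
    offending = [d for d in indexed_dirs
                 if not any(is_under(d, r) for r in content_roots)]
    return bool(offending), offending

# Constructed sample data, not taken from a real system.
SAMPLE_ROOTS = [r"C:\Inetpub\wwwroot"]
SAMPLE_INDEXED = [
    r"c:\inetpub\WWWROOT\docs",                   # inside the content root
    r"C:\Inetpub\wwwroot2",                       # sibling with a shared prefix
    r"C:\Inetpub\wwwroot\..\..\Windows\System32", # resolves outside the root
]

if __name__ == "__main__":
    finding, bad = evaluate(True, "Automatic", SAMPLE_INDEXED, SAMPLE_ROOTS)
    print("finding" if finding else "not a finding", bad)
```
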