UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The File System Object component, is not required and is not disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13700 WA000-WI100 SV-14310r1_rule Medium
Description
Some COM components are not required for most applications and should be removed if possible. Most notably, consider disabling the File System Object component; however, this will also remove the Dictionary object. Be aware that some programs may require components you are disabling, so it is highly recommended that this be tested completely before implementing on your production Web servers.
STIG Date
IIS 7.0 Server STIG 2019-03-22

Details

Check Text ( C-10951r1_chk )
Query the SA or Web Manager to determine if the File System Object is required. If it is, the IAO will need to document this requirement.

Check for the existence of the following registry keys. If either of the following keys exist, the FileSystemObject is enabled.

HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}

HKEY_CLASSES_ROOT\Scripting.FileSystemObject

If the File System Object is registered and is not required for operations, this is a finding.

NOTE: This vulnerability can be documented locally by the IAM/IAO if the site is running an application that requires this registration of this object if the site has operational reasons for the us of htis object and if the IAM/IAO has approved this change in writing, this should be marked as Not a Finding.

--------------------
Fix Text (F-13143r1_fix)
Unregister the File System Object using the following command:

regsvr32 scrrun.dll /u