
The command shell options are not disabled.


Overview

Finding ID: V-13701
Version: WA000-WI110
Rule ID: SV-14311r1_rule
IA Controls:
Severity: High
Description
The command shell can be used to call arbitrary commands at the Web server from within an HTML page.
STIG: IIS 7.0 Server STIG
Date: 2019-03-22

Details

Check Text ( C-10952r1_chk )
Ensure the shell command is disabled. Check the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

For the following value:

SSIEnableCmdDirective REG_DWORD 0

If the value is not REG_DWORD = 0, this is a finding.

If the registry key does not exist for IIS 5 or IIS 6, this would not be a finding as it defaults to disabled. Previous versions of IIS should be marked as a finding if the key does not exist.

--------------------
Fix Text (F-13146r1_fix)
Ensure the shell command is disabled. Set the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

To the following value:

SSIEnableCmdDirective REG_DWORD 0
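
The check and fix above can be scripted. The following PowerShell is an added example, not part of the STIG text; the function name Test-SsiCmdDirective and its switches are hypothetical, and it assumes an elevated session on the IIS host. It checks both the value type and the data, and leaves the "value missing" decision to the reviewer because the check text makes it depend on the IIS version.

```powershell
# Added example: audits (and optionally remediates) SSIEnableCmdDirective.
# Function and parameter names are hypothetical, not from the STIG.
function Test-SsiCmdDirective {
    [CmdletBinding()]
    param(
        # How to treat an absent value: the check text treats it as a finding
        # or not depending on the IIS version, so the reviewer decides.
        [switch]$MissingIsFinding,
        # Apply the fix text (REG_DWORD 0) when a finding is detected.
        [switch]$Remediate
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
    $name = 'SSIEnableCmdDirective'
    $result = [ordered]@{
        Path = $path; Name = $name; Kind = $null; Value = $null
        Finding = $false; Reason = ''
    }

    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        $result.Finding = [bool]$MissingIsFinding
        $result.Reason  = 'Parameters key not present'
    }
    elseif ($key.GetValueNames() -notcontains $name) {
        $result.Finding = [bool]$MissingIsFinding
        $result.Reason  = 'Value not present'
    }
    else {
        $result.Kind  = $key.GetValueKind($name)
        $result.Value = $key.GetValue($name)
        # Type and data must both match: a REG_SZ "0" is still a finding.
        if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $result.Finding = $true; $result.Reason = 'Value is not REG_DWORD'
        }
        elseif ($result.Value -ne 0) {
            $result.Finding = $true; $result.Reason = 'Value is not 0'
        }
        else { $result.Reason = 'REG_DWORD 0' }
    }

    # Remediate only when the key exists; -Force replaces a wrong type or value.
    if ($result.Finding -and $Remediate -and $key) {
        New-ItemProperty -LiteralPath $path -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        $result.Reason += '; set to REG_DWORD 0'
    }
    [pscustomobject]$result
}

Test-SsiCmdDirective
```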