Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2267 | WA000-WI050 | SV-2267r1_rule | | High |
Description |
---|
IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to these file types can exploit a stack buffer overflow weakness in ism.dll, httpodbc.dll, and ssinc.dll. A widely available exploit exists which allows a malicious user to gain administrative access to Windows NT/Windows 2000 host servers. These mappings have been exploited by malicious users to gain privileged access to web servers. |
STIG | Date |
---|---|
IIS 7.0 Server STIG | 2019-03-22 |
Check Text ( C-2861r1_chk ) |
---|
From Internet Services Manager, select the web site to be examined; right-click it and select Properties; select the Home Directory tab. On this page, select the Configuration button, then the App Mappings tab. Check for the presence of the following mappings: .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .stm, .bat, .cmd. If these script mappings are mapped to the 404.dll, this satisfies the requirement. If any of the above listed mappings exist and are not mapped to the 404.dll, this is a finding. NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for the use of particular script mappings. If the site has this documentation, this should be marked as Not a Finding. |
Fix Text (F-2316r1_fix) |
---|
Remove unused and vulnerable script mappings in the web server configuration from a production web server. The following mappings need to be removed: .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. These can also be disabled by mapping these extensions to the 404.dll. The IIS Lockdown utility can be used to correct this problem. |
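Added example, not part of the STIG or of any DISA tool: a Python script that applies the check above to an exported IIS 7 configuration (the `<handlers>` section of applicationHost.config, which is where IIS 7 stores script mappings) instead of walking the GUI. The handler entries in the sample are constructed; a mapping for a listed extension passes only when its scriptProcessor is 404.dll, which is the criterion the check text states.

```python
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Extensions named in V-2267; a mapping for any of these must be absent or point at 404.dll.
VULNERABLE_EXTENSIONS = {
    ".htr", ".htw", ".ida", ".idc", ".idq", ".printer",
    ".shtml", ".shtm", ".stm", ".bat", ".cmd",
}

# Constructed sample (not taken from a real server): a handlers section as it might
# appear in applicationHost.config, with one vulnerable extension already routed to 404.dll.
SAMPLE_HANDLERS = """<system.webServer>
  <handlers accessPolicy="Read, Script">
    <add name="SSINC-shtml" path="*.shtml" verb="GET,POST" modules="ServerSideIncludeModule" resourceType="File" />
    <add name="ISAPI-htr" path="*.htr" verb="*" modules="IsapiModule" scriptProcessor="C:\\Windows\\system32\\inetsrv\\ism.dll" resourceType="File" />
    <add name="Blocked-ida" path="*.ida" verb="*" modules="IsapiModule" scriptProcessor="C:\\Windows\\system32\\inetsrv\\404.dll" resourceType="File" />
    <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule" resourceType="Either" requireAccess="Read" />
  </handlers>
</system.webServer>"""


def audit_handlers(config_xml: str) -> List[Dict[str, str]]:
    """Return one finding per mapping of a listed extension that is not routed to 404.dll.

    config_xml may be a bare <handlers> element or a larger applicationHost.config
    fragment; every <handlers> section found (including <location>-scoped overrides)
    is examined.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("handlers"):  # iter() also yields root itself
        for add in section.findall("add"):
            path = add.get("path", "")
            ext = os.path.splitext(path)[1].lower()  # "*.shtml" -> ".shtml", "*" -> ""
            if ext not in VULNERABLE_EXTENSIONS:
                continue
            processor = add.get("scriptProcessor", "")
            # Compare only the file name; Windows paths use backslashes, which os.path
            # does not split on a non-Windows host, so normalise them first.
            proc_name = processor.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if proc_name == "404.dll":
                continue  # mapped to 404.dll: satisfies the requirement
            findings.append({
                "name": add.get("name", ""),
                "path": path,
                # Module-based handlers (e.g. server-side includes) carry no
                # scriptProcessor, so report the module chain instead.
                "handler": processor or "module:" + add.get("modules", ""),
            })
    return findings


if __name__ == "__main__":
    for f in audit_handlers(SAMPLE_HANDLERS):
        print(f"FINDING: {f['name']} ({f['path']}) -> {f['handler']}")
```

The NOTE in the check text still applies: a flagged mapping covered by IAM/IAO documentation is reviewed manually and marked Not a Finding.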