URLScan is not being used on the web server


Overview

Finding ID: V-3330
Version: WA000-WI040
Rule ID: SV-3330r1_rule
IA Controls: (none listed)
Severity: Medium
Description
URL parameter manipulation is an increasingly effective means for malicious users to compromise a web-based service. URLScan is a tool that IIS administrators (Web Managers) may use to help secure the web server. When URLScan is installed, it screens all incoming HTTP requests to the server and filters them based on rules that the administrator has set. Even in its default configuration, this tool significantly improves the security of the server by helping to ensure that the server only responds to valid requests for service. The URLScan tool also produces a log file that records its configuration and every HTTP request that URLScan rejects. This log file contains entries for potentially harmful HTTP requests and thus provides an excellent means of focusing on malicious activity directed at the web server.
STIG: IIS 7.0 Server STIG
Date: 2019-03-22

Details

Check Text (C-2858r1_chk)
Start >> Settings >> Control Panel >> Administrative Tools >> Internet Services >>

Select web server to be examined; select Properties option by right clicking;

Select the WWW Service from the Master Properties pull-down, then click "Edit".

Select the ISAPI Filters tab.

Locate URLSCAN in the list. The name may be different, but you can click the Edit button to see the .dll that is in use. The URLScan .dll is urlscan.dll.

If the URLScan Tool is not installed in the ISAPI filters that are part of the web server, this is a finding.

NOTE: In some cases, if the URLScan .dll is not included in the ISAPI filters, it may appear to work, but only until the WWW service is restarted. This situation is also considered a finding.
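As an added example that is not part of the STIG text, the PowerShell below performs the same check against the ISAPI filter list that IIS 7.0 persists in applicationHost.config (the list the ISAPI Filters tab displays); the config path is the standard IIS 7.0 location, and the sample XML and its DLL path are constructed here.

```powershell
# Added example, not part of the STIG: decide V-3330 from the ISAPI filter list
# that IIS 7.0 persists in applicationHost.config. Reading the persisted file
# rather than running state also covers the NOTE above: a filter that works only
# until the WWW service restarts is absent from this file.

function Test-UrlScanFilter {
    param(
        [Parameter(Mandatory = $true)] [xml] $Config,
        [string] $FilterDll = 'urlscan.dll'
    )
    # system.webServer/isapiFilters holds one <filter name="" path="" .../> per filter.
    $filters = @($Config.configuration.'system.webServer'.isapiFilters.filter)

    # Match on the DLL file name, not the display name: the check warns that the
    # filter may be registered under a name other than URLSCAN.
    $match = $filters | Where-Object {
        $_.path -and ([IO.Path]::GetFileName($_.path) -ieq $FilterDll)
    } | Select-Object -First 1

    if (-not $match) {
        return New-Object PSObject -Property @{
            Status = 'Open'; Detail = "$FilterDll is not registered as an ISAPI filter" }
    }
    # enabled="false" means the DLL is listed but IIS will not load it, so nothing
    # screens requests; treat that as a finding as well.
    if ($match.enabled -and ($match.enabled -ieq 'false')) {
        return New-Object PSObject -Property @{
            Status = 'Open'; Detail = "$($match.name) is registered but disabled" }
    }
    New-Object PSObject -Property @{
        Status = 'NotAFinding'; Detail = "$($match.name) -> $($match.path)" }
}

# Constructed sample config (the install path is illustrative) for an offline run.
$sample = [xml] @"
<configuration>
  <system.webServer>
    <isapiFilters>
      <filter name="Request Screening" path="C:\inetpub\urlscan\urlscan.dll" enabled="true" />
    </isapiFilters>
  </system.webServer>
</configuration>
"@
Test-UrlScanFilter -Config $sample

# Live server: applicationHost.config at its standard IIS 7.0 location
# (run from an elevated prompt).
$live = [xml](Get-Content "$env:SystemRoot\System32\inetsrv\config\applicationHost.config")
Test-UrlScanFilter -Config $live
```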

--------------------
Fix Text (F-3353r1_fix)
Install URLScan or a comparable tool.