
The web document (home) directory will be in a separate partition from the web server’s system files.


Overview

Finding ID: V-3333
Version: WG205
Rule ID: SV-3333r1_rule
IA Controls:
Severity: Medium
Description
Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. Obtaining such access is the goal of directory traversal and URL manipulation vulnerabilities, and facilitating it by misconfiguring the web document (home) directory is a serious error. In addition, placing the document root on the same drive as the system folder compounds attacks such as drive space exhaustion.
STIG: IIS 7.0 Server STIG
Date: 2019-03-22

Details

Check Text (C-29342r1_chk)
To view the DocumentRoot value, enter the following command:

    grep "DocumentRoot" /usr/local/apache2/conf/httpd.conf

Note the location following the DocumentRoot string; this is the path to the document root directory.

If the path is on the same partition as the web server system files or the OS root, this is a finding.
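The check above as a script, added here as an example that is not part of the STIG or the viewer: it reads DocumentRoot from an Apache-style httpd.conf (the config path, the sample config and the web server directory are assumptions, and a DocumentRoot relative to ServerRoot is not resolved) and compares the partition holding it with the OS root and the web server's own files using df -P.

```shell
#!/bin/sh
# Added example (not part of the STIG): automate the V-3333 check for an
# Apache-style httpd.conf. Paths and the sample config below are assumptions.

# Print the DocumentRoot path from a config file, stripping surrounding quotes.
# Uses the first uncommented DocumentRoot directive; relative paths are
# returned as written (not resolved against ServerRoot).
docroot_from_conf() {
    grep -E '^[[:space:]]*DocumentRoot[[:space:]]' "$1" \
        | head -n 1 \
        | sed -E 's/^[[:space:]]*DocumentRoot[[:space:]]+//; s/^"//; s/"[[:space:]]*$//'
}

# Print the filesystem (device) that holds a path, as reported by df -P.
fs_of() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Return 0 (true) when two paths live on the same partition.
same_partition() {
    [ "$(fs_of "$1")" = "$(fs_of "$2")" ]
}

# Evaluate the rule: prints "finding" (exit 1) when the document root shares a
# partition with the OS root (/) or with the web server's own files, "pass"
# (exit 0) otherwise, and exit 2 when DocumentRoot is missing or not a directory.
check_v3333() {
    conf="$1"; server_dir="$2"
    docroot=$(docroot_from_conf "$conf")
    if [ -z "$docroot" ] || [ ! -d "$docroot" ]; then
        echo "error: DocumentRoot missing or not a directory: '$docroot'" >&2
        return 2
    fi
    if same_partition "$docroot" / || same_partition "$docroot" "$server_dir"; then
        echo finding
        return 1
    fi
    echo pass
    return 0
}

# Constructed sample config for a stand-alone run (assumed paths).
demo_conf=$(mktemp)
printf '# DocumentRoot "/ignored"\nDocumentRoot "/var/www/htdocs"\n' > "$demo_conf"
echo "Parsed DocumentRoot: $(docroot_from_conf "$demo_conf")"
rm -f "$demo_conf"
```

Run it as check_v3333 /usr/local/apache2/conf/httpd.conf /usr/local/apache2 to evaluate a real host; a "finding" result means the document root must be moved to its own partition.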

Fix Text (F-26841r1_fix)
Move the web document (normally "htdocs") directory to a separate partition, other than the OS root partition and the web server’s system files.