
The IUSR_machinename account has read access to the .inc files or their equivalent.


Overview

Finding ID: V-2268
Version: WA000-WI030
Rule ID: SV-2268r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Because .inc files may contain sensitive logic and can reveal details of the web server's architecture, the end user must not be able to retrieve and examine the code they contain. When server-side scripting is used this is normally not a problem: the script engine processes the file and returns only its output. Nonetheless, there are key files inherent to the process that can contain information central to the logic, server structure and configuration of the entire application.

.inc files are the include files for many .asp scripts. If the correct file name is guessed or derived, a browser request for the file returns its contents verbatim, so these files must be guarded from the anonymous web user. If a site has named its include files with the .asp extension, the files are processed as .asp, which by the nature of .asp prevents the source from being returned to the client. If the files are named with the .inc extension, or an equivalent, there is no such protection.

Java Server Pages (JSP), another technology the reviewer will encounter, is affected by the same issue, and the same principles apply to the include files used with JSP. In addition, the global.asa and global.asax files also need to be protected.
STIG: IIS 7.0 Site STIG
Date: 2019-03-22

Details

Check Text (C-2848r1_chk)
Using IIS Manager, navigate to the web site you are reviewing, right-click it and select Properties.

Go to the Home Directory tab, select the Configuration button, then the Mappings tab.

NOTE: These steps describe the IIS 6.0 Manager. In IIS 7.0 Manager the same information is in the site's Handler Mappings feature (open a mapping to see the executable it points to), and the anonymous account in use is shown under Authentication > Anonymous Authentication > Edit.

Review the following extensions to see if they are mapped to asp.dll:

.asa
.asax
.inc

If these extensions are mapped to asp.dll or aspnet_isapi.dll, this is not a finding and you can stop the check procedure here.

If they are not mapped, continue with the following procedure to determine whether these files are protected by file permissions.

Start >> Search >> Files and Folders >> search for instances of the following:

global.asa
global.asax
files with the .inc extension

If the files are part of the directories for the web site you are reviewing, locate each one and right-click it to view its Properties (Security tab).

NOTE: You can use IIS Manager to determine which directory is associated with the web site (IIS 6.0: Web Site properties, Home Directory tab; IIS 7.0: select the site, then Basic Settings, Physical path).

Read permissions must not exist for the:

IUSR_machinename account (the anonymous web user). On IIS 7.0 the default anonymous account is the built-in IUSR account; if Anonymous Authentication has been configured with a different account, check that account instead.

If the IUSR_machinename account (or the configured anonymous account) has read access to global.asa, global.asax or .inc files, and these extensions are not mapped to asp.dll or aspnet_isapi.dll (see the procedure above), this is a finding.
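The manual procedure above can be scripted. The following is an added example, not part of the STIG text or any DISA tooling; it assumes the WebAdministration module that ships with the IIS 7.x PowerShell provider and local administrator rights. The helper name Test-V2268, the default identity list and the acceptance of ASP.NET's managed forbidden handler as equivalent to an aspnet_isapi.dll mapping are this example's own choices; everything else follows the check text step for step.

```powershell
# Added example, not part of the STIG text: automate check C-2848r1_chk for one IIS 7.x site.
# Assumes the WebAdministration module (IIS 7.x PowerShell provider) and local admin rights.
# The function name, identity defaults and managed-handler acceptance are this example's own.
Import-Module WebAdministration

function Test-V2268 {
    param(
        [Parameter(Mandatory = $true)] [string] $SiteName,
        # Accounts whose Allow-Read ACEs count as a finding. IIS 7 uses the built-in IUSR
        # account by default; the STIG still names the legacy IUSR_machinename account.
        # IIS_IUSRS is included because IUSR is a member of it (an extension of the check).
        [string[]] $AnonymousIdentities = @('IUSR', "IUSR_$env:COMPUTERNAME", 'IIS_IUSRS')
    )
    $sitePath = "IIS:\Sites\$SiteName"

    # If Anonymous Authentication names an explicit user, that account is the one that matters;
    # an empty userName means the application pool identity is used for anonymous requests.
    $anonUser = (Get-WebConfigurationProperty -PSPath $sitePath `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'userName').Value
    if ($anonUser) { $AnonymousIdentities += ($anonUser -split '\\')[-1] }

    # Step 1: script mappings. In IIS 7.x Manager this is the Handler Mappings feature.
    # A managed forbidden handler (what ASP.NET registers for .asax in integrated mode) is
    # treated as equivalent to the aspnet_isapi.dll mapping the check text names.
    $handlers = Get-WebHandler -PSPath $sitePath
    $unmapped = foreach ($ext in '.asa', '.asax', '.inc') {
        $ok = $handlers | Where-Object {
            $_.Path -like "*$ext" -and (
                $_.ScriptProcessor -match '\\(asp|aspnet_isapi)\.dll$' -or
                $_.Type -like 'System.Web.HttpForbiddenHandler*')
        }
        if (-not $ok) { $ext }
    }
    if (-not $unmapped) {
        return New-Object PSObject -Property @{ Site = $SiteName; Finding = $false;
            Reason = 'all three extensions are mapped'; Files = @() }
    }

    # Step 2: locate the files under the site's physical path, only for unmapped extensions.
    $root = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $SiteName).PhysicalPath)
    $patterns = @()
    if ($unmapped -contains '.asa')  { $patterns += 'global.asa' }
    if ($unmapped -contains '.asax') { $patterns += 'global.asax' }
    if ($unmapped -contains '.inc')  { $patterns += '*.inc' }
    $files = Get-ChildItem -Path $root -Recurse -Include $patterns |
             Where-Object { -not $_.PSIsContainer }

    # Step 3: ACLs. ReadData (FILE_READ_DATA) is the right that lets the file be served.
    # Generic rights show up as raw bit masks in FileSystemRights, so GENERIC_READ and
    # GENERIC_ALL are folded into the mask as well.
    $readBits = [int64][System.Security.AccessControl.FileSystemRights]::ReadData -bor 0x80000000 -bor 0x10000000
    $hits = foreach ($f in $files) {
        foreach ($ace in (Get-Acl -Path $f.FullName).Access) {
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                $AnonymousIdentities -contains $name -and
                (([int64]$ace.FileSystemRights) -band $readBits) -ne 0) {
                New-Object PSObject -Property @{ File = $f.FullName; Identity = $ace.IdentityReference.Value;
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
    New-Object PSObject -Property @{
        Site    = $SiteName
        Finding = [bool]$hits
        Reason  = "unmapped: $($unmapped -join ', ')"
        Files   = @($hits)
    }
}

# Usage:
# Test-V2268 -SiteName 'Default Web Site' | Format-List
```

Finding is $true only when at least one unmapped extension has a file readable by one of the listed identities, which is exactly the condition the last paragraph of the check text states. Note that the check only asks about the anonymous account; an Allow-Read ACE for Users, Everyone or Authenticated Users would expose the same file and is worth a look even though this rule does not score it.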

--------------------
Fix Text (F-2317r1_fix)
The IUSR_machinename account will not have read access to the .inc files or their equivalent.
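Two ways to reach a state the check accepts, as an added example that is not part of the STIG text or any DISA tooling. It assumes the WebAdministration module, local administrator rights and, for the handler mappings, that the classic ASP role service is installed; the function names and handler names are this example's own. One caveat before running the second function: classic ASP opens include files under the impersonated request identity, which for anonymous requests is the anonymous account, so removing that account's read access breaks every .asp page that includes those files. Mapping the extensions to asp.dll, the first state the check accepts, is therefore the usual way to satisfy this rule.

```powershell
# Added example, not part of the STIG text: bring one IIS 7.x site into a state that
# check C-2848r1_chk accepts. Assumes the WebAdministration module and local admin rights;
# function and handler names are this example's own.
Import-Module WebAdministration

# Option A (preferred): map .asa and .inc to asp.dll so requests are processed server-side
# and the source is never returned. .asax is left alone because ASP.NET registers a
# forbidden handler for it whenever ASP.NET is installed. Requires the classic ASP role service.
function Set-V2268HandlerMappings {
    param([Parameter(Mandatory = $true)] [string] $SiteName)
    $sitePath = "IIS:\Sites\$SiteName"
    $aspDll   = "$env:windir\system32\inetsrv\asp.dll"
    foreach ($ext in '.asa', '.inc') {
        $name = "V2268-ASP-$($ext.TrimStart('.'))"
        if (Get-WebHandler -PSPath $sitePath -Name $name) { continue }   # already applied
        New-WebHandler -PSPath $sitePath -Name $name -Path "*$ext" -Verb 'GET,HEAD,POST' `
            -Modules IsapiModule -ScriptProcessor $aspDll -ResourceType File -RequiredAccess Script
    }
}

# Option B: the literal fix text. Remove the anonymous account's Allow ACEs from global.asa,
# global.asax and *.inc. Pages that include these files will stop working for anonymous
# users (see the note above the block); test before applying.
function Remove-V2268AnonymousRead {
    param(
        [Parameter(Mandatory = $true)] [string] $SiteName,
        [string[]] $Identities = @('IUSR', "IUSR_$env:COMPUTERNAME")
    )
    $root = [Environment]::ExpandEnvironmentVariables((Get-Website -Name $SiteName).PhysicalPath)
    $isTarget = { $Identities -contains (($_.IdentityReference.Value -split '\\')[-1]) -and
                  $_.AccessControlType -eq 'Allow' }
    Get-ChildItem -Path $root -Recurse -Include 'global.asa', 'global.asax', '*.inc' |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $path = $_.FullName
            $acl  = Get-Acl -Path $path
            $hits = @($acl.Access | Where-Object $isTarget)
            if ($hits.Count -eq 0) { return }
            if (@($hits | Where-Object { $_.IsInherited }).Count -gt 0) {
                # Inherited ACEs cannot be removed in place: break inheritance while keeping
                # copies of the inherited entries, apply that, then re-read the ACL.
                $acl.SetAccessRuleProtection($true, $true)
                Set-Acl -Path $path -AclObject $acl
                $acl = Get-Acl -Path $path
            }
            foreach ($ace in @($acl.Access | Where-Object $isTarget)) {
                [void]$acl.RemoveAccessRule($ace)
            }
            Set-Acl -Path $path -AclObject $acl
            $path   # emit each file whose ACL was changed
        }
}

# Usage:
# Set-V2268HandlerMappings -SiteName 'Default Web Site'
# Remove-V2268AnonymousRead -SiteName 'Default Web Site'
```

After either option, re-run the check (manually or with a script such as the audit example under Check Text) and request one of the files from a browser as an anonymous user: the server should return a 403 or 500 rather than the file's source.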