Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2271 | WG440 IIS7 | SV-32641r1_rule | ECAT-1 ECAT-2 ECCD-1 | Medium |
Description |
---|
By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the server’s resources. These files make appealing targets for the malicious user. If these files can be modified or exploited, the web server can be compromised. CGI or equivalent files must be monitored by a security tool alerting the web administrator of any unauthorized changes. |
STIG | Date |
---|---|
IIS 7.0 WEB SERVER STIG | 2014-01-09 |
Check Text ( C-32951r1_chk ) |
---|
Request to see the template file or configuration file of the software being used to accomplish this security task. The monitoring program should provide constant monitoring for these files, and instantly alert the web administrator of any unauthorized changes. Example CGI file extensions include, but are not limited to, .cgi, .asp, .aspx, .class, .vb, .php, .pl, and .c. If the monitoring product configuration does not monitor changes to CGI program files, this is a finding. |
Fix Text (F-26839r1_fix) |
---|
Configure the monitoring tool to include CGI type files or equivalent programs directory. |