Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3963 | WA000-WI070 IIS7 | SV-32379r1_rule | ECSC-1 | Low |
Description |
---|
The indexing service can be used to facilitate a search function for websites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only. |
STIG | Date |
---|---|
IIS 7.0 WEB SITE STIG | 2011-08-19 |
Check Text ( C-32769r1_chk ) |
---|
1. Start regedit. 2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\. 3. If this key exists, indexing is enabled; if the key does not exist, this check is N/A. 4. Review the Catalogs keys to determine if directories other than web document directories are being indexed. If so, this is a finding. |
Fix Text (F-29020r1_fix) |
---|
1. Run MMC. 2. Add the Indexing Service snap-in. 3. Edit the indexed directories to only include web document directories. |
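
The Check Text steps can be scripted; the following PowerShell is an added example, not part of the STIG. It assumes that each catalog key has a `Scopes` subkey whose value names are the indexed directories, and `$WebRoots` is a constructed sample list to be replaced with the server's actual web document directories.

```powershell
# Added example: list Indexing Service catalogs and flag indexed
# directories that are not under a web document directory.
# Assumption (not in the STIG text): indexed directories are the value
# names of the "Scopes" subkey beneath each catalog key.
$CatalogsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs'
$WebRoots    = @('C:\inetpub\wwwroot')   # constructed sample; set per server

function Test-UnderWebRoot {
    param([string]$Path, [string[]]$Roots)
    # Compare with trailing backslashes so C:\inetpub\wwwroot2 does not
    # match the root C:\inetpub\wwwroot.
    $candidate = $Path.TrimEnd('\') + '\'
    foreach ($r in $Roots) {
        $root = $r.TrimEnd('\') + '\'
        if ($candidate.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path -LiteralPath $CatalogsKey)) {
    # Step 3 of the check: no key means indexing is not enabled.
    Write-Output 'Catalogs key not present: check is N/A.'
    return
}

$findings = foreach ($catalog in Get-ChildItem -LiteralPath $CatalogsKey) {
    $scopes = $catalog.OpenSubKey('Scopes')      # read-only handle
    if ($null -eq $scopes) { continue }          # catalog with no scopes
    foreach ($dir in $scopes.GetValueNames()) {
        if (-not (Test-UnderWebRoot -Path $dir -Roots $WebRoots)) {
            [pscustomobject]@{
                Catalog          = $catalog.PSChildName
                IndexedDirectory = $dir
            }
        }
    }
    $scopes.Close()
}

if ($findings) {
    Write-Output 'Finding: directories other than web document directories are indexed.'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'Not a finding: all indexed directories are web document directories.'
}
```

The script only reads the registry; correcting a finding is still done through the Indexing Service snap-in as the Fix Text describes.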