STIGQter: STIG Summary: Microsoft IIS 10.0 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.

DISA Rule

SV-218779r558649_rule

Vulnerability Number

V-218779

Group Title

SRG-APP-000141-WSR-000087

Rule Version

IIST-SI-000261

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

All interactive programs must be placed in unique designated folders based on CGI or ASP script type.

Open the IIS 10.0 Manager.

Right-click the IIS 10.0 web server name and select "Explore".

Search for the listed script extensions.

Move each script type to its unique designated folder.

Set the permissions to the scripts folders as follows:

Administrators: FULL
TrustedInstaller: FULL
SYSTEM: FULL
ApplicationPoolId:READ
Custom Service Account: READ
Users: READ
ALL APPLICATION PACKAGES: READ

Check Contents

Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vbs, .class, .c, .php, and .asp.

All interactive programs must be placed in unique designated folders based on CGI or ASP script type. For modular and/or third-party applications, it is permissible to have script files in multiple folders.

Open the IIS 10.0 Manager.

Right-click the IIS 10.0 web site name and select "Explore".

Search for the listed script extensions. Each script type must be in its unique designated folder.

If scripts are not segregated from web content and in their own unique folders, this is a finding.

Vulnerability Number

V-218779

Documentable

False

Rule Version

IIST-SI-000261

Severity Override Guidance

Determine whether scripts are used on the web server for the target website. Common file extensions include, but are not limited to: .cgi, .pl, .vbs, .class, .c, .php, and .asp.

All interactive programs must be placed in unique designated folders based on CGI or ASP script type. For modular and/or third-party applications, it is permissible to have script files in multiple folders.

Open the IIS 10.0 Manager.

Right-click the IIS 10.0 web site name and select "Explore".

Search for the listed script extensions. Each script type must be in its unique designated folder.

If scripts are not segregated from web content and in their own unique folders, this is a finding.

Check Content Reference

M

Target Key

4051

Comments