STIGQter: STIG Summary: Microsoft IIS 10.0 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

Interactive scripts on the IIS 10.0 web server must have restrictive access controls.

DISA Rule

SV-218780r558649_rule

Vulnerability Number

V-218780

Group Title

SRG-APP-000141-WSR-000087

Rule Version

IIST-SI-000262

Severity

CAT II

CCI(s)

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

Fix Recommendation

Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, and .asp.

If the website does not utilize CGI, this finding is NA.

All interactive programs must have restrictive permissions.

Open the IIS 10.0 Manager.

Right-click the IIS 10.0 web server name and select "Explore".

Search for the listed script extensions.

Set the permissions to the CGI scripts as follows:

Administrators: FULL
Web Administrators: FULL
TrustedInstaller: FULL
ALL APPLICATION PACKAGES: Read
ALL RESTRICTED APPLICATION PACKAGES: Read
SYSTEM: FULL
ApplicationPoolId: READ
Custom Service Account: READ
Users: READ

Check Contents

Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, and .asp.

If the website does not utilize CGI, this finding is Not Applicable.

All interactive programs must have restrictive permissions.

Open the IIS 10.0 Manager.

Right-click the IIS 10.0 web site name and select "Explore".

Search for the listed script extensions.

Review the permissions to the CGI scripts and verify only the permissions listed, or more restrictive permissions are assigned.

Administrators: FULL
Web Administrators: FULL
TrustedInstaller: FULL
ALL APPLICATION PACKAGES: Read
ALL RESTRICTED APPLICATION PACKAGES: Read
SYSTEM: FULL
ApplicationPoolId: READ
Custom Service Account: READ
Users: READ

If the permissions are less restrictive than listed above, this is a finding.

Vulnerability Number

V-218780

Documentable

False

Rule Version

IIST-SI-000262

Severity Override Guidance

Determine whether scripts are used on the web server for the subject website. Common file extensions include, but are not limited to: .cgi, .pl, .vb, .class, .c, .php, and .asp.

If the website does not utilize CGI, this finding is Not Applicable.

All interactive programs must have restrictive permissions.

Open the IIS 10.0 Manager.

Right-click the IIS 10.0 web site name and select "Explore".

Search for the listed script extensions.

Review the permissions to the CGI scripts and verify only the permissions listed, or more restrictive permissions are assigned.

Administrators: FULL
Web Administrators: FULL
TrustedInstaller: FULL
ALL APPLICATION PACKAGES: Read
ALL RESTRICTED APPLICATION PACKAGES: Read
SYSTEM: FULL
ApplicationPoolId: READ
Custom Service Account: READ
Users: READ

If the permissions are less restrictive than listed above, this is a finding.

Check Content Reference

Target Key

4051

Interactive scripts on the IIS 10.0 web server must have restrictive access controls.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments