STIGQter STIGQter: STIG Summary: IIS 8.5 Server Security Technical Implementation Guide Version: 1 Release: 9 Benchmark Date: 25 Oct 2019: The IIS 8.5 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.

DISA Rule

SV-91407r1_rule

Vulnerability Number

V-76711

Group Title

SRG-APP-000141-WSR-000081

Rule Version

IISW-SV-000124

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Under IIS, double-click the “MIME Types” icon.

From the "Group by:" drop-down list, select "Content Type".

From the list of extensions under "Application", remove MIME types for OS shell program extensions, to include at a minimum, the following extensions:

.exe
.dll
.com
.bat
.csh

Under the "Actions" pane, click "Apply".

Check Contents

Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Under IIS, double-click the “MIME Types” icon.

From the "Group by:" drop-down list, select "Content Type".

From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions:

.exe
.dll
.com
.bat
.csh

If any OS shell MIME types are configured, this is a finding.

Vulnerability Number

V-76711

Documentable

False

Rule Version

IISW-SV-000124

Severity Override Guidance

Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Under IIS, double-click the “MIME Types” icon.

From the "Group by:" drop-down list, select "Content Type".

From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions:

.exe
.dll
.com
.bat
.csh

If any OS shell MIME types are configured, this is a finding.

Check Content Reference

M

Target Key

2793

Comments