IIS6 Server

  • Version/Release: V6R16
  • Published: 2015-06-01
  • Released: 2015-07-24

The web server service password(s) must be entrusted to the SA or Web Manager.
Medium - V-2232 - SV-38188r1_rule
  • Severity: Medium
  • Version: WG050 IIS6
  • Vuln IDs: V-2232
  • Rule IDs: SV-38188r1_rule
Normally, a service account is established for the web server. This is because a privileged account is not desirable and the server is designed to run for long uninterrupted periods of time. The SA or Web Manager will need password access to the web server to restart the service in the event of an emergency, as the web server is not to restart automatically after an unscheduled interruption. If the password is not entrusted to an SA or Web Manager, the ability to ensure the availability of the web server is compromised.
Responsibility: Web Administrator, Information Assurance Officer, System Administrator
IA Controls: IAAC-1
Checks: C-37623r1_chk

The reviewer should make a note of the name of the account being used for the web service. NOTE: There may also be other server services running related to the web server in support of a particular web application, these passwords must be entrusted to the SA or Web Manager as well. Query the SA or Web Manager to determine if they have the web service password(s). If the web services password(s) are not entrusted to the SA or Web Manager, this is a finding. NOTE: For IIS installations that use the LocalSystem account, the password is OS generated. In this case, the SA or Web Manager having an Admin account on the system would meet the intent of this check.

Fix: F-32865r1_fix

Ensure the SA or Web Manager is entrusted with the web service(s) password.

Public web server resources must not be shared with private assets.
Medium - V-2234 - SV-38175r1_rule
  • Severity: Medium
  • Version: WG040 IIS6
  • Vuln IDs: V-2234
  • Rule IDs: SV-38175r1_rule
It is important to segregate public web server resources from private resources located behind the DoD DMZ in order to protect private assets. When folders, drives or other resources are directly shared between the public web server and private servers, the intent of data and resource segregation can be compromised. Resources such as printers, files, and folders/directories must not be shared between public web servers and assets located within the internal network.
Responsibility: Web Administrator, System Administrator
IA Controls: EBPW-1
Checks: C-37557r1_chk

1. From a command prompt, type "net share" and press Enter to list the available shares (including printers).
2. To display the permissions assigned to a share, type "net share" followed by the share name found in the previous step.

If any private assets are assigned permissions to the share, this is a finding. If any printers are shared, this is a finding.

Fix: F-32803r1_fix

Configure the public web server to not have a trusted relationship with any system resource that is not accessible to the public.
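The following PowerShell script is an added example and is not part of the STIG. It performs the two "net share" steps of this check in one pass through WMI, so printer shares and share-level permissions are listed together; the share type constants are those of Win32_Share, and the decision of which trustees are "private assets" is still left to the reviewer.

```powershell
# Added example, not STIG text: the WMI equivalent of the two 'net share'
# steps in V-2234, covering every share in one pass. Win32_Share.Type is
# 0 = disk, 1 = print queue, 2 = device, 3 = IPC, with 0x80000000 set on
# the built-in administrative shares (C$, ADMIN$, IPC$).

function Get-ShareReport {
    $report = @()
    foreach ($share in Get-WmiObject -Class Win32_Share) {
        $type  = [int64]$share.Type
        $entry = New-Object PSObject -Property @{
            Name     = $share.Name
            Path     = $share.Path
            Printer  = (($type -band 0x7FFFFFFF) -eq 1)
            Admin    = (($type -band 0x80000000) -ne 0)
            Trustees = @()
        }
        # Share-level DACL; this is separate from the NTFS ACL of the folder behind it.
        $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        if ($sec) {
            $sd = $sec.GetSecurityDescriptor()
            if ($sd.ReturnValue -eq 0 -and $sd.Descriptor.DACL) {
                $entry.Trustees = @($sd.Descriptor.DACL | ForEach-Object {
                    # Win32_ACE: AceType 0 = access allowed, 1 = access denied
                    $kind = if ($_.AceType -eq 1) { 'Deny' } else { 'Allow' }
                    "$kind $($_.Trustee.Domain)\$($_.Trustee.Name) mask 0x$('{0:X8}' -f $_.AccessMask)"
                })
            }
        }
        $report += $entry
    }
    return $report
}

# Printer shares are always a finding; other shares need the trustee list
# reviewed against the site's list of private assets.
foreach ($s in Get-ShareReport) {
    $status = if ($s.Printer) { 'FINDING (printer shared)' }
              elseif ($s.Admin) { 'ADMIN SHARE' }
              else { 'REVIEW' }
    Write-Output ("{0,-26} {1} -> {2}" -f $status, $s.Name, $s.Path)
    $s.Trustees | ForEach-Object { Write-Output "    $_" }
}
```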

The service account ID used to run the web service must have its password changed at least annually.
Medium - V-2235 - SV-38189r1_rule
  • Severity: Medium
  • Version: WG060 IIS6
  • Vuln IDs: V-2235
  • Rule IDs: SV-38189r1_rule
Normally, a service account is established for the web service to run under rather than permitting it to run as system or root. The password on such accounts must be changed at least annually. It is a fundamental tenet of security that passwords are not to be null and not to be set to never expire.
Responsibility: Web Administrator, Information Assurance Officer, System Administrator
IA Controls: IAIA-1, IAIA-2
Checks: C-37627r1_chk

1. Go to Start > Administrative Tools > Services.
2. Right click on the service name World Wide Web Publishing Service > Select Properties > Select the Log On tab.
3. The username next to "This account" is the web service account ID.
4. Open a command prompt and enter "Net User [service account ID]" > Press Enter.
5. Verify the values for Password last set and Password expires to ensure the password has been changed in the past year and will be required to change within the coming year.

If the service account ID is not configured according to the guidelines in step 5, this is a finding.

NOTE: For IIS installations that are running as LocalSystem, the password is changed automatically by the OS every 7 days, so this should be marked as N/A.

Fix: F-32869r1_fix

Configure the service account ID used to run the web site to have its password changed at least annually.
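The PowerShell script below is an added example, not STIG text. It automates steps 2 to 5 of the check for the World Wide Web Publishing Service (W3SVC), reading the log-on account from WMI and the password age and "never expires" flag from the ADSI WinNT provider; it assumes the account is recorded as LocalSystem, ".\name" or "DOMAIN\name".

```powershell
# Added example, not STIG text: automates the V-2235 check for the W3SVC
# log-on account. Assumes the account is given as 'LocalSystem', '.\name'
# or 'DOMAIN\name' (a UPN such as name@domain would need converting first).

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='W3SVC'"
if ($null -eq $svc) { throw "World Wide Web Publishing Service (W3SVC) not found" }

$logon = $svc.StartName
if ($logon -eq 'LocalSystem') {
    # The OS rotates the LocalSystem password itself; the STIG marks this N/A.
    Write-Output "W3SVC runs as LocalSystem: V-2235 is not applicable"
    return
}

# Split 'DOMAIN\name' or '.\name' into the authority and the bare account name.
$parts   = $logon -split '\\', 2
$account = $parts[-1]
$domain  = if ($parts.Count -eq 2 -and $parts[0] -ne '.') { $parts[0] } else { $env:COMPUTERNAME }

$user = [ADSI]"WinNT://$domain/$account,user"

# PasswordAge is the number of seconds since the password was last set.
$ageDays = [math]::Floor([int64]$user.PasswordAge.Value / 86400)
$lastSet = (Get-Date).AddDays(-$ageDays).ToString('yyyy-MM-dd')

# UserFlags bit 0x10000 is ADS_UF_DONT_EXPIRE_PASSWD ('Password never expires').
$neverExpires = ([int]$user.UserFlags.Value -band 0x10000) -ne 0

$findings = @()
if ($ageDays -gt 365) { $findings += "password last set about $lastSet ($ageDays days ago, more than a year)" }
if ($neverExpires)    { $findings += "account is set to 'Password never expires', so no change will be required" }

Write-Output "W3SVC runs as $logon"
if ($findings.Count -eq 0) {
    Write-Output "Not a finding: password changed $lastSet and expiry is enforced"
} else {
    $findings | ForEach-Object { Write-Output "FINDING (V-2235): $_" }
}
```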

A compiler must not be installed on a production web server.
Medium - V-2236 - SV-38190r1_rule
  • Severity: Medium
  • Version: WG080 IIS6
  • Vuln IDs: V-2236
  • Rule IDs: SV-38190r1_rule
The presence of a compiler on a production server facilitates the malicious user’s task of creating custom versions of programs and installing Trojan Horses or viruses.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-37633r1_chk

Using Windows Explorer, search the system for the existence of known compilers such as msc.exe, msvc.exe, Python.exe, javac.exe, Lcc-win32.exe, or equivalent. If a compiler is found on the production server, this is a finding. NOTE: This check does not prohibit the use of the .Net Framework. This does not prohibit the use of the java compiler for Oracle. NOTE: ColdFusion would not be considered a compiler as long as the site is not using the tools for development work.

Fix: F-32874r1_fix

Remove any compiler programs found on the production web server.

A public web server, if hosted on the NIPRNet, must be isolated in an accredited DoD DMZ Extension.
Medium - V-2242 - SV-38169r2_rule
  • Severity: Medium
  • Version: WA060 IIS6
  • Vuln IDs: V-2242
  • Rule IDs: SV-38169r2_rule
To minimize exposure of private assets to unnecessary risk by attackers, public web servers must be isolated from internal systems. Public web servers are by nature more vulnerable to attack from publicly based sources, such as the public Internet. Once compromised, a public web server might be used as a base for further attack on private resources, unless additional layers of protection are implemented. Public web servers must be located in a DoD DMZ Extension, if hosted on the NIPRNet, with carefully controlled access. Failure to isolate resources in this way increases the risk that private assets are exposed to attacks from public sources.
Responsibility: Information Assurance Officer, System Administrator
IA Controls: EBPW-1, ECIC-1
Checks: C-37550r3_chk

Interview the SA or web administrator to see where the public web server is logically located in the data center. Review the site’s network diagram to see how the web server is connected to the LAN. Visually check the web server hardware connections to see if it conforms to the site’s network diagram. An improperly located public web server is a potential threat to the entire network. If the web server is not isolated in an accredited DoD DMZ Extension, this is a finding.

Fix: F-32796r2_fix

Logically relocate the public web server to be isolated from internal systems. In addition, ensure the public web server does not have trusted connections with assets outside the confines of the demilitarized zone (DMZ) other than application and/or database servers that are a part of the same system as the web server.

A private web server must be located on a separate controlled access subnet.
Medium - V-2243 - SV-38170r1_rule
  • Severity: Medium
  • Version: WA070 IIS6
  • Vuln IDs: V-2243
  • Rule IDs: SV-38170r1_rule
Private web servers, which host sites serving controlled access data, must be protected from outside threats in addition to insider threats. Insider threat may be accidental or intentional but, in either case, can cause a disruption in service of the web server. To protect the private web server from these threats, it must be located on a separate controlled access subnet and must not be a part of the public DMZ that houses the public web servers. It also cannot be located inside the enclave as part of the local general population LAN.
Responsibility: Information Assurance Officer, System Administrator
IA Controls: EBPW-1
Checks: C-37551r1_chk

Perform a check of the site’s network diagram and a visual check of the web server. The private web server must be located on a separate controlled access subnet and not part of the public DMZ that houses the public web servers. In addition, the private web server needs to be isolated via a controlled access mechanism from the local general population LAN. If the web server is not located inside the premise router, switch, or firewall, and is not isolated via a controlled access mechanism from the general population LAN, this is a finding. NOTE: If there is a Network Reviewer available, they should be able to provide much of the information needed to validate this check.

Fix: F-32797r1_fix

Isolate the private web server from the public DMZ and separate it from the internal general population LAN. This separation must have access control in place to protect the web server from internal threats.

The web server must use a vendor-supported version of the web server software.
High - V-2246 - SV-38193r2_rule
  • Severity: High
  • Version: WG190 IIS6
  • Vuln IDs: V-2246
  • Rule IDs: SV-38193r2_rule
The web server software, IIS 6, is no longer supported by Microsoft for security updates and is not evaluated or updated for vulnerabilities, leaving it open to potential attack. Organizations must transition to a supported IIS release to ensure continued support.
Responsibility: Web Administrator, System Administrator
IA Controls: ECSC-1
Checks: C-37643r2_chk

Microsoft IIS 6 mainstream support ended 13 July 2010, and extended support ended 14 July 2015. If Microsoft IIS 6 is installed on a system, this is a finding.

Fix: F-32884r2_fix

Upgrade Microsoft IIS to a supported version.

Non-administrators must not be allowed access to the directory tree, the shell, or other operating system functions and utilities.
High - V-2247 - SV-38194r2_rule
  • Severity: High
  • Version: WG200 IIS6
  • Vuln IDs: V-2247
  • Rule IDs: SV-38194r2_rule
As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server. This is in addition to the anonymous web user account. The resources to which these accounts have access must also be closely monitored and controlled. Only the SA needs access to all the system’s capabilities, while the web administrator and associated staff require access and control of the web content and web server configuration files. The anonymous web user account must not have access to system resources as that account could then control the server.
Responsibility: Web Administrator, System Administrator
IA Controls: ECLP-1
Checks: C-37648r2_chk

Search all of the system’s hard drives for the command.com and cmd.exe files. The allowed permissions on these files are:
  • System (Full Control)
  • Administrators (Full Control)

Examine account access and any group membership access to these files. If any non-administrator account, group membership, or service ID has any access to any command.com or cmd.exe files and the access is documented as mission critical, this is not a finding.

Examine access to operating system configuration files, scripts, utilities, privileges, and functions. If any non-administrator account, group membership, or service ID has any access to any of these operating system components and the access is documented as mission critical, this is not a finding.

If any non-administrator account, group membership, or service ID has undocumented access to any listed file or operating system component, this is a finding.

NOTE: Examine the list of user accounts and determine the group affiliations for the user account in question. Verify with the SA, Web Manager or ISSO that the non-administrator accounts are mission essential. If they are mission essential, and this is documented locally, this would not be a finding.

NOTE: CREATOR OWNER would not be a finding if the CREATOR OWNER is an administrative account. If it is not, this is a finding.

Fix: F-32889r1_fix

Ensure non-administrators are not allowed access to the directory tree, the shell, or other operating system functions and utilities.

Access to web administration tools must be restricted to the Web Manager and the Web Manager’s designees.
Medium - V-2248 - SV-38326r2_rule
  • Severity: Medium
  • Version: WG220 IIS6
  • Vuln IDs: V-2248
  • Rule IDs: SV-38326r2_rule
The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators.
Responsibility: Web Administrator, System Administrator
IA Controls: ECCD-1, ECCD-2, ECLP-1
Checks: C-37716r1_chk

1. Open the Microsoft Management Console (MMC).
2. Expand the applicable policy > Windows Settings > Security Settings > Local Policies.
3. Click on User Rights Assignment.
4. Double click Allow log on locally.
5. Allow log on locally must be limited to accounts owned by the SA, Web Manager, or Web Manager designees.
6. Navigate to %systemroot%\system32\inetsrv\.
7. Right click inetmgr.exe and select Properties.
8. Select the Security tab.
9. The Internet Services Manager (i.e. inetmgr.exe) must be limited to accounts owned by the SA, Web Manager, or Web Manager’s designees.

If accounts other than the System, SA, Web Manager, or Web Manager designees have access to the web administration tool or equivalent, this is a finding.

Fix: F-32963r1_fix

Restrict access to the web administration tool to only the Web Manager and the Web Manager’s designees.

Programs and features not necessary for operations must be removed.
Low - V-2251 - SV-38191r2_rule
  • Severity: Low
  • Version: WG130 IIS6
  • Vuln IDs: V-2251
  • Rule IDs: SV-38191r2_rule
Just as running unneeded services and protocols increases the attack surface of the web server, running unneeded utilities and programs is also an added risk to the web server.
Responsibility: Web Administrator, System Administrator
IA Controls: ECSC-1
Checks: C-37637r3_chk

Query the Information Systems Security Officer (ISSO), SA, Web Manager, Webmaster, and/or developers to determine if the web server is configured with unnecessary software. Query the SA to determine if processes other than those supporting the web server are loaded and/or run on the web server. Examples of software that should not be on the web server are all web development tools, office suites (unless the web server is a private web development server), compilers, and utilities that are not part of the web server suite or the basic operating system.

1. Check the directory structure of the server and ensure additional, unintended or unneeded applications are not loaded on the system.
2. Select Start > Control Panel > Add or Remove Programs.
3. Check for programs and services such as:
  • Front Page (as evidenced by directories which begin with _vti)
  • MS Access
  • MS Excel
  • MS Money
  • MS Word
  • Third party text editors
  • Graphics editors

If, after review of the applications on the system, the SA cannot provide justification for the requirement of the identified software, this is a finding.

NOTE: If the site requires the use of a particular piece of software, the ISSO will need to maintain documentation identifying this software as necessary for operations, and the software will be maintained to meet any and all released security patches. In addition, if the software is unsupported, it is not acceptable for use. If this is the case, this should be marked as not a finding.

Fix: F-32878r1_fix

Install only web support software on the web server. When other processes are supported by the web server, ensure a risk assessment has been performed and documented. If a database server is installed on the same platform as the web server, it must be on a separate drive or partition. Remove all unnecessary applications and programs.

Administrative users and groups with access privilege to the web server must be documented.
Low - V-2257 - SV-38171r1_rule
  • Severity: Low
  • Version: WA120 IIS6
  • Vuln IDs: V-2257
  • Rule IDs: SV-38171r1_rule
There are typically several individuals and groups involved in running a production web site. In most cases, several types of users on a web server can be identified, such as SAs, Web Managers, Auditors, Authors, Developers, and the Clients. Nonetheless, only necessary user and administrative accounts will be allowed on the web server. Accounts will be restricted to those who are necessary to maintain web services and review the server’s operation and the OS. Owing to the sensitivity of web servers, a detailed record of these accounts must be maintained.
Responsibility: Web Administrator, Information Assurance Manager, System Administrator
IA Controls: ECPA-1
Checks: C-37552r1_chk

1. Using User Manager, User Manager for Domains, or Local Users and Groups, examine user accounts.
2. Determine if the local site’s documentation matches the accounts with access privileges on the server.

If documentation does not exist for users and/or groups with access privileges to the web server, this is a finding.

Fix: F-32798r1_fix

Document the administrative users and groups which have access rights to the web server in the web site SOP or an equivalent document.

Web server system files must conform to minimum file permission requirements.
Medium - V-2259 - SV-31321r1_rule
  • Severity: Medium
  • Version: WG300 IIS6
  • Vuln IDs: V-2259
  • Rule IDs: SV-31321r1_rule
This check verifies the key web server system configuration files are owned by the SA or Web Manager controlled account. These same files, which control the configuration of the web server and thus its behavior, must also be accessible by the account which runs the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.
Responsibility: Web Administrator, System Administrator
IA Controls: ECCD-1, ECCD-2, ECLP-1
Checks: C-29966r1_chk

IIS: The default server root is %system%\system32\inetsrv. The anonymous web users are IUSR_computername and IWAM_computername, which are created by default when IIS is installed. This account should be part of a group named Guests or WebUsers (IIS Lockdown creates the Web Applications and Web Anonymous Users groups) and have read and execute permissions only to web content directories. Other permissions are as follows:

  • \inetpub: Administrators (Full Control), System (Full Control), Authenticated Users (Read)
  • \inetpub\AdminScripts: Administrators (Full Control), System (Full Control)
  • \inetpub\ftproot: Administrators (Full Control), System (Full Control), Authenticated Users (Read), Web Anonymous Users (Deny Write), Web Applications (Deny Write), IIS_WPG (Deny Write)
  • \inetpub\ftproot\ftpfiles: Administrators (Full Control), System (Full Control), WebAdmins (Modify), Authenticated Users (Read), Web Anonymous Users (Read), Web Applications (Read), IIS_WPG (Read); IIS Permissions: Read and None
  • FTP Uploads (if required) \inetpub\ftproot\dropbox: Administrators (Full Control), WebAdmins or FTPAdmins (Read, Write, Delete), SpecifiedUsers (Write); IIS Permissions: Write and None
  • \inetpub\mailroot: Administrators (Full Control), System (Full Control), Authenticated Users (Read), Web Anonymous Users (Deny Write), Web Applications (Deny Write), IIS_WPG (Deny Write)
  • \inetpub\wwwroot: Administrators (Full Control), System (Full Control), Authenticated Users (Read), Web Anonymous Users (Deny Write), Web Applications (Deny Write), IIS_WPG (Deny Write)
  • \inetpub\wwwroot\docs: Administrators (Full Control), System (Full Control), WebAdmins (Modify), Authenticated Users (Read), Web Anonymous Users (Deny Write), Web Applications (Deny Write), IIS_WPG (Deny Write); IIS Permissions: Read and None
  • \inetpub\wwwroot\images: Administrators (Full Control), System (Full Control), WebAdmins (Modify), Authenticated Users (Read), Web Anonymous Users (Deny Write), Web Applications (Deny Write), IIS_WPG (Deny Write); IIS Permissions: Read and None
  • \inetpub\wwwroot\scripts: Administrators (Full Control), System (Full Control), WebAdmins (Modify), IIS_WPG (Traverse Folder/Execute), Web Anonymous Users (Traverse Folder/Execute), Web Applications (Traverse Folder/Execute); IIS Permissions: Script

NOTE: There may be additional application-specific content directories associated with this web server, and they should follow the same guidance as wwwroot and its sub-directories for permissions.

  • \WINNT\system32\inetsrv: Administrators (Full Control), System (Full Control), Users (Read & Execute)
  • \WINNT\system32\inetsrv\data: Administrators (Full Control), System (Full Control), Users (Read & Execute)
  • \WINNT\system32\inetsrv\ASP Compiled Templates: Administrators (Full Control), System (Full Control)
  • \WINNT\system32\inetsrv\History: Administrators (Full Control), System (Full Control)
  • \WINNT\system32\inetsrv\iisadmin: Administrators (Full Control), System (Full Control)
  • \WINNT\system32\inetsrv\iisadmpwd: Administrators (Full Control), System (Full Control)
  • \WINNT\system32\inetsrv\inetmgr.exe: Administrators (Full Control), System (Full Control), Web Admins (Read & Execute), Web Anonymous Users (Deny ALL), Web Applications (Deny ALL), IIS_WPG (Deny ALL)
  • \WINNT\system32\inetsrv\MetaBack: Administrators (Full Control), System (Full Control)
  • \WINNT\system32\inetsrv\urlscan: Administrators (Full Control), System (Full Control), LocalService (Read/Execute), NetworkService (Read/Execute)

FILE SPECIFIC PERMISSIONS

  • \WINNT\system32\inetsrv\*.exe, \WINNT\system32\inetsrv\*.bat, \WINNT\system32\inetsrv\oblt-log.log, \WINNT\system32\inetsrv\oblt-rep.log, \WINNT\system32\inetsrv\oblt-undo.log, \WINNT\system32\inetsrv\oblt-undone.log: Administrators (Full Control), System (Full Control), Users (Read & Execute), Web Anonymous Users (Deny ALL), Web Applications (Deny ALL), IIS_WPG (Deny ALL)
  • \WINNT\system32\inetsrv\metabase.bin, \WINNT\system32\inetsrv\metabase.xml, \WINNT\system32\inetsrv\MBSchema.xml, \WINNT\system32\inetsrv\MBSchema.bin.00000000h: Administrators (Full Control), System (Full Control)

If the file permissions do not meet the minimum file permissions listed above, this is a finding. More restrictive file permissions would not be a finding.

NOTE: If there is a "Windows\SysWOW64\Inetsrv" present on the system, this check applies to that directory as well.

NOTE: To check the file permissions, you will need to navigate the directories or files using a tool such as Windows Explorer, right click on the directory or file that you are reviewing, select Properties, then the Security tab. The permissions will then be displayed for your review. To check the IIS Permissions, you will need to use the Internet Services Manager, navigate to the web site you are reviewing, select Properties, select the Home Directory tab. From here you can review the assigned IIS

Fix: F-26831r1_fix

Set file permissions on the web server systems files to meet minimum file permissions requirements.

A public web server must limit e-mail to outbound only.
Medium - V-2261 - SV-38328r1_rule
  • Severity: Medium
  • Version: WG330 IIS6
  • Vuln IDs: V-2261
  • Rule IDs: SV-38328r1_rule
Incoming e-mails have been known to provide hackers with access to servers. Disabling the incoming mail service prevents this type of attack. Additionally, e-mail is a specialized application requiring the dedication of server resources. A production web server should only provide hosting services for web sites. Supporting mail services on a web server opens the server to the risk of abuse as an e-mail relay.
Responsibility: System Administrator
IA Controls: ECSC-1
Checks: C-37718r1_chk

1. Open the Services window > look for the Simple Mail Transfer Protocol (SMTP) service.
2. If the service is running, this is a finding.
3. Open Add/Remove Programs to see if any e-mail programs are installed.
4. Search the system to determine if other e-mail programs are running.

If there is an e-mail program installed and that program has been configured to accept inbound e-mail, this is a finding.

NOTE: If available, telnet to the server under review on port 25. If a response is received, this is a finding.

Fix: F-32965r1_fix

Disable the SMTP service. If other e-mail programs are running, remove them.

Wscript.exe and Cscript.exe must not be accessible by users other than the SA and Web Manager.
Medium - V-2264 - SV-38332r1_rule
  • Severity: Medium
  • Version: WG470 IIS6
  • Vuln IDs: V-2264
  • Rule IDs: SV-38332r1_rule
Windows Scripting Host (WSH) is installed under either a Typical or Custom installation option of a Microsoft Network Server. This technology permits the execution of powerful script files from the Windows NT command line. This technology is also classified as a Category I Mobile Code. If the access to these files is not tightly controlled, a malicious user could readily compromise the server by using a form to send input to these scripting engines. This is a web-related vulnerability that could exist on any NT / Win 2000 system regardless of the web server software being used on the platform.
Responsibility: System Administrator
IA Controls: ECCD-1, ECCD-2
Checks: C-37722r1_chk

1. Select Start > Search > Search for instances of Wscript.exe and Cscript.exe.
2. If found, navigate to these files > right click on them to view their properties.
3. Permissions should only exist for the System, the SA, and Web Manager (i.e. Full Control).
4. User accounts with access to these files that are unknown or unintended to the SA or Web Manager should be removed.

If these files have permissions for accounts other than the System, SA, or Web Manager, this is a finding.

Fix: F-32969r1_fix

Remove Wscript.exe and Cscript.exe files from the server, or restrict access to these files to the SA, the Web Administrator, and the system account.
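Several checks in this STIG (V-2247 for cmd.exe and command.com, V-2248 for inetmgr.exe, V-2259 for the inetsrv and inetpub trees, and V-2264 above for the script hosts) reduce to the same test: no Allow ACE may grant more than the listed minimum. The PowerShell below is an added example, not STIG text; it reads each ACL with Get-Acl and reports principals that are not on the allowed list or hold more rights than allowed. The allowed principals and rights are taken from the check texts; the local group names "Web Admins" and "Web Manager" are assumptions, as is the use of the default paths.

```powershell
# Added example, not STIG text: audits NTFS ACLs against the minimum
# permissions listed in V-2247, V-2248, V-2259 and V-2264. Group names
# 'Web Admins' and 'Web Manager' and the default install paths are assumed.

# Synchronize is granted implicitly with every standard right and is not a
# meaningful "extra" right, so it is masked out before comparing.
$ignoreBits = [int][System.Security.AccessControl.FileSystemRights]::Synchronize

function Test-MinimumAcl {
    param(
        [string]$Path,
        [hashtable]$Allowed   # principal name (without domain) -> maximum FileSystemRights
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return @("$Path : not present (verify whether the component is required)")
    }
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Deny entries only tighten access; the STIG accepts more restrictive ACLs.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $name    = ($ace.IdentityReference.Value -split '\\')[-1]   # 'NT AUTHORITY\SYSTEM' -> 'SYSTEM'
        $granted = [int]$ace.FileSystemRights -band (-bnot $ignoreBits)
        $key     = $Allowed.Keys | Where-Object { $_ -ieq $name } | Select-Object -First 1
        if (-not $key) {
            $findings += "$Path : unexpected principal '$($ace.IdentityReference)' ($($ace.FileSystemRights))"
            continue
        }
        $max = [int][System.Security.AccessControl.FileSystemRights]$Allowed[$key]
        if (($granted -band (-bnot $max)) -ne 0) {
            $findings += "$Path : '$name' granted $($ace.FileSystemRights), allowed at most $($Allowed[$key])"
        }
    }
    return $findings
}

$adminOnly = @{ 'Administrators' = 'FullControl'; 'SYSTEM' = 'FullControl' }
$inetsrv   = "$env:SystemRoot\system32\inetsrv"

$checks = @(
    # V-2247: command shells are for System and Administrators only
    @{ Path = "$env:SystemRoot\system32\cmd.exe";     Allowed = $adminOnly },
    @{ Path = "$env:SystemRoot\system32\command.com"; Allowed = $adminOnly },
    # V-2248 / V-2259: IIS manager binary, Web Admins get Read & Execute
    @{ Path = "$inetsrv\inetmgr.exe";   Allowed = $adminOnly + @{ 'Web Admins' = 'ReadAndExecute' } },
    # V-2259: metabase files and content root
    @{ Path = "$inetsrv\metabase.xml";  Allowed = $adminOnly },
    @{ Path = "$inetsrv\MBSchema.xml";  Allowed = $adminOnly },
    @{ Path = "$env:SystemDrive\inetpub\wwwroot"; Allowed = $adminOnly + @{ 'Authenticated Users' = 'Read' } },
    # V-2264: script hosts, SA (Administrators), System and the Web Manager group only
    @{ Path = "$env:SystemRoot\system32\wscript.exe"; Allowed = $adminOnly + @{ 'Web Manager' = 'FullControl' } },
    @{ Path = "$env:SystemRoot\system32\cscript.exe"; Allowed = $adminOnly + @{ 'Web Manager' = 'FullControl' } }
)

$allFindings = @(foreach ($c in $checks) { Test-MinimumAcl -Path $c.Path -Allowed $c.Allowed })
if ($allFindings.Count -eq 0) {
    Write-Output "No ACL deviations from the listed minimum permissions"
} else {
    $allFindings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Any ACE reported as an unexpected principal still needs the documentation review the checks call for (mission-critical access that is documented is not a finding).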

Monitoring software must include CGI type files or equivalent programs.
Medium - V-2271 - SV-38331r1_rule
  • Severity: Medium
  • Version: WG440 IIS6
  • Vuln IDs: V-2271
  • Rule IDs: SV-38331r1_rule
By their very nature, CGI type files permit the anonymous web user to interact with data and perhaps store data on the web server. In many cases, CGI scripts exercise system-level control over the server’s resources. These files make appealing targets for the malicious user. If these files can be modified or exploited, the web server can be compromised. CGI or equivalent files must be monitored by a security tool alerting the Web Admin of any unauthorized changes.
Responsibility: System Administrator
IA Controls: ECAT-1, ECAT-2, ECCD-1
Checks: C-37721r1_chk

Request to see the template file or configuration file of the software being used to accomplish this security task. The monitoring program should provide constant monitoring for these files and instantly alert the Web Admin of any unauthorized changes. Examples of CGI file extensions include, but are not limited to, cgi, asp, aspx, class, vb, php, pl, and c. If the monitoring product configuration does not monitor changes to CGI program files, this is a finding.

Fix: F-32968r1_fix

Configure the monitoring tool to include CGI type files or the equivalent programs directory.

Web server content and configuration files must be part of a routine backup program.
Low - V-6485 - SV-38172r2_rule
  • Severity: Low
  • Version: WA140 IIS6
  • Vuln IDs: V-6485
  • Rule IDs: SV-38172r2_rule
Backing up web server data and web server application software after upgrades or maintenance ensures that recovery can be accomplished up to the current version. It also provides a means to determine and recover from subsequent unauthorized changes to the software and data. A tested and verifiable backup strategy will be implemented for web server software as well as all web server data files. Backup and recovery procedures will be documented, and the Web Manager or SA for the specific application will be responsible for the design, test, and implementation of the procedures. The site will have a contingency processing plan/disaster recovery plan that includes web servers. The contingency plan will be periodically tested in accordance with DoDI 8500.2 requirements. The site will identify an off-site storage facility in accordance with DoDI 8500.2 requirements. Off-site backups will be updated on a regular basis and the frequency will be documented in the contingency plan.
Responsibility: Web Administrator, Information Assurance Officer, System Administrator
IA Controls: CODB-1, CODB-2, CODB-3
Checks: C-37554r2_chk

The reviewer should query the Information Systems Security Officer (ISSO), SA, Web Manager, Webmaster or developers as necessary to determine whether or not a tested and verifiable backup strategy has been implemented for web server software as well as all web server data files.

Proposed Questions:
  • Who maintains the backup and recovery procedures?
  • Do you have a copy of the backup and recovery procedures?
  • Where is the off-site backup location?
  • Is the contingency plan documented?
  • When was the last time the contingency plan was tested?
  • Are the test dates and results documented?

If there is not a backup and recovery process for the web server, this is a finding.

NOTE: Backup media containing sensitive data needs to be compliant with DoD Memorandum: "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media", dated 3 Jul 2007.

Fix: F-32800r1_fix

Document the backup procedures.

Anonymous access accounts must be restricted.
High - V-6537 - SV-29351r1_rule
  • Severity: High
  • Version: WG195 IIS6
  • Vuln IDs: V-6537
  • Rule IDs: SV-29351r1_rule
Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data that are stored on the web server need to be evaluated and a determination made concerning authorized access to information and programs on the server. In most cases, we can identify several types of users on a web server. These are system SAs, web administrators, auditors, authors, developers, and clients (web users, either anonymous or authenticated). Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, applications, and review the server operations.
Responsibility: Web Administrator, System Administrator
IA Controls: ECCD-1, ECCD-2, ECLP-1
Checks: C-37646r1_chk

The reviewer should review the privileges assigned to the "IUSR_Account". Any group the IUSR_Account is assigned to must not provide authenticated access to the external users. The use of another group created for anonymous access is the acceptable solution for group assignment.

1. Select Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users.
2. Double click the IUSR_Account > Select the "Member of:" tab.

If the IUSR_Account is assigned to any group other than a local anonymous group, this is a finding.

NOTE: Any associations with the authenticated users group or everyone group would not make this a finding.

NOTE: The group created for the anonymous account needs to be restricted to the web directories, and not have access to the entire system.

Fix: F-32887r1_fix

Remove the anonymous access account from all privileged accounts and all privileged groups.
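The PowerShell below is an added example, not STIG text. It performs the "Member of" step of this check without the GUI: the anonymous account name is read from the IIS 6 metabase (the W3SVC AnonymousUserName property via the IIS ADSI provider, falling back to the default IUSR_computername), and its direct local group memberships are enumerated through the WinNT provider. The names of the dedicated anonymous group and the Guests group allowed by V-2259 are assumptions.

```powershell
# Added example, not STIG text: lists the local group memberships of the IIS
# anonymous account for V-6537. The account name comes from the IIS 6 metabase
# via the IIS ADSI provider; the allowed group names below are assumptions.

$allowedGroups = @('Web Anonymous Users', 'Guests')   # assumed acceptable memberships

$anonAcct = $null
try {
    $w3svc    = [ADSI]'IIS://localhost/W3SVC'        # IIS 6 metabase node for the web service
    $anonAcct = [string]$w3svc.AnonymousUserName     # service-wide anonymous user
} catch { }
if (-not $anonAcct) { $anonAcct = "IUSR_$env:COMPUTERNAME" }  # IIS default name

# Bind to the local account and enumerate the groups it is a direct member of.
$user   = [ADSI]"WinNT://$env:COMPUTERNAME/$anonAcct,user"
$groups = @($user.Invoke('Groups') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

Write-Output "Anonymous account: $anonAcct"
Write-Output "Member of: $($groups -join ', ')"

# Well-known identities such as Authenticated Users or Everyone are not group
# memberships and never appear in Groups(); the STIG treats them as not a finding.
$unexpected = @($groups | Where-Object { $allowedGroups -notcontains $_ })

if ($unexpected.Count -gt 0) {
    $unexpected | ForEach-Object { Write-Output "FINDING (V-6537): $anonAcct is a member of '$_'" }
} else {
    Write-Output "Not a finding: membership is limited to the anonymous group"
}
```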

A web server must not be co-hosted with other services.
Medium - V-6577 - SV-38196r1_rule
  • Severity: Medium
  • Version: WG204 IIS6
  • Vuln IDs: V-6577
  • Rule IDs: SV-38196r1_rule
A detailed web server installation and configuration plan should be followed to provide standardization during the installation process. The installation and configuration plan should not support the co-hosting of multiple services such as Domain Name Service (DNS), e-mail, databases, search engines, indexing, or streaming media on the same server providing the web publishing service. Disallowed or restricted services in the context of this vulnerability apply to services not directly associated with the delivery of web content. An operating system that supports a web server will not provide other services (e.g., domain controller, e-mail server, database server, etc.). Only those services necessary to support the web server and its hosted sites are specifically allowed and may include, but are not limited to, operating system, logging, anti-virus, host intrusion detection, administrative maintenance, or network requirements. Any unnecessary services or protocols should be removed.
Responsibility: System Administrator
IA Controls: DCPA-1
Checks: C-37654r1_chk

Request a copy of and review the web server's installation and configuration plan. Ensure the server is in compliance with this plan. If the server is not in compliance with the plan, this is a finding.

Query the SA to ascertain if and where any additional services are installed. Confirm the additional service or application is not installed on the same partition as the operating system's root directory or the web document root. If it is, this is a finding.

Fix: F-32895r1_fix

Move or install additional services and applications to partitions that are not the operating system root or the web document root.

a
Web server and/or operating system information must be protected.
Low - V-6724 - SV-30051r1_rule
RMF Control
Severity
Low
CCI
Version
WG520 IIS6
Vuln IDs
  • V-6724
Rule IDs
  • SV-30051r1_rule
The headers of an HTTP response carry information in addition to the requested page. Unless suppressed, this can include the web server type and version, the operating system and version, and the ports associated with the web server. This gives a malicious user valuable reconnaissance data without the use of extensive tools.Web AdministratorSystem AdministratorECSC-1
Checks: C-11026r1_chk

Query the SA regarding the publishing of web server or operating system information. The SA should be able to show the web server is configured not to disclose the host operating system or server software in its responses. Using the registry editor, review the following value:

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader (REG_DWORD)

If the value is not set to 1, this is a finding.

Fix: F-13213r1_fix

Set the following registry value to 1:

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader (REG_DWORD)

HTTP.sys reads its Parameters values when the HTTP service starts, so restart the HTTP service (or reboot) for the change to take effect, then confirm with a request to the server that the "Server:" response header is no longer returned. This value suppresses only the Server header; the X-Powered-By custom header configured on a site's HTTP Headers tab and ASP.NET's X-AspNet-Version header are controlled separately.

b
The IIS Internet Printing Protocol must be disabled.
Medium - V-6754 - SV-38150r1_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI080 IIS6
Vuln IDs
  • V-6754
Rule IDs
  • SV-38150r1_rule
The use of Internet Printing Protocol (IPP) on an IIS web server allows clients to reach shared printers over HTTP. This privileged access could allow remote code execution by increasing the web server's attack surface. Additionally, IPP does not support SSL, adding to its risk posture.System AdministratorECSC-1
Checks: C-37520r1_chk

1. Open IIS Manager > expand the applicable server > select "Web Service Extensions".
2. In the right pane, the Internet Printing extension should be displayed.
3. If the Internet Printing extension is set to "Allowed", this is a finding.

Fix: F-32768r1_fix

Set the Internet Printing Extension to “Prohibited”.

c
Classified web servers must be afforded physical security commensurate with the classification of its content.
High - V-13591 - SV-38173r2_rule
RMF Control
Severity
High
CCI
Version
WA155 IIS6
Vuln IDs
  • V-13591
Rule IDs
  • SV-38173r2_rule
When data of a classified nature is migrated to a web server, fundamental principles applicable to the safeguarding of classified material must be followed. A classified web server needs to be afforded physical security commensurate with the classification of its content to ensure the protection of the data it houses.Information Assurance OfficerSystem AdministratorPECF-2
Checks: C-37555r3_chk

Interview the ISSO, the SA, the Web Administrator, or developers as necessary to determine if a classified web server is afforded physical security commensurate with the classification of its content (i.e., is located in a vault or a room approved for classified storage at the highest classification processed on that system). Ask what the classification of the web server is, and based on the classification, evaluate the location of the web server. Determine if it is approved for storage of that classification level. If there is a traditional reviewer available, work with them to address specific conditions or questions. If the web server is not appropriately physically protected based on its classification, this is a finding.

Fix: F-32801r1_fix

Relocate the web server to a location appropriate to classified devices.

b
The site software used with the web server must have all applicable security patches applied and documented.
Medium - V-13613 - SV-38174r2_rule
RMF Control
Severity
Medium
CCI
Version
WA230 IIS6
Vuln IDs
  • V-13613
Rule IDs
  • SV-38174r2_rule
The IAVM process does not address all patches that have been identified for the host operating system or, in this case, the web server software environment. Many vendors have subscription services available to notify users of known security threats. The site needs to be aware of these fixes and make determinations based on local policy and what software features are installed, if these patches need to be applied. In some cases, patches also apply to middleware and database systems. Maintaining the security of web servers requires frequent reviews of security notices. Many security notices mandate the installation of a software patch to overcome security vulnerabilities. SAs and ISSOs should regularly check the vendor support web site for patches and information related to the web server software. All applicable security patches will be applied to the operating system and to the web server software. Security patches are deemed applicable if the product is installed, even if it is not used or is disabled.Information Assurance OfficerECSC-1
Checks: C-37556r1_chk

Query the Web Administrator to determine if the site has a detailed process as part of its configuration management plan to stay compliant with all security-related patches.

Proposed questions:
How does the SA stay current with web server vendor patches?
How is the SA notified when a new security patch is issued by the vendor?
What is the process followed for applying patches to the web server (excluding IAVM)?

If the site is not in compliance with all applicable security patches, this is a finding.

Fix: F-32802r1_fix

Establish a detailed process as part of the configuration management plan to stay compliant with all web server security-related patches.

c
All web server documentation, sample code, example applications, and tutorials must be removed from a production web server.
High - V-13621 - SV-38330r1_rule
RMF Control
Severity
High
CCI
Version
WG385 IIS6
Vuln IDs
  • V-13621
Rule IDs
  • SV-38330r1_rule
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (e.g., compiled code, scripts, web-content, etc.). Delete all directories containing samples and any scripts used to execute the samples.Web AdministratorInformation Assurance OfficerSystem AdministratorECSC-1
Checks: C-37720r1_chk

Query the SA to determine if all directories that contain samples, and any scripts used to execute the samples, have been removed from the server. Each web server has its own list of sample files and folders, and these may change with the software version and features utilized on the web server. The following are examples of what to look for and should not be considered the definitive list of sample files and folders.

If present, remove the following directories:
%systemdrive%\inetpub\AdminScripts
%systemdrive%\inetpub\scripts\IISSamples

If present, remove the following virtual directories:
http://localhost/iissamples
http://localhost/IISHelp

If any sample files or folders are found on the web server, this is a finding.

NOTE: The presence of the AdminScripts directory is not a finding if its permissions are restricted to administrators and Web Admins.

Fix: F-32967r1_fix

Remove sample code and documentation from the web server.

c
The IISADMPWD directory must be removed from the Web server.
High - V-13698 - SV-38148r1_rule
RMF Control
Severity
High
CCI
Version
WA000-WI035 IIS6
Vuln IDs
  • V-13698
Rule IDs
  • SV-38148r1_rule
The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of userid and passwords is a far less secure solution for controlling user access to web applications than a PKI solution with subscriber certificates. The capability to be able to change passwords externally gives potential intruders an easier mechanism to access the system in an effort to compromise user IDs and passwords.Web AdministratorECSC-1
Checks: C-37517r1_chk

1. Select Start > Run.
2. Enter %systemroot%\system32\inetsrv into the Run dialog box and press OK.
3. Look for the presence of the iisadmpwd directory.
4. If the directory is present and is capable of being removed, this is a finding.

NOTE: If the iisadmpwd directory does not exist, this is NOT a finding and the check procedure can stop here.

NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The workaround is to ensure the virtual directory is removed from all web sites associated with the server and to restrict access to this directory and its files to the system and administrators.

5. If the iisadmpwd directory exists on the server due to a technical inability to delete it, review the permissions on this directory and its files. The permissions should be as follows:
Administrators - Full Control
System - Full Control
6. If any other user or group has permissions to this directory, this is a finding.
7. If the permissions are set correctly, use IIS Manager and review the web sites to see if there is a virtual directory associated with any of the sites pointing to the iisadmpwd directory. A virtual directory will be a child of a web site.
8. If any of these directories point to the iisadmpwd directory, this is a finding, even if the permissions are set correctly.

NOTE: There is a possibility the automated check will result in a false positive. This could occur if the Administrators group has been renamed. If the account causing the finding is a member of the Administrators group, this is not a finding.

Fix: F-32766r1_fix

If possible, ensure the iisadmpwd directory has been removed from the web server. There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it; if removal is not possible, ensure the virtual directory is removed from all web sites associated with the server and restrict access to this directory and its files to the system and administrators.

NOTE: The .dll in the IISADMPWD folder may be deletable by booting into safe mode and deleting it. This will not work for the folder.

If the IISADMPWD directory cannot be deleted, set the permissions as follows:
Administrators - Full Control
System - Full Control
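The following PowerShell script, added here as an example and not part of the STIG, scripts the on-disk and virtual-directory parts of this check and of WG385 above (sample files and folders). It assumes PowerShell 2.0, an elevated prompt, and the IIS 6 WMI provider (root\MicrosoftIISv2); the sample paths and virtual directory names are the ones the STIG lists and should be extended for the local build.

```powershell
# Added example (not STIG text): audit an IIS 6 host for the sample content
# named in WG385 and for the IISADMPWD directory (WA000-WI035).
# Assumes PowerShell 2.0, an elevated prompt and the IIS WMI provider.

$sampleDirs = @(                                   # physical paths from the WG385 check text
    "$env:SystemDrive\inetpub\AdminScripts",
    "$env:SystemDrive\inetpub\scripts\IISSamples"
)
$sampleVdirs = @('iissamples', 'IISHelp')          # virtual directory names from the check text
$admpwdDir   = "$env:SystemRoot\system32\inetsrv\iisadmpwd"

# Only SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) may hold permissions
# on iisadmpwd when it cannot be deleted. Comparing SIDs rather than names
# keeps the check valid when the Administrators group has been renamed.
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')

$findings = @()
function Add-Finding([string]$check, [string]$detail) {
    $script:findings += New-Object PSObject -Property @{ Check = $check; Detail = $detail }
}

# 1. Sample directories on disk. AdminScripts is reported for review because
#    the check tolerates it only when its ACL is limited to administrators.
foreach ($d in $sampleDirs) {
    if (Test-Path -LiteralPath $d) { Add-Finding 'WG385' "sample directory present: $d" }
}

# 2. Every virtual directory on every site, read from the metabase via WMI.
#    Name looks like W3SVC/1/ROOT/iissamples; Path is the physical directory.
$vdirs = @(Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting)
foreach ($v in $vdirs) {
    $leaf = ($v.Name -split '/')[-1]
    if ($sampleVdirs -contains $leaf) {
        Add-Finding 'WG385' "virtual directory $($v.Name) -> $($v.Path)"
    }
    if ($v.Path -and ($v.Path.TrimEnd('\') -ieq $admpwdDir)) {
        Add-Finding 'WA000-WI035' "virtual directory $($v.Name) points at iisadmpwd (finding even if the ACL is correct)"
    }
}

# 3. iisadmpwd on disk: absent is the goal. If Windows File Protection keeps
#    restoring it, the directory and every file in it must grant access only
#    to SYSTEM and Administrators.
if (Test-Path -LiteralPath $admpwdDir) {
    $items = @(Get-Item -LiteralPath $admpwdDir) + @(Get-ChildItem -LiteralPath $admpwdDir -Recurse)
    $bad = 0
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -Path $item.FullName).Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($allowedSids -notcontains $sid) {
                $bad++
                Add-Finding 'WA000-WI035' "$($item.FullName) grants $($ace.FileSystemRights) to $($ace.IdentityReference.Value)"
            }
        }
    }
    if ($bad -eq 0) {
        Add-Finding 'WA000-WI035' 'iisadmpwd still present; ACL limited to SYSTEM/Administrators (document the deletion failure)'
    }
}

if ($findings.Count -eq 0) { 'PASS: no sample content or iisadmpwd exposure found' }
else { $findings | Format-Table Check, Detail -AutoSize -Wrap }
```

The virtual-directory scan is the part most often missed by hand: a site that was cloned from a template can carry an iisadmpwd or iissamples mapping even after the physical folder was cleaned up, and the check counts that mapping as a finding on its own.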

b
The File System Object component, if not required, must be disabled.
Medium - V-13700 - SV-38151r2_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI100 IIS6
Vuln IDs
  • V-13700
Rule IDs
  • SV-38151r2_rule
Some COM components are not required for most applications and should be removed if possible. Most notably, consider disabling the File System Object component; however, this will also remove the Dictionary object. Be aware some programs may require components that are being disabled, so it is highly recommended this be tested completely before implementing on your production Web servers.Web AdministratorECSC-1
Checks: C-37521r4_chk

Query the SA or Web Manager to determine if the File System Object is required. If it is, the ISSO will need to document this requirement.

Check for the existence of the following registry keys. If either key exists, the FileSystemObject is registered and available to scripts:
HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}
HKEY_CLASSES_ROOT\Scripting.FileSystemObject

If the File System Object is registered and is not required for operations, this is a finding.

NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site is running an application that requires this object to be registered and has operational reasons for its use. If the ISSM/ISSO has approved this in writing, this should be marked as not a finding.

Fix: F-32769r1_fix

Unregister the File System Object with the following command, run from an elevated command prompt:

regsvr32 /u scrrun.dll

This unregisters the whole Scripting Runtime library (scrrun.dll), so the Dictionary object and any administrative scripts on the host that depend on it will stop working as well; test before applying the change to production.

c
The command shell options must be disabled.
High - V-13701 - SV-38159r1_rule
RMF Control
Severity
High
CCI
Version
WA000-WI110 IIS6
Vuln IDs
  • V-13701
Rule IDs
  • SV-38159r1_rule
Server-side include (SSI) files can use the #exec cmd directive to run arbitrary commands on the web server from within an HTML page. IIS 6 leaves this directive disabled unless SSIEnableCmdDirective is set to a nonzero value.Web AdministratorECSC-1
Checks: C-37540r1_chk

Check the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
for the value SSIEnableCmdDirective (REG_DWORD) set to 0.

If the value does not exist, or it is not a REG_DWORD set to 0, this is a finding.

Fix: F-32786r1_fix

Under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
set the value SSIEnableCmdDirective (REG_DWORD) to 0, creating it if it does not exist.

b
The AllowRestrictedChars registry key must be disabled.
Medium - V-13714 - SV-38160r1_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6080 IIS6
Vuln IDs
  • V-13714
Rule IDs
  • SV-38160r1_rule
In IIS 6, HTTP.sys is the kernel-mode driver that handles HTTP requests, and several registry values under its Parameters key control how it parses them. If AllowRestrictedChars is set to a nonzero value, HTTP.sys accepts hex-escaped characters in request URLs that decode to the U+0000 – U+001F and U+007F – U+009F ranges (control characters). Enabling this allows an attacker to hex-encode such characters in an attempt to bypass input validation routines.Web AdministratorECSC-1
Checks: C-37541r1_chk

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value AllowRestrictedChars is REG_DWORD 0.

If the value is not set to 0 or does not exist, this is a finding.

Fix: F-32787r1_fix

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value AllowRestrictedChars to REG_DWORD 0, adding the value if it does not exist.

b
The EnableNonUTF8 registry key must be disabled.
Medium - V-13715 - SV-38161r1_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6082 IIS6
Vuln IDs
  • V-13715
Rule IDs
  • SV-38161r1_rule
HTTP.sys is the kernel-mode driver that handles HTTP requests, and several registry values under its Parameters key control how it parses them. The EnableNonUTF8 value expands the character encodings the web server accepts: when it is nonzero, HTTP.sys accepts ANSI- and DBCS-encoded URLs in addition to UTF-8. Attackers can use these extra decoding paths to submit URL content crafted to evade validation or to trigger a buffer overflow in the code that processes it.Web AdministratorECSC-1
Checks: C-37542r1_chk

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value EnableNonUTF8 is REG_DWORD 0.

If the value is not set to 0 or does not exist, this is a finding.

Fix: F-32788r1_fix

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value EnableNonUTF8 to REG_DWORD 0, adding the value if it does not exist.

b
The FavorUTF8 registry key must be set properly.
Medium - V-13716 - SV-38162r1_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6084 IIS6
Vuln IDs
  • V-13716
Rule IDs
  • SV-38162r1_rule
HTTP.sys is the kernel-mode driver that handles HTTP requests, and several registry values under its Parameters key control how it parses them. The FavorUTF8 value causes URLs to be decoded as UTF-8 before any other encoding is tried. Overlong UTF-8 encoding forms have been used to bypass security validations in high-profile products, including Microsoft's IIS web server, so great care must be taken if validation is performed before conversion from UTF-8; it is generally much simpler to normalize overlong forms before any input validation is done. To maintain security in the case of invalid input there are two options: decode the UTF-8 before doing any input validation checks, or use a decoder that, on invalid input, returns either an error or text the application considers harmless. A further possibility is to avoid conversion out of UTF-8 altogether, but this relies on any other software the data is passed to handling the invalid data safely.Web AdministratorECSC-1
Checks: C-37543r1_chk

To verify this setting, use the registry editor and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. Ensure the value FavorUTF8 is REG_DWORD 1.

If the value is not set to 1, this is a finding.

NOTE: If check WA000-WI6082 (EnableNonUTF8) is correctly set to 0, this value is optional and its absence is not a finding.

Fix: F-32789r1_fix

Use the registry editor and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. Set the value FavorUTF8 to REG_DWORD 1, adding the value if it does not exist.

b
The MaxFieldLength registry entry must be set properly.
Medium - V-13717 - SV-38163r2_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6086 IIS6
Vuln IDs
  • V-13717
Rule IDs
  • SV-38163r2_rule
By default, the MaxFieldLength registry entry is not present. It sets the upper limit, in bytes, for each individual header in an HTTP request; it is typically configured together with the MaxRequestBytes entry, which bounds the request line plus all headers. Setting this value too high, when the application does not require it, may cause performance problems as well as Denial of Service issues for the web server.Web AdministratorECSC-1
Checks: C-37544r2_chk

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value MaxFieldLength is REG_DWORD 16384 (or less).

If the value is not set to 16384 (or less) or is missing, this is a finding.

NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Fix: F-32790r1_fix

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value MaxFieldLength to REG_DWORD 16384 (or less), adding the value if it does not exist.

b
The MaxRequestBytes registry entry must be set properly.
Medium - V-13718 - SV-38164r2_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6088 IIS6
Vuln IDs
  • V-13718
Rule IDs
  • SV-38164r2_rule
Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The MaxRequestBytes registry key determines the upper limit for the total size of the HTTP request line and headers. If this value is set too high, performance or Denial of Service conditions may appear.Web AdministratorECSC-1
Checks: C-37545r2_chk

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value MaxRequestBytes is REG_DWORD 16384 (or less).

If the value is not set to 16384 (or less) or is missing, this is a finding.

NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.

Fix: F-32791r1_fix

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value MaxRequestBytes to REG_DWORD 16384 (or less), adding the value if it does not exist.

b
The UrlSegmentMaxLength registry entry must be set properly.
Medium - V-13719 - SV-38165r1_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6090 IIS6
Vuln IDs
  • V-13719
Rule IDs
  • SV-38165r1_rule
Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The UrlSegmentMaxLength key sets the maximum number of characters in a URL path segment (the area between the slashes in the URL). Setting this value too large may cause performance or a Denial of Service condition on the web server.Web AdministratorECSC-1
Checks: C-37546r1_chk

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value UrlSegmentMaxLength is REG_DWORD 260 (or less).

If the value is not set to 260 (or less) or is missing, this is a finding.

Fix: F-32792r1_fix

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value UrlSegmentMaxLength to REG_DWORD 260 (or less), adding the value if it does not exist.

b
The PercentUAllowed registry entry must be set properly.
Medium - V-13720 - SV-38166r1_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6092 IIS6
Vuln IDs
  • V-13720
Rule IDs
  • SV-38166r1_rule
HTTP.sys is the kernel-mode driver that handles HTTP requests, and several registry values under its Parameters key control how it parses them. The PercentUAllowed value controls whether HTTP.sys accepts the non-standard %uNNNN form of Unicode escape in request URLs (a Unicode code point written out in ASCII). Allowing this notation gives an attacker an additional encoding with which to disguise characters and opens the web server to encoding attacks.Web AdministratorECSC-1
Checks: C-37547r1_chk

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value PercentUAllowed is REG_DWORD 0.

If the value is not set to 0 or is missing, this is a finding.

Fix: F-32793r1_fix

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value PercentUAllowed to REG_DWORD 0, adding the value if it does not exist.

b
The UriMaxUriBytes registry entry must be set properly.
Medium - V-13721 - SV-38167r1_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6094 IIS6
Vuln IDs
  • V-13721
Rule IDs
  • SV-38167r1_rule
HTTP.sys is the kernel-mode driver that handles HTTP requests, and several registry values under its Parameters key control its behavior. The UriMaxUriBytes value sets the size limit for entries in the kernel response cache. Setting this value too large may cause performance or Denial of Service conditions on the web server.Web AdministratorECSC-1
Checks: C-37548r1_chk

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value UriMaxUriBytes is REG_DWORD 262144 (or less).

If the value is not set to 262144 (or less) or is missing, this is a finding.

Fix: F-32794r1_fix

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value UriMaxUriBytes to REG_DWORD 262144 (or less), adding the value if it does not exist.

b
The UrlSegmentMaxCount registry entry must be set properly.
Medium - V-13722 - SV-38168r1_rule
RMF Control
Severity
Medium
CCI
Version
WA000-WI6096 IIS6
Vuln IDs
  • V-13722
Rule IDs
  • SV-38168r1_rule
Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The UrlSegmentMaxCount value determines the maximum number of URL path segments accepted by the server. It effectively limits the number of slashes that can be included by the user in a request URL. It is recommended to set fairly stringent limits on this value based on the depth of the web document root tree to protect the server from a file system traversal attack.Web AdministratorECSC-1
Checks: C-37549r1_chk

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Ensure the value UrlSegmentMaxCount is REG_DWORD 255 (or less).

If the value is not set to 255 (or less) or is missing, this is a finding.

Fix: F-32795r1_fix

1. Open the registry editor.
2. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
3. Set the value UrlSegmentMaxCount to REG_DWORD 255 (or less), adding the value if it does not exist.
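The registry checks in this STIG (WG520, WA000-WI100, WA000-WI110 and WA000-WI6080 through WA000-WI6096) are all "read one value, compare it to a limit" procedures, so one script can cover them. The following PowerShell script is added here as an example and is not part of the STIG; it assumes PowerShell 2.0 on the IIS 6 host and an elevated prompt, encodes the expected values exactly as the checks above state them, and honors the two documented exceptions (FavorUTF8 may be absent when EnableNonUTF8 is 0, and the size limits may be exceeded only with a written ISSM/ISSO exception, which it flags rather than passes).

```powershell
# Added example (not STIG text): audit the registry settings required by
# WG520, WA000-WI100, WA000-WI110 and WA000-WI6080 through WA000-WI6096.
# Assumes PowerShell 2.0 on the IIS 6 host and an elevated prompt.

$httpParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$w3svcParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$fsoKeys     = @(   # WA000-WI100: FileSystemObject is registered if either key exists
    'Registry::HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}',
    'Registry::HKEY_CLASSES_ROOT\Scripting.FileSystemObject'
)

# One row per value-based check. Rule 'Equals': value must match Expected.
# Rule 'AtMost': value must be present and no larger than Expected (the STIG
# allows a larger value only with a written ISSM/ISSO exception).
$policy = @(
    @{ Id='WG520';        Path=$httpParams;  Name='DisableServerHeader';   Rule='Equals'; Expected=1 },
    @{ Id='WA000-WI110';  Path=$w3svcParams; Name='SSIEnableCmdDirective'; Rule='Equals'; Expected=0 },
    @{ Id='WA000-WI6080'; Path=$httpParams;  Name='AllowRestrictedChars';  Rule='Equals'; Expected=0 },
    @{ Id='WA000-WI6082'; Path=$httpParams;  Name='EnableNonUTF8';         Rule='Equals'; Expected=0 },
    @{ Id='WA000-WI6084'; Path=$httpParams;  Name='FavorUTF8';             Rule='Equals'; Expected=1 },
    @{ Id='WA000-WI6086'; Path=$httpParams;  Name='MaxFieldLength';        Rule='AtMost'; Expected=16384 },
    @{ Id='WA000-WI6088'; Path=$httpParams;  Name='MaxRequestBytes';       Rule='AtMost'; Expected=16384 },
    @{ Id='WA000-WI6090'; Path=$httpParams;  Name='UrlSegmentMaxLength';   Rule='AtMost'; Expected=260 },
    @{ Id='WA000-WI6092'; Path=$httpParams;  Name='PercentUAllowed';       Rule='Equals'; Expected=0 },
    @{ Id='WA000-WI6094'; Path=$httpParams;  Name='UriMaxUriBytes';        Rule='AtMost'; Expected=262144 },
    @{ Id='WA000-WI6096'; Path=$httpParams;  Name='UrlSegmentMaxCount';    Rule='AtMost'; Expected=255 }
)

function Get-DwordValue([string]$path, [string]$name) {
    # Returns the DWORD value, $null if the key or value is missing, or the
    # string 'WRONGTYPE' if the value exists but is not REG_DWORD.
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if ($key -eq $null -or ($key.GetValueNames() -notcontains $name)) { return $null }
    if ($key.GetValueKind($name) -ne 'DWord') { return 'WRONGTYPE' }
    return [int]$key.GetValue($name)
}

$rows = @()
foreach ($p in $policy) {
    $actual = Get-DwordValue $p.Path $p.Name
    $status = 'Pass'
    # $null must be on the left: '0 -eq $null' is true in PowerShell.
    if ($null -eq $actual) {
        # FavorUTF8 may be omitted when EnableNonUTF8 is correctly 0 (NOTE in WA000-WI6084).
        if ($p.Name -eq 'FavorUTF8' -and (Get-DwordValue $httpParams 'EnableNonUTF8') -eq 0) {
            $status = 'Pass (absent; EnableNonUTF8=0)'
        } else { $status = 'FINDING: value missing' }
    } elseif ('WRONGTYPE' -eq $actual) {
        $status = 'FINDING: not REG_DWORD'
    } elseif ($p.Rule -eq 'Equals' -and $actual -ne $p.Expected) {
        $status = 'FINDING: wrong value'
    } elseif ($p.Rule -eq 'AtMost' -and $actual -gt $p.Expected) {
        $status = 'FINDING: above limit (needs documented exception)'
    }
    $rows += New-Object PSObject -Property @{ Id=$p.Id; Name=$p.Name; Expected=$p.Expected; Actual=$actual; Status=$status }
}

# WA000-WI100: presence of either key means the FileSystemObject is registered.
foreach ($k in $fsoKeys) {
    $present = Test-Path -LiteralPath $k
    $rows += New-Object PSObject -Property @{
        Id='WA000-WI100'; Name=($k -replace '^Registry::', ''); Expected='absent'
        Actual=$(if ($present) { 'registered' } else { 'absent' })
        Status=$(if ($present) { 'FINDING: registered (needs documented exception)' } else { 'Pass' })
    }
}

$rows | Format-Table Id, Name, Expected, Actual, Status -AutoSize -Wrap
```

Because HTTP.sys reads its Parameters values only when the HTTP service starts, run this audit after a restart of the HTTP service (or a reboot) when verifying a remediation; a value that looks correct in the registry is not yet in effect until then. Checking the value kind matters in practice: a REG_SZ "0" created by a hand-typed registry edit satisfies a visual inspection but is ignored by HTTP.sys.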