IIS6 Site

U_IIS6_SITE_V6R13_STIG-Manual-xccdf.xml

Details

Version / Release: V6R13

Published: 2011-10-03

Updated At: 2018-09-23 02:53:57


Columns: Vuln ID | Rule Version | Severity | Title, followed by the Description, the responsible role, and the IA Controls. No CCI values are listed for this release.

SV-38048r1_rule | WG210 IIS6 | MEDIUM | Web content directories must not be anonymously shared.
Description: Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit the access and compromise the web content or cause web server performance problems.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

SV-28848r2_rule | WG410 IIS6 | MEDIUM | Interactive scripts must have proper access controls.
Description: CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and Javascript), each having its own unique file extension. The use of CGI scripts represents one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.
Responsibility: Web Administrator | IA Controls: ECLP-1

SV-38084r1_rule | WG420 IIS6 | LOW | Backup interactive scripts must be removed from the web site.
Description: Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today that search web servers for such files and are able to exploit the information contained in them.
Responsibility: System Administrator | IA Controls: ECSC-1

SV-29997r2_rule | WG110 IIS6 | MEDIUM | Web sites must limit the number of simultaneous requests.
Description: Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, which can facilitate a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive.
Responsibility: Web Administrator | IA Controls: DCBP-1, ECSC-1

SV-30002r2_rule | WG170 IIS6 | MEDIUM | Each readable web document directory must contain a default, home, index or equivalent file.
Description: The goal is to control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server's directory structure by locating directories with default pages. This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-30589r3_rule | WG230 IIS6 | HIGH | Web server/site administration must be performed over a secure path.
Description: Logging in to a web server via a telnet session or using HTTP or FTP to perform updates and maintenance is a major risk. In all such cases, userids and passwords are passed in plain text. A secure shell service or HTTPS needs to be installed and in use for these purposes. Another alternative is to administer the web server from the console, which implies physical access to the server.
Responsibility: System Administrator | IA Controls: EBRU-1

SV-38065r1_rule | WG240 IIS6 | MEDIUM | Logs of web server access and errors must be established and maintained.
Description: A major tool for exploring web site use, attempted use, unusual conditions, and problems is the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information.
Responsibility: System Administrator | IA Controls: ECAT-1, ECAT-2

SV-30017r2_rule | WG250 IIS6 | MEDIUM | Users other than the Auditors group must not have greater than read access to log files.
Description: A major tool for exploring web site use, attempted use, unusual conditions, and problems is the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information. To ensure the integrity of the log files and protect the SA and Web Manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.
Responsibility: System Administrator | IA Controls: ECTP-1

SV-38069r1_rule | WG260 IIS6 | MEDIUM | Only fully reviewed and tested web sites must exist on a production web server.
Description: In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files revealing business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security risk, which is totally avoidable.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-30020r2_rule | WG290 IIS6 | HIGH | The web client account access to the content and scripts directories must be limited to read and execute.
Description: Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.
Responsibility: System Administrator | IA Controls: ECLP-1

SV-38080r1_rule | WG350 IIS6 | MEDIUM | A private web server must have a valid server certificate.
Description: This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.
Responsibility: Web Administrator | IA Controls: IATS-1, IATS-2

SV-38118r1_rule | WG490 IIS6 | LOW | Java software installed on the web server must be limited to class files and the JAVA virtual machine.
Description: From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application's logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-16145r2_rule | WA000-WI050 IIS6 | HIGH | Unused and vulnerable script mappings in IIS 6 must be removed.
Description: IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to these file types can exploit a stack buffer overflow weakness in the ism.dll, httpodbc.dll, and ssinc.dll.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38009r1_rule | WA000-WI030 IIS6 | MEDIUM | The IUSR_machinename account must not have read access to the .inc files or their equivalent.
Description: Owing to the nature of .inc files, which may contain sensitive logic and potentially reveal sensitive information about the architecture of the web server, it is vital that the end user not be able to access and examine code that is included in .inc files. When server side scripting is the preferred method, this is normally not a problem. Nonetheless, there are key files inherent to the process, which can contain information key to the logic, server structure and configuration of the entire application. The include files for many .asp script files are .inc files. If the correct file name is guessed or derived, their contents will be displayed by a browser. The file must be guarded from the prying eyes of the anonymous web user. If the site has named its include files with the .asp extension, then the files will be processed as .asp files, which by the nature of .asp will prevent that code from being presented. If the files are named with the .inc extension, or equivalent, SAs do not have this advantage. Java Server Pages (JSP) is another example of a competing technology, which the reviewer will also encounter, that is impacted by this issue. The same principles outlined here will apply to include files used with Java Server Pages. In addition, there are some additional files that need to be protected, which include the global.asa and global.asax files.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38111r1_rule | WG430 IIS6 | MEDIUM | Anonymous FTP users must not have access to interactive scripts.
Description: The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories containing scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2

SV-38114r1_rule | WG460 IIS6 | MEDIUM | PERL scripts must use the TAINT option.
Description: PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be a practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. They are most readily compromised by a malicious user substituting input to a PERL script during a POST or a GET operation. Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-30041r2_rule | WG205 IIS6 | MEDIUM | The web document (home) directory must be on a separate partition from the web server's system files.
Description: Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by misconfiguring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.
Responsibility: System Administrator | IA Controls: DCPA-1

SV-38011r1_rule | WA000-WI070 IIS6 | LOW | Indexing Services must only index web content.
Description: The indexing service can be used to facilitate a search function for web sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.
Responsibility: System Administrator | IA Controls: ECSC-1

SV-30046r2_rule | WG140 IIS6 | MEDIUM | A private web site's authentication mechanism must use client certificates.
Description: A DoD private web site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web sites.
Responsibility: Web Administrator | IA Controls: IATS-1, IATS-2

SV-38016r1_rule | WA000-WI090 IIS6 | MEDIUM | Directory browsing must be disabled.
Description: This ensures the directory structure, filenames, and web publishing features are not accessible. Such information and the contents of files listed are normally readable by the anonymous web user, yet are not intended to be viewed as they often contain information relevant to the configuration and security of the web service. The Directory Browsing feature can be used to facilitate directory traversal and subsequent directory traversal exploits.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-40028r1_rule | WG235 IIS6 | HIGH | Web Administrators must secure encrypted connections for Document Root directory uploads.
Description: Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being transmitted. A secure shell service or HTTPS needs to be installed and in use for these purposes.
Responsibility: Web Administrator | IA Controls: EBRP-1, EBRU-1

SV-28653r2_rule | WG242 IIS6 | MEDIUM | Log file data must contain required data elements.
Description: The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment, causation, and the recovery of both affected components and data. They may be used to monitor accidental or intentional misuse of the IS and may be used by law enforcement for criminal prosecutions. The use of log files is a requirement within the DoD.
Responsibility: System Administrator | IA Controls: ECAR-1, ECAR-2, ECAR-3

SV-29398r2_rule | WG255 IIS6 | MEDIUM | Access to the web site log files must be restricted.
Description: A major tool for exploring web site use, attempted use, unusual conditions, and problems is the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.
Responsibility: System Administrator | IA Controls: ECCD-1, ECCD-2, ECTP-1

SV-28566r2_rule | WG342 IIS6 | MEDIUM | Public web servers must use TLS if authentication is required.
Description: TLS encryption is optional for a public web server. However, if authentication and encryption are used, then the use of TLS is required. Transactions encrypted with trusted certificates are necessary when the information being transferred is not intended to be accessed by all parties on the network. To the extent this standard applies, this check is valid for the SIPRNet also. FIPS 140-2 compliance includes:
- TLS v1.0 or greater must be enabled, and the use of SSL disabled
- Configuration of required cryptographic modules as specified by NIST CMVP
Responsibility: System Administrator | IA Controls: ECCT-1, ECCT-2

SV-38020r1_rule | WA000-WI092 IIS6 | HIGH | The IIS web site permissions "Write" or "Script Source" must not be selected.
Description: Web site permissions, including Read, Write, and Script Source Access, can be set within the IIS Administration tool. Configuration settings made at the Web Server level are inherited by all of the web sites on the server. Inheritance can be overridden by configuring the individual site or site element. These permissions control what users can access from the web site. If Read is selected, then the source of the pages can be read; if Write is selected, then pages can be written to or updated. If Script Source Access is checked, source code for scripts can be viewed. This option is not available if neither Read nor Write is selected. Allowing users access to the source of the web pages may provide the user with more information than they are authorized to see. This is especially an issue for the source code for scripts on the web server.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38136r1_rule | WA000-WI120 IIS6 | LOW | The Content Location header must not contain proprietary IP addresses.
Description: When IIS receives a GET request without a host header, the web server may reveal the IP address of the server in the content-location field or the location field in the TCP header. This information could provide an attacker with valuable information aiding in a successful attack against the web server. See Microsoft support article ID: 834141.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38137r1_rule | WA000-WI6010 IIS6 | MEDIUM | The web site must have a unique application pool.
Description: Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38134r1_rule | WA000-WI6020 IIS6 | MEDIUM | The Recycle Worker processes in minutes monitor must be set properly.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38132r1_rule | WA000-WI6022 IIS6 | MEDIUM | The maximum number of requests an application pool can process must be set.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38033r1_rule | WA000-WI6024 IIS6 | MEDIUM | The maximum virtual memory monitor must be enabled.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38130r1_rule | WA000-WI6026 IIS6 | MEDIUM | The maximum used memory monitor must be enabled.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38125r1_rule | WA000-WI6028 IIS6 | MEDIUM | The Shutdown worker processes Idle Timeout monitor must be enabled.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38123r1_rule | WA000-WI6030 IIS6 | MEDIUM | The Limit the kernel request queue monitor must be enabled.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38043r1_rule | WA000-WI6032 IIS6 | MEDIUM | The Enable pinging monitor must be enabled.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38044r1_rule | WA000-WI6034 IIS6 | MEDIUM | The Enable rapid-fail protection monitor must be enabled.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38045r1_rule | WA000-WI6036 IIS6 | MEDIUM | The Enable rapid-fail time period monitor must be enabled.
Description: A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows configuration of options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38046r1_rule | WA000-WI6040 IIS6 | HIGH | A unique non-privileged account must be used to run Worker Process Identities.
Description: The Worker Process Identity is the user defined to run an Application Pool. The IIS 6 worker processes, by default, run under the NetworkService account. Creating a custom identity for each Application Pool makes it easier to track issues occurring within each web site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-38047r1_rule | WA000-WI6098 IIS6 | MEDIUM | The MaxRequestEntityAllowed metabase value must be defined.
Description: IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequestEntityAllowed and MaxAllowedContentLength settings configured in the UrlScan tool. The MaxRequestEntityAllowed property specifies the maximum number of bytes allowed in the entity body of a request. If a Content-Length header is present and specifies an amount of data greater than the value of MaxRequestEntityAllowed, IIS sends a 403 error response.
Responsibility: Web Administrator | IA Controls: ECSC-1

SV-28797r2_rule | WG310 IIS6 | MEDIUM | A private web server must not respond to requests from public search engines.
Description: Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web site content. In turn, these search engines make the content they obtain and catalog available to any public web user. Such information in the public domain defeats the purpose of a Limited or Certificate-based web server, provides information to those not authorized access to the web site, and could provide clues of the site's architecture to malicious parties.
Responsibility: Web Administrator | IA Controls: ECLP-1

SV-28468r2_rule | WG340 IIS6 | MEDIUM | A private web server must utilize TLS v1.0 or greater.
Description: TLS encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring its confidentiality. If private information is not encrypted, it could be intercepted and easily read by an unauthorized party.
Responsibility: System Administrator | IA Controls: ECCT-1, ECCT-2, ECSC-1

SV-38071r1_rule | WG265 IIS6 | LOW | The required DoD banner page must be displayed to authenticated users accessing a DoD private web site.
Description: A consent banner will be in place to make prospective entrants aware that the web site they are about to enter is a DoD web site and their activity is subject to monitoring. The May 9, 2008 policy on "Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement" establishes interim policy on the use of DoD information systems (http://www.dtic.mil/whs/directives/corres/pdf/DTM-08-060.pdf). The banner is mandatory and deviations are not permitted except as authorized in writing by the Deputy Assistant Secretary of Defense for Information and Identity Assurance. The banner is required for web sites with security and access controls. If the web site does not require authentication / authorization for use, then the banner does not need to be present.
Responsibility: Web Administrator | IA Controls: ECWM-1

SV-14206r3_rule | WG355 IIS6 | MEDIUM | A private web site must utilize certificates from a trusted DoD CA.
Description: The use of a DoD PKI certificate ensures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.
Responsibility: System Administrator | IA Controls: IATS-1, IATS-2

SV-28796r2_rule | WG145 IIS6 | MEDIUM | The private web server must use an approved DoD certificate validation process.
Description: Without the use of a certificate validation process, the site is vulnerable to accepting expired or revoked certificates. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.
Responsibility: System Administrator | IA Controls: IATS-1, IATS-2