IIS6 Site
- Severity: M
- Version: WG210 IIS6
- Vuln ID: V-2226
- Rule ID: SV-38048r1_rule
Checks: C-37415r1_chk
1. Navigate to the %systemroot%\system32 directory.
2. Right click on the inetsrv directory > Select properties > Select the sharing tab.
3. If any selection other than "Do not share this folder" is selected, this is a finding.
4. Using the IIS Manager right click on the web site being reviewed > Select properties.
5. Select the Home Directory tab > Note the path to the web site's home directory.
6. Navigate to the parent directory of the directory noted above.
7. Right click on the directory noted above > Select properties > Select the sharing tab.
8. If any selection other than "Do not share this folder" is selected, this is a finding.
9. Select the Web Sharing tab.
10. Select the website being reviewed from the drop down menu.
11. If any entries other than "/" exist under the Aliases window, this is a finding.

NOTE: Administrative shares are not exempt from this requirement.

NOTE: In the case of a storage area network or file storage network, where partitions on the storage device are dedicated to front end / back end web services, the additional partitions will be mapped to the correct file storage network partition in the web server configuration. This can apply to both web content and web scripts.

NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the IAM/IAO; the shares are restricted to only allow administrators write access; the use of the shares does not bypass the site's approval process for posting new content to the web server; and developers are only permitted read access to these directories.
Fix: F-32651r1_fix
Remove the shares from the applicable directories.
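The share review in steps 1 to 8 can be done in one pass with WMI instead of visiting each Sharing tab. The following PowerShell is an added example, not part of the STIG; it assumes PowerShell is available on the IIS 6 host and takes the inetsrv directory plus the web site's home directory (the second path is a constructed placeholder) as the directories to protect. It reports a share when the share path is the protected directory itself or one of its parents, which is why administrative shares such as C$ show up as well.

```powershell
# Added example (not part of the STIG): list SMB shares that expose a protected
# web directory, either by sharing the directory itself or one of its parents.
# Administrative shares (C$, ADMIN$) are reported too, as WG210 does not exempt them.
function Get-WebDirectoryShares {
    param(
        [string[]]$ProtectedPaths = @(
            "$env:SystemRoot\system32\inetsrv",
            'D:\inetpub\wwwroot'      # constructed placeholder: the site's home directory
        )
    )
    $shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Path }   # IPC$ has no path
    foreach ($p in $ProtectedPaths) {
        $protected = $p.TrimEnd('\')
        foreach ($share in $shares) {
            $sharePath = $share.Path.TrimEnd('\')
            # a share covers the directory when it is the directory or an ancestor of it
            $covers = ($protected -ieq $sharePath) -or
                      $protected.StartsWith($sharePath + '\', [StringComparison]::OrdinalIgnoreCase)
            if ($covers) {
                New-Object PSObject -Property @{
                    Protected = $p
                    Share     = $share.Name
                    SharePath = $share.Path
                }
            }
        }
    }
}

# Usage: every row returned is a share to review against WG210.
Get-WebDirectoryShares | Format-Table Share, SharePath, Protected -AutoSize
```

The Web Sharing tab (steps 9 to 11) is IIS virtual directory configuration rather than an SMB share, so it is not covered by Win32_Share and still needs the manual step.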
- Severity: M
- Version: WG410 IIS6
- Vuln ID: V-2229
- Rule ID: SV-28848r2_rule
Checks: C-37457r1_chk
1. Query the SA to determine if CGI scripts are used on the server.
2. If CGI scripts are being used, ensure they are owned by system, the service account running the web service, the web author, and/or the SA.
3. If CGI scripts are owned by any accounts other than system, the service account running the web service, the web author, and/or the SA, this is a finding.
4. Ensure the anonymous web user account has Read or Read/Execute permissions to the CGI scripts.
5. If the anonymous web user account has CGI script permissions beyond Read or Read/Execute, this is a finding.
6. Using Microsoft Internet Information Services Manager > Right click on the web site to be examined.
7. Select the Properties option > Select the Home Directory tab.
8. In the Application settings section verify the Execute permissions states Scripts only.
9. If the Application settings section's Execute permissions states anything but Scripts only, this is a finding.
10. Select the Configuration button > Select the Options tab.
11. Verify the Enable parent paths check box is NOT checked.
12. If the Enable parent paths check box is checked, this is a finding.

NOTE: Verify these settings on virtual directories as well. The name of the tab for the virtual directories is "Virtual Directory". The configuration button may not be enabled if it is using the setting from the parent web site. If it is enabled, then validate the settings identified in the manual procedures.
Fix: F-32703r1_fix
1. Set the ownership of the CGI scripts to system, the service account running the web service, the web author, and/or the SA.
2. Set the CGI script permissions for the anonymous web user account to Read or Read/Execute.
3. Set the Application settings section's Execute permissions to Scripts only.
4. Uncheck the Enable parent paths check box.
- Severity: L
- Version: WG420 IIS6
- Vuln ID: V-2230
- Rule ID: SV-38084r1_rule
Checks: C-37458r1_chk
This check is limited to CGI/interactive content and not static HTML. Search for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or ‘copy of...’. If files with these extensions are found, this is a finding.
Fix: F-32704r1_fix
Remove the backup scripts from the web server.
- Severity: M
- Version: WG110 IIS6
- Vuln ID: V-2240
- Rule ID: SV-29997r2_rule
Checks: C-37410r1_chk
1. Open the Internet Information Services Manager.
2. Right click on the web site for review > Select properties > Select the performance tab.
3. Under web site connections ensure unlimited is NOT selected.

If unlimited is selected, this is a finding.
Fix: F-32646r1_fix
1. Open the Internet Information Services Manager.
2. Right click on the web site for review > Select properties > Select the performance tab.
3. Under web site connections select the Connections limited to radio button and enter the desired number of simultaneous connections.
- Severity: M
- Version: WG170 IIS6
- Vuln ID: V-2245
- Rule ID: SV-30002r2_rule
Checks: C-37413r1_chk
1. Open the Internet Information Services Manager.
2. Right click on the web site for review > Select properties > Select the Documents tab.
3. Ensure the check box Enable default content page is checked and one file name is present.
4. Navigate to the home directory and virtual directories for the site being reviewed and verify the presence of the file(s) named in step 3.

If the Enable default content page is not checked or at least one file name is not present, this is a finding. If the file does not exist, this is a finding.

NOTE: If the site has directory browsing disabled for the site or virtual directory, this would not be a finding if a default page does not exist.
Fix: F-32649r1_fix
Add a default document to the applicable directories or disable directory browsing.
- Severity: H
- Version: WG230 IIS6
- Vuln ID: V-2249
- Rule ID: SV-30589r3_rule
Checks: C-37416r1_chk
NOTE: Standalone member server administration could be accomplished securely via the MMC at the host console. It is recommended to limit any server administration to the local host using the MMC or the ISM. This would NOT be considered a finding.

NOTE: Server administration could be accomplished via the MMC in a domain environment. This is performed by creating a remote MMC session with the target computer. User authentication relies on the host domain environment. Only SAs or Web Administrators should have access to this resource. This would not be considered a finding.

If the site is using the IIS Remote Administration (HTML) Tool:

1. Open the Internet Information Services Manager.
2. Expand the Web Sites directory > Right click Administration > Select the Directory Security tab.
3. Under Secure communications ensure both Require Secure Communication and Require 128-bit encryption are selected.

If a site is using the IIS Remote Administration (HTML) Tool and these are not selected, this is a finding.

If using terminal services:

1. Open the Terminal Services Configuration application.
2. Select the Connections directory.
3. In the right hand pane double click on the desired connection.
4. Select the general tab.
5. Under the Security area ensure the Security Layer drop down is set to SSL and the Encryption level is set to FIPS Compliant.

If a site is using terminal services and the Security Layer drop down is not set to SSL or the Encryption level is not set to FIPS Compliant, this is a finding.

NOTE: If other forms of Windows compatible SSH are used (i.e., F-Secure SSH Tunnel, SecureCRT, NT sshd, and Tera Term with TTSSH) ensure they are using TLS.

If it is found that the web server or web site is administered via an insecure path, this is a finding.
Fix: F-32652r1_fix
Ensure the web server and web site administration is performed over a secure path.
- Severity: M
- Version: WG240 IIS6
- Vuln ID: V-2250
- Rule ID: SV-38065r1_rule
Checks: C-37429r1_chk
1. Open the Internet Information Services Manager.
2. Right click on the web site being reviewed > Select properties > Select the Web Site tab.
3. Ensure the Enable logging check box is checked.
4. Select the Home Directory Tab.
5. Ensure the Log visits check box is checked.

If either the Enable logging check box or the Log visits check box is not checked, this is a finding.
Fix: F-32669r1_fix
1. Open the Internet Information Services Manager.
2. Right click on the web site being reviewed > Select properties > Select the Web Site tab.
3. Check the Enable logging check box.
4. Select the Home Directory Tab.
5. Check the Log visits check box.
6. Select OK.
- Severity: M
- Version: WG250 IIS6
- Vuln ID: V-2252
- Rule ID: SV-30017r2_rule
Checks: C-29939r2_chk
1. Open the IIS Manager > Expand the Web Sites directory > Right click on the site being reviewed and select properties.
2. Select the Web Site tab > Click on the properties button beside the log format dropdown.
3. Note the log file path under Log file directory.
4. Navigate to this location.
5. Right click on the directories and files in this location > Select properties > Select the Security tab.
6. Ensure only the System, Administrators, and Auditors group have greater than Read permission.

If any users or groups, other than System, Administrators, or Auditors, have greater than read permission to the log directories and files, this is a finding.

NOTE: The Auditor group does not have to have the name Auditors, but the site will need to identify the group containing the auditors.
Fix: F-32675r1_fix
Ensure only the System, Administrators, and Auditors group has greater than read permission to the log files.
- Severity: M
- Version: WG260 IIS6
- Vuln ID: V-2254
- Rule ID: SV-38069r1_rule
Checks: C-37435r1_chk
The reviewer should query the IAO, SA, and Web Manager to find out if development web sites are being housed on production web servers.

Definition: A production web server is any web server connected to a production network, regardless of its role.

Proposed Questions:

- Do you have development sites on your production web server?
- What is your process to get development web sites / content posted to the production server?
- Do you use under construction notices on production web pages?

A manual check can be completed by navigating to the web site via a browser and confirming the information provided by the web staff.

If development web content is discovered on the production web server, this is a finding.
Fix: F-32679r1_fix
Ensure any pages in development are not installed on a production web server.
- Severity: H
- Version: WG290 IIS6
- Vuln ID: V-2258
- Rule ID: SV-30020r2_rule
Checks: C-29955r2_chk
1. Determine the web client account (anonymous account) for the web server.
2. Note the group memberships of this account found under the Member Of tab.
3. Open the IIS Manager > Right click on the web site for review > Select properties > Select the Home Directory tab.
4. Note the Local path entry, this will be used later.
5. Ensure the Script source access, Write, and Directory browsing check boxes are unchecked.
6. Repeat step 2 for all sub directories (including virtual directories) and files of the web site being reviewed (Directory and File tabs, respectively).
7. Note the Local path entry for the virtual directories.
8. Navigate to the local paths found in steps 4 & 7 via Windows Explorer, or equivalent, and verify the permissions assigned to the anonymous account (normally IUSR_computername).

If any of the web sites, their sub-directories (including virtual directories), or files have Script source access, Write, or Directory browsing enabled, this is a finding.

If the anonymous account is assigned greater than read & execute permissions to any of the local paths (including their content), this is a finding.

NOTE: If the Microsoft 'everyone' account has access to these directories, this is a finding.
Fix: F-32683r1_fix
Disable Script source access, Write, and Directory browsing permissions on the web site, its sub-directories (including virtual directories), and files. Limit the anonymous account permissions to read & execute or less for the local paths (including their content).
- Severity: M
- Version: WG350 IIS6
- Vuln ID: V-2263
- Rule ID: SV-38080r1_rule
Checks: C-37452r1_chk
1. Open the IIS Manager > Right click on the web site being reviewed > Select Properties > Select the Directory Security Tab.
2. Under the Secure communications section > Select View Certificate.
3. Select the Details tab > Select the Issuer field.
4. View the lower window and ensure the certificate contains the following:
   - CN = DOD CLASS 3 CA-3
   - OU = PKI
   - OU = DoD
   - O = U.S. Government
   - C = US

If the credentials listed above are not found, this is a finding.

NOTE: It is also acceptable to open a browser window and browse to the appropriate site. Before entry to the site the server's DOD PKI credentials should be presented. Review these credentials for authenticity.

NOTE: If the server is running as a public web server this finding should be not applicable.

NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.
Fix: F-32698r1_fix
Configure the private web site to use a valid DoD certificate.
- Severity: L
- Version: WG490 IIS6
- Vuln ID: V-2265
- Rule ID: SV-38118r1_rule
Checks: C-37492r1_chk
1. Right click on the Start button > Select Search > enter "*.java, *.jpp" in the box titled All or part of the file name.
2. Press Search.

NOTE: This search must be completed on all active drives the web server utilizes.

NOTE: Files with the extension .class, .jre and .jvm are acceptable. Executables such as java.exe, jre.exe, and jrew.exe are permitted.

If files with the extension .java or .jpp are found, this is a finding.
Fix: F-32740r1_fix
Remove all files from the web server with the following extensions: .java and .jpp.
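Both file searches on this page (WG420 for backup copies of scripts, WG490 for Java source files) can be run from one script instead of the Windows Search dialog. The following PowerShell is an added example, not part of the STIG; it assumes PowerShell on the IIS 6 host, and the drive letters are constructed placeholders for the active drives the web server uses. It goes slightly beyond either check by tagging each hit with the check it belongs to, so one sweep serves both.

```powershell
# Added example (not part of the STIG): one sweep for the file name patterns
# WG420 (backup copies of scripts) and WG490 (Java source) call out. Point it at
# every active drive the web server uses, or for WG420 at the script directories.
function Find-StigFlaggedFiles {
    param(
        [string[]]$Roots = @('C:\', 'D:\'),   # constructed placeholders
        [string[]]$BackupPatterns = @('*.bak', '*.old', '*.temp', '*.tmp', '*.backup', 'copy of*'),
        [string[]]$SourcePatterns = @('*.java', '*.jpp')
    )
    foreach ($root in $Roots) {
        foreach ($pattern in ($BackupPatterns + $SourcePatterns)) {
            # WG490 accepts .class, .jre and .jvm and the java/jre/jrew executables,
            # so only the source patterns are searched for; nothing else needs excluding.
            $check = if ($SourcePatterns -contains $pattern) { 'WG490' } else { 'WG420' }
            Get-ChildItem -Path $root -Filter $pattern -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Check    = $check
                        Pattern  = $pattern
                        Path     = $_.FullName
                        Modified = $_.LastWriteTime
                    }
                }
        }
    }
}

# Usage: every row is a candidate finding; WG420 applies only to CGI/interactive
# content, so filter its rows to the script directories before recording a finding.
Find-StigFlaggedFiles | Sort-Object Check, Path | Format-Table Check, Pattern, Path -AutoSize
```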
- Severity: H
- Version: WA000-WI050 IIS6
- Vuln ID: V-2267
- Rule ID: SV-16145r2_rule
Checks: C-13982r2_chk
1. Open the IIS Manager > Click on the Web Service Extensions directory.
2. In the right hand pane look for the following web service extensions:
   - Server side includes
   - Internet Data Connector
   - Index Server Web Interface
   - Internet printing
   - .HTR scripting
3. If any of the above service extensions exist and are set to Allowed, right click on it > Select properties > Select the required files. NOTE: If a web service extension is set to Prohibit, this meets the intent of this check.
4. Record the files listed.
5. Right click on the website being reviewed > Select properties > Select Home Directory.
6. Under Application settings select Configuration.
7. Under Application extensions find the file extensions listed below > Select Edit > Ensure the file extension is not mapped to the files noted in step 4 with respect to the specific service extension.
   - Server side includes: .shtml, .shtm and .stm
   - Internet Data Connector: .idc
   - Index Server Web Interface: .htw, .ida and .idq
   - Internet printing: .printer
   - .HTR scripting: .htr
8. Ensure the following file extensions do not exist under application extensions: .bat, .cmd
9. Query the Web Admin on the listed extensions and the reason for their use.

If any of the extensions under step 7 match the required files in the allowed status for the respective service extension, this is a finding. If the file extensions .bat or .cmd are present, this is a finding. If a file extension is listed and has no use, this is a finding.

NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for the use of particular script mappings. If the site has this documentation, this should be marked as not a finding.

NOTE: You may need to perform this check on each site's directory, sub-directories, and virtual directories since these can be set at each location.
Fix: F-14946r2_fix
Remove unused and vulnerable script mappings.
- Severity: M
- Version: WA000-WI030 IIS6
- Vuln ID: V-2268
- Rule ID: SV-38009r1_rule
Checks: C-37357r1_chk
1. Open IIS Manager > Right click on the website being reviewed > Select properties > Select the Home directory tab.
2. Under Application setting > Select configuration > Select the Mappings tab.
3. Under Application extensions review the Extension field to see if the following file extensions are mapped to the asp.dll or aspnet_isapi.dll: .asa, .asax, .inc. NOTE: If these extensions are mapped to the asp.dll or aspnet_isapi.dll, this is not a finding and the check procedure can stop here. If they are not mapped to the asp.dll or aspnet_isapi.dll continue with the following procedure to determine if the files are protected via file permissions.
4. Right click on the Start button > Select Search.
5. Under the text box "All or part of the file name" enter the following: global.asa, global.asax, *.inc. NOTE: All drives utilized for the web site being reviewed should be searched. NOTE: Check using IIS Manager to determine which directory is associated with the web site (Web Site properties, Home Directory tab).
6. If these files are found and are part of the directories (including virtual directories) for the web site being reviewed, navigate to these files.
7. Right click on the file > select properties > Select the Security tab.
8. Ensure Read permissions do not exist for the IUSR_machinename account (the anonymous web user).

If the IUSR_machinename account has read access to the global.asa, global.asax, or .inc files, and these extensions are not mapped to the asp.dll, this is a finding.
Fix: F-32594r1_fix
Remove read permissions for the IUSR_machinename account from the .inc files and their equivalent.
- Severity: M
- Version: WG430 IIS6
- Vuln ID: V-2270
- Rule ID: SV-38111r1_rule
Checks: C-37484r1_chk
1. Open the IIS Manager.
2. For the site being reviewed, determine the directories where CGI, PERL, ASP, JS, or JSP scripts are located.
3. Determine if these locations are enabled for FTP access by looking under the FTP Sites folder within IIS Manager.
4. For directories with FTP enabled, right click on the directory > Select Properties > Select Directory Security > Select the Edit button beside Authentication and access control.

If Enable anonymous access is checked, this is a finding.
Fix: F-32732r1_fix
Remove anonymous FTP access from directories where CGI, PERL, ASP, JS, or JSP scripts are located.
- Severity: M
- Version: WG460 IIS6
- Vuln ID: V-2272
- Rule ID: SV-38114r1_rule
Checks: C-37487r1_chk
1. Query the Web Admin for the PERL file extension/s on the system.
2. Search the system for PERL files (normally ending in .pl).
3. For those PERL files found within the web site/server content directories open them with Notepad and ensure the first line of the script is as follows: `#!/usr/local/bin/perl -T`
4. If the above line is not found verify the application settings for the directory containing the PERL script/s.
5. Right click on the directory > Select properties > Select the Home Directory, Directory, or Virtual Directory tab.
6. Under the Application settings area, select the Configuration button.
7. Browse the Application extensions for the PERL file extension (normally .pl).
8. Verify the executable path for the PERL file extension lists `Perl.exe -T`.

If `#!/usr/local/bin/perl -T` is not the first line of the PERL script, or the executable path does not list `Perl.exe -T`, this is a finding.

NOTE: This applies to PERL scripts used as part of the web server and not all PERL scripts on the system.

NOTE: If the TAINT option cannot be used for any reason, this finding can be mitigated by the use of a third-party input validation mechanism or input validation will be included as part of the script in use. This must be documented.
Fix: F-32735r1_fix
Adjust the PERL scripts to include the appropriate comments enabling the TAINT option.
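Steps 3 to 8 of WG460 reduce to two questions per script: does the shebang line carry the taint switch, and if not, does the IIS script mapping for the PERL extension run the interpreter with it. The following PowerShell is an added example, not part of the STIG. It assumes PowerShell on the IIS 6 host, a content root and site number that are constructed placeholders, and that the metabase ScriptMaps entries read as "extension,executable path,flags[,verbs]" (an assumption about the IIS 6 ADSI provider, not something the page states).

```powershell
# Added example (not part of the STIG): check each PERL script under a content
# root for the taint switch, and fall back to the IIS 6 script mapping for the
# extension when the shebang line lacks it (WG460 steps 3 to 8).
function Test-PerlTaintMode {
    param(
        [string]$ContentRoot = 'D:\inetpub\wwwroot',   # constructed placeholder
        [string]$Extension   = '.pl',
        [int]$SiteId         = 1                       # W3SVC site identifier, placeholder
    )
    # Script mappings live on the site's ROOT node in the metabase; each entry is
    # assumed to read "ext,executable path,flags[,verbs]",
    # e.g. ".pl,C:\Perl\bin\perl.exe -T %s %s,5" (constructed sample).
    $root = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT"
    $mapping = @($root.ScriptMaps) | Where-Object { $_ -like "$Extension,*" } | Select-Object -First 1
    $mappingTaint = [bool]($mapping -match '\s-\w*T\b')

    Get-ChildItem -Path $ContentRoot -Filter "*$Extension" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $firstLine = [string](Get-Content -Path $_.FullName -TotalCount 1)
            # WG460 expects "#!/usr/local/bin/perl -T"; any -T in the shebang turns taint mode on
            $shebangTaint = [bool]($firstLine -match '^#!.*perl.*\s-\w*T\b')
            New-Object PSObject -Property @{
                Path         = $_.FullName
                FirstLine    = $firstLine
                ShebangTaint = $shebangTaint
                MappingTaint = $mappingTaint
                Finding      = -not ($shebangTaint -or $mappingTaint)
            }
        }
}

# Usage: rows with Finding = True lack taint mode both in the script and in the mapping.
Test-PerlTaintMode | Format-Table Path, ShebangTaint, MappingTaint, Finding -AutoSize
```

Scripts that cannot use `-T` and rely on the documented input-validation mitigation in the second NOTE will still show as findings here; the script reports, the reviewer applies the documented exception.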
- Severity: M
- Version: WG205 IIS6
- Vuln ID: V-3333
- Rule ID: SV-30041r2_rule
Checks: C-37414r1_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab.
2. Note the path to the web site's home directory.

If the directory is on the same partition as the operating system's root directory, this is a finding. If the directory is a child directory to the web application directory, this is a finding.
Fix: F-32650r1_fix
Change the home directory to a partition other than the partition containing the web server system files.
- Severity: L
- Version: WA000-WI070 IIS6
- Vuln ID: V-3963
- Rule ID: SV-38011r1_rule
Checks: C-37362r1_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select the Home Directory tab.
2. Verify the status of the Index this resource check box.
3. If the Index this resource check box is checked, open the Services window (via Administrative Tools in Control panel) and check to see if the Indexing Service is listed. If it is listed, determine if the Startup Type mode is either "Automatic" or "Manual". NOTE: If the Indexing check box is not checked or the indexing service is not installed or disabled, this is not a finding.
4. With the assistance of the Web Administrator and/or SA, use the MMC to evaluate the Indexing Service using the Index Service snap-in.
5. Review the directories being indexed, ensuring only web content folders are being indexed. NOTE: If unsure whether it is a web content folder, examine the Home Directory tab within the properties of the web site. This will indicate the path of the content for this web site.

If the Index Service is running and directories other than web content directories are being indexed, this is a finding.
Fix: F-32599r1_fix
Assure that only the web document directories are indexed.
- Severity: M
- Version: WG140 IIS6
- Vuln ID: V-6531
- Rule ID: SV-30046r2_rule
Checks: C-37411r1_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Directory Security tab.
2. Under the Secure communications area select the Edit button.
3. Ensure Require secure channel (SSL) and Require client certificates are checked.

If Require secure channel (SSL) and Require client certificates are not checked, this is a finding.
Fix: F-32647r1_fix
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Directory Security tab.
2. Under the Secure communications area select the Edit button.
3. Select Require secure channel (SSL) and Require client certificates > Press OK.
- Severity: M
- Version: WA000-WI090 IIS6
- Vuln ID: V-6755
- Rule ID: SV-38016r1_rule
Checks: C-37368r1_chk
1. Open the IIS Manager > Right click on the web site under review > Select properties > Select the Home Directory tab.
2. Ensure the Directory browsing check box is not selected.

NOTE: This procedure should be completed on all Directories (including Sub-Directories) and Virtual Directories within the site.

If the Directory Browsing feature is enabled, this is a finding.
Fix: F-32605r1_fix
1. Open the IIS Manager > Right click on the website under review > Select properties > Select the Home Directory tab.
2. Uncheck the Directory browsing check box.

NOTE: This procedure should be completed on all Directories (including Sub-Directories) and Virtual Directories within the site.
- Severity: H
- Version: WG235 IIS6
- Vuln ID: V-13686
- Rule ID: SV-40028r1_rule
Checks: C-37417r1_chk
Query the SA to determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection.

NOTE: See results from WG230 for data that will assist in the validation of this vulnerability.

If the remote users are uploading files without utilizing approved encryption methods, this is a finding.
Fix: F-32653r1_fix
Use only secure encrypted logons and connections for uploading files to the web site.
- Severity: M
- Version: WG242 IIS6
- Vuln ID: V-13688
- Rule ID: SV-28653r2_rule
Checks: C-30008r2_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Web Site tab.
2. Ensure Enable logging is selected.
3. Select the Properties button > Select the Advanced tab.
4. Under the Extended logging options ensure the following items are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Http Protocol Status and Referrer.

If the Enable logging checkbox is not selected, this is a finding. If any of the items listed in step 4 are not selected, this is a finding.

NOTE: The collection of additional logging information is acceptable.
Fix: F-32673r1_fix
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Web Site tab.
2. Ensure Enable logging is selected.
3. Select the Properties button > Select the Advanced tab.
4. Under the Extended logging options check the following: Date, Time, Client IP Address, User Name, Method, URI Query, Http Protocol Status and Referrer.
5. Select OK.
- Severity: M
- Version: WG255 IIS6
- Vuln ID: V-13689
- Rule ID: SV-29398r2_rule
Checks: C-30017r2_chk
1. Open the IIS Manager > Right click the website being reviewed > Select Properties > Select the Web Site tab > in the Enable logging box select Properties.
2. Note the path listed under the text Log file directory and the name of the log file beside the text Log file name.
3. Use Explorer to navigate to the log files based on the path and name found in step 2.
4. Right-click on the log file > Select Security.
5. Verify the permissions are as follows:
   - Auditors & System = Full Control
   - Administrators & Web Administrators = Read

If the permissions are not the same as those listed in step 5, this is a finding. If any account has access to the log files other than those listed in step 5, this is a finding.

NOTE: If permission assignment is more restrictive, this is not a finding.
Fix: F-32678r1_fix
1. Open the IIS Manager > Right click the website being reviewed > Select Properties > Select the Web Site tab > In the Enable logging box select Properties.
2. Note the path listed under the text Log file directory and the name of the log file beside the text Log file name.
3. Use Explorer to navigate to the log files based on the path and name found in step 2.
4. Right-click on the log file > Select Security.
5. Set the permissions as follows:
   - Auditors & System = Full Control
   - Administrators & Web Administrators = Read
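The NTFS permission checks on this page (WG250 and WG255 on the log files, WG290 on the anonymous account's rights over the content paths) all ask the same question: does any Allow ACE grant an identity more than its ceiling? The following PowerShell is an added example, not part of the STIG. It assumes PowerShell on the IIS 6 host; the log directory, content path, machine name, anonymous account and auditor group are constructed placeholders to replace with the values found in the check steps. It generalizes the three checks into one function that takes a per-identity ceiling and a default ceiling for everyone else.

```powershell
# Added example (not part of the STIG): walk a directory tree and report every
# Allow ACE that grants an identity more than it is permitted. Identities named
# in -MaxRights get that ceiling; every other identity gets -DefaultMax.
function Get-AclFindings {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [hashtable]$MaxRights = @{},
        [System.Security.AccessControl.FileSystemRights]$DefaultMax = 'Read',
        [switch]$Recurse
    )
    $items = @(Get-Item -Path $Path -Force)
    if ($Recurse) {
        $items += @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $ceiling = $DefaultMax
            if ($MaxRights.ContainsKey($id)) {
                $ceiling = [System.Security.AccessControl.FileSystemRights]$MaxRights[$id]
            }
            # Compare as bit masks; inherited ACEs can carry generic-right bits
            # (large or negative numbers) that show up as excess and need a manual look.
            $excess = ([int]$ace.FileSystemRights) -band (-bnot [int]$ceiling)
            if ($excess -ne 0) {
                New-Object PSObject -Property @{
                    Path     = $item.FullName
                    Identity = $id
                    Granted  = $ace.FileSystemRights
                    Ceiling  = $ceiling
                }
            }
        }
    }
}

# WG250: only System, Administrators and the site's auditor group may exceed Read
# on the log directory (path and auditor group name are constructed placeholders).
$logFindings = Get-AclFindings -Path 'C:\WINDOWS\system32\LogFiles\W3SVC1' -Recurse -MaxRights @{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
    'EXAMPLE\Auditors'       = 'FullControl'
}

# WG290: the anonymous account may have at most Read & Execute on the content
# paths and Everyone may have nothing (0); other identities are not this check's concern.
$contentFindings = Get-AclFindings -Path 'D:\inetpub\wwwroot' -Recurse -DefaultMax FullControl -MaxRights @{
    'WEBSRV01\IUSR_WEBSRV01' = 'ReadAndExecute'
    'Everyone'               = 0
}

@($logFindings) + @($contentFindings) | Format-Table Path, Identity, Granted, Ceiling -AutoSize
```

For WG255, which permits only the listed accounts, call the function with `-DefaultMax 0` so that any other identity holding any right is reported, and list Auditors and System at FullControl and Administrators and Web Administrators at Read.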
- Severity: M
- Version: WG342 IIS6
- Vuln ID: V-13694
- Rule ID: SV-28566r2_rule
Checks: C-28835r2_chk
1. Open the IIS Manager > Right click on the website to be examined > Select properties > Select the Web Site tab > Note the entry for the SSL port (i.e. 443).
2. Select the Directory Security tab > Select the Edit button in the Secure communications section.
3. Ensure the Require secure channel (SSL) and Require 128-bit encryption check boxes are checked.

If the Require secure channel (SSL) and Require 128-bit encryption check boxes are not checked, this is a finding.

If the site requires SSL and 128-bit encryption, then the version of SSL also needs to be verified. The following registry keys need to exist and be set to not allow anything lower than SSL V3.1 / TLS. This can be accomplished by ensuring the value `Enabled REG_DWORD 0` exists in each of the keys:

- HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
- HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
- HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
- HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
- HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
- HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value Enabled, this would also be a finding.

NOTE: The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable SSL V3.1 / TLS.

NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users should not have the ability to bypass the content switch to access the web sites.
Fix: F-32693r1_fix
1. Obtain and install a server certificate from a .mil Certificate Authority or approved DoD ECA.
2. Open the IIS Manager > Right click on the website to be examined > Select properties > Select the Directory Security tab > Select the Edit button in the Secure communications section.
3. Select the Require secure channel (SSL) and Require 128-bit encryption check boxes.
4. Set the SSL version by creating and setting the following registry keys to not allow anything lower than SSL V3.1 / TLS. Ensure the value `Enabled REG_DWORD 0` exists in each of the keys:
   - HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
   - HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
   - HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
   - HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
   - HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
   - HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable SSL V3.1 / TLS.
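The registry portion of WG342 (six SCHANNEL keys with Enabled = 0, TLS 1.0 left enabled) is easy to get subtly wrong by hand, for example by creating the value as a REG_SZ or by setting it under Protocols\SSL 3.0 rather than its Client and Server subkeys. The following PowerShell is an added example, not part of the STIG; it assumes PowerShell running elevated on the IIS 6 host and the registry provider's HKLM: drive. It reads the keys the check names and reports which would be findings, and separately applies the values the fix prescribes.

```powershell
# Added example (not part of the STIG): read the SCHANNEL protocol keys that
# WG342 names and report which ones would be a finding, then (optionally) apply
# the values the fix prescribes. Run from an elevated PowerShell.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelEnabled {
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) { return $null }       # key absent
    $prop = Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue
    if ($prop -eq $null) { return $null }                    # value absent
    return [int]$prop.Enabled                                # 0xFFFFFFFF reads back as -1
}

function Test-SchannelProtocols {
    param([string]$ProtocolsKey = $SchannelProtocols)
    foreach ($proto in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
        foreach ($side in 'Client', 'Server') {
            $enabled = Get-SchannelEnabled -Key (Join-Path $ProtocolsKey "$proto\$side")
            if ($proto -eq 'TLS 1.0') {
                # Enabled may be absent for TLS 1.0; if present it must be 1
                $finding = ($enabled -ne $null) -and ($enabled -ne 1)
            } else {
                # the older protocols need an explicit Enabled = REG_DWORD 0
                $finding = ($enabled -eq $null) -or ($enabled -ne 0)
            }
            New-Object PSObject -Property @{
                Key = "$proto\$side"; Enabled = $enabled; Finding = $finding
            }
        }
    }
}

function Set-SchannelProtocols {
    # Fix F-32693r1_fix step 4: create the six keys and set Enabled = REG_DWORD 0 in each
    param([string]$ProtocolsKey = $SchannelProtocols)
    foreach ($proto in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $ProtocolsKey "$proto\$side"
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: review first, then remediate; SCHANNEL changes take effect after a reboot.
Test-SchannelProtocols | Format-Table Key, Enabled, Finding -AutoSize
# Set-SchannelProtocols
```

The Require secure channel and 128-bit settings from steps 2 and 3 are IIS metabase settings rather than registry values and are not covered by this script.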
- Severity: H
- Version: WA000-WI092 IIS6
- Vuln ID: V-13699
- Rule ID: SV-38020r1_rule
Checks: C-37372r1_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab.

If the IIS web site permissions "Write" or "Script source access" are selected, this is a finding.

NOTE: This should be completed for all directories (including sub-directories), virtual directories, and files for the site being reviewed.
Fix: F-32609r1_fix
1. Open the IIS Manager > Right click on the website (including directories, sub-directories, virtual directories, and files) being reviewed > Select Properties > Select the Home Directory (Directory, Virtual Directory, or File) tab.
2. Uncheck the Write and/or the Script source access permissions.
- RMF Control
- Severity
- L
- CCI
- Version
- WA000-WI120 IIS6
- Vuln IDs
-
- V-13702
- Rule IDs
-
- SV-38136r1_rule
Checks: C-10954r3_chk
1. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press Ctrl+F > Enter "ServerComment" > Select the Find Next button to find the attribute ServerComment="<name of the web site being reviewed>".
3. Verify the setting of the UseHostName or SetHostName attribute on that IIsWebServer key. These properties control the host name IIS writes into the redirects it generates itself (for example, the redirect that adds a trailing slash to a directory request); when neither is set, the server's own IP address can be sent to the client in the Location header.
If both settings are specified, this is a finding.
If neither setting is specified, this is a finding.
If UseHostName is specified and not set to TRUE, this is a finding.
If SetHostName is specified and the web server's private IP address is used, this is a finding.
Fix: F-13150r2_fix
1. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press Ctrl+F > Enter "ServerComment" > Select the Find Next button to find the attribute ServerComment="<name of the website being reviewed>".
3. Go to the beginning of the IIsWebServer key for the web site being reviewed (a few lines prior to the ServerComment attribute found in step 2).
4. Note the number after W3SVC in that key's Location, as it will be used next.
5. From the CLI navigate to the location of the adsutil.vbs script.
6. Enter the following: adsutil.vbs set w3svc/<number from step 4>/UseHostName TRUE
NOTE: The command in step 6 may be substituted with: adsutil.vbs set w3svc/<number from step 4>/SetHostName "<name other than your private IP address>"
NOTE: cscript may have to be entered in front of adsutil.vbs (e.g., cscript adsutil.vbs set w3svc/1/UseHostName TRUE).
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6010 IIS6
- Vuln IDs
-
- V-13703
- Rule IDs
-
- SV-38137r1_rule
Checks: C-37380r1_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab.
2. Review the Application settings area and note the name listed next to Application pool.
3. Ensure this Application pool is not listed as any other site's Application pool. If there is not a unique application pool configured for the web site being reviewed, this is a finding.
NOTE: The default Application pool (DefaultAppPool) is not considered unique; a web site that uses it is a finding. A pool shared between sites means their worker processes share one identity and one address space, so a compromise of one site's code reaches the other's content.
Fix: F-32617r1_fix
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab.
2. Go to the Application settings area > Select the Application pool drop down > Select the unique Application pool for the web site.
3. Press OK.
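The three site-level checks above (WA000-WI092, WA000-WI120 and WA000-WI6010) can also be run offline against a copy of metabase.xml, where the Home Directory permissions are stored as the AccessFlags property, the redirect host name as UseHostName / SetHostName on the IIsWebServer key, and the application pool as AppPoolId on the site's ROOT virtual directory. The script below is an added example, not part of the STIG or of Microsoft's tooling. The metabase excerpt embedded in it is constructed for illustration, and it treats any IP literal in SetHostName as a finding, which is stricter than the check text (which names the server's private IP). An absent AccessFlags inherits from the parent key, so only explicit settings are reported; the site root is where an inherited value would come from.

```python
"""Offline audit of an IIS 6 metabase.xml copy for WA000-WI092 (Write / Script
source access), WA000-WI120 (UseHostName / SetHostName) and WA000-WI6010
(unique application pool). Added example; the metabase excerpt is constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt in the metabase.xml layout: one element per metabase key,
# properties stored as attributes, inheritable ones omitted where not set.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" UseHostName="TRUE" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AppPoolId="DefaultAppPool"
    AccessFlags="AccessRead | AccessScript" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Portal" SetHostName="10.1.2.3" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" AppPoolId="PortalPool"
    AccessFlags="AccessRead | AccessScript | AccessWrite" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT/upload" AccessFlags="AccessRead | AccessSource" />
<IIsWebServer Location="/LM/W3SVC/3" ServerComment="Intranet" />
<IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" AppPoolId="PortalPool"
    AccessFlags="AccessRead | AccessScript" />
</MBProperty>
</configuration>"""

CONTENT_NODES = {'IIsWebVirtualDir', 'IIsWebDirectory', 'IIsWebFile'}

def load_metabase(text):
    """Return [(key type, Location, attributes)] for every keyed element."""
    nodes = []
    for el in ET.fromstring(text).iter():
        if el.get('Location') is not None:
            nodes.append((el.tag.rsplit('}', 1)[-1], el.get('Location'), dict(el.attrib)))
    return nodes

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_hostname(name, attrs):
    """WA000-WI120: exactly one of UseHostName=TRUE or a non-IP SetHostName."""
    use, sethost = attrs.get('UseHostName'), attrs.get('SetHostName')
    rule = 'WA000-WI120'
    if use is not None and sethost is not None:
        return [(name, rule, 'both UseHostName and SetHostName are set')]
    if use is None and sethost is None:
        return [(name, rule, 'neither UseHostName nor SetHostName is set')]
    if use is not None and use.upper() != 'TRUE':
        return [(name, rule, f'UseHostName is {use}, not TRUE')]
    if sethost is not None and is_ip_literal(sethost):
        return [(name, rule, f'SetHostName is an IP literal ({sethost})')]
    return []

def check_access_flags(name, site_loc, nodes):
    """WA000-WI092: no AccessWrite / AccessSource on any key below the site.
    Only explicit AccessFlags are inspected; an absent value inherits from the parent."""
    out = []
    prefix = site_loc.upper() + '/'
    for ntype, loc, attrs in nodes:
        if ntype not in CONTENT_NODES or not loc.upper().startswith(prefix):
            continue
        flags = {f.strip() for f in attrs.get('AccessFlags', '').split('|')}
        bad = flags & {'AccessWrite', 'AccessSource'}
        if bad:
            out.append((name, 'WA000-WI092', f'{loc}: {", ".join(sorted(bad))}'))
    return out

def root_app_pool(site_loc, nodes):
    """The Home Directory tab's application pool is AppPoolId on <site>/ROOT."""
    target = site_loc.upper() + '/ROOT'
    for _, loc, attrs in nodes:
        if loc.upper() == target:
            return attrs.get('AppPoolId')
    return None

def audit_sites(text):
    """Return [(site name, STIG id, detail)] for every finding."""
    nodes = load_metabase(text)
    findings, pool_users = [], {}
    for ntype, loc, attrs in nodes:
        if ntype != 'IIsWebServer':
            continue
        name = attrs.get('ServerComment', loc)
        findings += check_hostname(name, attrs)
        findings += check_access_flags(name, loc, nodes)
        pool_users.setdefault(root_app_pool(loc, nodes), []).append(name)
    # WA000-WI6010: one pool per site, and DefaultAppPool never counts as unique
    for pool, users in pool_users.items():
        for name in users:
            if pool is None:
                findings.append((name, 'WA000-WI6010', 'no AppPoolId on the site root'))
            elif pool == 'DefaultAppPool':
                findings.append((name, 'WA000-WI6010', 'site runs in DefaultAppPool'))
            elif len(users) > 1:
                findings.append((name, 'WA000-WI6010', f'{pool} is shared with {len(users) - 1} other site(s)'))
    return findings

if __name__ == '__main__':
    for site, rule, detail in audit_sites(SAMPLE_METABASE):
        print(f'{rule}  {site}: {detail}')
```

To run it against a real server, replace SAMPLE_METABASE with the contents of %systemroot%\System32\inetsrv\metabase.xml (copy the file first; IIS holds it open and rewrites it). In the constructed sample, the Default Web Site passes the host name and permissions checks but fails WA000-WI6010 for using DefaultAppPool, Portal fails all three, and Intranet has neither host name property set and shares PortalPool.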
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6020 IIS6
- Vuln IDs
-
- V-13704
- Rule IDs
-
- SV-38134r1_rule
Checks: C-37384r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (in minutes) check box is checked and the value is set to 1740 or less. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32621r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (in minutes) check box is checked and set the value to 1740 or less.
3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6022 IIS6
- Vuln IDs
-
- V-13705
- Rule IDs
-
- SV-38132r1_rule
Checks: C-37386r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the web site being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (number of requests) check box is checked and the value is set to 35000 or less. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32622r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (number of requests) check box is checked and set the value to 35000 or less.
3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6024 IIS6
- Vuln IDs
-
- V-13706
- Rule IDs
-
- SV-38033r1_rule
Checks: C-37388r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Maximum virtual memory (in megabytes) check box is checked and the value is set to 792 or less. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32625r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab.
2. Ensure the Maximum virtual memory (in megabytes) check box is checked and set the value to 792 or less.
3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6026 IIS6
- Vuln IDs
-
- V-13707
- Rule IDs
-
- SV-38130r1_rule
Checks: C-37390r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Maximum used memory (in megabytes) check box is checked and the value is set to 192 or less. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32627r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab.
2. Ensure the Maximum used memory (in megabytes) check box is checked and set the value to 192 or less.
3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6028 IIS6
- Vuln IDs
-
- V-13708
- Rule IDs
-
- SV-38125r1_rule
Checks: C-37403r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Performance tab.
2. Ensure the Shutdown worker processes after being idle for (time in minutes) check box is checked and the value is set to 20 or less. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32639r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Performance tab.
2. Ensure the Shutdown worker processes after being idle for (time in minutes) check box is checked and set the value to 20 or less.
3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6030 IIS6
- Vuln IDs
-
- V-13709
- Rule IDs
-
- SV-38123r1_rule
Checks: C-37404r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Performance tab.
2. Ensure the Limit the kernel request queue (number of requests) check box is checked and the value is set to 4000 or less. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32640r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Performance tab.
2. Ensure the Limit the kernel request queue (number of requests) check box is checked and set the value to 4000 or less.
3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6032 IIS6
- Vuln IDs
-
- V-13710
- Rule IDs
-
- SV-38043r1_rule
Checks: C-37405r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Health tab.
2. Ensure the Enable pinging check box is checked and the Ping worker process every (frequency in seconds) value is set to 30 or more. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for a decreased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32641r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Health tab.
2. Ensure the Enable pinging check box is checked and set the Ping worker process every (frequency in seconds) value to 30 or more.
3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6034 IIS6
- Vuln IDs
-
- V-13711
- Rule IDs
-
- SV-38044r1_rule
Checks: C-37406r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Health tab.
2. Ensure the Enable rapid-fail protection check box is checked and the Failures value is set to 5 or less. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32642r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Health tab.
2. Ensure the Enable rapid-fail protection check box is checked and set the Failures value to 5 or less.
3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6036 IIS6
- Vuln IDs
-
- V-13712
- Rule IDs
-
- SV-38045r1_rule
Checks: C-37407r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Health tab.
2. Ensure the Enable rapid-fail protection check box is checked and the Time period (time in minutes) value is set to 5 or less. If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the IAM/IAO if the site has operational reasons for an increased value. If the IAM/IAO has approved this change in writing, this should be marked as not a finding.
Fix: F-32643r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Health tab.
2. Ensure the Enable rapid-fail protection check box is checked and set the Time period (time in minutes) value to 5 or less.
3. Press OK.
- RMF Control
- Severity
- H
- CCI
- Version
- WA000-WI6040 IIS6
- Vuln IDs
-
- V-13713
- Rule IDs
-
- SV-38046r1_rule
Checks: C-37408r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Identity tab.
2. Identify the account used as the worker process identity.
3. Check the privileges of the account found in step 2 by using Computer Management and opening Local Users and Groups.
4. The account should be a member of the IIS_WPG group and must not be a member of the Administrators group. If the account used to run the worker process identity is also an Administrator, this is a finding. If the identity is set to Local System, this is a finding.
NOTE: The "Local Service" and "Network Service" built-in accounts are not privileged accounts and are not a finding.
NOTE: This check may be reported as a false positive by the Gold Disk, so manual verification is recommended if this is an open finding. If it is reported as not a finding, no further checking is necessary.
Fix: F-32644r1_fix
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Identity tab.
2. Select Network Service, Local Service, or a configurable account, and enter the desired account information.
3. Check the privileges of the account chosen in step 2 by using Computer Management and opening Local Users and Groups.
4. Ensure the account is a member of the IIS_WPG group and is not a member of the Administrators group.
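Every value the Recycling, Performance, Health and Identity tabs expose (WA000-WI6020 through WA000-WI6040) is a property of the IIsApplicationPool key in metabase.xml, and a value not set on a pool is inherited from the IIsApplicationPools key at /LM/W3SVC/AppPools. The following script is an added example, not part of the STIG or of Microsoft's tooling, that applies the thresholds above to the effective value of each pool; the metabase excerpt in it is constructed. Two details matter when reading the raw file: the metabase stores the two memory limits in kilobytes although IIS Manager displays megabytes, and AppPoolIdentityType 0 is Local System, 1 Local Service, 2 Network Service and 3 a configurable account named in WAMUserName, whose group membership the metabase cannot tell you.

```python
"""Offline audit of IIS 6 application pool settings in a metabase.xml copy
against WA000-WI6020 .. WA000-WI6040. Added example; the metabase excerpt is
constructed. Values not set on a pool inherit from /LM/W3SVC/AppPools."""
import xml.etree.ElementTree as ET

KB = 1024  # memory limits are stored in kilobytes; IIS Manager shows megabytes

SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsApplicationPools Location="/LM/W3SVC/AppPools" AppPoolIdentityType="2" AppPoolQueueLength="1000"
    IdleTimeout="20" PeriodicRestartMemory="512000" PeriodicRestartPrivateMemory="196608"
    PeriodicRestartRequests="35000" PeriodicRestartTime="1740" PingInterval="30" PingingEnabled="TRUE"
    RapidFailProtection="TRUE" RapidFailProtectionInterval="5" RapidFailProtectionMaxCrashes="5" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/PortalPool" AppPoolIdentityType="0"
    PeriodicRestartTime="0" PeriodicRestartMemory="1048576" PingInterval="10" RapidFailProtection="FALSE" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/IntranetPool" AppPoolIdentityType="3"
    WAMUserName="CORP\\svc_intranet" IdleTimeout="60" />
</MBProperty>
</configuration>"""

# (metabase property, STIG id, predicate on the effective value, what the STIG wants)
# A 0 in the recycling / timeout properties means the IIS Manager check box is cleared.
RULES = [
    ('PeriodicRestartTime', 'WA000-WI6020', lambda v: 0 < int(v) <= 1740, 'recycle every 1740 minutes or less'),
    ('PeriodicRestartRequests', 'WA000-WI6022', lambda v: 0 < int(v) <= 35000, 'recycle after 35000 requests or fewer'),
    ('PeriodicRestartMemory', 'WA000-WI6024', lambda v: 0 < int(v) <= 792 * KB, 'virtual memory limit of 792 MB or less'),
    ('PeriodicRestartPrivateMemory', 'WA000-WI6026', lambda v: 0 < int(v) <= 192 * KB, 'used memory limit of 192 MB or less'),
    ('IdleTimeout', 'WA000-WI6028', lambda v: 0 < int(v) <= 20, 'idle shutdown after 20 minutes or less'),
    ('AppPoolQueueLength', 'WA000-WI6030', lambda v: 0 < int(v) <= 4000, 'kernel request queue of 4000 or less'),
    ('PingingEnabled', 'WA000-WI6032', lambda v: v.upper() == 'TRUE', 'pinging enabled'),
    ('PingInterval', 'WA000-WI6032', lambda v: int(v) >= 30, 'ping interval of 30 seconds or more'),
    ('RapidFailProtection', 'WA000-WI6034', lambda v: v.upper() == 'TRUE', 'rapid-fail protection enabled'),
    ('RapidFailProtectionMaxCrashes', 'WA000-WI6034', lambda v: int(v) <= 5, 'failure count of 5 or less'),
    ('RapidFailProtectionInterval', 'WA000-WI6036', lambda v: int(v) <= 5, 'failure window of 5 minutes or less'),
    ('AppPoolIdentityType', 'WA000-WI6040', lambda v: v != '0', 'identity other than Local System'),
]

def effective_pools(text):
    """Return {pool name: effective attributes} after applying AppPools-level inheritance."""
    defaults, pools = {}, {}
    for el in ET.fromstring(text).iter():
        tag, loc = el.tag.rsplit('}', 1)[-1], el.get('Location', '')
        if tag == 'IIsApplicationPools':
            defaults = dict(el.attrib)
        elif tag == 'IIsApplicationPool':
            pools[loc.rsplit('/', 1)[-1]] = dict(el.attrib)
    return {name: {**defaults, **attrs} for name, attrs in pools.items()}

def audit_pools(text):
    """Return [(pool, STIG id, status, detail)]; status is 'open' for a finding
    and 'review' where the decision needs data the metabase does not hold."""
    results = []
    for name, eff in effective_pools(text).items():
        for prop, rule, ok, want in RULES:
            value = eff.get(prop)
            if value is None:
                results.append((name, rule, 'review', f'{prop} not set in the metabase; confirm {want}'))
            elif not ok(value):
                results.append((name, rule, 'open', f'{prop}={value}; want {want}'))
        if eff.get('AppPoolIdentityType') == '3':
            # configurable account: IIS_WPG membership and the absence of Administrators
            # membership must be verified in Computer Management, not here
            results.append((name, 'WA000-WI6040', 'review',
                            f"verify group membership of {eff.get('WAMUserName')}"))
    return results

if __name__ == '__main__':
    for pool, rule, status, detail in audit_pools(SAMPLE_METABASE):
        print(f'{status:6} {rule}  {pool}: {detail}')
```

In the constructed sample, DefaultAppPool inherits a compliant set of values, PortalPool runs as Local System with periodic recycling switched off, a 1 GB virtual memory limit, a 10 second ping and rapid-fail protection disabled, and IntranetPool only needs its 60 minute idle timeout lowered plus a manual look at the groups of CORP\svc_intranet.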
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6098 IIS6
- Vuln IDs
-
- V-13723
- Rule IDs
-
- SV-38047r1_rule
Checks: C-37409r1_chk
1. Open the MBSchema.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press Ctrl+F > Enter "MaxRequestEntityAllowed" > Select the Find Next button.
3. Ensure the Attributes attribute of that property definition is set to INHERIT.
4. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
5. Press Ctrl+F > Enter Location="/LM/W3SVC" > Select Find Next.
6. In the search box now enter MaxRequestEntityAllowed > Check Match whole word only and Match case > Press Find Next.
7. Ensure the MaxRequestEntityAllowed attribute is present within the /LM/W3SVC key and set to 30000000 or less. The value is the largest request entity body, in bytes (for example a POST or PUT payload), that the server will accept; leaving it unlimited lets a client tie up the worker process with arbitrarily large uploads.
If the MaxRequestEntityAllowed property is not set to INHERIT in the schema, this is a finding.
If the MaxRequestEntityAllowed attribute is not found, this is a finding.
If the MaxRequestEntityAllowed attribute is not found within the /LM/W3SVC key, this is a finding.
If it is found and has a value greater than 30000000, this is a finding.
NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for the use of an increased value. If the site has this documentation, this should be marked as not a finding.
Fix: F-32645r1_fix
1. From the CLI navigate to the location of the adsutil.vbs script.
2. Enter the following: adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000
3. Press Enter.
4. Restart IIS.
NOTE: You may have to put cscript in front of the command adsutil.vbs (i.e., cscript adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000).
- RMF Control
- Severity
- M
- CCI
- Version
- WG310 IIS6
- Vuln IDs
-
- V-2260
- Rule IDs
-
- SV-28797r2_rule
Checks: C-30022r2_chk
1. Open the IIS Manager > Click on the web site being reviewed.
2. In the right hand pane look for a file named robots.txt.
3. Open the robots.txt file.
4. Ensure the following entry exists in the robots.txt file:
User-agent: *
Disallow: /
If the robots.txt file does not exist or the entry above is not contained in the robots.txt file, this is a finding.
NOTE: If other restrictions are in place to limit search engine access to the web site, and they meet the requirement, this would not be considered a finding. robots.txt is honored only by well-behaved crawlers; it is not an access control, which is why authentication and the other restrictions in this STIG still apply.
Fix: F-32685r1_fix
Establish a means to restrict search engines on the private web site.
- RMF Control
- Severity
- M
- CCI
- Version
- WG340 IIS6
- Vuln IDs
-
- V-2262
- Rule IDs
-
- SV-28468r2_rule
Checks: C-37443r1_chk
1. Open the IIS Manager > Right click on the web site to be examined > Select Properties > Select the Web Site tab > Note the entry for the SSL port (i.e., 443).
2. Select the Directory Security tab > Select the Edit button in the Secure communications section.
3. Ensure the Require secure channel (SSL) and Require 128-bit encryption check boxes are checked. If the Require secure channel (SSL) and Require 128-bit encryption check boxes are not checked, this is a finding.
If the site requires SSL and 128-bit encryption, the protocol version also needs to be verified. The following registry keys must exist and must not allow anything lower than SSL 3.1 / TLS 1.0. This is accomplished by ensuring the value Enabled (REG_DWORD) = 0 exists in each of the keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value "Enabled", this is also a finding.
NOTE: The keys for TLS 1.0 do not require the Enabled value to be present, but if it is present it must be set to REG_DWORD 1, which leaves SSL 3.1 / TLS 1.0 enabled.
NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificates for the web sites may be installed on the content switch instead of on the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN; users must not be able to bypass the content switch to access the web sites.
Fix: F-32689r1_fix
1. Obtain and install a server certificate from a .mil Certificate Authority or an approved DoD ECA.
2. Open the IIS Manager > Right click on the website to be examined > Select Properties > Select the Directory Security tab > Select the Edit button in the Secure communications section.
3. Select the Require secure channel (SSL) and Require 128-bit encryption check boxes.
4. Restrict the protocol version so that nothing lower than SSL 3.1 / TLS 1.0 can be negotiated. Create the following registry keys and ensure the value Enabled (REG_DWORD) = 0 exists in each of them:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
The keys for TLS 1.0 do not require the Enabled value to be present, but if it is present it must be set to REG_DWORD 1, which leaves SSL 3.1 / TLS 1.0 enabled. Restart the server afterwards; SCHANNEL reads these keys at startup.
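The registry portion of WG340 (and of the identical fix text earlier on this page) is easiest to verify from an export rather than by clicking through six keys: `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" schannel.reg` captures the whole subtree, and a missing key shows up as a missing section. The script below is an added example, not part of the STIG; it parses the .reg text format and applies the rule as written (PCT 1.0, SSL 2.0 and SSL 3.0 must have Enabled=0 for both Client and Server, TLS 1.0 may omit Enabled but must not set it to 0). The export embedded in it is constructed, not taken from a real server. Note that on the Windows Server 2003 platform IIS 6 runs on, SCHANNEL offers nothing newer than TLS 1.0, so TLS 1.0 is the ceiling here rather than a choice.

```python
"""Check the SCHANNEL protocol keys from a 'reg export' file against WG340
(PCT 1.0, SSL 2.0 and SSL 3.0 disabled for client and server; TLS 1.0 left
enabled). Added example; the .reg text is constructed, not a real export."""
import sys

PROTOCOLS = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
MUST_BE_DISABLED = ('PCT 1.0', 'SSL 2.0', 'SSL 3.0')
SIDES = ('Client', 'Server')

# Constructed export: SSL 2.0\Client is missing entirely and SSL 3.0\Server is still enabled.
SAMPLE_REG_EXPORT = 'Windows Registry Editor Version 5.00\n\n' + ''.join(
    f'[{PROTOCOLS}\\{sub}]\n"Enabled"=dword:{val:08x}\n\n'
    for sub, val in [('PCT 1.0\\Client', 0), ('PCT 1.0\\Server', 0), ('SSL 2.0\\Server', 0),
                     ('SSL 3.0\\Client', 0), ('SSL 3.0\\Server', 1), ('TLS 1.0\\Server', 1)])

def parse_reg_export(text):
    """Parse .reg text into {key path (lower-case): {value name (lower-case): int}}.
    Only dword: data is decoded, which is all this check needs. Registry paths and
    value names are case-insensitive, hence the lower-casing."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            values.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition('=')
            if data.lower().startswith('dword:'):
                values[current][name.strip('"').lower()] = int(data[6:], 16)
    return values

def enabled_value(values, protocol, side):
    """Enabled DWORD under Protocols\\<protocol>\\<side>, or None if the key or value is absent."""
    key = f'{PROTOCOLS}\\{protocol}\\{side}'.lower()
    return values.get(key, {}).get('enabled')

def audit_schannel(text):
    """Return a list of findings (empty when compliant)."""
    values, findings = parse_reg_export(text), []
    for protocol in MUST_BE_DISABLED:
        for side in SIDES:
            enabled = enabled_value(values, protocol, side)
            if enabled is None:
                findings.append(f'{protocol}\\{side}: key or Enabled value missing (must exist with Enabled=0)')
            elif enabled != 0:
                findings.append(f'{protocol}\\{side}: Enabled={enabled:#x}, must be 0')
    for side in SIDES:
        # TLS 1.0 may omit Enabled; if present it must not be 0, or nothing is left to negotiate
        if enabled_value(values, 'TLS 1.0', side) == 0:
            findings.append(f'TLS 1.0\\{side}: Enabled=0 disables the only permitted protocol')
    return findings

if __name__ == '__main__':
    # reg export writes UTF-16 with a BOM; pass the exported file as the first argument
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for finding in audit_schannel(text) or ['no findings']:
        print(finding)
```

Against the constructed export the script reports two findings: the SSL 2.0\Client key does not exist (the rule requires the key to be present with Enabled=0, not merely absent), and SSL 3.0\Server has Enabled=1. Missing TLS 1.0 keys produce nothing, matching the note above.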
- RMF Control
- Severity
- L
- CCI
- Version
- WG265 IIS6
- Vuln IDs
-
- V-6373
- Rule IDs
-
- SV-38071r1_rule
Checks: C-37437r1_chk
Query the IAO, the SA, and the Web Administrator to ensure the proper consent banner is being used in accordance with DTM-08-060. Navigation to the web site via a browser can be used to confirm the information provided from interviewing the web staff. The following banner page must be in place:
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
OK
[B. For Blackberries and other PDAs/PEDs with severe character limitations:]
I've read & consent to terms in IS user agreem't.
If the access-controlled web site does not display this banner page in accordance with DTM-08-060 before entry, this is a finding.
Fix: F-32681r1_fix
Configure a DoD private web site to display the required DoD banner page when authentication is required for user access.
- RMF Control
- Severity
- M
- CCI
- Version
- WG355 IIS6
- Vuln IDs
-
- V-13620
- Rule IDs
-
- SV-14206r3_rule
Checks: C-37455r1_chk
1. Open the IIS Manager > Right click on the site being reviewed > Select Properties > Select the Directory Security tab.
2. Under Secure communications > Select Edit > If Enable certificate trust list is checked, select Edit.
3. When prompted by the certificate trust list wizard select Next. If there are trusted CAs in this list that are not DoD, this is a finding. The list bounds which issuers a client certificate may chain to; an extra root in it means certificates from that issuer satisfy the site's client authentication.
NOTE: There are non-DoD roots that must be on the server in order for it to function. Some applications, such as anti-virus programs, require root CAs to function; their presence in the machine store is not the finding, their presence in the site's certificate trust list is.
NOTE: The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs.
Fix: F-32701r1_fix
Configure the certificate trust list to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).
- RMF Control
- Severity
- M
- CCI
- Version
- WG145 IIS6
- Vuln IDs
-
- V-13672
- Rule IDs
-
- SV-28796r2_rule
Checks: C-37412r1_chk
1. Select Start > Select Run > Enter the path to the Metabase.xml file (default is %systemroot%\System32\inetsrv\Metabase.xml).
2. Press Ctrl+F > Enter CertCheckMode.
3. Ensure the ServerComment property, a few lines after the CertCheckMode property, contains the name of the web site being reviewed.
4. Verify this property is set to 0. If the value of this property is not set to 0, this is a finding. CertCheckMode=0 makes IIS check the CRL for client certificates; 1 turns revocation checking off, so a revoked client certificate still authenticates.
NOTE: The value for this parameter defaults to 0, which means CRL checking is enabled. So, if the web site being reviewed is missing this parameter, this is not a finding.
NOTE: If the property exists both at the server level, LM/W3SVC/CertCheckMode, and at the site level, W3SVC/(site number)/CertCheckMode, the value at the site overrides the value at the server level. So, if the server is set to 0 and the site is set to 1, it is a finding for the site being reviewed.
Fix: F-32648r1_fix
Configure the DoD private web server to conduct certificate revocation checking by setting CertCheckMode to 0 (or removing the site-level override), following the same adsutil.vbs pattern used for UseHostName above (e.g., cscript adsutil.vbs set w3svc/<site number>/CertCheckMode 0).
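WG145 and WA000-WI6098 are both about inheritable metabase properties, where the value that applies to a site is the nearest explicit setting walking from the site key towards /LM/W3SVC. The script below is an added example, not part of the STIG or of Microsoft's tooling, that resolves that effective value for each site and reports a site-level CertCheckMode override as well as a server-level or site-level MaxRequestEntityAllowed above the 30000000 byte ceiling. The metabase excerpt it contains is constructed; on a real server feed it a copy of %systemroot%\System32\inetsrv\metabase.xml.

```python
"""Effective-value check for two inheritable IIS 6 metabase properties:
MaxRequestEntityAllowed (WA000-WI6098) and CertCheckMode (WG145). Added example
with a constructed metabase.xml excerpt. A property absent from a key is
inherited from the nearest ancestor key that sets it, which is how a site-level
CertCheckMode="1" overrides a compliant server-level 0."""
import xml.etree.ElementTree as ET

SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" CertCheckMode="0" MaxRequestEntityAllowed="30000000" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Portal" CertCheckMode="1" />
<IIsWebServer Location="/LM/W3SVC/3" ServerComment="Uploads" MaxRequestEntityAllowed="200000000" />
</MBProperty>
</configuration>"""

MAX_ENTITY = 30_000_000  # bytes; the STIG ceiling for a request entity body

def load_nodes(text):
    """Return {Location (upper-case): (key type, attributes)} for every keyed element."""
    nodes = {}
    for el in ET.fromstring(text).iter():
        loc = el.get('Location')
        if loc is not None:
            nodes[loc.upper()] = (el.tag.rsplit('}', 1)[-1], dict(el.attrib))
    return nodes

def effective(nodes, location, prop):
    """Walk from the key towards /LM; return (key that sets prop, value) or (None, None)."""
    loc = location.upper()
    while loc:
        _, attrs = nodes.get(loc, ('', {}))
        if prop in attrs:
            return loc, attrs[prop]
        loc = loc.rsplit('/', 1)[0]
    return None, None

def audit_inherited(text):
    """Return [(subject, STIG id, detail)]."""
    nodes, findings = load_nodes(text), []
    # WA000-WI6098 wants the limit set explicitly on /LM/W3SVC, not left to the built-in default
    _, attrs = nodes.get('/LM/W3SVC', ('', {}))
    limit = attrs.get('MaxRequestEntityAllowed')
    if limit is None:
        findings.append(('/LM/W3SVC', 'WA000-WI6098', 'MaxRequestEntityAllowed is not set at the server level'))
    elif int(limit) > MAX_ENTITY:
        findings.append(('/LM/W3SVC', 'WA000-WI6098', f'MaxRequestEntityAllowed={limit} exceeds {MAX_ENTITY}'))
    for loc, (ntype, attrs) in nodes.items():
        if ntype != 'IIsWebServer':
            continue
        name = attrs.get('ServerComment', loc)
        # WG145: 0 (CRL checking on) is the built-in default, so an absent value passes;
        # the nearest explicit value wins, so a site-level 1 overrides a server-level 0
        src, mode = effective(nodes, loc, 'CertCheckMode')
        if mode is not None and mode != '0':
            findings.append((name, 'WG145', f'CertCheckMode={mode} set at {src} disables CRL checking'))
        src, site_limit = effective(nodes, loc, 'MaxRequestEntityAllowed')
        if site_limit is not None and int(site_limit) > MAX_ENTITY and src != '/LM/W3SVC':
            findings.append((name, 'WA000-WI6098', f'{src} overrides the server limit with {site_limit}'))
    return findings

if __name__ == '__main__':
    for subject, rule, detail in audit_inherited(SAMPLE_METABASE):
        print(f'{rule}  {subject}: {detail}')
```

In the constructed sample the server level is compliant, the Default Web Site inherits both values and passes, Portal is a WG145 finding because its own CertCheckMode="1" wins over the server's 0, and Uploads is a WA000-WI6098 finding because its site-level limit raises the effective ceiling to 200000000 bytes even though /LM/W3SVC is set correctly.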