IIS6 Site
Digest of Updates
Comparison against the immediately-prior release (V6R13). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Removed rules (1):
- V-2249 High Web server/site administration must be performed over a secure path.
Content changes (31):
- V-13620 Medium (description) A private web site must utilize certificates from a trusted DoD CA.
- V-13672 Medium (description) The private web server must use an approved DoD certificate validation process.
- V-13688 Medium (description) Log file data must contain required data elements.
- V-13689 Medium (description) Access to the web site log files must be restricted.
- V-13694 Medium (description, check, fix) Public web servers must use TLS if authentication is required.
- V-13702 Low (description) The Content Location header must not contain proprietary IP addresses.
- V-13704 Medium (check) The Recycle Worker processes in minutes monitor must be set properly.
- V-13705 Medium (check) The maximum number of requests an application pool can process must be set.
- V-13706 Medium (check) The maximum virtual memory monitor must be enabled.
- V-13707 Medium (check) The maximum used memory monitor must be enabled.
- V-13708 Medium (description, check) The Shutdown worker processes Idle Timeout monitor must be enabled.
- V-13709 Medium (check) The Limit the kernel request queue monitor must be enabled.
- V-13710 Medium (check) The Enable pinging monitor must be enabled.
- V-13711 Medium (check) The Enable rapid-fail protection monitor must be enabled.
- V-13712 Medium (check) The Enable rapid-fail time period monitor must be enabled.
- V-13723 Medium (check) The MaxRequestEntityAllowed metabase value must be defined.
- V-2226 Medium (description, check) Web content directories must not be anonymously shared.
- V-2230 Low (description) Backup interactive scripts must be removed from the web site.
- V-2240 Medium (description) Web sites must limit the number of simultaneous requests.
- V-2245 Medium (description) Each readable web document directory must contain a default, home, index or equivalent file.
- V-2250 Medium (description) Logs of web server access and errors must be established and maintained.
- V-2252 Medium (description) Users other than Auditors group must not have greater than read access to log files.
- V-2254 Medium (check) Only fully reviewed and tested web sites must exist on a production web server.
- V-2258 High (description) The web client account access to the content and scripts directories must be limited to read and execute.
- V-2260 Medium (description, check, fix) A web site must not contain a robots.txt file.
- V-2262 Medium (description, check, fix) A private web server must utilize an approved TLS version.
- V-2267 High (check) Unused and vulnerable script mappings in IIS 6 must be removed.
- V-2270 Medium (description) Anonymous FTP users must not have access to interactive scripts.
- V-3333 Medium (description) The web document (home) directory must be on a separate partition from the web server's system files.
- V-3963 Low (description) Indexing Services must only index web content.
- V-6373 Low (description, check, fix) The required DoD banner page must be displayed to authenticated users accessing a DoD private website.
Version: WG210 IIS6 | Severity: M | Vuln ID: V-2226 | Rule ID: SV-38048r2_rule
Checks: C-37415r2_chk
1. Navigate to the %systemroot%\system32 directory.
2. Right click on the inetsrv directory > Select Properties > Select the Sharing tab.
3. If any selection other than "Do not share this folder" is selected, this is a finding.
4. Using the IIS Manager, right click on the web site being reviewed > Select Properties.
5. Select the Home Directory tab > Note the path to the web site's home directory.
6. Navigate to the parent directory of the directory noted above.
7. Right click on the directory noted above > Select Properties > Select the Sharing tab.
8. If any selection other than "Do not share this folder" is selected, this is a finding.
9. Select the Web Sharing tab.
10. Select the web site being reviewed from the drop-down menu.
11. If any entries other than "/" exist under the Aliases window, this is a finding.
NOTE: Administrative shares are not exempt from this requirement.
NOTE: In the case of a storage area network or file storage network, where partitions on the storage device are dedicated to front-end / back-end web services, the additional partitions will be mapped to the correct file storage network partition in the web server configuration. This can apply to both web content and web scripts.
NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the ISSM/ISSO; the shares are restricted to only allow administrators write access; the use of the shares does not bypass the site's approval process for posting new content to the web server; and developers are only permitted read access to these directories.
Fix: F-32651r1_fix
Remove the shares from the applicable directories.
Version: WG410 IIS6 | Severity: M | Vuln ID: V-2229 | Rule ID: SV-28848r1_rule
Checks: C-37457r1_chk
1. Query the SA to determine if CGI scripts are used on the server.
2. If CGI scripts are being used, ensure they are owned by system, the service account running the web service, the web author, and/or the SA.
3. If CGI scripts are owned by any accounts other than system, the service account running the web service, the web author, and/or the SA, this is a finding.
4. Ensure the anonymous web user account has Read or Read/Execute permissions to the CGI scripts.
5. If the anonymous web user account has CGI script permissions beyond Read or Read/Execute, this is a finding.
6. Using Microsoft Internet Information Services Manager > Right click on the web site to be examined.
7. Select the Properties option > Select the Home Directory tab.
8. In the Application settings section, verify the Execute permissions states Scripts only.
9. If the Application settings section's Execute permissions states anything but Scripts only, this is a finding.
10. Select the Configuration button > Select the Options tab.
11. Verify the Enable parent paths check box is NOT checked.
12. If the Enable parent paths check box is checked, this is a finding.
NOTE: Verify these settings on virtual directories as well. The name of the tab for the virtual directories is "Virtual Directory". The Configuration button may not be enabled if it is using the setting from the parent web site. If it is enabled, then validate the settings identified in the manual procedures.
Fix: F-32703r1_fix
1. Set the ownership of the CGI scripts to system, the service account running the web service, the web author, and/or the SA.
2. Set the CGI script permissions for the anonymous web user account to Read or Read/Execute.
3. Set the Application settings section's Execute permissions to Scripts only.
4. Uncheck the Enable parent paths check box.
Version: WG420 IIS6 | Severity: L | Vuln ID: V-2230 | Rule ID: SV-38084r1_rule
Checks: C-37458r1_chk
This check is limited to CGI/interactive content and not static HTML. Search for the following files: *.bak, *.old, *.temp, *.tmp, *.backup, or ‘copy of...’. If files with these extensions are found, this is a finding.
Fix: F-32704r1_fix
Remove the backup scripts from the web server.
Version: WG110 IIS6 | Severity: M | Vuln ID: V-2240 | Rule ID: SV-29997r1_rule
Checks: C-37410r1_chk
1. Open the Internet Information Services Manager.
2. Right click on the web site for review > Select Properties > Select the Performance tab.
3. Under Web site connections, ensure Unlimited is NOT selected.
If Unlimited is selected, this is a finding.
Fix: F-32646r1_fix
1. Open the Internet Information Services Manager.
2. Right click on the web site for review > Select Properties > Select the Performance tab.
3. Under Web site connections, select the Connections limited to radio button and enter the desired number of simultaneous connections.
Version: WG170 IIS6 | Severity: M | Vuln ID: V-2245 | Rule ID: SV-30002r1_rule
Checks: C-37413r1_chk
1. Open the Internet Information Services Manager.
2. Right click on the web site for review > Select Properties > Select the Documents tab.
3. Ensure the Enable default content page check box is checked and one file name is present.
4. Navigate to the home directory and virtual directories for the site being reviewed and verify the presence of the file(s) named in step 3.
If the Enable default content page check box is not checked, or at least one file name is not present, this is a finding. If the file does not exist, this is a finding.
NOTE: If the site has directory browsing disabled for the site or virtual directory, this would not be a finding if a default page does not exist.
Fix: F-32649r1_fix
Add a default document to the applicable directories or disable directory browsing.
Version: WG240 IIS6 | Severity: M | Vuln ID: V-2250 | Rule ID: SV-38065r1_rule
Checks: C-37429r1_chk
1. Open the Internet Information Services Manager.
2. Right click on the web site being reviewed > Select Properties > Select the Web Site tab.
3. Ensure the Enable logging check box is checked.
4. Select the Home Directory tab.
5. Ensure the Log visits check box is checked.
If either the Enable logging check box or the Log visits check box is not checked, this is a finding.
Fix: F-32669r1_fix
1. Open the Internet Information Services Manager.
2. Right click on the web site being reviewed > Select Properties > Select the Web Site tab.
3. Check the Enable logging check box.
4. Select the Home Directory tab.
5. Check the Log visits check box.
6. Select OK.
Version: WG250 IIS6 | Severity: M | Vuln ID: V-2252 | Rule ID: SV-30017r1_rule
Checks: C-29939r1_chk
1. Open the IIS Manager > Expand the Web Sites directory > Right click on the site being reviewed and select Properties.
2. Select the Web Site tab > Click on the Properties button beside the log format drop-down.
3. Note the log file path under Log file directory.
4. Navigate to this location.
5. Right click on the directories and files in this location > Select Properties > Select the Security tab.
6. Ensure only the System, Administrators, and Auditors group have greater than Read permission.
If any users or groups, other than System, Administrators, or Auditors, have greater than read permission to the log directories and files, this is a finding.
NOTE: The Auditor group does not have to have the name Auditors, but the site will need to identify the group containing the auditors.
Fix: F-32675r1_fix
Ensure only the System, Administrators, and Auditors group has greater than read permission to the log files.
Version: WG260 IIS6 | Severity: M | Vuln ID: V-2254 | Rule ID: SV-38069r2_rule
Checks: C-37435r2_chk
The reviewer should query the ISSO, SA, and Web Manager to find out if development web sites are being housed on production web servers.
Definition: A production web server is any web server connected to a production network, regardless of its role.
Proposed questions:
- Do you have development sites on your production web server?
- What is your process to get development web sites / content posted to the production server?
- Do you use "under construction" notices on production web pages?
A manual check can be completed by navigating to the web site via a browser and confirming the information provided by the web staff.
If development web content is discovered on the production web server, this is a finding.
Fix: F-32679r1_fix
Ensure any pages in development are not installed on a production web server.
Version: WG290 IIS6 | Severity: H | Vuln ID: V-2258 | Rule ID: SV-30020r1_rule
Checks: C-29955r1_chk
1. Determine the web client account (anonymous account) for the web server.
2. Note the group memberships of this account found under the Member Of tab.
3. Open the IIS Manager > Right click on the web site for review > Select Properties > Select the Home Directory tab.
4. Note the Local path entry; this will be used later.
5. Ensure the Script source access, Write, and Directory browsing check boxes are unchecked.
6. Repeat step 2 for all sub-directories (including virtual directories) and files of the web site being reviewed (Directory and File tabs, respectively).
7. Note the Local path entry for the virtual directories.
8. Navigate to the local paths found in steps 4 and 7 via Windows Explorer, or equivalent, and verify the permissions assigned to the anonymous account (normally IUSR_computername).
If any of the web sites, their sub-directories (including virtual directories), or files have Script source access, Write, or Directory browsing enabled, this is a finding.
If the anonymous account is assigned greater than read & execute permissions to any of the local paths (including their content), this is a finding.
NOTE: If the Microsoft 'Everyone' account has access to these directories, this is a finding.
Fix: F-32683r1_fix
Disable Script source access, Write, and Directory browsing permissions on the web site, its sub-directories (including virtual directories), and files. Limit the anonymous account permissions to read & execute or less for the local paths (including their content).
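As an added example (not part of the STIG), the following PowerShell audit applies the permission test from step 8 of this check to a site's local path: it walks the content tree and reports any Allow entry that gives the anonymous account more than Read & Execute, or gives Everyone any access. It assumes PowerShell 3.0 or later running as an administrator on the IIS 6 host; the `$AnonymousAccount` default and the `*\IUSR_*` name pattern are assumptions for the usual IUSR_computername naming.

```powershell
# Added audit helper for V-2258 (WG290). Not part of the STIG.
# Assumes PowerShell 3.0+ and the default IUSR_computername anonymous account name.
function Test-AnonymousContentAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ContentPath,                 # "Local path" from the Home Directory tab
        [string]$AnonymousAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"
    )

    # The ceiling the check allows: Read & Execute (Synchronize is always granted
    # alongside it by Explorer, so it is not counted as an excess right).
    $allowed = [int]([System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
                     [System.Security.AccessControl.FileSystemRights]::Synchronize)

    $findings = @()
    $items = @(Get-Item -LiteralPath $ContentPath) +
             @(Get-ChildItem -LiteralPath $ContentPath -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value

            if ($who -eq 'Everyone') {
                # NOTE in the check: any access for Everyone is a finding.
                $findings += "FINDING: Everyone has $($ace.FileSystemRights) on $($item.FullName)"
                continue
            }

            # Match the configured anonymous account, or (assumed pattern) any IUSR_* account.
            if ($who -ieq $AnonymousAccount -or $who -like '*\IUSR_*') {
                # Any right bit outside ReadAndExecute|Synchronize exceeds "read & execute".
                $excess = ([int]$ace.FileSystemRights) -band (-bnot $allowed)
                if ($excess -ne 0) {
                    $findings += "FINDING: $who has $($ace.FileSystemRights) on $($item.FullName)"
                }
            }
        }
    }
    return $findings
}

# Example usage (path is a placeholder): no output means no ACL findings for this rule.
# Test-AnonymousContentAcl -ContentPath 'D:\wwwroot\ExampleSite'
```

Group memberships noted in step 2 are not expanded here; an IUSR_ account that inherits rights through a group still has to be reviewed by hand as the check describes.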
Version: WG310 IIS6 | Severity: M | Vuln ID: V-2260 | Rule ID: SV-28797r2_rule
Checks: C-30022r2_chk
1. Open the IIS Manager > Click on the web site being reviewed.
2. In the right-hand pane, look for a file named robots.txt.
3. If the robots.txt file does exist, this is a finding.
Fix: F-32685r2_fix
1. Open the IIS Manager > Click on the web site being reviewed.
2. In the right-hand pane, look for a file named robots.txt.
3. Delete the robots.txt file.
NOTE: If there is information on the web site that needs protection from search engines and public view, then other methods must be used to safeguard the data.
Version: WG340 IIS6 | Severity: M | Vuln ID: V-2262 | Rule ID: SV-28468r2_rule
Checks: C-37443r3_chk
1. Open the IIS Manager > Right click on the web site to be examined > Select Properties > Select the Web Site tab > Note the entry for the SSL port (i.e. 443).
2. Select the Directory Security tab > Select the Edit button in the Secure communications section.
3. Ensure the Require secure channel (SSL) and Require 128-bit encryption check boxes are checked.
If the Require secure channel (SSL) and Require 128-bit encryption check boxes are not checked, this is a finding.
If the site requires SSL and 128-bit encryption, then the version of SSL/TLS also needs to be verified. The following registry keys need to exist and be set to not allow anything lower than TLS. This can be accomplished by ensuring the value Enabled (REG_DWORD) = 0 exists in each of the keys:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value "Enabled", this would also be a finding.
The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable TLS. If the "Enabled" value is present and set to 0, this is a finding.
NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.
Fix: F-32689r3_fix
1. Obtain and install a server certificate from a .mil Certificate Authority or approved DoD ECA.
2. Open the IIS Manager > Right click on the web site to be examined > Select Properties > Select the Directory Security tab > Select the Edit button in the Secure communications section.
3. Select the Require secure channel (SSL) and Require 128-bit encryption check boxes.
4. Set the version of SSL/TLS by creating and setting the following registry keys to not allow anything lower than TLS. Ensure the value Enabled (REG_DWORD) = 0 exists in each of the keys:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it needs to be set to REG_DWORD 1, to enable TLS.
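As an added example (not part of the STIG), a PowerShell audit of the SCHANNEL protocol keys named in this check and fix. It applies the check text literally: for PCT 1.0, SSL 2.0 and SSL 3.0 a missing key, a missing Enabled value, or Enabled not equal to 0 is a finding; for TLS 1.0 only an explicit Enabled = 0 is a finding. It assumes PowerShell 3.0 or later running as an administrator on the IIS 6 host; it reads the registry only and changes nothing.

```powershell
# Added audit helper for V-2262 (WG340). Not part of the STIG; read-only.
# Assumes PowerShell 3.0+ and an elevated session on the IIS 6 host.
function Test-SchannelProtocolKeys {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $findings = @()

    # Protocols the check requires to be disabled on both the Client and Server side.
    foreach ($proto in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            if (-not (Test-Path -LiteralPath $key)) {
                $findings += "FINDING: key missing: $key"
                continue
            }
            $props = Get-ItemProperty -LiteralPath $key
            $enabled = $props.PSObject.Properties['Enabled']
            if ($null -eq $enabled) {
                # Check text: a key without the "Enabled" value is also a finding.
                $findings += "FINDING: 'Enabled' value absent: $key"
            } elseif ([int]$enabled.Value -ne 0) {
                $findings += "FINDING: Enabled = $($enabled.Value), expected 0: $key"
            }
        }
    }

    # TLS 1.0: "Enabled" may be absent; if present it must not be 0.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "TLS 1.0\$side"
        if (Test-Path -LiteralPath $key) {
            $enabled = (Get-ItemProperty -LiteralPath $key).PSObject.Properties['Enabled']
            if ($null -ne $enabled -and [int]$enabled.Value -eq 0) {
                $findings += "FINDING: TLS 1.0 explicitly disabled (Enabled = 0): $key"
            }
        }
    }
    return $findings
}

# Example usage: an empty result means the protocol keys satisfy this rule.
$result = Test-SchannelProtocolKeys
if ($result.Count -eq 0) { 'V-2262 SCHANNEL protocol keys: no findings' } else { $result }
```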
Version: WG350 IIS6 | Severity: M | Vuln ID: V-2263 | Rule ID: SV-38080r1_rule
Checks: C-37452r1_chk
1. Open the IIS Manager > Right click on the web site being reviewed > Select Properties > Select the Directory Security tab.
2. Under the Secure communications section > Select View Certificate.
3. Select the Details tab > Select the Issuer field.
4. View the lower window and ensure the certificate contains the following:
CN = DOD CLASS 3 CA-3
OU = PKI
OU = DoD
O = U.S. Government
C = US
If the credentials listed above are not found, this is a finding.
NOTE: It is also acceptable to open a browser window and browse to the appropriate site. Before entry to the site, the server's DoD PKI credentials should be presented. Review these credentials for authenticity.
NOTE: If the server is running as a public web server, this finding should be not applicable.
NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch vs. the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. We do not want users to have the ability to bypass the content switch to access the web sites.
Fix: F-32698r1_fix
Configure the private web site to use a valid DoD certificate.
Version: WG490 IIS6 | Severity: L | Vuln ID: V-2265 | Rule ID: SV-38118r1_rule
Checks: C-37492r1_chk
1. Right click on the Start button > Select Search > Enter "*.java, *.jpp" in the box titled All or part of the file name.
2. Press Search.
NOTE: This search must be completed on all active drives the web server utilizes.
NOTE: Files with the extension .class, .jre and .jvm are acceptable. Executables such as java.exe, jre.exe, and jrew.exe are permitted.
If files with the extension .java or .jpp are found, this is a finding.
Fix: F-32740r1_fix
Remove all files from the web server with the following extensions: .java and .jpp.
Version: WA000-WI050 IIS6 | Severity: H | Vuln ID: V-2267 | Rule ID: SV-16145r2_rule
Checks: C-13982r2_chk
1. Open the IIS Manager > Click on the Web Service Extensions directory.
2. In the right-hand pane, look for the following web service extensions:
- Server side includes
- Internet Data Connector
- Index Server Web Interface
- Internet printing
- .HTR scripting
3. If any of the above service extensions exist and are set to Allowed, right click on it > Select Properties > Select the required files.
NOTE: If a web service extension is set to Prohibit, this meets the intent of this check.
4. Record the files listed.
5. Right click on the web site being reviewed > Select Properties > Select Home Directory.
6. Under Application settings, select Configuration.
7. Under Application extensions, find the file extensions listed below > Select Edit > Ensure the file extension is not mapped to the files noted in step 4 with respect to the specific service extension.
- Server side includes: .shtml, .shtm and .stm
- Internet Data Connector: .idc
- Index Server Web Interface: .htw, .ida and .idq
- Internet printing: .printer
- .HTR scripting: .htr
8. Ensure the following file extensions do not exist under Application extensions: .bat, .cmd
9. Query the Web Admin on the listed extensions and the reason for their use.
If any of the extensions under step 7 match the required files in the Allowed status for the respective service extension, this is a finding. If the file extensions .bat or .cmd are present, this is a finding. If a file extension is listed and has no use, this is a finding.
NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of particular script mappings. If the site has this documentation, this should be marked as not a finding.
NOTE: You may need to perform this check on each site's directory, sub-directories, and virtual directories since these can be set at each location.
Fix: F-14946r1_fix
Remove unused and vulnerable script mappings.
Version: WA000-WI030 IIS6 | Severity: M | Vuln ID: V-2268 | Rule ID: SV-38009r1_rule
Checks: C-37357r1_chk
1. Open IIS Manager > Right click on the web site being reviewed > Select Properties > Select the Home Directory tab.
2. Under Application settings > Select Configuration > Select the Mappings tab.
3. Under Application extensions, review the Extension field to see if the following file extensions are mapped to the asp.dll or aspnet_isapi.dll: .asa, .asax, .inc
NOTE: If these extensions are mapped to the asp.dll or aspnet_isapi.dll, this is not a finding and the check procedure can stop here. If they are not mapped to the asp.dll or aspnet_isapi.dll, continue with the following procedure to determine if the files are protected via file permissions.
4. Right click on the Start button > Select Search.
5. Under the text box "All or part of the file name", enter the following: global.asa, global.asax, *.inc.
NOTE: All drives utilized for the web site being reviewed should be searched.
NOTE: Check using IIS Manager to determine which directory is associated with the web site (Web Site properties, Home Directory tab).
6. If these files are found and are part of the directories (including virtual directories) for the web site being reviewed, navigate to these files.
7. Right click on the file > Select Properties > Select the Security tab.
8. Ensure Read permissions do not exist for the IUSR_machinename account (the anonymous web user).
If the IUSR_machinename account has read access to the global.asa, global.asax, or .inc files, and these extensions are not mapped to the asp.dll, this is a finding.
Fix: F-32594r1_fix
Remove read permissions for the IUSR_machinename account from the .inc files and their equivalent.
Version: WG430 IIS6 | Severity: M | Vuln ID: V-2270 | Rule ID: SV-38111r1_rule
Checks: C-37484r1_chk
1. Open the IIS Manager.
2. For the site being reviewed, determine the directories where CGI, PERL, ASP, JS, or JSP scripts are located.
3. Determine if these locations are enabled for FTP access by looking under the FTP Sites folder within IIS Manager.
4. For directories with FTP enabled, right click on the directory > Select Properties > Select Directory Security > Select the Edit button beside Authentication and access control.
If Enable anonymous access is checked, this is a finding.
Fix: F-32732r1_fix
Remove anonymous FTP access from directories where CGI, PERL, ASP, JS, or JSP scripts are located.
Version: WG460 IIS6 | Severity: M | Vuln ID: V-2272 | Rule ID: SV-38114r1_rule
Checks: C-37487r1_chk
1. Query the Web Admin for the PERL file extension(s) on the system.
2. Search the system for PERL files (normally ending in .pl).
3. For those PERL files found within the web site/server content directories, open them with Notepad and ensure the first line of the script is as follows: #!/usr/local/bin/perl -T
4. If the above line is not found, verify the application settings for the directory containing the PERL script(s).
5. Right click on the directory > Select Properties > Select the Home Directory, Directory, or Virtual Directory tab.
6. Under the Application settings area, select the Configuration button.
7. Browse the Application extensions for the PERL file extension (normally .pl).
8. Verify the executable path for the PERL file extension lists Perl.exe -T.
If #!/usr/local/bin/perl -T is not the first line of the PERL script, or the executable path does not list Perl.exe -T, this is a finding.
NOTE: This applies to PERL scripts used as part of the web server and not all PERL scripts on the system.
NOTE: If the TAINT option cannot be used for any reason, this finding can be mitigated by the use of a third-party input validation mechanism, or input validation will be included as part of the script in use. This must be documented.
Fix: F-32735r1_fix
Adjust the PERL scripts to include the appropriate comments enabling the TAINT option.
Version: WG205 IIS6 | Severity: M | Vuln ID: V-3333 | Rule ID: SV-30041r1_rule
Checks: C-37414r1_chk
1. Open the IIS Manager > Right click on the web site being reviewed > Select Properties > Select the Home Directory tab.
2. Note the path to the web site's home directory.
If the directory is on the same partition as the operating system's root directory, this is a finding. If the directory is a child directory of the web application directory, this is a finding.
Fix: F-32650r1_fix
Change the home directory to a partition other than the partition containing the web server system files.
Version: WA000-WI070 IIS6 | Severity: L | Vuln ID: V-3963 | Rule ID: SV-38011r1_rule
Checks: C-37362r1_chk
1. Open the IIS Manager > Right click on the web site being reviewed > Select the Home Directory tab.
2. Verify the status of the Index this resource check box.
3. If the Index this resource check box is checked, open the Services window (via Administrative Tools in Control Panel) and check to see if the Indexing Service is listed. If it is listed, determine if the Startup Type mode is either "Automatic" or "Manual".
NOTE: If the Index this resource check box is not checked, or the Indexing Service is not installed or is disabled, this is not a finding.
4. With the assistance of the Web Administrator and/or SA, use the MMC to evaluate the Indexing Service using the Indexing Service snap-in.
5. Review the directories being indexed, ensuring only web content folders are being indexed.
NOTE: If unsure whether a folder is a web content folder, examine the Home Directory tab within the properties of the web site. This will indicate the path of the content for this web site.
If the Indexing Service is running and directories other than web content directories are being indexed, this is a finding.
Fix: F-32599r1_fix
Assure that only the web document directories are indexed.
Version: WG265 IIS6 | Severity: L | Vuln ID: V-6373 | Rule ID: SV-40022r2_rule
Checks: C-37437r3_chk
The document DoDI 8500.01 establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present.
If a banner is required, the following banner page must be in place:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
- The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
- At any time, the USG may inspect and seize data stored on this IS.
- Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
- This IS includes security measures (e.g., authentication and access controls) to protect USG interests—not for your personal benefit or privacy.
- Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
OR, if your system cannot meet the character limits to store this amount of text in the banner, the following is another option for the warning banner:
"I've read & consent to terms in IS user agreem't."
NOTE: While DoDI 8500.01 does not contain a copy of the banner to be used, it does point to the RMF Knowledge Service for a copy of the required text. It is also noted that the banner is to be displayed only once when the individual enters the site and not for each page.
If the access-controlled website does not display this banner page before entry, this is a finding.
Fix: F-32681r2_fix
Configure a DoD private website to display the required DoD banner page when authentication is required for user access.
Version: WG140 IIS6 | Severity: M | Vuln ID: V-6531 | Rule ID: SV-30046r1_rule
Checks: C-37411r1_chk
1. Open the IIS Manager > Right click on the web site being reviewed > Select Properties > Select the Directory Security tab.
2. Under the Secure communications area, select the Edit button.
3. Ensure Require secure channel (SSL) and Require client certificates are checked.
If Require secure channel (SSL) and Require client certificates are not checked, this is a finding.
Fix: F-32647r1_fix
1. Open the IIS Manager > Right click on the web site being reviewed > Select Properties > Select the Directory Security tab.
2. Under the Secure communications area, select the Edit button.
3. Select Require secure channel (SSL) and Require client certificates > Press OK.
Version: WA000-WI090 IIS6 | Severity: M | Vuln ID: V-6755 | Rule ID: SV-38016r1_rule
Checks: C-37368r1_chk
1. Open the IIS Manager > Right click on the web site under review > Select Properties > Select the Home Directory tab.
2. Ensure the Directory browsing check box is not selected.
NOTE: This procedure should be completed on all Directories (including Sub-Directories) and Virtual Directories within the site.
If the Directory browsing feature is enabled, this is a finding.
Fix: F-32605r1_fix
1. Open the IIS Manager > Right click on the website under review > Select Properties > Select the Home Directory tab.
2. Uncheck the Directory browsing check box.
NOTE: This procedure should be completed on all Directories (including Sub-Directories) and Virtual Directories within the site.
- RMF Control
- Severity
- M
- CCI
- Version
- WG355 IIS6
- Vuln IDs
-
- V-13620
- Rule IDs
-
- SV-14206r1_rule
Checks: C-37455r1_chk
1. Open the IIS Manager > Right click on the site being reviewed > Select Properties > Select the Directory Security tab.
2. Under Secure communications > Select Edit > If Enable certificate trust list is checked, select Edit.
3. When prompted by the certificate trust list wizard, select Next.
If there are trusted CAs in this list that are not DoD, this is a finding.
NOTE: There are non-DoD roots that must be on the server in order for it to function. Some applications, such as anti-virus programs, require root CAs to function.
NOTE: The PKE InstallRoot 3.06 System Administrator Guide (SAG), dated 8 Jul 2008, contains a complete list of DoD, ECA, and IECA CAs.
Fix: F-32701r1_fix
Configure the certificate trust list to trust only DoD-approved PKIs (e.g., DoD PKI, DoD ECA, and DoD-approved external partners).
- RMF Control
- Severity
- M
- CCI
- Version
- WG145 IIS6
- Vuln IDs
-
- V-13672
- Rule IDs
-
- SV-28796r1_rule
Checks: C-37412r1_chk
1. Select Start > Select Run > Enter the path to the Metabase.xml file (default is %systemroot%\system32\inetsrv\Metabase.xml).
2. Press Ctrl+F > Enter CertCheckMode.
3. Ensure the ServerComment property, a few lines after the CertCheckMode property, contains the name of the web site being reviewed.
4. Verify this property is set to 0.
If the value of this property is not set to 0, this is a finding.
NOTE: The value for this parameter defaults to 0, which means CRL checking is enabled. So, if the web site being reviewed is missing this parameter, this is not a finding, unless a nonzero value is inherited from the server level as described in the next note.
NOTE: If the property exists both at the server level, LM/W3SVC/CertCheckMode, and at the site level, W3SVC/(site name)/CertCheckMode, the value at the site overrides the value at the server level. So, in this case, if the server is set to 0 and the site is set to 1, it is a finding for the site being reviewed.
Fix: F-32648r1_fix
Configure the DoD Private Web Server to conduct certificate revocation checking.
- RMF Control
- Severity
- H
- CCI
- Version
- WG235 IIS6
- Vuln IDs
-
- V-13686
- Rule IDs
-
- SV-40028r1_rule
Checks: C-37417r1_chk
Query the SA to determine if there is a process for the uploading of files to the web site. This process should include the requirement for the use of a secure encrypted logon and secure encrypted connection.
NOTE: See results from WG230 for data that will assist in the validation of this vulnerability.
If the remote users are uploading files without utilizing approved encryption methods, this is a finding.
Fix: F-32653r1_fix
Use only secure encrypted logons and connections for uploading files to the web site.
- RMF Control
- Severity
- M
- CCI
- Version
- WG242 IIS6
- Vuln IDs
-
- V-13688
- Rule IDs
-
- SV-28653r1_rule
Checks: C-30008r1_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Web Site tab.
2. Ensure Enable logging is selected.
3. Select the Properties button > Select the Advanced tab.
4. Under the Extended logging options ensure the following items are checked: Date, Time, Client IP Address, User Name, Method, URI Query, Http Protocol Status and Referrer.
If the Enable logging checkbox is not selected, this is a finding. If any of the items listed in step 4 are not selected, this is a finding.
NOTE: The collection of additional logging information is acceptable.
Fix: F-32673r1_fix
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Web Site tab.
2. Ensure Enable logging is selected.
3. Select the Properties button > Select the Advanced tab.
4. Under the Extended logging options check the following: Date, Time, Client IP Address, User Name, Method, URI Query, Http Protocol Status and Referrer.
5. Select OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WG255 IIS6
- Vuln IDs
-
- V-13689
- Rule IDs
-
- SV-29398r1_rule
Checks: C-30017r1_chk
1. Open the IIS Manager > Right click the website being reviewed > Select Properties > Select the Web Site tab > In the Enable logging box select Properties.
2. Note the path listed under the text Log file directory and the name of the log file beside the text Log file name.
3. Use Explorer to navigate to the log files based on the path and name found in step 2.
4. Right-click on the log file > Select Security.
5. Verify the permissions are as follows:
- Auditors & System = Full Control
- Administrators & Web Administrators = Read
If the permissions are not the same as those listed in step 5, this is a finding. If any account has access to the log files other than those listed in step 5, this is a finding.
NOTE: If permission assignment is more restrictive, this is not a finding.
Fix: F-32678r1_fix
1. Open the IIS Manager > Right click the website being reviewed > Select Properties > Select the Web Site tab > In the Enable logging box select Properties.
2. Note the path listed under the text Log file directory and the name of the log file beside the text Log file name.
3. Use Explorer to navigate to the log files based on the path and name found in step 2.
4. Right-click on the log file > Select Security.
5. Set the permissions as follows:
- Auditors & System = Full Control
- Administrators & Web Administrators = Read
- RMF Control
- Severity
- M
- CCI
- Version
- WG342 IIS6
- Vuln IDs
-
- V-13694
- Rule IDs
-
- SV-28566r2_rule
Checks: C-28835r2_chk
1. Open the IIS Manager > Right click on the website to be examined > Select Properties > Select the Web Site tab > Note the entry for the SSL port (e.g., 443).
2. Select the Directory Security tab > Select the Edit button in the Secure communications section.
3. Ensure the Require secure channel (SSL) and Require 128-bit encryption check boxes are checked.
If the Require secure channel (SSL) and Require 128-bit encryption check boxes are not checked, this is a finding.
If the site requires SSL and 128-bit encryption, the version of SSL also needs to be verified. The following registry keys need to exist and be set so that nothing lower than TLS is allowed. This is accomplished by ensuring the value Enabled REG_DWORD 0 exists in each of the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
If these keys are not set to a DWORD value of 0, this is a finding. If the keys do not contain the value Enabled, this is also a finding.
The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it must be set to REG_DWORD 1 to enable TLS. If the Enabled value is present and is not set to 1, this is a finding.
NOTE: In some cases the web servers are configured in an environment to support load balancing. This configuration most likely utilizes a content switch to control traffic to the various web servers. In this situation, the SSL certificate for the web sites may be installed on the content switch rather than on the individual web sites. This solution is acceptable as long as the web servers are isolated from the general population LAN. Users must not have the ability to bypass the content switch to access the web sites.
Fix: F-32693r2_fix
1. Obtain and install a server certificate from a .mil Certificate Authority or approved DoD ECA.
2. Open the IIS Manager > Right click on the website to be examined > Select Properties > Select the Directory Security tab > Select the Edit button in the Secure communications section.
3. Select the Require secure channel (SSL) and Require 128-bit encryption check boxes.
4. Set the SSL/TLS version by creating and setting the following registry keys so that nothing lower than TLS is allowed. Ensure the value Enabled REG_DWORD 0 exists in each of the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
The keys for TLS 1.0 do not require the Enabled value to be present, but if it is, it must be set to REG_DWORD 1 to enable TLS.
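The registry part of the WG342 check and fix above can be audited without logging on to each server: export the SCHANNEL\Protocols key (reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" schannel.reg) and evaluate the export on an audit workstation. The Python script below is an added example written for this page, not DISA or Microsoft code. It parses a constructed .reg export (the sample text is made up and deliberately leaves SSL 3.0\Server enabled and TLS 1.0\Server disabled) and applies exactly the rule stated in the check: PCT 1.0, SSL 2.0 and SSL 3.0 must carry Enabled=0 for both Client and Server, and TLS 1.0 may omit Enabled but, if present, it must be 1. It also emits a .reg file that applies the fix. Function names and the file name schannel.reg are the example's own; registry paths are case-insensitive, so the lower-case comparison matches the STIG's HKey_Local_Machine\System spelling as well.

```python
import re

PROTOCOLS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
MUST_BE_DISABLED = ("PCT 1.0", "SSL 2.0", "SSL 3.0")
SIDES = ("Client", "Server")

# Constructed sample of a `reg export` of the Protocols key. A real export is UTF-16 with a BOM,
# so read it with open(path, encoding="utf-16"). Two deliberate violations are included.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"""


def parse_reg(text):
    """Return {key path (lower-cased): {value name (lower-cased): int}} for the DWORD values in a .reg file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"=dword:([0-9a-f]{8})$', line, re.IGNORECASE)
            if m:
                keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def enabled_value(keys, protocol, side):
    """The Enabled DWORD under Protocols\<protocol>\<side>, or None if the key or value is absent."""
    return keys.get(f"{PROTOCOLS}\\{protocol}\\{side}".lower(), {}).get("enabled")


def audit_schannel(reg_text):
    """Apply the WG342 rule; returns one string per finding, empty when compliant."""
    keys, findings = parse_reg(reg_text), []
    for proto in MUST_BE_DISABLED:
        for side in SIDES:
            v = enabled_value(keys, proto, side)
            if v is None:
                findings.append(f"{proto}\\{side}: key or Enabled value missing")
            elif v != 0:
                findings.append(f"{proto}\\{side}: Enabled={v}, expected 0")
    for side in SIDES:  # TLS 1.0 needs no Enabled value, but a present one must be 1
        v = enabled_value(keys, "TLS 1.0", side)
        if v is not None and v != 1:
            findings.append(f"TLS 1.0\\{side}: Enabled={v}, expected 1 (or absent)")
    return findings


def remediation_reg():
    """Build the .reg text that applies the fix (import with regedit /s; SCHANNEL changes take effect after a restart)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for proto in MUST_BE_DISABLED:
        for side in SIDES:
            lines += [f"[{PROTOCOLS}\\{proto}\\{side}]", '"Enabled"=dword:00000000', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # For a real host replace SAMPLE_EXPORT with open("schannel.reg", encoding="utf-16").read()
    for finding in audit_schannel(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Save the output of remediation_reg() with encoding="utf-16" so it matches what regedit writes, and re-run the audit against a fresh export after the restart to confirm the keys took effect. Windows Server 2003 has no DisabledByDefault value, so setting Enabled is the whole of the protocol policy on an IIS 6 host.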
- RMF Control
- Severity
- H
- CCI
- Version
- WA000-WI092 IIS6
- Vuln IDs
-
- V-13699
- Rule IDs
-
- SV-38020r1_rule
Checks: C-37372r1_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab. If the IIS web site permissions "Write" or “Script source access” are selected, this is a finding. NOTE: This should be completed for all directories (including sub-directories), virtual directories, and files for the site being reviewed.
Fix: F-32609r1_fix
1. Open the IIS Manager > Right click on the website (including directories, sub-directories, virtual directories, and files) being reviewed > Select Properties > Select the Home Directory (Directory, Virtual Directory, or File) tab. 2. Uncheck the Write and/or the Script source access permissions.
- RMF Control
- Severity
- L
- CCI
- Version
- WA000-WI120 IIS6
- Vuln IDs
-
- V-13702
- Rule IDs
-
- SV-38025r1_rule
Checks: C-10954r2_chk
1. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press Ctrl+F > Enter "servercomment" > Select the Find Next button to find the attribute ServerComment=the name of the web site being reviewed.
3. Verify the setting for either the UseHostName or SetHostName attribute.
If both settings are specified, this is a finding. If neither setting is specified, this is a finding. If UseHostName is specified and not set to TRUE, this is a finding. If SetHostName is specified and the web server's private IP address is used, this is a finding.
Fix: F-13150r1_fix
1. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press Ctrl+F > Enter "servercomment" > Select the Find Next button to find the attribute ServerComment=the name of the website being reviewed.
3. Go to the beginning of the IIsWebServer key for the web site being reviewed (a few lines prior to the ServerComment attribute found in step 2).
4. Note the number after W3SVC, as it will be used next.
5. From the CLI navigate to the location of the adsutil.vbs script (%systemdrive%\Inetpub\AdminScripts by default).
6. Enter the following: adsutil.vbs set w3svc/<number from step 4>/UseHostName true
NOTE: The command in step 6 can be substituted with the following: adsutil.vbs set w3svc/<number from step 4>/SetHostName "<name other than your private IP address>"
NOTE: cscript may have to be input in front of the adsutil.vbs command (e.g., cscript adsutil.vbs set w3svc/1/UseHostName true).
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6010 IIS6
- Vuln IDs
-
- V-13703
- Rule IDs
-
- SV-38137r1_rule
Checks: C-37380r2_chk
1. Open the IIS Manager > Right click on the website being reviewed > Select Properties > Select the Home Directory tab.
2. Review the Application settings area and note the name listed next to Application pool.
3. Ensure this Application pool is not listed as any other site's Application pool.
If there is not a unique application pool configured for the web site being reviewed, this is a finding.
NOTE: The default Application Pool (DefaultAppPool) is not considered unique and is a finding if the web site is using it.
Fix: F-32617r1_fix
1. Open the IIS Manager > Right click on the website being reviewed > Select the Home Directory tab. 2. Go to the Application settings area > Select the Application pool drop down > Select the unique Application pool for the web site. 3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6020 IIS6
- Vuln IDs
-
- V-13704
- Rule IDs
-
- SV-38134r2_rule
Checks: C-37384r4_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab. 2. Ensure the Recycle worker processes (in minutes) check box is checked and the value is set to 1740 or less. If the value is not set properly, this is a finding. NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32621r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab. 2. Ensure the Recycle worker processes (in minutes) check box is checked and set the value to 1740 or less. 3. Press OK.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6022 IIS6
- Vuln IDs
-
- V-13705
- Rule IDs
-
- SV-38132r2_rule
Checks: C-37386r3_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the web site being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Recycle worker processes (number of requests) check box is checked and the value is set to 35000 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32622r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab. 2. Ensure the Recycle worker processes (number of requests) is enabled and the value is set to 35000 or less.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6024 IIS6
- Vuln IDs
-
- V-13706
- Rule IDs
-
- SV-38033r2_rule
Checks: C-37388r2_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Maximum virtual memory (in megabytes) check box is checked and the value is set to 792 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32625r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab. 2. Ensure the maximum virtual memory monitor is enabled and the value is set to 792 or less.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6026 IIS6
- Vuln IDs
-
- V-13707
- Rule IDs
-
- SV-38130r2_rule
Checks: C-37390r3_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Recycling tab.
2. Ensure the Maximum used memory (in megabytes) check box is checked and the value is set to 192 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32627r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Recycling tab. 2. Ensure the maximum used memory is enabled and the value is set to 192 or less.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6028 IIS6
- Vuln IDs
-
- V-13708
- Rule IDs
-
- SV-38041r2_rule
Checks: C-37403r3_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Performance tab.
2. Ensure the Shutdown worker process idle timeout check box is checked and the value (in minutes) is set to 20 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32639r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Performance tab. 2. Ensure the Shutdown worker process idle timeout monitor is enabled and the value is set to 20 or less.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6030 IIS6
- Vuln IDs
-
- V-13709
- Rule IDs
-
- SV-38123r2_rule
Checks: C-37404r3_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Performance tab.
2. Ensure the Limit the kernel request queue check box is checked and the value (number of requests) is set to 4000 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32640r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Performance tab. 2. Ensure the Limit the kernel request queue monitor is enabled and the value is set to 4000 or less.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6032 IIS6
- Vuln IDs
-
- V-13710
- Rule IDs
-
- SV-38043r2_rule
Checks: C-37405r2_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Health tab.
2. Ensure the Enable pinging check box is checked and the value (in seconds) is set to 30 or more.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for a decreased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32641r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Health tab. 2. Ensure the Enable pinging monitor is enabled and the value is set to 30 or more.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6034 IIS6
- Vuln IDs
-
- V-13711
- Rule IDs
-
- SV-38044r2_rule
Checks: C-37406r2_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Health tab.
2. Ensure the Enable rapid-fail protection check box is checked and the Failures value is set to 5 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32642r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Health tab. 2. Ensure the Enable rapid-fail protection monitor is enabled and the value is set to 5 or less.
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6036 IIS6
- Vuln IDs
-
- V-13712
- Rule IDs
-
- SV-38045r2_rule
Checks: C-37407r2_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Health tab.
2. Ensure the Enable rapid-fail protection check box is checked and the Time period value (in minutes) is set to 5 or less.
If the value is not set properly, this is a finding.
NOTE: This vulnerability can be documented locally by the ISSM/ISSO if the site has operational reasons for an increased value. If the ISSM/ISSO has approved this change in writing, this should be marked as not a finding.
Fix: F-32643r1_fix
1. Open the IIS Manager > Right click on the desired Application Pool > Select Properties > Select the Health tab. 2. Ensure the Enable rapid-fail time period monitor is enabled and the value is set to 5 or less.
- RMF Control
- Severity
- H
- CCI
- Version
- WA000-WI6040 IIS6
- Vuln IDs
-
- V-13713
- Rule IDs
-
- SV-38046r1_rule
Checks: C-37408r1_chk
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Identity tab.
2. Identify the account used to run the worker process.
3. Check the group membership of the account found in step 2 by using Computer Management and opening Local Users and Groups.
4. The account should be in the IIS_WPG group and not have membership in the Administrators group.
If the account used to run the worker process is also an Administrator, this is a finding. If the account is set to LocalSystem, this is a finding.
NOTE: The Local Service and Network Service built-in accounts are not privileged accounts and are not a finding.
NOTE: This check may be reported as a False Positive by the Gold Disk, so a manual verification is recommended if this is an open finding. If this is reported as not a finding, no further checking is necessary.
Fix: F-32644r1_fix
1. Open the IIS Manager > Right click on the Application Pool that corresponds to the website being reviewed > Select Properties > Select the Identity tab.
2. Enter the desired account information.
3. Check the group membership of the account entered in step 2 by using Computer Management and opening Local Users and Groups.
4. Ensure the account is a member of the IIS_WPG group and does not have membership in the Administrators group.
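Every setting on the Recycling, Performance, Health and Identity tabs used by the application pool checks above (V-13703 through V-13713) is stored as an attribute of an IIsApplicationPool node in Metabase.xml, so all pools on a server can be audited at once from a copy of that file. The script below is an added example for this page, not DISA or Microsoft tooling. It reads a constructed metabase fragment (made up for the example) and applies the limits stated in the checks, using the IIS 6 metabase property names behind those tabs: PeriodicRestartTime, PeriodicRestartRequests, PeriodicRestartMemory, PeriodicRestartPrivateMemory, IdleTimeout, AppPoolQueueLength, PingingEnabled, PingInterval, RapidFailProtection, RapidFailProtectionMaxCrashes, RapidFailProtectionInterval, AppPoolIdentityType, WAMUserName and AppPoolId. Two details the GUI hides: the memory limits are stored in kilobytes (the STIG's 792 MB is 811008 KB), and a property absent from both the pool and /LM/W3SVC/AppPools takes the MBSchema default, which the script reports for manual verification rather than guessing. Group membership of a custom identity cannot be read from the metabase, so that is reported as a VERIFY item. Function names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed Metabase.xml fragment (made up for this example, not copied from a real host).
# Pools inherit from /LM/W3SVC/AppPools; memory limits are stored in KB while IIS Manager shows MB.
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsApplicationPools Location="/LM/W3SVC/AppPools" PeriodicRestartTime="1740" IdleTimeout="20"
    AppPoolQueueLength="1000" PingingEnabled="TRUE" PingInterval="30"
    RapidFailProtection="TRUE" RapidFailProtectionMaxCrashes="5" RapidFailProtectionInterval="5" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/PrivateSitePool" AppPoolIdentityType="3"
    WAMUserName="CORP\\svc_iis_private" PeriodicRestartRequests="50000"
    PeriodicRestartMemory="811008" PeriodicRestartPrivateMemory="0" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/root" AppPoolId="PrivateSitePool" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/root" AppPoolId="DefaultAppPool" />
</MBProperty>
</configuration>
"""

# (metabase property, acceptance test on the integer value, wording of the corresponding STIG check)
POOL_RULES = [
    ("PeriodicRestartTime", lambda v: 0 < v <= 1740, "Recycle worker processes (in minutes): enabled, <= 1740"),
    ("PeriodicRestartRequests", lambda v: 0 < v <= 35000, "Recycle worker processes (requests): enabled, <= 35000"),
    ("PeriodicRestartMemory", lambda v: 0 < v <= 792 * 1024, "Maximum virtual memory: enabled, <= 792 MB"),
    ("PeriodicRestartPrivateMemory", lambda v: 0 < v <= 192 * 1024, "Maximum used memory: enabled, <= 192 MB"),
    ("IdleTimeout", lambda v: 0 < v <= 20, "Shutdown worker process idle timeout: enabled, <= 20 minutes"),
    ("AppPoolQueueLength", lambda v: 0 < v <= 4000, "Limit the kernel request queue: <= 4000"),
    ("PingInterval", lambda v: v >= 30, "Enable pinging: >= 30 seconds"),
    ("RapidFailProtectionMaxCrashes", lambda v: 0 < v <= 5, "Enable rapid-fail protection: <= 5 failures"),
    ("RapidFailProtectionInterval", lambda v: 0 < v <= 5, "Rapid-fail time period: <= 5 minutes"),
]
BOOL_RULES = ("PingingEnabled", "RapidFailProtection")
POOLS = "/LM/W3SVC/AppPools"


def load_nodes(xml_text):
    """Map each metabase Location to its attribute dict (the XML namespace on tags does not matter here)."""
    root = ET.fromstring(xml_text)
    return {el.get("Location"): dict(el.attrib) for el in root.iter() if el.get("Location")}


def effective(nodes, pool_loc, prop):
    """The pool's own value, else the one inherited from /LM/W3SVC/AppPools, else None (schema default)."""
    for loc in (pool_loc, POOLS):
        if prop in nodes.get(loc, {}):
            return nodes[loc][prop]
    return None


def audit_pool(nodes, pool_loc):
    """V-13704 through V-13713 for one IIsApplicationPool node; returns one string per finding."""
    f = []
    for prop, ok, wording in POOL_RULES:
        raw = effective(nodes, pool_loc, prop)
        if raw is None:
            f.append(f"{prop}: not set in Metabase.xml, schema default applies; verify in IIS Manager")
        elif not ok(int(raw)):
            f.append(f"{prop}={raw}: {wording}")
    for prop in BOOL_RULES:
        if (effective(nodes, pool_loc, prop) or "").upper() != "TRUE":
            f.append(f"{prop}: must be TRUE")
    # AppPoolIdentityType: 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 the account in WAMUserName
    ident = effective(nodes, pool_loc, "AppPoolIdentityType")
    if ident == "0":
        f.append("AppPoolIdentityType=0: worker process runs as LocalSystem")
    elif ident == "3":
        f.append(f"VERIFY: {effective(nodes, pool_loc, 'WAMUserName')} is in IIS_WPG and not in Administrators")
    return f


def audit_pool_assignment(nodes):
    """V-13703: each site's root must use its own pool, and DefaultAppPool does not count as unique."""
    users = {}
    for loc, attrs in nodes.items():
        if loc.endswith("/root") and "AppPoolId" in attrs:
            users.setdefault(attrs["AppPoolId"], []).append(loc)
    return [f"{pool} used by {sites}" for pool, sites in users.items()
            if pool == "DefaultAppPool" or len(sites) > 1]


if __name__ == "__main__":
    nodes = load_nodes(SAMPLE_METABASE)  # on a host: open(r"C:\WINDOWS\system32\inetsrv\Metabase.xml").read()
    for loc in nodes:
        if loc.startswith(POOLS + "/"):
            for finding in audit_pool(nodes, loc):
                print(loc, "->", finding)
    for finding in audit_pool_assignment(nodes):
        print("V-13703 ->", finding)
```

Run it against a copy of Metabase.xml rather than the live file, and treat every "not set" line as a prompt to open the pool's properties in IIS Manager, since the effective default only shows there. An ISSM/ISSO-approved deviation still appears as a finding here and has to be closed against the written approval.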
- RMF Control
- Severity
- M
- CCI
- Version
- WA000-WI6098 IIS6
- Vuln IDs
-
- V-13723
- Rule IDs
-
- SV-38047r2_rule
Checks: C-37409r2_chk
1. Open the MBSchema.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
2. Press Ctrl+F > Enter "MaxRequestEntityAllowed" > Select the Find Next button.
3. Ensure the Attributes attribute is set to INHERIT.
4. Open the metabase.xml file for the web server with Notepad or Internet Explorer (default path is %systemroot%\System32\inetsrv).
5. Press Ctrl+F > Enter Location="/LM/W3SVC" > Select Find Next.
6. In the search box now enter MaxRequestEntityAllowed > Check Match whole word only and Match case > Press Find Next.
7. Ensure the MaxRequestEntityAllowed attribute is present within the /LM/W3SVC key and set to 30000000 or less.
If the MaxRequestEntityAllowed Attributes value in MBSchema.xml is not set to INHERIT, this is a finding. If the MaxRequestEntityAllowed attribute is not found within the /LM/W3SVC key of metabase.xml, this is a finding. If it is found and has a value greater than 30000000, this is a finding.
NOTE: This vulnerability can be documented locally with the ISSM/ISSO if the site has operational reasons for the use of an increased value. If the site has this documentation, this should be marked as not a finding.
Fix: F-32645r1_fix
1. From the CLI navigate to the location of the adsutil.vbs script (%systemdrive%\Inetpub\AdminScripts by default).
2. Enter the following: adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000
3. Press Enter.
4. Restart IIS (iisreset).
NOTE: You may have to put cscript in front of the adsutil.vbs command (e.g., cscript adsutil.vbs set w3svc/MaxRequestEntityAllowed 30000000).
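The site-level checks on this page that the STIG performs by hand in IIS Manager or with Notepad (V-6531 client certificates, V-6755 directory browsing, V-13672 CertCheckMode, V-13688 log fields, the IIS part of V-13694, V-13699 Write and Script source access, V-13702 UseHostName/SetHostName and V-13723 MaxRequestEntityAllowed) all read from the same Metabase.xml attributes: AccessSSLFlags, DirBrowseFlags, CertCheckMode, LogType, LogExtFileFlags, AccessFlags, UseHostName, SetHostName and MaxRequestEntityAllowed. The script below is an added example written for this page, not DISA or Microsoft code. It audits a constructed metabase fragment (made up; site 1 is a private site, site 2 a public one, each with three deliberate problems) and resolves inheritance the way IIS does, walking from a virtual directory up through the site to /LM/W3SVC, which is what makes the CertCheckMode override in the V-13672 note come out right. Two points are the example's own interpretation: the private-site flag decides whether client certificates are required (V-6531) or only SSL with 128-bit encryption (V-13694), and "private IP address" in V-13702 is taken to mean an RFC 1918 or link-local address as reported by Python's ipaddress module.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed Metabase.xml fragment (made up for this example; not from any real host).
SAMPLE_METABASE = """<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" CertCheckMode="0" LogType="1" MaxRequestEntityAllowed="30000000"
    LogExtFileFlags="LogExtFileDate | LogExtFileTime | LogExtFileClientIp | LogExtFileUserName | LogExtFileMethod | LogExtFileUriStem | LogExtFileUriQuery | LogExtFileHttpStatus | LogExtFileReferer" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Private Site" CertCheckMode="1" UseHostName="TRUE" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/root" AccessFlags="AccessRead | AccessScript"
    AccessSSLFlags="AccessSSL | AccessSSL128 | AccessSSLNegotiateCert | AccessSSLRequireCert"
    DirBrowseFlags="DirBrowseShowDate | DirBrowseShowTime" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/root/upload" AccessFlags="AccessRead | AccessWrite"
    DirBrowseFlags="EnableDirBrowsing | DirBrowseShowDate" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="Public Site" SetHostName="10.1.2.3"
    LogExtFileFlags="LogExtFileDate | LogExtFileTime | LogExtFileClientIp" />
<IIsWebVirtualDir Location="/LM/W3SVC/2/root" AccessFlags="AccessRead" AccessSSLFlags="AccessSSL" />
</MBProperty>
</configuration>
"""

REQUIRED_LOG_FLAGS = {"LogExtFileDate", "LogExtFileTime", "LogExtFileClientIp", "LogExtFileUserName",
                      "LogExtFileMethod", "LogExtFileUriQuery", "LogExtFileHttpStatus", "LogExtFileReferer"}
REQUIRED_SSL_FLAGS = {"AccessSSL", "AccessSSL128", "AccessSSLRequireCert"}  # SSL, 128-bit, client certs
FORBIDDEN_ACCESS = {"AccessWrite", "AccessSource"}                            # V-13699
SITE_RE = re.compile(r"^/LM/W3SVC/\d+$")


def load_nodes(xml_text):
    """Map each metabase Location to its attribute dict."""
    root = ET.fromstring(xml_text)
    return {el.get("Location"): dict(el.attrib) for el in root.iter() if el.get("Location")}


def flags(value):
    """'A | B | C' -> {'A', 'B', 'C'}; an absent or empty flags property is the empty set."""
    return {f.strip() for f in (value or "").split("|") if f.strip()}


def inherited(nodes, loc, prop):
    """Walk up the path (/LM/W3SVC/1/root -> /LM/W3SVC/1 -> /LM/W3SVC -> /LM) until the property is set."""
    while loc:
        if prop in nodes.get(loc, {}):
            return nodes[loc][prop]
        loc = loc.rpartition("/")[0]
    return None


def is_private_ip(host):
    """True for RFC 1918 / link-local addresses; a host name is never 'private' for this test."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def site_locations(nodes):
    return [loc for loc in nodes if SITE_RE.match(loc)]


def audit_site(nodes, site_loc, private=True):
    """One string per finding for a single IIsWebServer and everything under it."""
    site = nodes[site_loc]
    name = site.get("ServerComment", site_loc)
    f = []
    # V-13672: 0 means CRL checking is on; a site-level value overrides /LM/W3SVC, an absent one inherits.
    if int(inherited(nodes, site_loc, "CertCheckMode") or 0) != 0:
        f.append(f"{name}: CertCheckMode is not 0 (CRL checking disabled)")
    # V-13702: exactly one of UseHostName / SetHostName on the site key, and never a private IP.
    use, set_ = site.get("UseHostName"), site.get("SetHostName")
    if (use is None) == (set_ is None):
        f.append(f"{name}: exactly one of UseHostName or SetHostName must be specified")
    elif use is not None and use.upper() != "TRUE":
        f.append(f"{name}: UseHostName must be TRUE")
    elif set_ is not None and is_private_ip(set_):
        f.append(f"{name}: SetHostName exposes private address {set_}")
    # V-13688: logging on (LogType 1) with the required W3C extended fields.
    if inherited(nodes, site_loc, "LogType") != "1":
        f.append(f"{name}: logging not enabled (LogType is not 1)")
    missing = REQUIRED_LOG_FLAGS - flags(inherited(nodes, site_loc, "LogExtFileFlags"))
    if missing:
        f.append(f"{name}: log fields missing {sorted(missing)}")
    # V-13699 and V-6755 apply to the root and every directory beneath it.
    for loc in nodes:
        if loc.startswith(site_loc + "/"):
            bad = flags(inherited(nodes, loc, "AccessFlags")) & FORBIDDEN_ACCESS
            if bad:
                f.append(f"{loc}: {sorted(bad)} permitted")
            if "EnableDirBrowsing" in flags(inherited(nodes, loc, "DirBrowseFlags")):
                f.append(f"{loc}: directory browsing enabled")
    # V-13694 (SSL and 128-bit); V-6531 adds the client-certificate requirement for private sites.
    need = REQUIRED_SSL_FLAGS if private else {"AccessSSL", "AccessSSL128"}
    lacking = need - flags(inherited(nodes, site_loc + "/root", "AccessSSLFlags"))
    if lacking:
        f.append(f"{name}: root AccessSSLFlags lacks {sorted(lacking)}")
    return f


def audit_server(nodes):
    """V-13723: MaxRequestEntityAllowed must be explicit at /LM/W3SVC and at most 30000000 bytes."""
    raw = nodes.get("/LM/W3SVC", {}).get("MaxRequestEntityAllowed")
    if raw is None:
        return ["MaxRequestEntityAllowed not set at /LM/W3SVC"]
    return [] if int(raw) <= 30000000 else [f"MaxRequestEntityAllowed={raw} exceeds 30000000"]


if __name__ == "__main__":
    nodes = load_nodes(SAMPLE_METABASE)  # on a host: open(r"C:\WINDOWS\system32\inetsrv\Metabase.xml").read()
    for loc in site_locations(nodes):
        for finding in audit_site(nodes, loc, private=(loc == "/LM/W3SVC/1")):
            print("FINDING:", finding)
    for finding in audit_server(nodes):
        print("FINDING:", finding)
```

The output is a starting point for the manual checks, not a replacement: the MBSchema.xml INHERIT attribute in V-13723 and the log file ACLs in V-13689 live outside Metabase.xml, and a finding that an ISSM/ISSO has accepted in writing still has to be closed against that documentation.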