IIS6 Site

U_IIS_6-0_Site_V6R16_Manual-xccdf.xml

Details

Version / Release: V6R16

Published: 2015-06-01

Updated At: 2018-09-23 02:54:06

Download

Filter

Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.
    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-38048r2_rule WG210 IIS6 MEDIUM Web content directories must not be anonymously shared. Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit the access and compromise the web content or cause web server performance problems.System AdministratorWeb AdministratorECCD-1, ECCD-2
    SV-28848r1_rule WG410 IIS6 MEDIUM Interactive scripts must have proper access controls. CGI is a ‘programming standard’ for interfacing external applications with information servers, such as HTTP or web servers. CGI, represented by all upper case letters, should not be confused with the .cgi file extension. The .cgi file extension does represent a CGI script, but CGI scripts may be written in a number of programming languages (e.g., PERL, C, PHP, and Javascript), each having their own unique file extension. The use of CGI scripts represent one of the most common and exploitable means of compromising a web server. By definition, CGI scripts are executable by the operating system of the host server. While access control is provided via the web service, the execution of CGI programs is not limited unless the SA or the Web Manager takes specific measures. CGI programs can access and alter data files, launch other programs, and use the network.Web AdministratorECLP-1
    SV-38084r1_rule WG420 IIS6 LOW Backup interactive scripts must be removed from the web site. Copies of backup files will not execute on the server, but they can be read by the anonymous user if special precautions are not taken. Such backup copies contain the same sensitive information as the actual script being executed and, as such, are useful to malicious users. Techniques and systems exist today that search web servers for such files and are able to exploit the information contained in them.System AdministratorWeb AdministratorECSC-1
    SV-29997r1_rule WG110 IIS6 MEDIUM Web sites must limit the number of simultaneous requests. Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, which can facilitate a Denial of Service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting parameter values associated with keepalive.Web AdministratorECSC-1
    SV-30002r1_rule WG170 IIS6 MEDIUM Each readable web document directory must contain a default, home, index or equivalent file. The goal is to control the web users experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an index.html file is a significant factor to accomplish this end. Also, enumeration techniques, such as URL parameter manipulation, rely upon being able to obtain information about the web server’s directory structure by locating directories with default pages. This practice helps ensure the anonymous web user will not obtain directory browsing information or an error message revealing the server type and version.Web AdministratorECAN-1, ECSC-1
    SV-38065r1_rule WG240 IIS6 MEDIUM Logs of web server access and errors must be established and maintained. A major tool in exploring the web site use, attempted use, unusual conditions, and problems are reported in the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information.System AdministratorWeb AdministratorECAT-1, ECAT-2
    SV-30017r1_rule WG250 IIS6 MEDIUM Users other than Auditors group must not have greater than read access to log files. A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information. To ensure the integrity of the log files and protect the SA and Web Manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.System AdministratorWeb AdministratorECTP-1
    SV-38069r2_rule WG260 IIS6 MEDIUM Only fully reviewed and tested web sites must exist on a production web server. In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development web site. The process of developing on a functional production web site entails a degree of trial and error and repeated testing. This process is often accomplished in an environment where debugging, sequencing, and formatting of content are the main goals. The opportunity for a malicious user to obtain files revealing business logic and login schemes is high in this situation. The existence of such immature content on a web server represents a significant security, which is totally avoidable.Web AdministratorECSC-1
    SV-30020r1_rule WG290 IIS6 HIGH The web client account access to the content and scripts directories must be limited to read and execute. Excessive permissions for the anonymous web user account are one of the most common faults contributing to the compromise of a web server. If this user is able to upload and execute files on the web server, the organization or owner of the server will no longer have control of the asset.System AdministratorWeb AdministratorECLP-1
    SV-28797r2_rule WG310 IIS6 MEDIUM A web site must not contain a robots.txt file. Search engines are constantly at work on the Internet. Search engines are augmented by agents, often referred to as spiders or bots, which endeavor to capture and catalog web-site content. In turn, these search engines make the content they obtain and catalog available to any public web user. To request that a well behaved search engine not crawl and catalog a site, the web site may contain a file called robots.txt. This file contains directories and files that the web server SA desires not be crawled or cataloged, but this file can also be used, by an attacker or poorly coded search engine, as a directory and file index to a site. This information may be used to reduce an attacker’s time searching and traversing the web site to find files that might be relevant. If information on the web site needs to be protected from search engines and public view, other methods must be used.Web AdministratorECLP-1
    SV-28468r2_rule WG340 IIS6 MEDIUM A private web server must utilize an approved TLS version. Transport Layer Security (TLS) encryption is a required security setting for a private web server. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. A private web server must use a FIPS 140-2 approved TLS version, and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems. Web AdministratorECSC-1
    SV-38080r1_rule WG350 IIS6 MEDIUM A private web server must have a valid server certificate. This check verifies the server certificate is actually a DoD-issued certificate used by the organization being reviewed. This is used to verify the authenticity of the web site to the user. If the certificate is not issued by the DoD or if the certificate has expired, then there is no assurance that the use of the certificate is valid. The entire purpose of using a certificate is, therefore, compromised.Web AdministratorIATS-1, IATS-2
    SV-38118r1_rule WG490 IIS6 LOW Java software installed on the web server must be limited to class files and the JAVA virtual machine. From the source code in a .java or a .jpp file, the Java compiler produces a binary file with an extension of .class. The .java or .jpp file would, therefore, reveal sensitive information regarding an application’s logic and permissions to resources on the server. By contrast, the .class file, because it is intended to be machine independent, is referred to as bytecode. Bytecodes are run by the Java Virtual Machine (JVM), or the Java Runtime Environment (JRE), via a browser configured to permit Java code.Web AdministratorECSC-1
    SV-16145r2_rule WA000-WI050 IIS6 HIGH Unused and vulnerable script mappings in IIS 6 must be removed. IIS file extensions which require server-side processing, but which have been deemed vulnerable, include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. Requests to these file types can exploit a stack buffer overflow weakness in the ism.dll, httpodbc.dll, and ssinc.dll.Web AdministratorECSC-1
    SV-38009r1_rule WA000-WI030 IIS6 MEDIUM The IUSR_machinename account must not have read access to the .inc files or their equivalent. Owing to the nature of .inc files, which may contain sensitive logic and potentially reveal sensitive information about the architecture of the web server, it is vital that the end user not be able to access and examine code that is included in .inc files. When server side scripting is the preferred method, this is normally not a problem. Nonetheless, there are key files inherent to the process, which can contain information key to the logic, server structure and configuration of the entire application. The include files for many .asp script files are .inc files. If the correct file name is guessed or derived, their contents will be displayed by a browser. The file must be guarded from prying eyes of the anonymous web user. If the site has named their include files with the .asp extension, then the files will be processed as an .asp file, which by the nature of .asp, will prevent that code from being presented. If the files are named with the .inc extension, or equivalent, SAs do not have this advantage. Java Server Pages, jsp, is another example of a competing technology which the reviewer will also encounter, that are impacted by this issue. The sample principles outlined here will apply to inlcude files used with Java Server Pages. In addition, there are some additional files that need to be protected, which include the global.asa and global.asax files.Web AdministratorECSC-1
    SV-38111r1_rule WG430 IIS6 MEDIUM Anonymous FTP users must not have access to interactive scripts. The directories containing the CGI scripts, such as PERL, must not be accessible to anonymous users via FTP. This applies to all directories containing scripts that can dynamically produce web pages in an interactive manner (i.e., scripts based upon user-provided input). Such scripts contain information that could be used to compromise a web service, access system resources, or deface a web site.System AdministratorWeb AdministratorECCD-1, ECCD-2
    SV-38114r1_rule WG460 IIS6 MEDIUM PERL scripts must use the TAINT option. PERL (Practical Extraction and Report Language) is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. The language is often used in shell scripting and is intended to be practical, easy to use, and efficient means of generating interactive web pages for the user. Unfortunately, many widely available freeware PERL programs (scripts) are extremely insecure. This is most readily accomplished by a malicious user substituting input to a PERL script during a POST or a GET operation. Consequently, the founders of PERL have developed a mechanism named TAINT that protects the system from malicious input sent from outside the program. When the data is tainted, it cannot be used in programs or functions such as eval(), system(), exec(), pipes, or popen(). The script will exit with a warning message.Web AdministratorECSC-1
    SV-30041r1_rule WG205 IIS6 MEDIUM The web document (home) directory must be on a separate partition from the web servers system files. Web content is accessible to the anonymous web user. For such an account to have access to system files of any type is a major security risk that is entirely avoidable. To obtain such access is the goal of directory traversal and URL manipulation vulnerabilities. To facilitate such access by mis-configuring the web document (home) directory is a serious error. In addition, having the path on the same drive as the system folder compounds potential attacks such as drive space exhaustion.System AdministratorWeb AdministratorDCPA-1
    SV-38011r1_rule WA000-WI070 IIS6 LOW Indexing Services must only index web content. The indexing service can be used to facilitate a search function for web sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.System AdministratorWeb AdministratorECSC-1
    SV-40022r2_rule WG265 IIS6 LOW The required DoD banner page must be displayed to authenticated users accessing a DoD private website. A consent banner will be in place to make prospective entrants aware that the website they are about to enter is a DoD web site and their activity is subject to monitoring. The document, DoDI 8500.01, establishes the policy on the use of DoD information systems. It requires the use of a standard Notice and Consent Banner and standard text to be included in user agreements. The requirement for the banner is for websites with security and access controls. These are restricted and not publicly accessible. If the website does not require authentication/authorization for use, then the banner does not need to be present. A manual check of the document root directory for a banner page file (such as banner.html) or navigation to the website via a browser can be used to confirm the information provided from interviewing the web staff.Web AdministratorECWM-1
    SV-30046r1_rule WG140 IIS6 MEDIUM A private web sites authentication mechanism must use client certificates. A DoD private web site must utilize PKI as an authentication mechanism for web users. Information systems residing behind web servers requiring authorization based on individual identity shall use the identity provided by certificate-based authentication to support access control decisions. Not using client certificates allows an attacker unauthenticated access to private web sites.Web AdministratorIATS-1, IATS-2
    SV-38016r1_rule WA000-WI090 IIS6 MEDIUM Directory browsing must be disabled. This ensures the directory structure, filenames, and web publishing features are not accessible. Such information and the contents of files listed are normally readable by the anonymous web user, yet are not intended to be viewed as they often contain information relevant to the configuration and security of the web service. The Directory Browsing feature can be used to facilitate a directory traversal and subsequent directory traversal exploits.Web AdministratorECSC-1
    SV-14206r1_rule WG355 IIS6 MEDIUM A private web site must utilize certificates from a trusted DoD CA. The use of a DoD PKI certificate ensures clients that the private web site they are connecting to is legitimate, and is an essential part of the DoD defense-in-depth strategy.System AdministratorInformation Assurance OfficerWeb AdministratorIATS-1, IATS-2
    SV-28796r1_rule WG145 IIS6 MEDIUM The private web server must use an approved DoD certificate validation process. Without the use of a certificate validation process, the site is vulnerable to accepting expired or revoked certificates. This would allow unauthorized individuals access to the web server. This also defeats the purpose of the multi-factor authentication provided by the PKI process.System AdministratorWeb AdministratorIATS-1, IATS-2
    SV-40028r1_rule WG235 IIS6 HIGH Web Administrators must secure encrypted connections for Document Root directory uploads. Logging in to a web server via a telnet session or using HTTP or FTP in order to upload documents to the web site is a risk if proper encryption is not utilized to protect the data being transmitted. A secure shell service or HTTPS needs to be installed and in use for these purposes.Web AdministratorEBRP-1, EBRU-1
    SV-28653r1_rule WG242 IIS6 MEDIUM Log file data must contain required data elements. The use of log files is a critical component of the operation of the Information Systems (IS) used within the DoD, and they can provide invaluable assistance with regard to damage assessment, causation, and the recovery of both affected components and data. They may be used to monitor accidental or intentional misuse of the (IS) and may be used by law enforcement for criminal prosecutions. The use of log files is a requirement within the DoD.System AdministratorWeb AdministratorECAR-1, ECAR-2, ECAR-3
    SV-29398r1_rule WG255 IIS6 MEDIUM Access to the web site log files must be restricted. A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. Failure to protect log files could enable an attacker to modify the log file data or falsify events to mask an attacker's activity.System AdministratorWeb AdministratorECTP-1
    SV-28566r2_rule WG342 IIS6 MEDIUM Public web servers must use TLS if authentication is required. Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would become vulnerable to disclosure. Using TLS along with DoD PKI certificates for encryption of the authentication data protects the information from being accessed by all parties on the network. To further protect the authentication data, the web server must use a FIPS 140-2 approved TLS version and all non-FIPS-approved SSL versions must be disabled. FIPS 140-2 approved TLS versions include TLS V1.0 or greater. NIST SP 800-52 specifies the preferred configurations for government systems. System AdministratorWeb AdministratorECCT-1, ECCT-2
    SV-38020r1_rule WA000-WI092 IIS6 HIGH The IIS web site permissions "Write" or "Script Source" must not be selected. Web site permissions to include Read, Write, and Script Source Access can be set within the IIS Administration tool. Configuration settings made at the Web Server level are inherited by all of the web sites on the server. It can override inheritance by configuring the individual site or site element. These permissions control what users can access from the web site. If Read is selected, then source of the pages can be read, if Write is selected, then pages can be written to or updated. If the Script Source Access is checked, source code for scripts can be viewed. This option is not available if neither Read nor Write is selected. Allowing users' access to the source of the web pages, may provide the user with more information than they are authorized to see. This is especially an issue for the source code for scripts on the web server.Web AdministratorECSC-1
    SV-38025r1_rule WA000-WI120 IIS6 LOW The Content Location header must not contain proprietary IP addresses. When using static HTML pages, a Content-Location header is added to the response. By default, Internet Information Server (IIS) 4.0 Content-Location references the IP address of the server rather than the FQDN or Hostname. This header may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) firewall or proxy server. There is a value that can be modified in the IIS metabase to change the default behavior from exposing IP addresses to sending the FQDN instead. The value that needs to be set is the w3svc/UseHostName, and it needs to be set to True. The other option to prevent this from occurring is to use Active Server Pages instead of static HTML pages and create a custom header that sends back a specific Content-Location. For complete instructions on this issue, please refer to Microsoft Knowledge Base article Q218180.Web AdministratorECSC-1
    SV-38137r1_rule WA000-WI6010 IIS6 MEDIUM The web site must have a unique application pool. Application pools isolate sites and applications to address reliability, availability, and security issues. Sites and applications may be grouped according to configurations, although each site will be associated with a unique application pool.Web AdministratorECSC-1
    SV-38134r2_rule WA000-WI6020 IIS6 MEDIUM The Recycle Worker processes in minutes monitor must be set properly. A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38132r2_rule WA000-WI6022 IIS6 MEDIUM The maximum number of requests an application pool can process must be set. A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38033r2_rule WA000-WI6024 IIS6 MEDIUM The maximum virtual memory monitor must be enabled. A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38130r2_rule WA000-WI6026 IIS6 MEDIUM The maximum used memory monitor must be enabled. A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38041r2_rule WA000-WI6028 IIS6 MEDIUM The Shutdown worker processes Idle Timeout monitor must be enabled. A worker process handles all application execution, including authentication and authorization, as well as ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38123r2_rule WA000-WI6030 IIS6 MEDIUM The Limit the kernel request queue monitor must be enabled A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38043r2_rule WA000-WI6032 IIS6 MEDIUM The Enable pinging monitor must be enabled. A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38044r2_rule WA000-WI6034 IIS6 MEDIUM The Enable rapid-fail protection monitor must be enabled. A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38045r2_rule WA000-WI6036 IIS6 MEDIUM The Enable rapid-fail time period monitor must be enabled. A worker process handles all application execution, including authentication and authorization, as well as, ISAPI filter and extension loading. This executable process is called W3WP.exe. When acting as the worker process manager, the www service is responsible for controlling the lifetime of all worker processes that are processing requests. The management console allows it to configure options, such as when to start or recycle a worker process, how many requests to serve before recycling, and what to do if the worker becomes blocked or unable to continue processing requests.Web AdministratorECSC-1
    SV-38046r1_rule WA000-WI6040 IIS6 HIGH A unique non-privileged account must be used to run Worker Process Identities. The Worker Process Identity is the user defined to run an Application Pool. The IIS 6 worker processes, by default, run under the NetworkService account. Creating a custom identity for each Application Pool better track issues occurring within each web site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.Web AdministratorECSC-1
    SV-38047r2_rule WA000-WI6098 IIS6 MEDIUM The MaxRequestEntityAllowed metabase value must be defined. IIS 6.0 limits the size of requests directly from the settings in the metabase with the metabase entry MaxRequestEntityAllowed. This entry is similar to the MaxRequest EntityAllowed and MaxAllowedContentLength settings configured in the UrlScan tool. The MaxRequestEntityAllowed property specifies the maximum number of bytes allowed in the entity body of a request. If a Content-Length header is present and specifies an amount of data greater than the value of MaxRequestEntityAllowed, IIS sends a 403 error response.Web AdministratorECSC-1