
Unused and vulnerable script mappings in IIS 6 must be removed.


Overview

Finding ID: V-2267
Version: WA000-WI050 IIS6
Rule ID: SV-16145r1_rule
IA Controls: ECSC-1
Severity: High
Description
IIS 6 file extensions that require server-side processing but whose handlers have been deemed vulnerable include .htr, .htw, .ida, .idc, .idq, .printer, .shtml, .shtm, .bat, .cmd and .stm. A request for one of these file types is passed to the mapped handler, and stack buffer overflow weaknesses exist in ism.dll, httpodbc.dll and ssinc.dll. A mapping that is present but not used by the site is attack surface with no operational benefit and must be removed.
STIG: IIS6 Site
Date: 2014-12-10

Details

Check Text (C-13982r1_chk)
1. Open IIS Manager > click the Web Service Extensions node.
2. In the right-hand pane, look for the following web service extensions:

Server side includes
Internet Data Connector
Index Server Web Interface
Internet printing
.HTR scripting

3. If any of the above service extensions exists and is set to Allowed, right-click it > select Properties > select the Required Files tab.

NOTE: If a web service extension is set to Prohibited, this meets the intent of this check for that extension.

4. Record the files listed.
5. Right-click the website being reviewed > select Properties > select the Home Directory tab.
6. Under Application settings, select Configuration.
7. Under Application extensions, find each of the file extensions listed below > select Edit > ensure the extension is not mapped to a file recorded in step 4 for the corresponding service extension.

Server side includes: .shtml, .shtm and .stm
Internet Data Connector: .idc
Index Server Web Interface: .htw, .ida and .idq
Internet printing: .printer
.HTR scripting: .htr

8. Ensure the following file extensions do not exist under Application extensions: .bat, .cmd
9. Ask the web administrator which of the listed extensions are in use and the reason for their use.

If any extension listed in step 7 is mapped to a required file of a service extension that is set to Allowed, this is a finding.
If the file extensions .bat or .cmd are present, this is a finding.
If a file extension is mapped but has no operational use, this is a finding.

NOTE: This vulnerability can be documented locally with the IAM/IAO if the site has operational reasons for the use of particular script mappings. If the site has this documentation, this should be marked as not a finding.
NOTE: You may need to perform this check on each site's home directory, its sub-directories and its virtual directories, since script mappings can be set at each of these locations.
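The following script is an added example, not part of the STIG, that performs steps 2 through 8 of this check offline against an IIS 6 MetaBase.xml (for instance one taken from a metabase backup), so that every site, directory and virtual directory is covered in one pass rather than clicked through in IIS Manager. It assumes the IIS 6 metabase layout as the author recalls it: the Web Service Extension status list lives in the WebSvcExtRestrictionList attribute of the IIsWebService element as "status,path,..." entries (1 = Allowed, 0 = Prohibited, with "*.dll"/"*.exe" wildcards for unknown ISAPI/CGI extensions), and script mappings live in ScriptMaps attributes as one "ext,handler,flags,verbs" entry per line. The sample metabase embedded below is constructed for the example and is not from a real server; verify the attribute formats against your own MetaBase.xml before relying on the output.

```python
"""Offline audit of an IIS 6 MetaBase.xml for the script mappings STIG V-2267 names.

Assumed (not stated by the STIG): IIS 6 stores the Web Service Extension status list
in the WebSvcExtRestrictionList attribute of the IIsWebService element and per-location
script mappings in ScriptMaps attributes, one "ext,handler,flags,verbs" entry per line.
The sample metabase below is constructed for this example and is not a real server's.
"""
import html
import re

# Extensions the STIG lists, keyed to the Web Service Extension that serves them.
VULNERABLE_EXTENSIONS = {
    ".shtml": "Server Side Includes", ".shtm": "Server Side Includes", ".stm": "Server Side Includes",
    ".idc": "Internet Data Connector",
    ".htw": "Index Server Web Interface", ".ida": "Index Server Web Interface", ".idq": "Index Server Web Interface",
    ".printer": "Internet Printing",
    ".htr": ".HTR scripting",
}
# A finding wherever they appear, regardless of any extension status (check step 8).
ALWAYS_FINDING = {".bat", ".cmd"}

# Metabase elements whose attributes are read; an element body runs to the first '>'.
ELEMENT_RE = re.compile(r"<(IIsWebService|IIsWebServer|IIsWebVirtualDir|IIsWebDirectory)\b([^>]*)>")


def _attr(body, name):
    """Pull one attribute value out of an element body; entities such as &#xD; are decoded."""
    m = re.search(r'\b%s\s*=\s*"([^"]*)"' % name, body)
    return html.unescape(m.group(1)) if m else None


def _entries(value):
    """Multi-string metabase attributes hold one entry per line."""
    return [line.strip() for line in value.splitlines() if line.strip()]


def extension_status(metabase_text):
    """Map each handler path (or the '*.dll'/'*.exe' wildcard) to True=Allowed / False=Prohibited."""
    status = {}
    for m in ELEMENT_RE.finditer(metabase_text):
        if m.group(1) != "IIsWebService":
            continue
        for entry in _entries(_attr(m.group(2), "WebSvcExtRestrictionList") or ""):
            fields = entry.split(",")
            if len(fields) >= 2:
                status[fields[1].strip().lower()] = fields[0].strip() == "1"
    return status


def handler_is_allowed(handler, status):
    """A handler not listed explicitly falls under the 'All Unknown ISAPI/CGI Extensions' wildcard."""
    if handler in status:
        return status[handler]
    wildcard = "*" + handler[handler.rfind("."):] if "." in handler else None
    return status.get(wildcard, False)


def audit_metabase(metabase_text):
    """Return (location, extension, handler, reason) for every mapping the check would flag."""
    status = extension_status(metabase_text)
    findings = []
    for m in ELEMENT_RE.finditer(metabase_text):
        body = m.group(2)
        maps = _attr(body, "ScriptMaps")
        if not maps:
            continue
        location = _attr(body, "Location") or "?"
        for entry in _entries(maps):
            fields = entry.split(",")
            if len(fields) < 2:
                continue
            ext, handler = fields[0].strip().lower(), fields[1].strip().lower()
            if ext in ALWAYS_FINDING:
                findings.append((location, ext, handler, "must not be mapped at all"))
            elif ext in VULNERABLE_EXTENSIONS and handler_is_allowed(handler, status):
                findings.append((location, ext, handler, VULNERABLE_EXTENSIONS[ext] + " is Allowed"))
    return findings


# Constructed sample: SSI is Allowed, IDC is Prohibited, idq.dll is unlisted (covered by the
# prohibited "*.dll" wildcard), and a .cmd mapping is present.
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location ="/LM/W3SVC"
    WebSvcExtRestrictionList="0,*.dll
        0,*.exe
        1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
        1,C:\WINDOWS\system32\inetsrv\ssinc.dll,0,SSINC,Server Side Includes
        0,C:\WINDOWS\system32\inetsrv\httpodbc.dll,0,HTTPODBC,Internet Data Connector">
</IIsWebService>
<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT"
    ScriptMaps=".asp,C:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
        .shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
        .idc,C:\WINDOWS\system32\inetsrv\httpodbc.dll,5,GET,POST
        .ida,C:\WINDOWS\system32\idq.dll,5,GET,HEAD
        .cmd,C:\WINDOWS\system32\cmd.exe,5,GET,POST">
</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""

if __name__ == "__main__":
    # Expected: .shtml (SSI is Allowed) and .cmd are flagged; .idc and .ida are not.
    for location, ext, handler, reason in audit_metabase(SAMPLE_METABASE):
        print("FINDING %s %s -> %s (%s)" % (location, ext, handler, reason))
```

To run it against a real server, pass the contents of %SystemRoot%\system32\inetsrv\MetaBase.xml (or a metabase backup) to audit_metabase instead of the sample. A mapping to a Prohibited extension is reported as clean, matching the note in step 3, but step 9 still applies: a mapping nobody uses should be removed even when its extension is Prohibited.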
Fix Text (F-14946r1_fix)
Remove unused and vulnerable script mappings.