
Indexing Services must only index web content.


Overview

Finding ID: V-3963
Version: WA000-WI070 IIS6
Rule ID: SV-38011r1_rule
IA Controls: ECSC-1
Severity: Low
Description
The indexing service can be used to facilitate a search function for web sites. Enabling indexing may facilitate a directory traversal exploit and reveal unwanted information to a malicious user. Indexing must be limited to web document directories only.
STIG: IIS6 Site
Date: 2014-12-10

Details

Check Text (C-37362r1_chk)
1. Open the IIS Manager > Right-click the website being reviewed > Select the Home Directory tab.
2. Verify the status of the "Index this resource" check box.
3. If the "Index this resource" check box is checked, open the Services window (via Administrative Tools in Control Panel) and check whether the Indexing Service is listed. If it is listed, determine whether the Startup Type is either “Automatic” or “Manual”.

NOTE: If the "Index this resource" check box is not checked, or the Indexing Service is not installed or is disabled, this is not a finding.

4. With the assistance of the Web Administrator and/or SA, use the MMC to evaluate the Indexing Service using the Index Service snap-in.
5. Review the directories being indexed, ensuring only web content folders are being indexed.

NOTE: If unsure whether a directory is a web content folder, examine the Home Directory tab within the properties of the web site. This will indicate the path of the content for this web site.

If the Index Service is running and directories other than web content directories are being indexed, this is a finding.
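
The comparison in step 5 can be scripted once the indexed directories and the web site home directories have been written down. The following is an added example, not part of the STIG: the function names and all sample paths are constructed, and the Startup Type is assumed to be recorded as a string (None when the service is not installed).

```python
import ntpath  # Windows path semantics, regardless of the OS running the script

def _norm(path):
    # Collapse "..", unify separators and case: Windows paths are case-insensitive.
    return ntpath.normcase(ntpath.normpath(path))

def is_under(path, root):
    """True if path is root itself or a descendant of root."""
    p, r = _norm(path), _norm(root)
    try:
        # Component-wise comparison, so wwwroot_backup is not "under" wwwroot.
        return ntpath.commonpath([p, r]) == r
    except ValueError:  # different drives, or absolute mixed with relative
        return False

def evaluate(index_checked, startup_type, indexed_dirs, web_roots):
    """Apply the check text; startup_type is None when the service is not installed."""
    if not index_checked or startup_type in (None, "Disabled"):
        return {"finding": False, "offending": []}  # the NOTE after step 3
    offending = [d for d in indexed_dirs
                 if not any(is_under(d, r) for r in web_roots)]
    return {"finding": bool(offending), "offending": offending}

# Constructed sample data, not taken from any real server.
WEB_ROOTS = [r"C:\Inetpub\wwwroot", r"D:\Sites\Intranet"]
INDEXED = [
    r"c:\inetpub\WWWROOT\docs",                   # web content, different case
    "D:/Sites/Intranet/",                         # web content, other separators
    r"C:\Inetpub\wwwroot_backup",                 # sibling that shares a prefix
    r"C:\Inetpub\wwwroot\..\..\Windows\System32", # resolves outside the root
    r"E:\Shares\HR",                              # unrelated drive
]

if __name__ == "__main__":
    result = evaluate(True, "Automatic", INDEXED, WEB_ROOTS)
    print("FINDING" if result["finding"] else "Not a finding")
    for d in result["offending"]:
        print("  indexed outside web content:", d)
```

A plain string prefix test would pass wwwroot_backup and the ".." path as web content; normalising first and comparing path components avoids both mistakes.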
Fix Text (F-32599r1_fix)
Ensure that only the web document directories are indexed.