All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a production IIS 10.0 server.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-218795 | IIST-SV-000120 | SV-218795r960963_rule | CCI-000381 | high |
| Description | ||||
| Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (i.e., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples. | ||||
| STIG | Date | |||
| Microsoft IIS 10.0 Server Security Technical Implementation Guide | 2025-06-11 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-7
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.4.6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000381
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-218795r960963_chk)
Navigate to the following folders:
inetpub\
Program Files\Common Files\System\msadc
Program Files (x86)\Common Files\System\msadc
If the folder or sub-folders contain any executable sample code, example applications, or tutorials which are not explicitly used by a production website, this is a finding.
Fix Text (F-20265r310861_fix)
Remove any executable sample code, example applications, or tutorials which are not explicitly used by a production website.