Details

The web document (home) directory is accessed by multiple anonymous users when the web server is in production. By locating the web document (home) directory on the same partition as the web server system file, the risk for unauthorized access to these protected files is increased. Additionally, having the web document (home) directory path on the same drive as the system folders also increases the potential for a drive space exhaustion attack.

Solution

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name under review.

Click the ‘Advanced Settings’ from the ‘Actions’ pane.

Change the Physical Path to the new partition and directory location.

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y20M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.

References

• 800-53|SC-3
• CAT|II
• CCI|CCI-001084
• CSCv6|3.1
• Rule-ID|SV-218752r558649_rule
• STIG-ID|IIST-SI-000224
• STIG-Legacy|SV-109329
• STIG-Legacy|V-100225
• Vuln-ID|V-218752

Source

• Tenable.com/audits