Details
Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server. A production web server may only contain components that are operationally necessary (i.e., compiled code, scripts, web content, etc.). Delete all directories containing samples and any scripts used to execute the samples.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Remove any executable sample code, example applications, or tutorials which are not explicitly used by a production website.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.
References
- 800-53|CM-7a.
- CAT|I
- CCI|CCI-000381
- Rule-ID|SV-218795r561041_rule
- STIG-ID|IIST-SV-000120
- STIG-Legacy|SV-109229
- STIG-Legacy|V-100125
- Vuln-ID|V-218795