IIST-SV-000138 – Directory Browsing on the IIS 10.0 web server must be disabled.

Details

Directory browsing allows the contents of a directory to be displayed upon request from a web client. If directory browsing is enabled for a directory in IIS, users could receive a web page listing the contents of the directory. If directory browsing is enabled, the risk of inadvertently disclosing sensitive content is increased.

Solution

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Double-click the ‘Directory Browsing’ icon.

Under the ‘Actions’ pane click ‘Disabled’.

Under the ‘Actions’ pane, click ‘Apply’.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y20M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.

References

800-53|SI-10
CAT|II
CCI|CCI-001310
CSCv6|9.1
Rule-ID|SV-218808r561041_rule
STIG-ID|IIST-SV-000138
STIG-Legacy|SV-109255
STIG-Legacy|V-100151
Vuln-ID|V-218808

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles