Details
Handler mappings can be configured to grant Read, Write, Script, or Execute permissions depending on the handler's purpose: reading static content, uploading files, executing scripts, etc. It is recommended to grant a handler either Execute/Script or Write permissions, but not both.
Rationale:
If a handler is allowed both Execute/Script and Write permissions, it can run malicious code on the target server. Ensuring these two permissions are never granted together helps lower the risk of malicious code being executed on the server.
Solution
The accessPolicy attribute in the
1. Open Notepad as Administrator
2. Open the ApplicationHost.config file in %systemroot%\system32\inetsrv\config
3. Edit the
Enter the following command in AppCmd.exe to configure:
%systemroot%\system32\inetsrv\appcmd set config /section:handlers /accessPolicy:Read,Script
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/handlers' -name 'accessPolicy' -value 'Read,Script'
Note: This configuration change cannot be made by using IIS Manager.
Default Value:
The default handlers accessPolicy is Read, Script.
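To check an existing configuration against this recommendation, the following PowerShell is an added example, not part of the benchmark text: it parses the configuration XML and reports every handlers element whose accessPolicy combines Write with Script or Execute. It goes beyond the single server-level setting by also covering location overrides; the function name Find-RiskyHandlerAccessPolicy and the sample XML are constructed for illustration.

```powershell
# Added example (hypothetical helper name): audit accessPolicy on every <handlers> element.
function Find-RiskyHandlerAccessPolicy {
    param([Parameter(Mandatory)][xml]$Config)

    # Every <handlers> element, server-wide or inside a <location> override.
    foreach ($node in $Config.SelectNodes('//system.webServer/handlers')) {
        $raw = $node.GetAttribute('accessPolicy')
        if (-not $raw) { continue }   # attribute absent: value is inherited from the parent scope

        # accessPolicy is a comma-separated flag list, e.g. "Read, Script".
        $flags    = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $canWrite = $flags -contains 'Write'
        $canRun   = ($flags -contains 'Script') -or ($flags -contains 'Execute')

        # Scope: the enclosing <location path="...">, or the server-wide section.
        $loc   = $node.SelectSingleNode('ancestor::location')
        $scope = if ($loc) { $loc.GetAttribute('path') } else { 'MACHINE/WEBROOT/APPHOST' }

        [pscustomobject]@{
            Scope        = $scope
            AccessPolicy = ($flags -join ',')
            Compliant    = -not ($canWrite -and $canRun)
        }
    }
}

# Constructed sample, not a real server's configuration.
[xml]$sample = @'
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script" />
  </system.webServer>
  <location path="Default Web Site/uploads">
    <system.webServer>
      <handlers accessPolicy="Read, Write, Script" />
    </system.webServer>
  </location>
</configuration>
'@

# The server-wide entry is reported as compliant; the uploads override is not.
Find-RiskyHandlerAccessPolicy -Config $sample | Format-Table -AutoSize

# On a server, load the real file instead of the sample:
# [xml]$cfg = Get-Content -Raw "$env:systemroot\system32\inetsrv\config\applicationHost.config"
```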
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Windows.