IIST-SI-000233 – Warning and error messages displayed to clients must be modified to minimize the identity of the IIS 10.0 website, patches, loaded modules, and directory paths.

Details

HTTP error pages contain information that could enable an attacker to gain access to an information system. Failure to prevent the sending of HTTP error pages with full information to remote requesters exposes internal configuration information to potential attackers.

Solution

Follow the procedures below for each site hosted on the IIS 10.0 web server:

Open the IIS 10.0 Manager.

Click the site name under review.

Double-click the ‘Error Pages’ icon.

Click each error message and click ‘Edit Feature’ Setting from the ‘Actions’ pane; set each error message to ‘Detailed errors for local requests and custom error pages for remote requests’.

Supportive Information

The following resource is also helpful.

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_10-0_Y20M10_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.

References

800-53|SI-11a.
CAT|II
CCI|CCI-001312
Rule-ID|SV-218760r558649_rule
STIG-ID|IIST-SI-000233
STIG-Legacy|SV-109345
STIG-Legacy|V-100241
Vuln-ID|V-218760

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles