WA000-WI035 – The IISADMPWD directory has not been removed from the Web Server.

Details

Vulnerability Key: V0013698

IA Controls: ECSC-1 Security Configuration Compliance

Categories: 2.2 Least Privilege

Severity: Category I

Ref: WEB SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE Section 2.1

The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of user IDs and passwords is a far less secure solution for controlling user access to web applications than a PKI solution with subscriber certificates. The ability to change passwords externally gives potential intruders an easier mechanism to access the system in an effort to compromise the user IDs and passwords.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

Updated on July 16, 2022