Details
Just as running unneeded services and protocols increases the attack surface of the web server, running unneeded utilities and programs is also an added risk to the web server.
Review the list of installed programs to ensure only those that are required for the system to run are listed.
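One way to carry out this review is sketched below in PowerShell. It is an added example, not part of the original check: it lists the programs registered under the per-machine uninstall registry keys and reports those that match no entry in an approved baseline. The $Approved entries and the two function names are constructed for illustration; replace the list with the server's documented baseline.

```powershell
# Added example: compare installed programs against an approved baseline.
# $Approved is a constructed allowlist (an assumption, not from the check);
# wildcards are matched with -like.
$Approved = @(
    'Microsoft .NET Framework*',
    'Security Update for Windows*',
    'Hotfix for Windows*'
)

# Per-machine uninstall keys (native view and 32-bit view on 64-bit Windows).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    # Skip entries with no DisplayName; they carry nothing to review by name.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName, DisplayVersion -Unique
}

function Test-ApprovedProgram {
    param([string]$Name, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($Name -like $p) { return $true }
    }
    return $false
}

$installed  = @(Get-InstalledProgram)
$unapproved = @($installed | Where-Object {
    -not (Test-ApprovedProgram -Name $_.DisplayName -Patterns $Approved)
})

"{0} programs installed, {1} not in the approved baseline" -f $installed.Count, $unapproved.Count
$unapproved | Format-Table -AutoSize

# When run as a script file, a non-zero exit code lets a scheduled job flag the finding.
if ($unapproved.Count -gt 0) { exit 1 }
```

The uninstall keys only list software that registered an uninstaller, so utilities copied to disk without an installer will not appear and still need a manual review of the file system.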
Solution
Install only web support software on the web server. When other processes are supported by the web server, ensure a risk assessment has been performed and documented. If a database server is installed on the same platform as the web server, it must be on a separate drive or partition. Remove all unnecessary applications and programs.
Supportive Information
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.
References
- 800-53|CM-7(4)
- CAT|III
- Rule-ID|SV-38191r2_rule
- STIG-ID|WG130_IIS6
- Vuln-ID|V-2251