STIGQter STIGQter: STIG Summary: Microsoft IIS 10.0 Server Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.

DISA Rule

SV-218798r561041_rule

Vulnerability Number

V-218798

Group Title

SRG-APP-000141-WSR-000081

Rule Version

IIST-SV-000124

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Under IIS, double-click the "MIME Types" icon.

From the "Group by:" drop-down list, select "Content Type".

From the list of extensions under "Application", remove MIME types for OS shell program extensions, to include at a minimum, the following extensions:

.exe
.dll
.com
.bat
.csh

Under the "Actions" pane, click "Apply".

Check Contents

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Under IIS, double-click the "MIME Types" icon.

From the "Group by:" drop-down list, select "Content Type".

From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions:

.exe
.dll
.com
.bat
.csh

If any OS shell MIME types are configured, this is a finding.

Vulnerability Number

V-218798

Documentable

False

Rule Version

IIST-SV-000124

Severity Override Guidance

Open the IIS 10.0 Manager.

Click the IIS 10.0 web server name.

Under IIS, double-click the "MIME Types" icon.

From the "Group by:" drop-down list, select "Content Type".

From the list of extensions under "Application", verify MIME types for OS shell program extensions have been removed, to include at a minimum, the following extensions:

.exe
.dll
.com
.bat
.csh

If any OS shell MIME types are configured, this is a finding.

Check Content Reference

M

Target Key

4052

Comments