The STG CATI finding for the IISADMPWD directory can be resolved. You do not need to delete the directory.
Simply break inheritance of permissions, and ensure that only the administrators and system account/group have full rights to the folder.
Then, go into IIS and ensure that the IISADMOWD virtual directory does not exist in a sub folder of a website.
I've done this on the interim SharePoint server and everything works properly.
Below additional details / instructions:
Vulnerability Details
A IISADMPWD directory was found in the root:
C:\WINDOWS\system32\inetsrv\
Vulnerability Discussion:
The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of use rid and passwords is a far less secure solution for controlling user access to web applications than a PKI solution with subscriber certificates. The capability to be able to change passwords externally gives potential intruders an easier mechanism to access the system in an effort to compromise use rids and passwords.
Manual Fix Procedures:
If possible, ensure the IISADMPWD directory has been removed from the web server.
NOTE 1:
There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The work around for this will be to ensure the virtual directory is removed from all web sites associated with the server and to restrict access for this directory and files to the system and administrators.
NOTE 2:
You may be able to delete the .dll in the IISADMOWD folder by going into safe mode and deleting it. This will not work for the folder.
If the IISADMPWD directory cannot be deleted set the permissions as
follows:
Administrators - Full Control
System - Full Control
Also, review all web sites associated with this server and ensure any virtual directories pointing to IISADMPWD are removed.
A virtual directory will be a child directory to a web site.
References and additional information:
WEB SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE - Section 2.1
IA Controls
ECSC-1 - Security Configuration Compliance
A site devoted mostly to everything related to Information Technology under the sun - among other things.
Subscribe to:
Post Comments (Atom)
Useful Links
- .Net Code Samples
- AJAX for MS Developers
- C# Tutorials
- Channel9
- Code Search Engine
- Douglas Crockford's JavaScript Site
- DZONE
- Google Code
- IBM Developer Works
- IBM Public Skunkworks
- Is This Thing On?
- Java tutorials, hints, tips
- Jon Udell Weblog
- Knowing .Net
- Massive List of Information for Programmers
- MIT Courses
- MSDN
- Simple-Talk
- SUN Java
- That Indigo Girl
- UC Berkeley Lectures
- Yahoo UI Library
Topics
- 3-D Printing (13)
- AI (228)
- Art (95)
- Article (120)
- book (11)
- books (83)
- Business Intelligence (18)
- Careers (72)
- Cloud Computing (19)
- Cognition (13)
- Complexity (8)
- Computer Science (20)
- COVID-19 (1)
- Cyber-security (79)
- Data Analysis (39)
- Data Management (19)
- Data Visualization (30)
- Design Thinking (1)
- Embedded Tools (34)
- Gadgets (74)
- Games (32)
- Google (7)
- Hardware (39)
- High Performance Computing (32)
- History of Mathematics (1)
- Humor (73)
- Inetrview (7)
- Intelligent Transportation (17)
- IoT (15)
- IT as Metaphor (2)
- Magazine Subscription (8)
- Mathematics Tools (4)
- Microsoft Platforms (22)
- Microsoft Tools (63)
- Mobile Computing (2)
- Motto (3)
- Network Tools (12)
- News (121)
- Offshoring (6)
- Open-Source Sofware (7)
- Outsourcing (1)
- Philosophy (5)
- Pictures (143)
- PLM (5)
- Programming Languages (74)
- Quantum Computing (5)
- Reports (52)
- RFID (3)
- Robo (2)
- Robots (103)
- Science (57)
- Scientific Computing (17)
- Search Tools (7)
- Semantic Networks (11)
- Simulations (34)
- Social Computing (25)
- Software Architecture (27)
- Software Development (151)
- Software Testing (4)
- Software Tools (268)
- Some Thoughts (44)
- Speech (6)
- Standards - Telematics (9)
- Transportation (14)
- Video (11)
- Visualization (9)
- Web Site (224)
- Web Site for Science (48)
About Me
- Babak Makkinejad
- I had been a senior software developer working for HP and GM. I am interested in intelligent and scientific computing. I am passionate about computers as enablers for human imagination. The contents of this site are not in any way, shape, or form endorsed, approved, or otherwise authorized by HP, its subsidiaries, or its officers and shareholders.
Blog Archive
- November (11)
- October (10)
- September (7)
- August (11)
- July (6)
- June (11)
- May (12)
- April (7)
- March (5)
- February (1)
- January (3)
- December (1)
- October (2)
- September (4)
- August (1)
- July (3)
- June (2)
- April (2)
- March (2)
- February (2)
- January (10)
- December (1)
- October (1)
- September (1)
- August (4)
- June (1)
- April (6)
- March (2)
- February (4)
- January (3)
- December (1)
- October (1)
- June (3)
- April (1)
- March (1)
- February (1)
- January (6)
- December (8)
- November (3)
- October (5)
- September (2)
- August (3)
- July (6)
- June (2)
- May (7)
- April (19)
- March (22)
- February (6)
- January (5)
- December (4)
- November (4)
- October (9)
- September (3)
- August (7)
- July (3)
- June (2)
- May (6)
- April (4)
- March (8)
- February (5)
- January (18)
- December (6)
- November (10)
- October (6)
- September (7)
- August (2)
- July (4)
- June (5)
- May (8)
- April (5)
- March (9)
- February (3)
- January (7)
- December (2)
- November (1)
- October (3)
- September (5)
- August (10)
- July (8)
- May (5)
- April (8)
- March (9)
- February (6)
- January (11)
- November (6)
- October (9)
- September (5)
- August (13)
- July (9)
- June (9)
- May (8)
- April (4)
- March (2)
- February (8)
- January (9)
- December (3)
- November (7)
- October (9)
- September (7)
- August (4)
- July (2)
- June (4)
- May (7)
- March (4)
- February (2)
- January (1)
- December (2)
- November (1)
- October (6)
- September (1)
- August (1)
- July (4)
- June (1)
- April (1)
- March (1)
- February (1)
- January (2)
- December (5)
- October (4)
- August (2)
- July (3)
- June (8)
- May (7)
- April (5)
- March (9)
- February (3)
- January (7)
- December (4)
- October (7)
- September (5)
- August (5)
- July (8)
- June (6)
- May (9)
- April (5)
- March (4)
- February (5)
- January (6)
- December (12)
- November (7)
- October (5)
- September (4)
- August (19)
- July (12)
- June (4)
- May (8)
- April (5)
- March (15)
- February (5)
- January (9)
- December (14)
- November (6)
- October (12)
- September (2)
- August (10)
- July (8)
- June (8)
- May (11)
- April (10)
- March (10)
- February (9)
- January (20)
- December (16)
- November (9)
- October (25)
- September (24)
- August (12)
- July (18)
- June (20)
- May (13)
- April (29)
- March (26)
- February (14)
- January (17)
- December (17)
- November (9)
- October (32)
- September (27)
- August (27)
- July (11)
- June (22)
- May (25)
- April (33)
- March (33)
- February (28)
- January (38)
- December (12)
- November (39)
- October (28)
- September (29)
- August (29)
- July (18)
- June (27)
- May (17)
- April (23)
- March (40)
- February (31)
- January (6)
No comments:
Post a Comment