default website IIS

Microsoft's web application configuration analyser flags it as a severity 1 vulnerability if you don't stop/delete the "default" IIS website. Can you elaborate in management-friendly risk terms why that is such a high-risk security issue?

Prashant Shrivastava, Consultant, commented:

Usually they are not configured and are open sites that allow anyone to use the default settings and hack the system. Normally people configure websites under the default web page and leave the default running as it is. This needs to be changed and updated so that no user is allowed to use the default setup and hack your system. Though hacking is not a simple job, it is very much possible if they know you have some default settings running on your machine.

Dan McFadden, Systems Engineer, commented:

As mentioned above, the default settings for IIS are well known. Anyone can research and discover what the default configuration is after doing a plain vanilla installation of IIS.

This presents the following risks:
1. The configuration of the "Default Web Site" is well documented.
1a. This gives the attacker a good point to start probing what the server's capabilities are.
1b. It gives the appearance that the admins may not be aware of how to properly manage a web server.
2. The configuration of the default application pools is known.
3. The root of the content directory is known (C:\inetpub\wwwroot).
4. The allowed Default Document setup is known.
5. HTTP logging may not be installed or enabled (no tracks to cover when probing a site).
6. Maybe the admins enabled other IIS features that present an increase in the attack surface (e.g. enabling parent paths).
7. The careless installation of IIS may lead the attacker to try additional known OS or Windows services attacks.

Leaving the default site in place doesn't necessarily make your server hackable, but if it is used or left in operation, it can present a set of well-known attack vectors.

The best thing to do is install IIS, change those default settings that can be changed, delete the default site and application pools, and start from a clean slate for your deployment.
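An added audit script (not from the thread above or from Microsoft's analyser) that checks the default-site conditions Dan lists (site present, stock content root, HTTP logging off, parent paths on, stock default documents) and, only when run with -Remediate, removes the site and its app pool as he recommends. It assumes the WebAdministration module (IIS 7.5 or later), an elevated session, and the stock names "Default Web Site" and "DefaultAppPool".

```powershell
# Added example: audit (and optionally remove) the stock IIS "Default Web Site".
# Assumes WebAdministration module, elevated PowerShell, default site/pool names.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $SiteName = 'Default Web Site',
    [string] $PoolName = 'DefaultAppPool',
    [switch] $Remediate
)
Import-Module WebAdministration -ErrorAction Stop

$findings = @()
$site = Get-Website -Name $SiteName -ErrorAction SilentlyContinue

if (-not $site) {
    Write-Output "OK: site '$SiteName' is not present."
} else {
    $findings += "Site '$SiteName' exists (state: $($site.state))"

    # Risk 3: the content root is the well-known default path
    if ($site.physicalPath -match 'inetpub\\wwwroot') {
        $findings += "Content root is the stock path: $($site.physicalPath)"
    }

    # Risk 5: with logging off, probing of the site leaves no trace
    if (-not $site.logFile.enabled) {
        $findings += "HTTP logging is disabled for '$SiteName'"
    }

    # Risk 6: parent paths widen the attack surface (only present if classic ASP is installed)
    $asp = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter 'system.webServer/asp' -ErrorAction SilentlyContinue
    if ($asp -and $asp.enableParentPaths) {
        $findings += "enableParentPaths is on for '$SiteName'"
    }

    # Risk 4: report the default document list so it can be compared with the stock one
    $docs = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter 'system.webServer/defaultDocument/files/add' |
        Select-Object -ExpandProperty value
    $findings += "Default documents: $($docs -join ', ')"
}

$findings | ForEach-Object { Write-Output "FINDING: $_" }

# Remediation per the answer above: delete the site, then its pool if nothing else uses it.
if ($Remediate -and $site) {
    if ($PSCmdlet.ShouldProcess($SiteName, 'Remove-Website')) { Remove-Website -Name $SiteName }
    $stillUsed = Get-Website | Where-Object { $_.applicationPool -eq $PoolName }
    if (-not $stillUsed -and (Test-Path "IIS:\AppPools\$PoolName") -and
        $PSCmdlet.ShouldProcess($PoolName, 'Remove-WebAppPool')) { Remove-WebAppPool -Name $PoolName }
}
```

Run it without -Remediate first to review the findings; with -Remediate, -WhatIf shows what would be removed without changing anything.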

