Exchange Noob


Remove the default IIS files from server

Hi,

I'm doing a pen test remediation and they have flagged up default IIS files present on our Exchange and other servers (see wording below). I've scoured the web but can't find any conclusive guides for a safe way to do this. If I go into IIS on these servers, click on the root and then Default Document, I can see a list of files. If I remove these, will this solve the vulnerability and, more importantly, will it not break anything?

Any advice would be greatly appreciated. :)

Description
Default files have been found on the server. These may often contain dangerous script examples, administrative interfaces, or configuration information. The presence of default Web Server files also indicates that the Web Server hardening procedure needs improvement, and this could indicate to an attacker that further vulnerabilities may exist due to a weakness in server management practices.
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Solution
Remove the default files from the server and review server hardening procedures to ensure default files are removed during the server build.

Information
Default IIS7 files found on 4 externally facing IP addresses
Paul MacDonald

They don't identify the "default files" they have trouble with? That's not a very useful report. I would ask for specifics.

Certainly most of the files in the IIS folder on an Exchange server would not be "default" and I wouldn't just go around deleting things for that generic reason.
ASKER CERTIFIED SOLUTION
timgreen7077

Agree with all. You need specifics. But examine it as if you were on the outside and trying to get into your network. You actually need to think like a hacker to have a better understanding.
btan

Rather than saying remove files, more appropriately (a) disable unnecessary modules in IIS and consider (b) shifting the Inetpub folder to a different drive. And (c) manage the access control over the files and directories. Lastly (d) remove unnecessary files.

(a) Disable any modules that are not required, to minimise the capacity of potential attacks. Periodically review the modules that are installed and enabled and remove any that are no longer required. You can use IIS Manager to list all the modules that are enabled.

(b) By default IIS 7 and upwards install the Inetpub folder in the system drive. It’s good practice to move the Inetpub folder to a different partition so that the web content is separate from the operating system. This folder can be moved after IIS installation is completed.

(c) Deny write access to the web site root and Content directories for anonymous Internet accounts.

(d) Remove remote IIS administration application (\WINNT\System32; Inetsrv\IISAdmin), resource kit tools, utilities and SDKs, and sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
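Since every reply warns against blind deletion, here is an added read-only PowerShell audit (not from this thread or from Microsoft) that reports on points (a) to (d) above and on the Default Document list the asker saw, so the findings can be reviewed before anything is removed. It assumes the WebAdministration module on IIS 7.5 or later, maps the \WINNT paths above to %SystemRoot%, and treats the IIS 7+ wwwroot files iisstart.htm and welcome.png as assumed default content.

```powershell
# Added example, not from the thread: read-only audit of the points listed above.
# Assumes the WebAdministration module (IIS 7.5+) and an elevated prompt on the web server.
Import-Module WebAdministration

# Locations named in the answer above (\WINNT mapped to %SystemRoot%) plus the
# files IIS 7+ ships in wwwroot. Assumption: standard install paths; adjust to your build.
$candidatePaths = @(
    "$env:SystemDrive\inetpub\wwwroot\iisstart.htm",
    "$env:SystemDrive\inetpub\wwwroot\welcome.png",
    "$env:SystemDrive\inetpub\IISSamples",
    "$env:SystemRoot\Help\IISHelp",
    "$env:SystemRoot\System32\inetsrv\IISAdmin"
)
# Principals that stand in for anonymous web traffic; write rights for them are a finding.
$webPrincipals = 'IUSR', 'IIS_IUSRS', 'Everyone', 'Users', 'ANONYMOUS LOGON'

# (d) default/sample content still on disk
function Get-DefaultContentFindings {
    foreach ($p in $candidatePaths) {
        if (Test-Path $p) { [pscustomobject]@{ Check = 'DefaultContent'; Item = $p; Detail = 'present' } }
    }
}

function Get-SiteFindings {
    foreach ($site in Get-Website) {
        $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
        # (b) web root still on the system drive
        if ($root -like "$env:SystemDrive*") {
            [pscustomobject]@{ Check = 'RootOnSystemDrive'; Item = $site.Name; Detail = $root }
        }
        # (c) anonymous/web principals allowed to write into the root
        foreach ($ace in (Get-Acl $root).Access) {
            $id = $ace.IdentityReference.Value.Split('\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and $webPrincipals -contains $id -and
                $ace.FileSystemRights -match '\b(Write|WriteData|AppendData|Modify|FullControl)\b') {
                [pscustomobject]@{ Check = 'AnonWriteAcl'; Item = "$($site.Name) / $id"; Detail = $ace.FileSystemRights }
            }
        }
        # the Default Document list the asker saw in IIS Manager, reported for review only
        $docs = Get-WebConfiguration '/system.webServer/defaultDocument/files/add' -PSPath "IIS:\Sites\$($site.Name)" |
                ForEach-Object { $_.value }
        [pscustomobject]@{ Check = 'DefaultDocuments'; Item = $site.Name; Detail = ($docs -join ', ') }
    }
}

# (a) native modules currently enabled, for the periodic review
function Get-EnabledModules { Get-WebGlobalModule | Select-Object Name, Image }

@(Get-DefaultContentFindings) + @(Get-SiteFindings) | Format-Table -AutoSize
Get-EnabledModules | Format-Table -AutoSize
```

On an Exchange server expect the Default Web Site root to sit on the system drive and many modules to be required by Exchange; treat each reported line as something to confirm against the Exchange documentation, not as an automatic removal list.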