Best practice for systems running IIS, part of Hardening IIS:

Execute the following command to ensure no virtual directories are mapped to the system
drive:

%systemroot%\system32\inetsrv\appcmd list vdir

Nessus audit file checks

<if>
<condition type:"AND"> 
<custom_item>
 type : AUDIT_POWERSHELL
 description: "IISPS:Check if PS Webadministration is available:IIS8"
 value_type : POLICY_TEXT
 value_data : "Powershell Webadministration is available"
 powershell_args: 'if
                   ($(get-module -listavailable Webadministration -Erroraction SilentlyContinue) -eq $Null)
                   {write-host "Powershell Webadministration is not available" } 
                   else 
                   {write-host "Powershell Webadministration is available" }'
</custom_item>
</condition>
<then>
 
<custom_item>
 type: AUDIT_POWERSHELL
 description: "IIS800003:Ensure Web Content Is on Non-System Partition (Webroot):IIS8"
 value_type: POLICY_TEXT
 value_data: ""
 powershell_args: 'import-module Webadministration -DisableNameChecking; 
                   get-childitem IIS:\Sites | 
                   where {$_.physicalPath -match \\"SystemDrive\\" -or $_.physicalPath -match \\"C:\\"} | 
                   Select Name, Physicalpath, State ' 
 powershell_option: CAN_BE_NULL
</custom_item>
 
<custom_item>
 type: AUDIT_POWERSHELL
 description: "IIS800003:Ensure Web Content Is on Non-System Partition (VDIR):IIS8"
 value_type: POLICY_TEXT
 value_data: ""
 powershell_args: 'import-module Webadministration -DisableNameChecking; 
                   get-webvirtualdirectory | 
                   where {$_.physicalPath -match \\"SystemDrive\\" -or $_.physicalPath -match \\"C:\\"} | 
                   Select Path, Physicalpath' 
 powershell_option: CAN_BE_NULL
</custom_item>
 
</then>
<else>
<custom_item>
 type : AUDIT_IIS_APPCMD
 description: "IIS800003:Ensure Web Content Is on Non-System Partition (APPCMD):IIS8"
 value_type : POLICY_TEXT
 value_data : "physicalPath:(\%SystemDrive\%|C:)"
 appcmd_args: "list vdir"
 check_type : CHECK_NOT_REGEX
</custom_item>
</else>
</if>
 
<custom_item>
 type : FILE_CHECK
 description: "IIS800004:Webroot directory Drive E\Websites must exist:IIS8"
 value_type : POLICY_TEXT
 value_data : "E:\Websites"
 file_option: MUST_EXIST
</custom_item> 
 
<custom_item>
 type : FILE_CHECK
 description: "IIS800005:WWW Webroot directory Drive E\Websites\www must exist:IIS8"
 value_type : POLICY_TEXT
 value_data : "E:\Websites\wwwroot"
 file_option: MUST_EXIST
</custom_item>

<if> <condition type:"AND"> <custom_item> type : AUDIT_POWERSHELL description: "IISPS:Check if PS Webadministration is available:IIS8" value_type : POLICY_TEXT value_data : "Powershell Webadministration is available" powershell_args: 'if ($(get-module -listavailable Webadministration -Erroraction SilentlyContinue) -eq $Null) {write-host "Powershell Webadministration is not available" } else {write-host "Powershell Webadministration is available" }' </custom_item> </condition> <then> <custom_item> type: AUDIT_POWERSHELL description: "IIS800003:Ensure Web Content Is on Non-System Partition (Webroot):IIS8" value_type: POLICY_TEXT value_data: "" powershell_args: 'import-module Webadministration -DisableNameChecking; get-childitem IIS:\Sites | where {$_.physicalPath -match \\"SystemDrive\\" -or $_.physicalPath -match \\"C:\\"} | Select Name, Physicalpath, State ' powershell_option: CAN_BE_NULL </custom_item> <custom_item> type: AUDIT_POWERSHELL description: "IIS800003:Ensure Web Content Is on Non-System Partition (VDIR):IIS8" value_type: POLICY_TEXT value_data: "" powershell_args: 'import-module Webadministration -DisableNameChecking; get-webvirtualdirectory | where {$_.physicalPath -match \\"SystemDrive\\" -or $_.physicalPath -match \\"C:\\"} | Select Path, Physicalpath' powershell_option: CAN_BE_NULL </custom_item> </then> <else> <custom_item> type : AUDIT_IIS_APPCMD description: "IIS800003:Ensure Web Content Is on Non-System Partition (APPCMD):IIS8" value_type : POLICY_TEXT value_data : "physicalPath:(\%SystemDrive\%|C:)" appcmd_args: "list vdir" check_type : CHECK_NOT_REGEX </custom_item> </else> </if> <custom_item> type : FILE_CHECK description: "IIS800004:Webroot directory Drive E\Websites must exist:IIS8" value_type : POLICY_TEXT value_data : "E:\Websites" file_option: MUST_EXIST </custom_item> <custom_item> type : FILE_CHECK description: "IIS800005:WWW Webroot directory Drive E\Websites\www must exist:IIS8" value_type : POLICY_TEXT value_data : "E:\Websites\wwwroot" file_option: MUST_EXIST </custom_item>