Best practice for systems running IIS (part of Hardening IIS):
Run the following command and confirm that no virtual directory's physicalPath is on the system drive (%SystemDrive%, typically C:):
%systemroot%\system32\inetsrv\appcmd list vdir
Nessus audit file checks:
# IIS800003-IIS800005: web content must not live on the system partition.
# The <if> selects how the IIS configuration is read: through the PowerShell
# WebAdministration module when it is listed as available, otherwise through
# appcmd. Two unconditional FILE_CHECK items follow the <if>.
<if>
  <condition type:"AND">
    # Probe only: writes one of two fixed strings depending on whether
    # get-module -listavailable finds Webadministration. value_data holds the
    # "is available" string.
    <custom_item>
      type : AUDIT_POWERSHELL
      description: "IISPS:Check if PS Webadministration is available:IIS8"
      value_type : POLICY_TEXT
      value_data : "Powershell Webadministration is available"
      powershell_args: 'if ($(get-module -listavailable Webadministration -Erroraction SilentlyContinue) -eq $Null) {write-host "Powershell Webadministration is not available" } else {write-host "Powershell Webadministration is available" }'
    </custom_item>
  </condition>
  <then>
    # Webroot check: lists every site under IIS:\Sites whose physicalPath
    # matches "SystemDrive" or "C:". value_data is empty and CAN_BE_NULL is set,
    # so presumably any row returned is a finding - confirm against the plugin docs.
    # NOTE(review): -match is a case-insensitive regex match, and the drive letter
    # is hard-coded; a system drive other than C: written as a literal path would
    # not be matched - confirm this fits the target builds.
    <custom_item>
      type: AUDIT_POWERSHELL
      description: "IIS800003:Ensure Web Content Is on Non-System Partition (Webroot):IIS8"
      value_type: POLICY_TEXT
      value_data: ""
      powershell_args: 'import-module Webadministration -DisableNameChecking; get-childitem IIS:\Sites | where {$_.physicalPath -match \\"SystemDrive\\" -or $_.physicalPath -match \\"C:\\"} | Select Name, Physicalpath, State '
      powershell_option: CAN_BE_NULL
    </custom_item>
    # Virtual-directory check: same two patterns, applied to the output of
    # get-webvirtualdirectory. The hard-coded "C:" caveat above applies here too.
    <custom_item>
      type: AUDIT_POWERSHELL
      description: "IIS800003:Ensure Web Content Is on Non-System Partition (VDIR):IIS8"
      value_type: POLICY_TEXT
      value_data: ""
      powershell_args: 'import-module Webadministration -DisableNameChecking; get-webvirtualdirectory | where {$_.physicalPath -match \\"SystemDrive\\" -or $_.physicalPath -match \\"C:\\"} | Select Path, Physicalpath'
      powershell_option: CAN_BE_NULL
    </custom_item>
  </then>
  <else>
    # Fallback when the module is not available: runs "appcmd list vdir" and
    # uses CHECK_NOT_REGEX with a pattern for a physicalPath beginning with
    # %SystemDrive% or C:.
    # NOTE(review): the regex carries the same hard-coded C: assumption.
    <custom_item>
      type : AUDIT_IIS_APPCMD
      description: "IIS800003:Ensure Web Content Is on Non-System Partition (APPCMD):IIS8"
      value_type : POLICY_TEXT
      value_data : "physicalPath:(\%SystemDrive\%|C:)"
      appcmd_args: "list vdir"
      check_type : CHECK_NOT_REGEX
    </custom_item>
  </else>
</if>
# Existence checks for the expected content location on drive E:.
# NOTE(review): these only require that the directories exist; whether the
# sites actually use them is what the IIS800003 items above look at.
<custom_item>
  type : FILE_CHECK
  description: "IIS800004:Webroot directory Drive E\Websites must exist:IIS8"
  value_type : POLICY_TEXT
  value_data : "E:\Websites"
  file_option: MUST_EXIST
</custom_item>
# NOTE(review): the description names E\Websites\www while value_data checks
# E:\Websites\wwwroot - confirm which path is intended and align the two.
<custom_item>
  type : FILE_CHECK
  description: "IIS800005:WWW Webroot directory Drive E\Websites\www must exist:IIS8"
  value_type : POLICY_TEXT
  value_data : "E:\Websites\wwwroot"
  file_option: MUST_EXIST
</custom_item>
|