Reputation: 565
I am supporting a Classic ASP application developed by another developer. This application will be public facing. Before making it public, our network team ran a security scan and found some issues. One of the issues mentioned by them is as follows:
Fix Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability
and they provided the following steps to resolve this:
You can configure IIS 7 to check for the existence of a file before returning an error message.
- Go to Handler Mappings
- For all enabled ISAPI mappings, Edit -> Request Restrictions -> Check 'Invoke handler only if request is mapped to: File'
- Disable all unused mappings.
This will address the following issue: Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability (HTTP-IIS-0013).
I am not familiar with Classic ASP, but I checked the handler mappings and tried the steps mentioned above. The following are my questions:
Upvotes: 3
Views: 7733
Reputation: 1000
Instead of changing the mappings you should be able to turn off detailed error messages for remote users.
In IIS Manager, select your website, click on Error Pages, then Edit Feature Settings, and choose detailed errors for local requests and custom error pages for remote requests.
Upvotes: 2
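Both settings in this thread are stored as attributes in IIS configuration: the 'Invoke handler only if request is mapped to: File' checkbox is `resourceType="File"` on a handler entry, and the error pages choice is `errorMode` on `<httpErrors>`. The following is an added example, not part of the original posts: a Python check that lists ISAPI handlers not restricted to files and flags detailed errors being sent to remote clients. It assumes a constructed web.config (the `LegacyIsapi` handler is made up) and reads only the file it is given, so mappings inherited from applicationHost.config are not evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; handler names and paths are illustrative.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
    <handlers>
      <add name="ASPClassic" path="*.asp" verb="GET,HEAD,POST"
           modules="IsapiModule" resourceType="File"
           scriptProcessor="%windir%\system32\inetsrv\asp.dll" />
      <add name="LegacyIsapi" path="*.dll" verb="*"
           modules="IsapiModule" resourceType="Unspecified" />
      <add name="StaticFile" path="*" verb="*"
           modules="StaticFileModule" resourceType="Either" />
    </handlers>
  </system.webServer>
</configuration>"""


def audit(config_xml):
    """Return (kind, name, value) findings for one config file's own entries."""
    root = ET.fromstring(config_xml)
    findings = []
    for handler in root.findall("./system.webServer/handlers/add"):
        modules = [m.strip() for m in handler.get("modules", "").split(",")]
        if "IsapiModule" not in modules:
            continue  # only ISAPI mappings are in scope for this finding
        # IIS treats a missing resourceType as "Unspecified" (no file check).
        rtype = handler.get("resourceType", "Unspecified")
        if rtype != "File":
            findings.append(("handler", handler.get("name"), rtype))
    errors = root.find("./system.webServer/httpErrors")
    # With no explicit setting IIS uses DetailedLocalOnly.
    mode = "DetailedLocalOnly" if errors is None else errors.get("errorMode", "DetailedLocalOnly")
    if mode == "Detailed":
        findings.append(("httpErrors", "errorMode", mode))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An empty result means every ISAPI mapping in that file is limited to existing files and remote clients do not receive detailed error pages; whether a mapping is unused still has to be decided by someone who knows the application.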