Reputation: 565
IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability
I am supporting a classic asp application developed by another developer. This application will be public facing. Before making it public our network team ran a Security Scan and found some issues. One of the issue mentioned by them is as follows:
Fix Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability
and they provided following steps to resolve this:
You can configure IIS 7 to check for the existence of a file before returning an error message.
- Go to Handler Mappings
- For all enabled IISAPI mappings, Edit ->
Request Restrictions -> Check 'Invoke handler only if request is
mapped to: File'- Disable all unused mappings.
This will address the following issue: Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability (HTTP-IIS- 0013).
I am not familiar with Classic ASP but I checked Handler mapping and tried the steps mentioned above. Following are my questions:
- Is there an easy way to identify handlers which are not being used?
- there are 50+ handlers do I need to click each one of those to invoke handler only if request is mapped to: File
- Can this all be handled from Web.config?
Upvotes: 3
Views: 7733
Answers (1)
Reputation: 1000
Instead of changing the mappings you should be able to turn off detailed error messages for remote users.
In IIS manager select your website, click on error pages, edit feature settings, choose detailed errors for local requests and custom error pages for remote requests.
Upvotes: 2
Related Questions
- ISAPI Extension
- ISAPI Extension gives 404 on IIS7
- System Folder Classic ASP Vulnerability?
- Asp directory listing unfolding
- What is the path of the root directory on IIS server?
- Root Path Problem in asp.net?
- directory listing denied
- ISAPI Extensions on IIS 7.5/Windows 7 (professional)
- How to add an ISAPI extension to a ASP.Net development iis server?
- ASP file being caught by .NET isapi