HBhatia

Reputation: 565

IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability

I am supporting a Classic ASP application developed by another developer. This application will be public facing. Before making it public, our network team ran a security scan and found some issues. One of the issues mentioned by them is as follows:

Fix Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability

and they provided the following steps to resolve this:

You can configure IIS 7 to check for the existence of a file before returning an error message.

  • Go to Handler Mappings
  • For all enabled ISAPI mappings, Edit -> Request Restrictions -> Check 'Invoke handler only if request is mapped to: File'
  • Disable all unused mappings.

This will address the following issue: Microsoft IIS ISAPI Extension Enumerate Root Web Server Directory Vulnerability (HTTP-IIS-0013).

I am not familiar with Classic ASP, but I checked the handler mappings and tried the steps mentioned above. The following are my questions:

  1. Is there an easy way to identify handlers which are not being used?
  2. There are 50+ handlers. Do I need to click each one of those to invoke handler only if request is mapped to: File?
  3. Can this all be handled from Web.config?

Upvotes: 3

Views: 7733

Answers (1)

scampbell

Reputation: 1000

Instead of changing the mappings you should be able to turn off detailed error messages for remote users.

In IIS Manager, select your website, click on Error Pages, then Edit Feature Settings, and choose detailed errors for local requests and custom error pages for remote requests.

Upvotes: 2
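
As an added example (not part of the question or the answer above), the following PowerShell script lists the ISAPI handler mappings of one site that are not restricted to "File", optionally sets them to "File" in bulk instead of clicking through each mapping, and reports the current error mode. It assumes IIS 7 or later with the WebAdministration module and an elevated session; `Default Web Site` is a placeholder site name, and the `-Fix` switch is a name chosen for this example.

```powershell
# Added example: audit (and optionally restrict) ISAPI handler mappings for one site.
# Assumptions: WebAdministration module available, elevated prompt,
# 'Default Web Site' is a placeholder for the real site name.
param(
    [string]$SiteName = 'Default Web Site',
    [switch]$Fix   # hypothetical switch for this example: apply the change
)

Import-Module WebAdministration

$psPath = "IIS:\Sites\$SiteName"
$filter = 'system.webServer/handlers/add'

# Mappings served by an ISAPI extension DLL are the ones handled by IsapiModule.
$isapi = Get-WebConfiguration -PSPath $psPath -Filter $filter |
    Where-Object { $_.modules -match 'IsapiModule' }

# resourceType="File" is the configuration attribute behind the UI option
# "Invoke handler only if request is mapped to: File".
$loose = @($isapi | Where-Object { $_.resourceType -ne 'File' })

Write-Host ("{0} ISAPI mappings, {1} not restricted to File" -f @($isapi).Count, $loose.Count)
$loose | Select-Object name, path, verb, resourceType, scriptProcessor |
    Format-Table -AutoSize

if ($Fix) {
    foreach ($h in $loose) {
        # Build the XPath without string interpolation to avoid quoting surprises.
        $one = "{0}[@name='{1}']" -f $filter, $h.name
        Set-WebConfigurationProperty -PSPath $psPath -Filter $one `
            -Name resourceType -Value 'File'
        Write-Host "Restricted '$($h.name)' to File"
    }
}

# Setting from the answer: 'DetailedLocalOnly' means detailed errors for local
# requests and custom error pages for remote requests.
$mode = Get-WebConfigurationProperty -PSPath $psPath `
    -Filter 'system.webServer/httpErrors' -Name errorMode
Write-Host "httpErrors errorMode: $mode"
```

Run it without `-Fix` first and review the list; the mappings it prints are also the candidates to check when deciding which handlers are unused.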
