4.9 Ensure 'notListedIsapisAllowed' is set to false

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

The notListedIsapisAllowed attribute is a server-level setting that is located in the ApplicationHost.config file in the <isapiCgiRestriction> element of the <system.webServer> section under <security>. This element ensures that malicious users cannot copy unauthorized ISAPI binaries to the Web server and then run them. It is recommended that notListedIsapisAllowed be set to false.
Rationale:
Restricting this attribute to false will help prevent potentially malicious ISAPI extensions from being run.

Solution

To use IIS Manager to set the notListedIsapisAllowed attribute to false:
1. Open IIS Manager as Administrator
2. In the Connections pane on the left, select the server to be configured
3. In Features View, select ISAPI and CGI Restrictions; in the Actions pane, select Open Feature
4. In the Actions pane, select Edit Feature Settings
5. In the Edit ISAPI and CGI Restrictions Settings dialog, clear the Allow unspecified ISAPI modules check box, if checked
6. Click OK
Enter the following command in AppCmd.exe to configure:
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/isapiCgiRestriction /notListedIsapisAllowed:false
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/isapiCgiRestriction' -name 'notListedIsapisAllowed' -value 'False'
Default Value:
The default value for notListedIsapisAllowed is false.
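To verify the setting after remediation, the following added example (not part of the benchmark text) parses an ApplicationHost.config document and reports the effective notListedIsapisAllowed value, treating a missing attribute as the default of false. It goes one step beyond the check by also listing the ISAPI/CGI binaries that are explicitly allowed; the function name, the sample XML and its paths are constructed for illustration.

```powershell
# Added example: offline audit of <isapiCgiRestriction> in an applicationHost.config document.
function Test-IsapiCgiRestriction {
    param([Parameter(Mandatory)][xml]$Config)

    $xpath = '/configuration/system.webServer/security/isapiCgiRestriction'
    $node  = $Config.SelectSingleNode($xpath)

    # GetAttribute returns '' when the attribute is absent; an absent attribute
    # (or an absent element) means the default applies, which is false.
    $raw       = if ($node) { $node.GetAttribute('notListedIsapisAllowed') } else { '' }
    $effective = ($raw -eq 'true')          # string -eq is case-insensitive

    # Entries that remain runnable even when unlisted binaries are blocked.
    $allowed = @()
    if ($node) {
        $allowed = @($node.SelectNodes('add') |
            Where-Object  { $_.GetAttribute('allowed') -eq 'true' } |
            ForEach-Object { $_.GetAttribute('path') })
    }

    [pscustomobject]@{
        NotListedIsapisAllowed = $effective
        ExplicitlySet          = [bool]$raw
        Compliant              = -not $effective
        AllowedBinaries        = $allowed
    }
}

# Constructed sample input: a non-compliant configuration with one allowed entry.
$sample = @'
<configuration>
  <system.webServer>
    <security>
      <isapiCgiRestriction notListedIsapisAllowed="true" notListedCgisAllowed="false">
        <add path="C:\example\allowed_extension.dll" allowed="true" description="constructed entry" />
        <add path="C:\example\blocked_extension.dll" allowed="false" />
      </isapiCgiRestriction>
    </security>
  </system.webServer>
</configuration>
'@

Test-IsapiCgiRestriction -Config $sample | Format-List
# On a server, pass the real file instead (default IIS location assumed):
# Test-IsapiCgiRestriction -Config (Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config" -Raw)
```

For the constructed sample, Compliant is False and AllowedBinaries contains only the entry marked allowed="true".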

See Also

https://workbench.cisecurity.org/files/2297