1.1 Ensure web content is on non-system partition

Information

Web resources published through IIS are mapped, via Virtual Directories, to physical locations on disk. It is recommended to map all Virtual Directories to a non-system disk volume.
Rationale:
Isolating web content from system files may reduce the probability of:
* Web sites/applications exhausting system disk space
* File IO vulnerability in the web site/application from affecting the confidentiality and/or integrity of system files

Solution

1. Browse to web content in C:\\inetpub\\wwwroot\\
2. Copy or cut content onto a dedicated and restricted web folder on a non-system drive such as D:\\webroot\\
3. Change mappings for any applications or Virtual Directories to reflect the new location
To change the mapping for the application named app1 which resides under the Default Web Site, open IIS Manager:
1. Expand the server node
2. Expand Sites
3. Expand Default Web Site
4. Click on app1
5. In the Actions pane, select Basic Settings
6. In the Physical path text box, put the new location of the application, D:\\wwwroot\\app1 in the example above
Default Value:
The default location for web content is: %systemdrive%\\inetpub\\wwwroot.

See Also

https://workbench.cisecurity.org/files/2297

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CSCv7|14

Plugin: Windows

Control ID: 9c3162c79ab949b0e801e4a03f1a9ecc021f7894e0c6843701585502db158d83