IISW-SI-000216 - The IIS 8.5 website must have resource mappings set to disable the serving of certain file types.


Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client.

By not specifying which files can and which files cannot be served to a user, the web server could deliver to a user web server configuration files, log files, password files, etc.

The web server must only allow hosted application file types to be served to a user and all other types must be disabled.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Follow the procedures below for each site hosted on the IIS 8.5 web server:

Open the IIS 8.5 Manager.
Click the site name to review.
Double-click Request Filtering >> File Name Extensions Tab >> Deny File Name Extension.
Add any script file extensions listed on the black list that are not listed.
Select 'Apply' from the 'Actions' pane.

See Also


Item Details


References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-214456r903089_rule, STIG-ID|IISW-SI-000216, STIG-Legacy|SV-91497, STIG-Legacy|V-76801, Vuln-ID|V-214456

Plugin: Windows

Control ID: 4649ee26f0581ff405f7093c4553db264971ce9e1294006a2dc2312a7268f1fc