From IIS 8.5 Site Security Technical Implementation Guide
Part of SRG-APP-000141-WSR-000083
Associated with: CCI-000381
Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client, and of identifying which file types are not to be delivered to a client.
For "Handler Mappings", the ISSO must document and approve all file extensions the website allows (white list) and denies (black list). The white list and black list will be compared to the "Handler Mappings" in IIS 8.5. "Handler Mappings" at the site level take precedence over "Handler Mappings" at the server level.
Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Double-click "Request Filtering".
If any file name extensions from the black list have "Allowed" set to "True", this is a finding.
Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.
Click the site name under review.
Double-click "Request Filtering".
For any file name extensions from the black list which have "Allowed" set to "True", remove the file name extension.
Select "Deny File Name Extension" from the "Actions" pane.
Add each file name extension from the black list.
Select "Apply" from the "Actions" pane.
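The check above can also be run from PowerShell across every site at once. The script below is an added example, not part of the STIG text; it only reads configuration, and the `$BlackList` values are constructed placeholders to be replaced with the ISSO-approved black list.

```powershell
# Added example: read-only audit of Request Filtering file name extensions.
Import-Module WebAdministration

# Assumption: constructed sample values; substitute the documented black list.
$BlackList = @('.bak', '.old', '.inc')

$filter = 'system.webServer/security/requestFiltering/fileExtensions/add'

$report = foreach ($site in Get-Website) {
    # Effective rules for the site: server-level entries merged with site-level ones.
    $rules = @(Get-WebConfiguration -Filter $filter -PSPath "IIS:\Sites\$($site.Name)")

    foreach ($ext in $BlackList) {
        $rule = $rules | Where-Object { $_.fileExtension -ieq $ext } |
                Select-Object -First 1

        if (-not $rule) {
            # Not listed at all; the fix text adds a deny entry for it.
            $status = 'NoEntry'
        } elseif ($rule.allowed) {
            # "Allowed" is "True" for a black-listed extension: the finding condition.
            $status = 'Finding'
        } else {
            $status = 'Denied'
        }

        [pscustomobject]@{
            Site      = $site.Name
            Extension = $ext
            Status    = $status
        }
    }
}

$report | Sort-Object Site, Extension | Format-Table -AutoSize

# Non-zero exit code when any site has a finding, for scheduled compliance runs.
if ($report | Where-Object Status -eq 'Finding') { exit 1 }
```

Only rows marked `Finding` match the check text; `NoEntry` rows are extensions the fix text would still add through "Deny File Name Extension".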