Understanding IIS Default Page Vulnerability
Who is this article for? Users who want to learn more about the IIS default page vulnerability.
No elevated permissions are required.
This article explains the IIS Default Page Vulnerability, including its implications and potential risks for web servers.
Important: This article does not serve as a comprehensive guide to Windows administration and should not be considered as advice or a recommendation. However, it provides information that you may find beneficial. It's important to assess the suitability of the content alongside other resources and guidance available.
1. IIS Default Page Vulnerability
Following the installation of IIS on a server, you typically gain access to a Welcome page by opening a web browser. In recent versions of Windows, the page appears as follows:
Note: Addressing this issue falls outside the scope of Ideagen support as it pertains to IIS rather than Ideagen software.
The Welcome page is useful because it lets you easily test a new IIS installation. However, many security vendors consider it a low-risk vulnerability, often flagged as "Microsoft IIS Default Page Vulnerability," for two main reasons:
- It indicates that the server is running Windows.
- It suggests that the server may not be fully configured, making it potentially easier to attack.
As a result, they recommend removing the default page. In a standard installation, you can accomplish this by:
- Navigating to C:\inetpub\wwwroot on the IIS server using File Explorer.
- Deleting the files named iisstart.htm and iisstart.png.
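The two steps above can also be scripted and then checked. The following PowerShell is an added example, not part of the original article or any Ideagen or Microsoft tooling. It assumes the standard site root shown above and a site bound to http://localhost/, and the backup folder is a hypothetical location chosen for illustration.

```powershell
# Added example: remove the IIS default Welcome page files, then confirm the
# page is no longer served. Run on the IIS server with an account that can
# modify the site root.
param(
    [string]$SiteRoot  = 'C:\inetpub\wwwroot',         # standard installation path
    [string]$Url       = 'http://localhost/',          # assumed site binding
    [string]$BackupDir = "$env:TEMP\iisstart-backup"   # hypothetical backup folder
)

$defaultFiles = 'iisstart.htm', 'iisstart.png'

# Keep a copy so the change can be reverted if the page is needed for testing.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($name in $defaultFiles) {
    $path = Join-Path $SiteRoot $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        Copy-Item   -LiteralPath $path -Destination $BackupDir -Force
        Remove-Item -LiteralPath $path -Force
        Write-Host "Removed $path (copy kept in $BackupDir)"
    } else {
        Write-Host "Not present: $path"
    }
}

# Verify from the server itself. With no default document left, IIS normally
# answers with an HTTP error, which Invoke-WebRequest reports as an exception.
try {
    $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
    # Heuristic (assumption): the stock Welcome page references iisstart.png.
    if ($resp.Content -match 'iisstart\.png') {
        Write-Warning "$Url still returns the default Welcome page. Check other sites or cached copies."
    } else {
        Write-Host "$Url returned HTTP $($resp.StatusCode) with non-default content."
    }
} catch {
    Write-Host "$Url no longer serves the Welcome page: $($_.Exception.Message)"
}
```

If the server hosts several sites, run the script once per site root, passing -SiteRoot and -Url for each.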
Tip: For more information on configuring default documents in IIS, see: Configure the Default Document in Internet Information Services.