Iis – Remove CGI from IIS7

iisiis-7windows-server-2008

I ran some security scan and the scan said that all kind of CGI stuff are potential thread.
This is part of the result :

(ash) is present in the cgi-bin directory

(bash) is present in the cgi-bin directory

By exploiting this vulnerability, a malicious user may be able to
execute arbitrary commands on a remote system. In some cases, the
hacker may be able to gain root level access to the system, in which
case the hacker might be able to cause copious damage to the system,
or use the system as a jumping off point to target other systems on
the network for intrusion and/or denial of service attacks.

and many more related to cgi-bin directory. First I searched all the server for cgi-bin folder and it did not find any. Second I'm running my website on pure .NET and I don't use any scripts like php. Question is how can I remove this CGI thing from the IIS?

Best Answer

CGI is a sub role of IIS.

In server 2012 Go to remove roles and drill down the following tree

[X] Web Server (IIS)                                    
[X] Web Server                                                 
    [X] Application Development                     
        [X] .NET Extensibility 3.5                  
        [X] .NET Extensibility 4.5                  
        [X] Application Initialization              
        [X] ASP                                     
        [X] ASP.NET 3.5                             
        [X] ASP.NET 4.5                             
        [ ] CGI   <==== Make sure it is not checked!                                  
        [X] ISAPI Extensions                        
        [X] ISAPI Filters                           
        [X] Server Side Includes                    
        [ ] WebSocket Protocol

This insures that it is disabled and will not cause any security risks.

Related Topic