tenable:106609 · Microsoft Windows IIS Default Index Page

01 · The Real Story

Like leaving the builder’s sign in the yard after the house is occupied

Tenable plugin 106609 fires when an IIS site serves the stock default page at the web root. In practice, the affected range is not a software version range but a deployment condition: any Windows host running Microsoft IIS where the default document list still resolves to a stock file such as Iisstart.htm, Default.htm, Default.asp, Index.htm, Index.html, or Default.aspx and that content is still the IIS welcome page. Microsoft documents that default documents are enabled by default in IIS, so this is fundamentally a hardening/configuration issue, not a vendor patchable product flaw.

Tenable scoring this as MEDIUM overstates the operational risk for enterprise patch triage. The page can help an attacker fingerprint IIS and spot an unfinished deployment, but by itself it does not provide code execution, auth bypass, privilege escalation, or meaningful data exposure; it mainly shortens reconnaissance that other signals like headers, TLS fingerprints, and normal content often already provide.

"This is a breadcrumb, not a breach: useful for recon, weak as a standalone security risk."

02 · The Attack Path

3 steps from start to impact.

STEP 01

Fetch the root page with curl or a browser

An unauthenticated attacker sends GET / to a reachable IIS site and receives the stock welcome page. Nessus plugin 106609 does exactly this style of remote content check when paranoid reporting is enabled. The practical output is a server fingerprint and a sign that the default site or default document chain was left in place.

Conditions required:

Unauthenticated network reachability to HTTP or HTTPS on the IIS site
A site binding that resolves / to a default document
The stock IIS page or an unmistakable derivative still exists in the site content path

Where this breaks in practice:

Many IIS servers are internal-only, which makes this post-initial-access intelligence rather than initial access
A custom application homepage usually replaces the stock page, so the condition is absent on mature deployments
The page often reveals less than standard headers, certificates, or application behavior already do

Detection/coverage: Very high coverage. Nessus 106609, Nikto-style content checks, and simple curl/browser validation can all detect it. Tenable notes the plugin requires Enable paranoid mode.

STEP 02

Use the page to tune follow-on enumeration with nmap or Nikto

Once the server is identified as IIS on Windows, an attacker can prioritize IIS-specific path checks, module guessing, and Windows-oriented web tradecraft. OWASP explicitly treats default pages and error pages as effective fingerprinting material. This is where the finding has value: it reduces guesswork for the next tool, not because the page itself grants access.

Conditions required:

The attacker can interact repeatedly with the web service
There are additional IIS-specific weaknesses, weak apps, or forgotten paths worth probing

Where this breaks in practice:

Fingerprinting alone does not cross a trust boundary
Modern EDR, WAF, and reverse proxies often catch or rate-limit noisy follow-on enumeration
Most enterprise IIS estates expose plenty of equivalent fingerprints elsewhere

Detection/coverage: Web logs, WAF telemetry, and network IDS should see the follow-on enumeration. The default-page check itself is low-noise and easy to miss unless access logs are reviewed.

STEP 03

Exploit a separate weakness for real impact

Actual compromise requires a second bug or misconfiguration: a vulnerable app, exposed admin interface, weak credentials, or another IIS/application flaw. The default page may marginally accelerate target selection, but it is not the exploit primitive. That dependency chain is the decisive downward pressure on severity.

Conditions required:

A separate exploitable web flaw or weak management path exists
Security controls fail to stop enumeration or exploitation

Where this breaks in practice:

No direct confidentiality, integrity, or availability impact comes from the default page alone
The blast radius is limited unless another issue is present
Attack success depends on unrelated weaknesses, so this finding is rarely the bottleneck

Detection/coverage: Detection shifts to the second-stage issue. Scanner coverage for the stock page is strong; coverage for chained app-specific weaknesses varies.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No CISA KEV entry applies here and there is no evidence this is tracked as a standalone exploited vulnerability. Treat it as recon/hardening debt, not an active exploitation headline.
Proof-of-concept availability	No special PoC is required. A browser or `curl -i https://host/` is enough to validate exposure; follow-on recon is commonly done with `nmap` and `Nikto`.
EPSS	N/A. There is no CVE for this plugin finding, so there is no FIRST EPSS score or percentile.
KEV status	Not applicable. This is not a KEV-trackable CVE; no KEV date exists.
Vendor CVSS	Tenable assigns `5.3` with vector `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`, effectively modeling light information disclosure from unauthenticated network access.
Affected scope	Any Microsoft IIS on Windows where the root path still resolves to the stock IIS default page. Microsoft documents default documents as enabled by default and lists common default filenames including `Default.htm`, `Default.asp`, `Index.htm`, `Index.html`, and `Iisstart.htm`.
Fixed state	There is no patched software version. The corrected state is operational: remove/replace the stock page, disable the unused default site or binding, or change default-document behavior so `/` no longer serves the IIS welcome content.
Exposure data	Internet search engines can fingerprint IIS, but exact counts for the stock default page are noisy and query-dependent. Shodan/Censys can support scoping, yet the population size is unstable because titles, bodies, and reverse-proxy layers change.
Disclosure date	Tenable published plugin `106609` on 2018-02-05 and last updated it on 2020-04-22.
Reporting source	This is a Tenable-authored detection for a web-server hardening issue. OWASP guidance aligns with removing default files and using such pages as fingerprinting indicators during testing.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (2.1/10)

The decisive factor is that this finding is only useful as reconnaissance; it does not itself provide access or impact. In real enterprise environments, its value drops further because many affected IIS instances are internal-only and the same platform fingerprint is often available through easier signals anyway.

HIGH Severity downgrade from vendor `MEDIUM` to `LOW`

HIGH Assessment that this is a configuration hygiene finding rather than a patch-grade vulnerability

MEDIUM Enterprise-wide exposure impact without asset context

Why this verdict

Baseline starts too high Tenable's 5.3 assumes anonymous network-readable information disclosure, but the leaked value is usually just IIS fingerprinting and a hint of unfinished hardening.
Requires a second failure to matter There is no direct path from this page to code execution, privilege gain, auth bypass, or material data loss; an attacker still needs another bug, weak app, or exposed admin path.
Attacker position often implies prior access If the IIS host is internal-only, the prerequisite is internal network reachability, which means the finding becomes post-initial-access recon rather than a front-door risk.
Reachable population is narrower than CVSS suggests Many enterprise IIS nodes are management, middleware, or intranet services not broadly internet-exposed, sharply reducing attacker opportunity.
Modern controls should catch the meaningful stage, not this breadcrumb WAF, EDR, reverse proxies, and web logging are more likely to disrupt the exploit chain at the follow-on enumeration or attack stage.

Why not higher?

There is no standalone exploit chain here. Even for internet-facing hosts, the welcome page usually adds only weak fingerprinting value that attackers can often derive from headers, TLS, or application behavior; the real risk sits in whatever *other* issue they find next.

Why not lower?

It is still a real hardening lapse, especially on public-facing IIS where the stock page can advertise platform choice and signal sloppy deployment practices. At scale, forgotten default sites and placeholder pages are also useful indicators for broader configuration drift, so this should remain in backlog hygiene rather than be universally discarded.

05 · Compensating Control

What to do — in priority order.

Replace the stock page — Swap the IIS welcome page for the intended application landing page or a generic maintenance page so / no longer fingerprints the server. For a LOW verdict there is no formal mitigation SLA; handle this as backlog hygiene during normal web hardening.
Disable unused default sites and bindings — If Default Web Site exists only because IIS was installed, stop or remove it and clean up stray bindings that expose placeholder content. This reduces accidental exposure and prevents the welcome page from being reachable on alternate hostnames or IP bindings; schedule as backlog hygiene.
Scope and suppress intentionally benign cases — If an internal-only placeholder site is intentionally retained, document the business reason and reclassify or suppress the finding in Tenable so patch queues are not polluted. Do this after confirming the site is not internet-exposed and does not leak extra version or environment details.
Review adjacent IIS hardening — Use this finding as a trigger to verify directory browsing, sample applications, verbose errors, unnecessary modules, and admin paths are not exposed. The welcome page itself is weak, but it is a good drift signal for nearby hardening misses; clean those up in the same maintenance cycle.

What doesn't work

A WAF alone does not solve this; the issue is the server intentionally serving stock content at /.
Simply hiding the Server header is incomplete, because body content and default responses can still fingerprint IIS.
Treating this like an emergency patch wastes cycles; there is no vendor patch version to deploy and no direct exploit primitive to shut down.

06 · Verification

Crowdsourced verification payload.

Run this on the IIS host itself in an elevated PowerShell session. Invoke it as powershell -ExecutionPolicy Bypass -File .\check-iis-default-page.ps1 or save it and run locally; it needs rights to read IIS configuration and web root files via the WebAdministration module.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# check-iis-default-page.ps1

# Exit codes:

#   0 = PATCHED

#   1 = VULNERABLE

#   2 = UNKNOWN


$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$State,
        [int]$Code,
        [string]$Message
    )
    Write-Output "$State - $Message"
    exit $Code
}

try {
    Import-Module WebAdministration -ErrorAction Stop
} catch {
    Write-Result -State 'UNKNOWN' -Code 2 -Message 'WebAdministration module not available; cannot inspect IIS configuration.'
}

$stockNames = @('iisstart.htm','default.htm','default.asp','index.htm','index.html','default.aspx')
$stockMarkers = @(
    'IIS Windows Server',
    'Internet Information Services',
    'Welcome',
    'iisstart.png'
)

try {
    $sites = Get-Website | Where-Object { $_.State -eq 'Started' }
} catch {
    Write-Result -State 'UNKNOWN' -Code 2 -Message 'Unable to enumerate IIS sites.'
}

if (-not $sites -or $sites.Count -eq 0) {
    Write-Result -State 'PATCHED' -Code 0 -Message 'No started IIS websites found.'
}

$findings = New-Object System.Collections.Generic.List[string]

foreach ($site in $sites) {
    try {
        $sitePath = $site.PhysicalPath
        if ([string]::IsNullOrWhiteSpace($sitePath)) { continue }

        $expandedPath = [Environment]::ExpandEnvironmentVariables($sitePath)
        if (-not (Test-Path -LiteralPath $expandedPath)) { continue }

        $bindings = @($site.Bindings.Collection | ForEach-Object { $_.bindingInformation + ' [' + $_.protocol + ']' })
        $hasWebBinding = $false
        foreach ($b in $site.Bindings.Collection) {
            if ($b.protocol -in @('http','https')) { $hasWebBinding = $true; break }
        }
        if (-not $hasWebBinding) { continue }

        $defaultDocs = @()
        try {
            $dd = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "system.webServer/defaultDocument/files" -Location $site.Name -Name '.'
            if ($dd) {
                $defaultDocs = @($dd | ForEach-Object { $_.value.ToString().ToLowerInvariant() })
            }
        } catch {
            # Fall back to stock names if per-site config can't be read

            $defaultDocs = @()
        }

        if (-not $defaultDocs -or $defaultDocs.Count -eq 0) {
            $defaultDocs = $stockNames
        }

        foreach ($doc in $defaultDocs) {
            if ($stockNames -notcontains $doc.ToLowerInvariant()) { continue }
            $candidate = Join-Path -Path $expandedPath -ChildPath $doc
            if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) { continue }

            $isStock = $false
            if ($doc.ToLowerInvariant() -eq 'iisstart.htm') {
                $isStock = $true
            } else {
                try {
                    $content = Get-Content -LiteralPath $candidate -Raw -ErrorAction Stop
                    foreach ($marker in $stockMarkers) {
                        if ($content -match [regex]::Escape($marker)) {
                            $isStock = $true
                            break
                        }
                    }
                } catch {
                    # If file exists but content cannot be read, keep evaluating other files

                }
            }

            if ($isStock) {
                $bindText = if ($bindings.Count -gt 0) { $bindings -join ', ' } else { 'no binding details' }
                $findings.Add("Site '$($site.Name)' serves probable stock IIS content via '$doc' in '$expandedPath' with bindings: $bindText") | Out-Null
                break
            }
        }
    } catch {
        # Continue checking other sites

        continue
    }
}

if ($findings.Count -gt 0) {
    Write-Result -State 'VULNERABLE' -Code 1 -Message ($findings -join '; ')
} else {
    Write-Result -State 'PATCHED' -Code 0 -Message 'No started IIS site appears to expose the stock default IIS page from common default documents.'
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, reclassify Tenable plugin 106609 to LOW in your program and scope it to internet-facing IIS first. There is no noisgate mitigation SLA for a LOW finding and noisgate remediation SLA is effectively backlog hygiene, so do not burn emergency patch capacity on this; instead, remove the stock page or disable unused default sites during the next normal web-hardening change window, and suppress intentional internal-only placeholders once verified.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.