Remove dependency on default document in IIS configuration
A common security vulnerability exists in the default IIS configuration when SCCM is installed. Having the default documents (eg iisstart.htm) can aide a malicious actor in discovery https://www.rapid7.com/db/vulnerabilities/http-iis-default-install-page
IF the default document is removed, Workgroup clients are unable to communicate with SCCM. The default document should not be a dependency on SCCM, or on workgroup clients ability to connect.
Symptoms: Clients not joined to the domain can not connect to an SCCM server
Client Location log shows http 403 errors
Error sending HEAD request. HTTP code 403, status 'Forbidden' ClientLocation
Text=CCMEBADHTTPSTATUS_CODE ClientLocation
Workaround:
Adding a default document to the IIS site is a workaround, but potential security risk

1 comment
-
Pavel Yurenev commented
Note that here IIS is configured, and a user (or admin) should be aware of it.
So Rapid7 motivation doesn't qualify here.