Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2259 | WG300 IIS6 | SV-38327r1_rule | ECCD-1 ECCD-2 ECLP-1 | Medium |
Description |
---|
This check verifies that the key web server system configuration files are owned by the SA or a Web Manager-controlled account. These same files control the configuration of the web server, and thus its behavior, and must also be accessible by the account that runs the web service. If these files are altered by a malicious user, the web server is no longer under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform. |
STIG | Date |
---|---|
IIS6 Server | 2011-09-26 |
Check Text ( C-37717r1_chk ) |
---|
The default server root is %SystemRoot%\system32\inetsrv. The anonymous web user is IUSR_computername, which is created by default when IIS is installed. This account should be a member of a group named Guests or WebUsers (IIS Lockdown creates the Web Applications and Web Anonymous Users groups) and have Read and Execute permissions only to web content directories. Other permissions are as follows:

\inetpub: Administrators (Full Control); System (Full Control); Authenticated Users (Read)
\inetpub\AdminScripts: Administrators (Full Control); System (Full Control)
\inetpub\ftproot: Administrators (Full Control); System (Full Control); Authenticated Users (Read); Web Anonymous Users (Deny Write); Web Applications (Deny Write); IIS_WPG (Deny Write)
\inetpub\ftproot\ftpfiles: Administrators (Full Control); System (Full Control); WebAdmins (Modify); Authenticated Users (Read); Web Anonymous Users (Read); Web Applications (Read); IIS_WPG (Read). IIS Permissions: Read and None

FTP Uploads (if required):
\inetpub\ftproot\dropbox: Administrators (Full Control); WebAdmins or FTPAdmins (Read, Write, Delete); SpecifiedUsers (Write). IIS Permissions: Write and None

\inetpub\mailroot: Administrators (Full Control); System (Full Control); Authenticated Users (Read); Web Anonymous Users (Deny Write); Web Applications (Deny Write); IIS_WPG (Deny Write)
\inetpub\wwwroot: Administrators (Full Control); System (Full Control); Authenticated Users (Read); Web Anonymous Users (Deny Write); Web Applications (Deny Write); IIS_WPG (Deny Write)
\inetpub\wwwroot\docs: Administrators (Full Control); System (Full Control); WebAdmins (Modify); Authenticated Users (Read); Web Anonymous Users (Deny Write); Web Applications (Deny Write); IIS_WPG (Deny Write). IIS Permissions: Read and None
\inetpub\wwwroot\images: Administrators (Full Control); System (Full Control); WebAdmins (Modify); Authenticated Users (Read); Web Anonymous Users (Deny Write); Web Applications (Deny Write); IIS_WPG (Deny Write). IIS Permissions: Read and None
\inetpub\wwwroot\scripts: Administrators (Full Control); System (Full Control); WebAdmins (Modify); IIS_WPG (Traverse Folder/Execute); Web Anonymous Users (Traverse Folder/Execute); Web Applications (Traverse Folder/Execute). IIS Permissions: Script

NOTE: There may be additional application-specific content directories associated with this web server; they should follow the same guidance as wwwroot and its sub-directories for permissions.

\WINNT\system32\inetsrv: Administrators (Full Control); System (Full Control); Users (Read & Execute)
\WINNT\system32\inetsrv\data: Administrators (Full Control); System (Full Control); Users (Read & Execute)
\WINNT\system32\inetsrv\ASP Compiled Templates: Administrators (Full Control); System (Full Control)
\WINNT\system32\inetsrv\History: Administrators (Full Control); System (Full Control)
\WINNT\system32\inetsrv\iisadmin: Administrators (Full Control); System (Full Control)
\WINNT\system32\inetsrv\iisadmpwd: Administrators (Full Control); System (Full Control)
\WINNT\system32\inetsrv\inetmgr.exe: Administrators (Full Control); System (Full Control); WebAdmins (Read & Execute); Web Anonymous Users (Deny ALL); Web Applications (Deny ALL); IIS_WPG (Deny ALL)
\WINNT\system32\inetsrv\MetaBack: Administrators (Full Control); System (Full Control)
\WINNT\system32\inetsrv\urlscan: Administrators (Full Control); System (Full Control); LocalService (Read & Execute); NetworkService (Read & Execute)

FILE SPECIFIC PERMISSIONS:

\WINNT\system32\inetsrv\*.exe, \WINNT\system32\inetsrv\*.bat, \WINNT\system32\inetsrv\oblt-log.log, \WINNT\system32\inetsrv\oblt-rep.log, \WINNT\system32\inetsrv\oblt-undo.log, \WINNT\system32\inetsrv\oblt-undone.log: Administrators (Full Control); System (Full Control); Users (Read & Execute); Web Anonymous Users (Deny ALL); Web Applications (Deny ALL); IIS_WPG (Deny ALL)
\WINNT\system32\inetsrv\metabase.bin, \WINNT\system32\inetsrv\metabase.xml, \WINNT\system32\inetsrv\MBSchema.xml, \WINNT\system32\inetsrv\MBSchema.bin.00000000h: Administrators (Full Control); System (Full Control)

If the file permissions do not meet the minimum file permissions listed above, this is a finding. More restrictive file permissions would not be a finding.

NOTE: If a "Windows\SysWOW64\Inetsrv" directory is present on the system, this check applies to that directory as well.

NOTE: To check the file permissions, navigate to the directories or files using a tool such as Windows Explorer, right-click the directory or file being reviewed > Select Properties > Select the Security tab. The permissions will then be displayed for your review. To check the IIS Permissions, use the Internet Services Manager, navigate to the web site being reviewed > Select Properties > Select the Home Directory tab. From here, review the assigned IIS permissions for this web site. |
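The Explorer walk-through above is the manual procedure; the script below is an added example (not part of the STIG or of DISA tooling) that performs the same NTFS comparison for a subset of the listed paths and can be extended with the remaining entries. Because more restrictive permissions are not a finding, it treats each listed Allow entry as the most a principal may hold, flags any Allow ACE for a principal not in the list, and verifies the required Deny entries are present. It assumes an elevated PowerShell 2.0 or later prompt on the IIS 6 host, inetpub at its default location on the system drive, and that the WebAdmins, Web Anonymous Users, Web Applications and IIS_WPG groups exist under exactly those names; the IIS Permissions on the Home Directory tab are not covered and remain a manual check.

```powershell
# Added example, not from the STIG: audit live NTFS ACLs on an IIS 6 host against
# a subset of the permissions in the check text.
# Assumptions: elevated PowerShell 2.0+; inetpub in its default location; the
# group names below exist as written in the check text.

$inetpub = Join-Path $env:SystemDrive 'inetpub'            # assumed default location
$inetsrv = Join-Path $env:SystemRoot  'system32\inetsrv'

# Allow = the most each principal may hold; Deny = entries that must be present.
# Principals are matched on the name after the domain/machine prefix.
function New-Rule([hashtable]$Allow, [hashtable]$Deny) { @{ Allow = $Allow; Deny = $Deny } }
$admSys  = @{ 'Administrators' = 'FullControl'; 'SYSTEM' = 'FullControl' }
$denyWeb = @{ 'Web Anonymous Users' = 'Write'; 'Web Applications' = 'Write'; 'IIS_WPG' = 'Write' }

$policy = @{}
$policy[$inetpub]                                = New-Rule ($admSys + @{ 'Authenticated Users' = 'Read' }) @{}
$policy[(Join-Path $inetpub 'wwwroot')]          = New-Rule ($admSys + @{ 'Authenticated Users' = 'Read' }) $denyWeb
$policy[(Join-Path $inetpub 'wwwroot\scripts')]  = New-Rule ($admSys + @{
    'WebAdmins' = 'Modify'; 'IIS_WPG' = 'ExecuteFile'                       # ExecuteFile = Traverse Folder
    'Web Anonymous Users' = 'ExecuteFile'; 'Web Applications' = 'ExecuteFile' }) @{}
$policy[$inetsrv]                                = New-Rule ($admSys + @{ 'Users' = 'ReadAndExecute' }) @{}
$policy[(Join-Path $inetsrv 'metabase.xml')]     = New-Rule $admSys @{}

$synch   = [System.Security.AccessControl.FileSystemRights]::Synchronize
$generic = 0xF0000000   # GENERIC_* bits seen on some inherited ACEs; cannot be compared bitwise

function Test-StigAcl([string]$Path, [hashtable]$Rule) {
    $findings = @()
    if (-not (Test-Path -Path $Path)) { return ,"$Path : not present, review manually" }
    $access = (Get-Acl -Path $Path).Access                  # explicit and inherited ACEs
    foreach ($ace in $access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who    = ($ace.IdentityReference.Value -split '\\')[-1]
        $rights = $ace.FileSystemRights
        if (([long][int]$rights -band $generic) -ne 0) {
            $findings += "$Path : '$who' holds generic rights ($rights), review manually"
            continue
        }
        if (-not $Rule.Allow.ContainsKey($who)) {
            $findings += "$Path : unexpected Allow for '$who' ($rights)"
            continue
        }
        $max = [System.Security.AccessControl.FileSystemRights]$Rule.Allow[$who]
        # Explorer attaches Synchronize to any Read/Modify grant; it is not a finding.
        $extra = [int]$rights -band (-bnot ([int]$max -bor [int]$synch))
        if ($extra -ne 0) {
            $findings += "$Path : '$who' holds $rights, maximum listed is $($Rule.Allow[$who])"
        }
    }
    foreach ($who in $Rule.Deny.Keys) {
        $want = [System.Security.AccessControl.FileSystemRights]$Rule.Deny[$who]
        $hit  = $access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.IdentityReference.Value -split '\\')[-1] -eq $who -and
            (($_.FileSystemRights -band $want) -eq $want)
        }
        if (-not $hit) { $findings += "$Path : missing Deny $($Rule.Deny[$who]) for '$who'" }
    }
    return $findings
}

$all = @()
foreach ($path in $policy.Keys) {
    $r = Test-StigAcl $path $policy[$path]
    if ($r) { $all += @($r) }
}
if ($all.Count -eq 0) { 'No findings for the audited paths.' } else { $all }
```

Every line of output is a candidate finding to reconcile against the list, not an automatic failure: CREATOR OWNER and similar default entries will be reported as unexpected principals, and ACEs expressed in generic rights are reported for manual review rather than compared. Run it a second time with `$inetsrv` pointed at `Windows\SysWOW64\Inetsrv` where that directory exists, as the note above requires.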
Fix Text (F-32964r1_fix) |
---|
Set file permissions on the web server system files to meet minimum file permission requirements. |