UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Anonymous access accounts must be restricted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6537 WG195 IIS6 SV-29351r2_rule ECCD-1 ECCD-2 ECLP-1 High
Description
Many of the security problems that occur are not the result of a user gaining access to files or data for which the user does not have permissions, but rather users are assigned incorrect permissions to unauthorized data. The files, directories, and data that are stored on the web server need to be evaluated and a determination made concerning authorized access to information and programs on the server. In most cases, we can identify several types of users on a web server. These are system SAs, web administrators, auditors, authors, developers, and clients (web users, either anonymous or authenticated). Only authorized users and administrative accounts will be allowed on the host server in order to maintain the web server, applications, and review the server operations.
STIG Date
IIS6 Server 2011-09-26

Details

Check Text ( C-37646r1_chk )
The reviewer should review the privileges assigned to the "IUSR_Account". Any group the IUSR_Account is assigned to must not provide authenticated access to the external users. The use of another group created for anonymous access is the acceptable solution for group assignment.

1. Select Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users.
2. Double click the IUSR_Account > Select “Member of:” tab.

If the IUSR_Account is assigned to any group other than a local anonymous group, this is a finding.

NOTE: Any associations with the authenticated users group or everyone group would not make this a finding.
NOTE: The group created for the anonymous account needs to be restricted to the web directories, and not have access to the entire system.
Fix Text (F-32887r1_fix)
Remove the anonymous access account from all privileged accounts and all privileged groups.