UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Web server system files must conform to minimum file permission requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2259 WG300 IIS6 SV-31321r1_rule ECCD-1 ECCD-2 ECLP-1 Medium
Description
This check verifies the key web server system configuration files are owned by the SA or Web Manager controlled account. These same files which control the configuration of the web server, and thus its behavior, must also be accessible by the account which runs the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.
STIG Date
IIS6 Server 2014-12-05

Details

Check Text ( C-29966r1_chk )
IIS:
The default server root is %system%\system32\inetsrv. The anonymous web user is IUSR_computername and IWAM_computername, which are created by default when IIS is installed. This account should be part of a group named Guests or WebUsers (IIS Lockdown creates the Web Applications and Web Anonymous Users Groups) and have read and execute permissions only to web content directories. Other permissions are as follows:

\inetpub
Administrators (Full Control)
System (Full Control)
Authenticated Users (Read)

\inetpub\AdminScripts
Administrators (Full Control)
System (Full Control)

\inetpub\ftproot
Administrators (Full Control)
System (Full Control)
Authenticated Users (Read)
Web Anonymous Users (Deny Write)
Web Applications (Deny Write)
IIS_WPG (Deny Write)

\inetpub\ftproot\ftpfiles
Administrators (Full Control)
System (Full Control)
WebAdmins (Modify)
Authenticated Users (Read)
Web Anonymous Users (Read)
Web Applications (Read)
IIS_WPG (Read)
IIS Permissions: Read and None

FTP Uploads (if required)
\inetpub\ftproot\dropbox
Administrators (Full Control)
WebAdmins or FTPAdmins (Read,Write,Delete)
SpecifiedUsers (Write)
IIS Permissions: Write and None

\inetpub\mailroot
Administrators (Full Control)
System (Full Control)
Authenticated Users (Read)
Web Anonymous Users (Deny Write)
Web Applications (Deny Write)
IIS_WPG (Deny Write)

\inetpub\wwwroot
Administrators (Full Control)
System (Full Control)
Authenticated Users (Read)
Web Anonymous Users (Deny Write)
Web Applications (Deny Write)
IIS_WPG (Deny Write)

\inetpub\wwroot\docs
Administrators (Full Control)
System (Full Control)
WebAdmins (Modify)
Authenticated Users (Read)
Web Anonymous Users (Deny Write)
Web Applications (Deny Write)
IIS_WPG (Deny Write)
IIS Permissions: Read and None

\inetpub\wwwroot\images
Administrators (Full Control)
System (Full Control)
WebAdmins (Modify)
Authenticated Users (Read)
Web Anonymous Users (Deny Write)
Web Applications (Deny Write)
IIS_WPG (Deny Write)
IIS Permissions: Read and None

\inetpub\wwwroot\scripts
Administrators (Full Control)
System (Full Control)
WebAdmins(Modify)
IIS_WPG (Traverse Folder/Execute)
Web Anonymous Users (Traverse Folder/Execute)
Web Applications (Traverse Folder/Execute)
IIS Permissions: Script

NOTE: There may additional application specific content directories associated with
this web server and they should follow the same guidance as the wwwroot and
associated sub-directories for permissions.

\WINNT\system32\inetsrv
Administrators (Full Control)
System (Full Control)
Users (Read & Execute)

\WINNT\system32\inetsrv\data
Administrators (Full Control)
System (Full Control)
Users (Read & Execute)

\WINNT\system32\inetsrv\ASP Compiled Templates
Administrators (Full Control)
System (Full Control)

\WINNT\system32\inetsrv\History
Administrators (Full Control)
System (Full Control)

\WINNT\system32\inetsrv\iisadmin
Administrators (Full Control)
System (Full Control)

\WINNT\system32\inetsrv\iisadmpwd
Administrators (Full Control)
System (Full Control)

\WINNT\system32\inetsrv\inetmgr.exe
Administrators (Full Control)
System (Full Control)
Web Admins (Read & Execute)
Web Anonymous Users (Deny ALL)
Web Applications (Deny ALL)
IIS_WPG (Deny ALL)

\WINNT\system32\inetsrv\MetaBack
Administrators (Full Control)
System (Full Control)

\WINNT\system32\inetsrv\urlscan
Administrators (Full Control)
System (Full Control)
LocalService (Read / Execute)
NetworkService (Read/Execute)

FILE SPECIFIC PERMISSIONS

\WINNT\system32\inetsrv\*.exe
\WINNT\system32\inetsrv\*.bat
\WINNT\system32\inetsrv\oblt-log.log
\WINNT\system32\inetsrv\oblt-rep.log
\WINNT\system32\inetsrv\oblt-undo.log
\WINNT\system32\inetsrv\oblt-undone.log
Administrators (Full Control)
System (Full Control)
Users (Read & Execute)
Web Anonymous Users (Deny ALL)
Web Applications (Deny ALL)
IIS_WPG (Deny ALL)

\WINNT\system32\inetsrv\metabase.bin
\WINNT\system32\inetsrv\metabase.xml
\WINNT\system32\inetsrv\MBSchema.xml
\WINNT\system32\inetsrv\ MBSchema.bin.00000000h
Administrators (Full Control)
System (Full Control)

If the file permissions do not meet the minimum file permissions listed above, this is a finding. More restrictive file permissions would not be a finding.

NOTE: If there is a "Windows\SysWOW64\Inetsrv" present on the system, this check applies to that directory as well.

NOTE: To check the file permissions, you will need to navigate the directories or files using a tools such as Windows Explorer, right click on the directory or file that you are reviewing, select properties, then the security tab. The permissions will then be displayed for your review.

To check the IIS Permissions, you will need to use the Internet Services Manager, navigate to the web site you are reviewing, select properties, select the Home Directory tab. From here you can review the assigned IIS
Fix Text (F-26831r1_fix)
Set file permissions on the web server systems files to meet minimum file permissions requirements.