
Access to web administration tools must be restricted to the Web Manager and the Web Manager’s designees.


Overview

Finding ID: V-2248
Version: WG220 IIS6
Rule ID: SV-38326r2_rule
IA Controls: ECCD-1, ECCD-2, ECLP-1
Severity: Medium
Description
The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators.
STIG: IIS6 Server
Date: 2015-06-01

Details

Check Text (C-37716r1_chk)
1. Open the Microsoft Management Console (MMC).
2. Expand the applicable policy > Windows Settings > Security Settings > Local Policies.
3. Click on User Rights Assignment.
4. Double-click Allow log on locally.
5. The Allow log on locally right must be limited to accounts owned by the SA, Web Manager, or Web Manager designees.
6. Navigate to %systemroot%\system32\inetsrv\.
7. Right-click inetmgr.exe and select Properties.
8. Select the Security tab.
9. Access to the Internet Services Manager (i.e., inetmgr.exe) must be limited to accounts owned by the SA, Web Manager, or Web Manager’s designees.

If accounts other than the System, SA, Web Manager, or Web Manager designees have access to the web administration tool or equivalent, this is a finding.
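
The same check can be scripted for repeatable audits. The following is an added example, not part of the STIG text: it reads the Allow log on locally right and the inetmgr.exe ACL and lists accounts that are not on an allow-list. It assumes PowerShell 2.0 or later in an elevated session; the names in $Approved (including EXAMPLE\WebManagers) and the temporary file name are constructed placeholders.

```powershell
# Constructed placeholder allow-list: replace with the ISSO-approved accounts.
$Approved = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'EXAMPLE\WebManagers')

# Steps 1-5: export user rights and read "Allow log on locally" (SeInteractiveLogonRight).
$cfg = Join-Path $env:TEMP 'wg220-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=' | Select-Object -First 1
$logonAccounts = @()
if ($line) {
    $logonAccounts = @(($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-...; translate them to account names.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: report it as-is
        } elseif ($entry) { $entry }
    })
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Steps 6-9: accounts holding an Allow entry on inetmgr.exe.
$tool = Join-Path $env:SystemRoot 'system32\inetsrv\inetmgr.exe'
$aclAccounts = @((Get-Acl -Path $tool).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

# Anything not on the allow-list is a candidate finding for manual review.
$report = @()
foreach ($a in $logonAccounts) {
    if ($Approved -notcontains $a) {
        $report += New-Object PSObject -Property @{ Source = 'Allow log on locally'; Account = $a }
    }
}
foreach ($a in $aclAccounts) {
    if ($Approved -notcontains $a) {
        $report += New-Object PSObject -Property @{ Source = 'inetmgr.exe ACL'; Account = $a }
    }
}
if ($report) { $report | Format-Table Source, Account -AutoSize }
else { 'No accounts outside the allow-list were found.' }
```

The script compares account and group names only; membership of any approved group still has to be reviewed against the documented list of designees.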
Fix Text (F-32963r1_fix)
Restrict access to the web administration tool to only the Web Manager and the Web Manager’s designees.