
Anonymous access accounts must be restricted.


Overview

Finding ID: V-6537
Version: WG195 IIS6
Rule ID: SV-29351r1_rule
IA Controls: ECCD-1, ECCD-2, ECLP-1
Severity: High
Description
Many security problems are not the result of a user gaining access to files or data for which the user has no permissions, but of users being granted permissions to data they are not authorized to access. The files, directories, and data stored on the web server need to be evaluated and a determination made concerning who is authorized to access the information and programs on the server. In most cases, several types of users can be identified on a web server: system administrators (SAs), web administrators, auditors, authors, developers, and clients (web users, either anonymous or authenticated). Only authorized users and administrative accounts will be allowed on the host server, in order to maintain the web server and its applications and to review server operations.
STIG: IIS6 Server
Date: 2015-06-01

Details

Check Text (C-37646r1_chk)
The reviewer should review the group memberships of the IIS anonymous access account (the IUSR_<machinename> account, referred to here as the IUSR_Account). Any group the IUSR_Account is assigned to must not grant external users the rights of an authenticated user. The acceptable solution for group assignment is a separate local group created specifically for anonymous access.

1. Select Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups > Users.
2. Double-click the IUSR_Account and select the "Member of:" tab.

If the IUSR_Account is assigned to any group other than a local anonymous group, this is a finding.

NOTE: Association with the Authenticated Users group or the Everyone group is not a finding; these are built-in identities that Windows applies implicitly, not groups the account is placed in.
NOTE: The group created for the anonymous account must be restricted to the web content directories and must not have access to the rest of the system.
Fix Text (F-32887r1_fix)
Remove the anonymous access account from all privileged groups; its only group membership should be the local group created for anonymous access.
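The check and the fix above can be scripted. The following PowerShell is an added example for this page, not part of the STIG. It assumes it runs on the IIS 6 host as a local administrator with PowerShell 2.0 or later, that the dedicated anonymous group is named WebAnonymous and that web content lives under C:\Inetpub\wwwroot (both hypothetical defaults to adjust), and it uses the ADSI WinNT provider because Windows Server 2003 predates the Get-LocalGroup family of cmdlets.

```powershell
# Added example for STIG V-6537 (not from the STIG): audit the IIS 6 anonymous
# account's local group membership and optionally apply the fix.
# Assumptions: run on the IIS 6 host as a local administrator; PowerShell 2.0+;
# "WebAnonymous" and "C:\Inetpub\wwwroot" are hypothetical defaults.
param(
    [string]$AnonymousAccount = "IUSR_$env:COMPUTERNAME",   # IIS 6 default anonymous account
    [string[]]$AllowedGroups  = @('WebAnonymous'),          # dedicated local anonymous group (assumed name)
    [string]$WebRoot          = 'C:\Inetpub\wwwroot',       # web content root (assumed path)
    [switch]$Fix                                            # remove the account from non-allowed groups
)

# Built-in identities Windows applies implicitly; the STIG note excludes them.
$implicitIdentities = @('Everyone', 'Authenticated Users')

function Get-LocalGroupMembership {
    param([string]$UserName)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    try { $groups = @($user.Groups()) }
    catch { throw "Local account '$UserName' not found or not readable: $_" }
    # Groups() yields raw COM objects; read Name through reflection (WinNT provider idiom).
    $groups | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-GroupRightsOutsideWebRoot {
    # Second NOTE of the check: the anonymous group must not hold rights beyond the
    # web directories. Look for explicit Allow ACEs for the group on a representative
    # set of sensitive system paths (not an exhaustive file-system scan).
    param([string]$GroupName)
    $sensitivePaths = @("$env:SystemDrive\", $env:SystemRoot, "$env:SystemRoot\System32")
    foreach ($path in $sensitivePaths) {
        if ($path -like "$WebRoot*") { continue }
        $acl = Get-Acl -Path $path
        $hits = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$GroupName"
        }
        foreach ($ace in $hits) {
            Write-Warning "$GroupName has $($ace.FileSystemRights) on $path (outside $WebRoot)"
        }
    }
}

$members  = @(Get-LocalGroupMembership -UserName $AnonymousAccount)
$findings = @($members | Where-Object {
    ($AllowedGroups -notcontains $_) -and ($implicitIdentities -notcontains $_)
})

if ($findings.Count -gt 0) {
    Write-Output "FINDING (V-6537): $AnonymousAccount is a member of: $($findings -join ', ')"
    if ($Fix) {
        foreach ($g in $findings) {
            # Fix text: take the anonymous account out of every group except its
            # dedicated anonymous group. Remove() takes the member's ADsPath.
            $group = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
            $group.Remove("WinNT://$env:COMPUTERNAME/$AnonymousAccount,user")
            Write-Output "Removed $AnonymousAccount from $g"
        }
    }
} else {
    Write-Output "PASS: $AnonymousAccount is only in: $($members -join ', ')"
}

# Confirm the approved anonymous group itself is confined to web content.
foreach ($g in $AllowedGroups) { Test-GroupRightsOutsideWebRoot -GroupName $g }
```

Save it under a name of your choice (for example Check-AnonymousAccount.ps1, a hypothetical file name) and run it without switches to audit; add -Fix to perform the group removals, and pass -AllowedGroups with the name of the anonymous group your site actually created. The ACL check only warns, since deciding which rights the anonymous group may keep on shared paths is a site decision.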