A unique non-privileged account must be used to run Worker Process Identities.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-13713	WA000-WI6040 IIS6	SV-38046r1_rule	ECSC-1	High

Description
The Worker Process Identity is the user defined to run an Application Pool. The IIS 6 worker processes, by default, run under the NetworkService account. Creating a custom identity for each Application Pool better track issues occurring within each web site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.

STIG	Date
IIS6 Site	2011-10-03

Details

Check Text ( C-37408r1_chk )
1. Open the IIS Manager > Right click on the Application Pool that corresponded to the website being reviewed > Select Properties > Select the Identity tab. 2. Identify the account used to run the process identities. 3. Check the privileges on the account found in step 2 by using Computer Management and opening Users and Groups. 4. The account should be in the IIS_WPG group and not have membership to the Administrators group. If the account used to run the Worker Process Identities is also an Administrator, this is a finding. If the account is set to LocalSystem, this is a finding. NOTE: The "Local Service" or "Network Service" built in accounts are not privileged accounts and would not be a finding. NOTE: This check may be reported as a False Positive by the Gold Disk so a manual verification is recommended if this is an open finding. If this is reported as not a finding, no further checking is necessary.

Check Text ( C-37408r1_chk )

1. Open the IIS Manager > Right click on the Application Pool that corresponded to the website being reviewed > Select Properties > Select the Identity tab.
2. Identify the account used to run the process identities.
3. Check the privileges on the account found in step 2 by using Computer Management and opening Users and Groups.
4. The account should be in the IIS_WPG group and not have membership to the Administrators group.

If the account used to run the Worker Process Identities is also an Administrator, this is a finding.
If the account is set to LocalSystem, this is a finding.

NOTE: The "Local Service" or "Network Service" built in accounts are not privileged accounts and would not be a finding.
NOTE: This check may be reported as a False Positive by the Gold Disk so a manual verification is recommended if this is an open finding. If this is reported as not a finding, no further checking is necessary.

Fix Text (F-32644r1_fix)
1. Open the IIS Manager > Right click on the Application Pool that corresponded to the website being reviewed > Select Properties > Select the Identity tab. 2. Enter the desired account information. 3. Check the privileges on the account found in step 2 by using Computer Management and opening Users and Groups. 4. Ensure the account is a member of the IIS_WPG group and does not have membership to the Administrators group.

Fix Text (F-32644r1_fix)

1. Open the IIS Manager > Right click on the Application Pool that corresponded to the website being reviewed > Select Properties > Select the Identity tab.
2. Enter the desired account information.
3. Check the privileges on the account found in step 2 by using Computer Management and opening Users and Groups.
4. Ensure the account is a member of the IIS_WPG group and does not have membership to the Administrators group.