
Web server/site administration must be performed over a secure path.


Overview

Finding ID: V-2249
Version: WG230 IIS6
Rule ID: SV-30589r3_rule
IA Controls: EBRU-1
Severity: High
Description
Logging in to a web server via a telnet session, or using HTTP or FTP to perform updates and maintenance, is a major risk. In all such cases, user IDs and passwords are passed in plain text. A secure shell service or HTTPS needs to be installed and in use for these purposes. Another alternative is to administer the web server from the console, which implies physical access to the server.
STIG: IIS6 Site
Date: 2011-10-03

Details

Check Text (C-37416r1_chk)
NOTE: Standalone member server administration could be accomplished securely via the MMC at the host console. It is recommended to limit any server administration to the local host using the MMC or the ISM. This would NOT be considered a finding.

NOTE: Server administration could be accomplished via the MMC in a domain environment. This is performed by creating a remote MMC session with the target computer. User authentication relies on the host domain environment. Only SAs or Web Administrators should have access to this resource. This would not be considered a finding.

If the site is using the IIS Remote Administration (HTML) Tool:

1. Open the Internet Information Services Manager.
2. Expand the Web Sites directory > Right-click Administration > Select the Directory Security tab.
3. Under Secure communications, ensure both Require Secure Communication and Require 128-bit encryption are selected.

If a site is using the IIS Remote Administration (HTML) Tool and these are not selected, this is a finding.

If using terminal services:

1. Open the Terminal Services Configuration application.
2. Select the Connections directory.
3. In the right-hand pane, double-click the desired connection.
4. Select the General tab.
5. Under the Security area, ensure the Security Layer drop-down is set to SSL and the Encryption level is set to FIPS Compliant.

If a site is using terminal services and the Security Layer drop-down is not set to SSL or the Encryption level is not set to FIPS Compliant, this is a finding.

NOTE: If other forms of Windows-compatible SSH are used (e.g., F-Secure SSH Tunnel, SecureCRT, NT sshd, and Tera Term with TTSSH), ensure they are using TLS.

If it is found that the web server or web site is administered via an insecure path, this is a finding.
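The two GUI checks above can be read back from the host's WMI providers. The following script is an added audit example, not part of this STIG or of UCF's tooling; it assumes the documented IIS 6 metabase flag values for AccessSSLFlags (AccessSSL = 8, AccessSSL128 = 256), the Win32_TSGeneralSetting value encodings (SecurityLayer 2 = SSL, MinEncryptionLevel 4 = FIPS Compliant), and that the Remote Administration (HTML) site is the one named "Administration". Run it as an administrator on the IIS 6 host.

```powershell
# Added audit script (assumption-based, see lead-in): reports the same settings
# the manual V-2249 check inspects. Exit code 1 signals a finding.
$AccessSSL    = 8     # Require Secure Communication (assumed metabase flag value)
$AccessSSL128 = 256   # Require 128-bit encryption (assumed metabase flag value)
$findings = @()

# --- Part 1: IIS Remote Administration (HTML) Tool site, if it exists ---
$adminSite = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServerSetting |
    Where-Object { $_.ServerComment -eq 'Administration' }

if ($adminSite) {
    # The site's ROOT virtual directory carries the Directory Security settings.
    $root = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebVirtualDirSetting |
        Where-Object { $_.Name -eq ($adminSite.Name + '/ROOT') }
    $flags = [int]$root.AccessSSLFlags
    if (($flags -band $AccessSSL) -eq 0)    { $findings += 'Administration site: Require Secure Communication is not selected' }
    if (($flags -band $AccessSSL128) -eq 0) { $findings += 'Administration site: Require 128-bit encryption is not selected' }
} else {
    Write-Host 'IIS Remote Administration (HTML) Tool site not present; skipping that check.'
}

# --- Part 2: Terminal Services connections ---
# Assumption: the provider lives in root\cimv2\TerminalServices (2008+) or root\cimv2 (2003).
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -ErrorAction SilentlyContinue
if (-not $ts) { $ts = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_TSGeneralSetting -ErrorAction SilentlyContinue }

foreach ($conn in $ts) {
    if ($conn.SecurityLayer -ne 2) {
        $findings += "$($conn.TerminalName): Security Layer is not SSL (value $($conn.SecurityLayer))"
    }
    if ($conn.MinEncryptionLevel -ne 4) {
        $findings += "$($conn.TerminalName): Encryption level is not FIPS Compliant (value $($conn.MinEncryptionLevel))"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'V-2249: not a finding (checked settings match the STIG).'
    exit 0
} else {
    Write-Host 'V-2249: FINDING'
    $findings | ForEach-Object { Write-Host " - $_" }
    exit 1
}
```

The script covers only the two GUI paths the check text enumerates; console-only or MMC-based administration (the two NOTE cases above) still has to be confirmed with the administrators.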
Fix Text (F-32652r1_fix)
Ensure that web server and web site administration are performed over a secure path.