UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

A unique non-privileged account must be used to run Worker Process Identities.


Overview

Finding ID Version Rule ID IA Controls Severity
V-13713 WA000-WI6040 IIS6 SV-38046r1_rule ECSC-1 High
Description
The Worker Process Identity is the user defined to run an Application Pool. The IIS 6 worker processes, by default, run under the NetworkService account. Creating a custom identity for each Application Pool better track issues occurring within each web site. When a custom identity is used, the rights and privileges must not exceed those associated with the NetworkService security principal.
STIG Date
IIS6 Site 2014-12-10

Details

Check Text ( C-37408r1_chk )
1. Open the IIS Manager > Right click on the Application Pool that corresponded to the website being reviewed > Select Properties > Select the Identity tab.
2. Identify the account used to run the process identities.
3. Check the privileges on the account found in step 2 by using Computer Management and opening Users and Groups.
4. The account should be in the IIS_WPG group and not have membership to the Administrators group.

If the account used to run the Worker Process Identities is also an Administrator, this is a finding.
If the account is set to LocalSystem, this is a finding.

NOTE: The "Local Service" or "Network Service" built in accounts are not privileged accounts and would not be a finding.
NOTE: This check may be reported as a False Positive by the Gold Disk so a manual verification is recommended if this is an open finding. If this is reported as not a finding, no further checking is necessary.
Fix Text (F-32644r1_fix)
1. Open the IIS Manager > Right click on the Application Pool that corresponded to the website being reviewed > Select Properties > Select the Identity tab.
2. Enter the desired account information.
3. Check the privileges on the account found in step 2 by using Computer Management and opening Users and Groups.
4. Ensure the account is a member of the IIS_WPG group and does not have membership to the Administrators group.