Users other than Auditors group must not have greater than read access to log files.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2252	WG250 IIS6	SV-30017r1_rule	ECTP-1	Medium

Description
A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information. To ensure the integrity of the log files and protect the SA and Web Manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.

Description

A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the Web Manager with valuable information. To ensure the integrity of the log files and protect the SA and Web Manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.

STIG	Date
IIS6 Site	2015-06-01

Details

Check Text ( C-29939r1_chk )
1. Open the IIS Manager > Expand the Web Sites directory > Right click on the site being reviewed and select properties. 2. Select the Web Site tab > Click on the properties button beside the log format dropdown. 3. Note the log file path under Log file directory. 4. Navigate to this location. 5. Right click on the directories and files in this location > Select properties > Select the Security tab. 6. Ensure only the System, Administrators, and Auditors group have greater than Read permission. If any users or groups, other than System, Administrators, or Auditors, have greater than read permission to the log directories and files, this is a finding. NOTE: The Auditor group does not have to have the name Auditors, but the site will need to identify the group containing the auditors.

Check Text ( C-29939r1_chk )

1. Open the IIS Manager > Expand the Web Sites directory > Right click on the site being reviewed and select properties.
2. Select the Web Site tab > Click on the properties button beside the log format dropdown.
3. Note the log file path under Log file directory.
4. Navigate to this location.
5. Right click on the directories and files in this location > Select properties > Select the Security tab.
6. Ensure only the System, Administrators, and Auditors group have greater than Read permission.

If any users or groups, other than System, Administrators, or Auditors, have greater than read permission to the log directories and files, this is a finding.

NOTE: The Auditor group does not have to have the name Auditors, but the site will need to identify the group containing the auditors.

Fix Text (F-32675r1_fix)
Ensure only the System, Administrators, and Auditors group has greater than read permission to the log files.