
The IISADMPWD directory has not been removed from the Web server.


Overview

Finding ID: V-13698
Version: WA000-WI035
Rule ID: SV-14308r1_rule
IA Controls: (none listed)
Severity: High
Description
The IISADMPWD directory is included by default with IIS. It allows users to reset Windows passwords. The use of userids and passwords is a far less secure solution for controlling user access to web applications than a PKI solution with subscriber certificates. The capability to change passwords externally gives potential intruders an easier mechanism to access the system in an effort to compromise userids and passwords.
STIG: IIS 7.0 Server STIG
Date: 2019-03-22

Details

Check Text ( C-10949r1_chk )
Using Explorer, navigate to the %systemroot%\system32\inetsrv directory on the web server.

If the IISADMPWD directory does not exist, this is NOT a finding and you can stop the check procedure here.

NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The workaround is to ensure the virtual directory is removed from all web sites associated with the server and to restrict access to this directory and its files to the system and administrators.

If the IISADMPWD directory exists on the server, review the permissions on this directory and files within the directory. The permissions should be as follows:

Administrators - Full Control
System - Full Control

If any other user or group has permissions to this directory, this is a finding.

If the permissions are set correctly, please use the IIS Services Manager and review the web sites to see if there is a virtual directory associated with any of the sites pointing to the IISADMPWD directory.

A virtual directory will be a child directory to a web site. If any of these directories point to the IISADMPWD directory, this is a finding, even if the permissions are set correctly.

NOTE: There is a possibility that the automated check will result in a false positive condition. This could occur if you have renamed the Administrators account. If the account that is causing the finding by having access to this directory is in the Administrators group, this would not be a finding.
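
The check procedure above as a read-only PowerShell audit. This is an added example, not part of the STIG: the function name Test-IisAdmPwd is hypothetical, and it assumes an elevated session on the web server with appcmd.exe in its default inetsrv location. ACL entries are compared by well-known SID rather than by name.

```powershell
# Added example, not part of the STIG. Read-only: reports, changes nothing.
function Test-IisAdmPwd {   # hypothetical function name
    $dir = Join-Path $env:SystemRoot 'system32\inetsrv\IISADMPWD'
    if (-not (Test-Path -LiteralPath $dir)) {
        return 'NOT A FINDING: IISADMPWD directory does not exist.'
    }

    # Well-known SIDs; a group can be renamed or localized, its SID stays fixed.
    $allowed = @(
        'S-1-5-32-544'   # BUILTIN\Administrators
        'S-1-5-18'       # NT AUTHORITY\SYSTEM
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $findings = @()

    # Step 1: the directory and every file under it may grant access
    # only to the two SIDs above (explicit and inherited entries both count).
    $items = @(Get-Item -LiteralPath $dir -Force) +
             @(Get-ChildItem -LiteralPath $dir -Recurse -Force)
    foreach ($item in $items) {
        $rules = (Get-Acl -Path $item.FullName).GetAccessRules($true, $true, $sidType)
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $sid) {
                $findings += "FINDING (ACL): $($item.FullName) grants $($ace.FileSystemRights) to $sid"
            }
        }
    }

    # Step 2: no virtual directory on any site may reference IISADMPWD,
    # even when the permissions are correct. Matching on the name also flags
    # a vdir merely called IISADMPWD, which is worth reviewing by hand.
    $appcmd = Join-Path $env:SystemRoot 'system32\inetsrv\appcmd.exe'
    foreach ($line in (& $appcmd list vdir)) {
        if ($line -match 'IISADMPWD') { $findings += "FINDING (VDIR): $line" }
    }

    if ($findings.Count -eq 0) {
        return 'NOT A FINDING: permissions are restricted and no virtual directory references IISADMPWD.'
    }
    return $findings
}

Test-IisAdmPwd
```

A SID reported under FINDING (ACL) still needs the manual review described in the NOTE above: the script does not resolve group membership, so an account that belongs to the Administrators group is flagged like any other.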
--------------------
Fix Text (F-13140r1_fix)
If possible, ensure the IISADMPWD directory has been removed from the web server.

NOTE: There have been numerous reports of sites not being able to delete this directory without Windows File Protection automatically restoring it. The workaround is to ensure the virtual directory is removed from all web sites associated with the server and to restrict access to this directory and its files to the system and administrators.

NOTE: You may be able to delete the .dll in the IISADMPWD folder by going into safe mode and deleting it. This will not work for the folder.

If the IISADMPWD directory cannot be deleted, set the permissions as follows:

Administrators - Full Control
System - Full Control

Also, review all web sites associated with this server and ensure any virtual directories pointing to IISADMPWD are removed.

A virtual directory will be a child directory to a web site.