Users other than from the Auditors group have greater than read access to log files.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2252	WG250	SV-30016r1_rule		Medium

Description
A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the integrity of the log files and protect the SA and web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.

Description

A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web manager with valuable information. To ensure the integrity of the log files and protect the SA and web manager from a conflict of interest related to the maintenance of these files, only the members of the Auditors group will be granted permissions to move, copy, and delete these files in the course of their duties related to the archiving of these files.

STIG	Date
IIS 7.0 Server STIG	2019-03-22

Details

Check Text ( C-29938r1_chk )
Query the SA to determine who has update access to the web server log files. If any of the accounts that have greater than read access to the log file are not a part of the identified Auditors group, then this is a finding. NOTE: The group does not have to have the name Auditors, but the site will need to identify the group that contains the auditors. To determine the settings: Start >> Programs >> Administrative Tools >> Internet Services Manager >> Select Website to view properties >> Web Site Tab >> Properties >> General Logging Properties provides the location of the log files. After locating the logs, use the Windows Explorer to move to these files and examine their properties. Properties >> Security >> Permissions. Permissions greater than Read, Execute should be noted for only the System and the Auditors Group. If the SA, Web Manager or users other than the Auditors group have greater than read access to the log files, this is a finding.

Check Text ( C-29938r1_chk )

Query the SA to determine who has update access to the web server log files. If any of the accounts that have greater than read access to the log file are not a part of the identified Auditors group, then this is a finding.

NOTE: The group does not have to have the name Auditors, but the site will need to identify the group that contains the auditors.

To determine the settings:

Start >> Programs >> Administrative Tools >> Internet Services Manager >>
Select Website to view properties >> Web Site Tab >> Properties >> General Logging Properties provides the location of the log files.

After locating the logs, use the Windows Explorer to move to these files and examine their properties.

Properties >> Security >> Permissions. Permissions greater than Read, Execute should be noted for only the System and the Auditors Group.

If the SA, Web Manager or users other than the Auditors group have greater than read access to the log files, this is a finding.

Fix Text (F-2301r1_fix)
Ensure only the Auditors group has greater than read access to log files.