Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2259 | WG300 | SV-2259r1_rule | | Medium |
Description |
---|
This check verifies that the key web server system configuration files are owned by the SA or by a web administrator-controlled account. These same files control the configuration of the web server, and thus its behavior, and must also be accessible by the account that runs the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform. |
STIG | Date |
---|---|
IIS 7.0 Server STIG | 2019-03-22 |
Check Text ( C-29964r1_chk ) |
---|
Windows 2008 servers may be impacted by this check. If the SA or the web administrator can demonstrate, by providing vendor documentation, that this requirement as written will adversely affect the web server, then the reviewer will verify compliance with vendor guidance with respect to file permissions and access controls.

Query the SA or the web administrator to determine whether the web server uses an access control file, and the name and location of such files. The reviewer will verify the permissions on these files. Some examples are listed below, but the specific file names may vary by web server software product.

NOTE: These are just sample file names and directories. The actual names will vary based on the product being used. You will have to determine the appropriate directory and file that correspond to the samples provided below.

Example: ServerRoot "C:\Program Files\Product"

Permissions on this directory and its files should be:
- Administrators: full
- System: full
- WebAdmin: full
- WebUser: read, execute
- Web Service Account: read, execute

Permissions for the /config directory (a sub-directory of the main web directory identified above) should be:
- Administrators: full
- System: read
- WebAdmin: modify
- Web Service Account: read

Permissions for the /bin directory (a sub-directory of the main web directory identified above) should be:
- Administrators: full
- System: read, execute
- WebAdmin: modify
- Web Service Account: read, execute

Permissions for the /logs directory (a sub-directory of the main web directory identified above) should be:
- Administrators: read
- System: full
- WebAdmin: read
- Web Service Account: modify
- Auditors: full

Permissions for the /htdocs directory (DocumentRoot; a sub-directory of the main web directory identified above) should be:
- Administrators: full control
- System: read
- WebAdmin: modify
- Web Service Account: read

If any of the permissions listed above are less restrictive, this is a finding. |
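A PowerShell audit script, added here as an example and not part of the STIG, that reads the ACL of each sample directory above and reports any Allow entry that is less restrictive than the ceiling given in the check text (an unlisted identity, or rights bits beyond the ceiling). The ServerRoot path, the WebAdmin/WebUser/Auditors names and the application-pool service account are assumptions to be replaced with the site's actual values.

```powershell
# Added audit helper for this check (not part of the STIG). Paths and account
# names below are assumptions; substitute the site's real values.
$ServerRoot = 'C:\Program Files\Product'    # ServerRoot placeholder from the check text
$WebAdmin   = 'DOMAIN\WebAdmin'             # assumed web administrator account
$WebUser    = 'DOMAIN\WebUser'              # assumed web user group
$SvcAccount = 'IIS APPPOOL\DefaultAppPool'  # assumed web service (app pool) account
$Auditors   = 'DOMAIN\Auditors'             # assumed auditors group
$Admins     = 'BUILTIN\Administrators'
$System     = 'NT AUTHORITY\SYSTEM'

# Rights ceiling per directory and identity, transcribed from the check text.
# Keys are sub-directories of ServerRoot; '.' is ServerRoot itself.
$Expected = @{
  '.'      = @{ $Admins='FullControl'; $System='FullControl'; $WebAdmin='FullControl'
                $WebUser='ReadAndExecute'; $SvcAccount='ReadAndExecute' }
  'config' = @{ $Admins='FullControl'; $System='Read'; $WebAdmin='Modify'; $SvcAccount='Read' }
  'bin'    = @{ $Admins='FullControl'; $System='ReadAndExecute'; $WebAdmin='Modify'; $SvcAccount='ReadAndExecute' }
  'logs'   = @{ $Admins='Read'; $System='FullControl'; $WebAdmin='Read'; $SvcAccount='Modify'; $Auditors='FullControl' }
  'htdocs' = @{ $Admins='FullControl'; $System='Read'; $WebAdmin='Modify'; $SvcAccount='Read' }
}

function Test-WebDirAcl {
  param([string]$Path, [hashtable]$Ceiling)
  $findings = @()
  $sync = [int][System.Security.AccessControl.FileSystemRights]::Synchronize  # harmless; ignored
  foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs never loosen access
    $who = $ace.IdentityReference.Value
    if (-not $Ceiling.ContainsKey($who)) {
      $findings += "$Path : unlisted identity '$who' has $($ace.FileSystemRights)"
      continue
    }
    $max    = [int][System.Security.AccessControl.FileSystemRights]$Ceiling[$who]
    $rights = [int]$ace.FileSystemRights
    # Inherit-only ACEs carry GENERIC_ALL (0x10000000) instead of FullControl; treat it as such.
    if ($rights -eq 0x10000000) { $rights = [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    $extra = ($rights -band (-bnot $max)) -band (-bnot $sync)   # bits granted beyond the ceiling
    if ($extra -ne 0) {
      $findings += "$Path : '$who' has $($ace.FileSystemRights); ceiling is $($Ceiling[$who])"
    }
  }
  return $findings
}

$results = foreach ($dir in $Expected.Keys) {
  $p = if ($dir -eq '.') { $ServerRoot } else { Join-Path $ServerRoot $dir }
  if (Test-Path -LiteralPath $p -PathType Container) { Test-WebDirAcl -Path $p -Ceiling $Expected[$dir] }
  else { "$p : directory not found; confirm the product's actual layout" }
}
if ($results) { $results | ForEach-Object { "FINDING: $_" } }
else { 'No permissions less restrictive than the check text were found.' }
```

Run it in an elevated session so Get-Acl can read every directory; each FINDING line maps directly to one of the ceilings listed in the check text.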
Fix Text (F-26829r1_fix) |
---|
Set file permissions on the web server system files to meet the minimum file permission requirements. |