Access to web administration tools must be restricted to the web manager and the web managers designees.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-2248 | WG220 IIS7 | SV-46357r3_rule | Medium |
| Description |
|---|
| The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators. |
| STIG | Date |
|---|---|
| IIS 7.0 Server STIG | 2019-05-01 |
Details
| Check Text ( C-32734r5_chk ) |
|---|
| 1. Open the IIS Manager and select Properties. 2. Select the Shortcut tab, and then left-click Open File Location. 3. Right-click InetMgr.exe, then click Properties from the context menu. 4. Select the Security tab. 5. Review the groups and user names. The following account may have Full control priviledges: TrustedInstaller The following accounts may have read & execute, and read permissions: Administrators (non-elevated) System Users Specific users may be granted read & execute and read permissions. Compare the local documentation authorizing specific users, against the specific users observed in step 5. If any other access is observed, this is a finding. |
| Fix Text (F-26807r1_fix) |
|---|
| Restrict access to the web administration tool to only the web manager and the web manager’s designees. |