
Web server administration will be performed over a secure path or at the console.


Overview

Finding ID: V-2249
Version: WG230 IIS5
Rule ID: SV-30589r1_rule
IA Controls:
Severity: High
Description
Logging in to a web server via a telnet session, or using HTTP or FTP to perform updates and maintenance, is a major risk. In all such cases, user IDs and passwords are passed in plain text. A secure shell service or HTTPS needs to be installed and in use for these purposes. Another alternative is to administer the web server from the console, which implies physical access to the server.
STIG: IIS 7.0 Site STIG
Date: 2019-03-22

Details

Check Text ( C-30919r1_chk )
Standalone member server administration could be accomplished securely via the MMC at the host console. It is recommended to limit any server administration to the local host using the MMC or the ISM.

If the HTML version of the ISM or the HTTP administration server is used, it must be used with TLS enabled. The HTML version can be used but is not recommended; if this option is used, verify that TLS is used.

Using Internet Services Manager >> Select the web site to be examined >> Select the Properties of the web site in question >> Select Web Site Tab >> Note the entry for HTTPS Port. (i.e., 443)

Server administration could be accomplished via the MMC in a domain environment. This is performed by creating a remote MMC session with the target computer. User authentication relies on the host domain environment. Only SAs or web administrators should have access to this resource.

Options for remote Terminal Windows sessions: Select START >> Programs >> look for F-Secure or an equivalent program. Some Windows-compatible SSH programs are F-Secure SSH Tunnel, SecureCRT, NT sshd, and Tera Term with TTSSH.
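
A scripted counterpart to the manual check above, added here as an example and not part of the STIG text. It assumes an elevated PowerShell session with the IIS WebAdministration module available; the service names are assumptions for a default Windows install.

```powershell
# Added example: report clear-text admin services and the HTTPS port of each site.
# Assumption: WebAdministration module is installed; session is elevated.
Import-Module WebAdministration

# Clear-text remote administration paths named in the Description.
# Assumed service names: TlntSvr = Telnet server,
# MSFTPSVC / ftpsvc = IIS FTP services.
$clearTextServices = 'TlntSvr', 'MSFTPSVC', 'ftpsvc'
$review = @()

foreach ($name in $clearTextServices) {
    # A service that is not installed returns nothing and is skipped.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $review += "Service '$name' is running; confirm it is not used for administration."
    }
}

# Equivalent of "Note the entry for HTTPS Port" for every site on the server.
foreach ($site in Get-Website) {
    $https = @(Get-WebBinding -Name $site.Name |
               Where-Object { $_.protocol -eq 'https' })

    if ($https.Count -eq 0) {
        $review += "Site '$($site.Name)' has no HTTPS binding."
        continue
    }

    foreach ($b in $https) {
        # bindingInformation is IP:port:hostheader; the IP part may be an
        # IPv6 literal containing colons, so match the port from the right.
        if ($b.bindingInformation -match ':(\d+):[^:]*$') {
            Write-Output "Site '$($site.Name)': HTTPS port $($Matches[1])"
        }
    }
}

if ($review.Count -gt 0) {
    Write-Output 'Items to review:'
    $review | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No clear-text administration paths detected by this script.'
}
```

An HTTPS binding only shows that TLS is available on the site; the reviewer still has to confirm that administration is actually performed over it or at the console.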
Fix Text (F-2298r1_fix)
Ensure the web server's administration is only performed over a secure path.