UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Access to web administration tools must be restricted to the web manager and the web manager’s designees.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2248 WG220 IIS7 SV-32328r1_rule ECCD-1 ECCD-2 ECLP-1 Medium
Description
The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the IAO. Access to the IIS Manager will be limited to authorized users and administrators.
STIG Date
IIS 7.0 WEB SERVER STIG 2013-04-11

Details

Check Text ( C-32734r2_chk )
1. Open the IIS Manager and select Properties.
2. Select the Shortcut tab, and then left-click Open File Location.
3. Right-click InetMgr.exe, then click Properties from the context menu.
4. Select the Security tab.
5. Review the groups and user names.
The following accounts may have read & execute, and read permissions:
Administrators (non-elevated)
System

Specific users may be granted read & execute and read permissions. Compare the local documentation authorizing specific users, against the specific users observed in step 5. If any other access is observed, this is a finding.
Fix Text (F-26807r1_fix)
Restrict access to the web administration tool to only the web manager and the web manager’s designees.