UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Web server system files must conform to minimum file permission requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-2259 WG300 IIS7 SV-32332r2_rule Medium
Description
This check verifies the key web server system configuration files are owned by the SA or the web administrator controlled account. These same files that control the configuration of the web server, and thus its behavior, must also be accessible by the account running the web service. If these files are altered by a malicious user, the web server would no longer be under the control of its managers and owners; properties in the web server configuration could be altered to compromise the entire server platform.
STIG Date
IIS 7.0 WEB SERVER STIG 2017-06-28

Details

Check Text ( C-32738r1_chk )
1. Open Explorer and navigate to the inetpub directory.
2. Right-click inetpub and select Properties.
3. Click the Security tab.
4. Verify the permissions for the following users; if the permissions are less restrictive, this is a finding.

System: Full control
Administrators: Full control
TrustedInstaller: Full control
Users: Read & execute, list folder contents
Creator/Owner: Special permissions to subkeys
Fix Text (F-29065r1_fix)
1. Open Explorer and navigate to the inetpub directory.
2. Right-click inetpub and select Properties.
3. Click the Security tab.
4. Set the following permissions:
System: Full control
Administrators: Full control
TrustedInstaller: Full control
Users: Read & execute, list folder contents
Creator/Owner: special permissions to subkeys