Access to web administration tools must be restricted to the web manager and the web managers designees.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-218816	IIST-SV-000147	SV-218816r879753_rule		Medium

Description
A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access. The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators. Satisfies: SRG-APP-000380-WSR-000072, SRG-APP-000435-WSR-000147, SRG-APP-000033-WSR-000169

Description

A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the potential for an adverse effect such as a DoS, web server instability, or hosted application instability. To limit changes to the web server and limit exposure to any adverse effects from the changes, files such as the web server application files, libraries, and configuration files must have permissions and ownership set properly to only allow privileged users access. The key web service administrative and configuration tools must only be accessible by the web server staff. All users granted this authority will be documented and approved by the ISSO. Access to the IIS Manager will be limited to authorized users and administrators. Satisfies: SRG-APP-000380-WSR-000072, SRG-APP-000435-WSR-000147, SRG-APP-000033-WSR-000169

STIG	Date
Microsoft IIS 10.0 Server Security Technical Implementation Guide	2023-03-08

Details

Check Text ( C-20288r310923_chk )
Right-click "InetMgr.exe", then click "Properties" from the "Context" menu. Select the "Security" tab. Review the groups and user names. The following accounts may have Full control privileges: TrustedInstaller Web Managers Web Manager designees CREATOR OWNER: Full Control, Subfolders and files only The following accounts may have read and execute, or read permissions: Non Web Manager Administrators ALL APPLICATION PACKAGES (built-in security group) ALL RESTRICTED APPLICATION PACKAGES (built-in security group) SYSTEM Users Specific users may be granted read and execute and read permissions. Compare the local documentation authorizing specific users, against the users observed when reviewing the groups and users. If any other access is observed, this is a finding.

Check Text ( C-20288r310923_chk )

Right-click "InetMgr.exe", then click "Properties" from the "Context" menu.

Select the "Security" tab.

Review the groups and user names.

The following accounts may have Full control privileges:

TrustedInstaller
Web Managers
Web Manager designees
CREATOR OWNER: Full Control, Subfolders and files only

The following accounts may have read and execute, or read permissions:

Non Web Manager Administrators
ALL APPLICATION PACKAGES (built-in security group)
ALL RESTRICTED APPLICATION PACKAGES (built-in security group)
SYSTEM
Users

Specific users may be granted read and execute and read permissions.

Compare the local documentation authorizing specific users, against the users observed when reviewing the groups and users.

If any other access is observed, this is a finding.

Fix Text (F-20286r310924_fix)
Restrict access to the web administration tool to only the web manager and the web manager’s designees.