Access to the web server log files will be restricted to administrators, web administrators, and auditors.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-13689	WG255	SV-14286r3_rule	ECCD-1 ECCD-2 ECTP-1	Medium

Description
A major tool in exploring the web site use, attempted use, unusual conditions, and problems are the access and error logs. In the event of a security incident, these logs can provide the SA and the web administrator with valuable information. Because of the information that is captured in the logs, it is critical that only authorized individuals have access to the logs.

STIG	Date
Web Server STIG	2010-10-07

Details

Check Text ( C-30012r1_chk )
To ensure the integrity of the log file data, only the members of the Auditors group, administrators, and the user assigned to run the web server software will be granted permissions to read the log files. Query the SA to determine who has access to the web server log files. NOTE: Auditors may have full control of the logs. This does not apply to active log files that require the system account to have full access. If any account has access to the log files other than those authorized, this is a finding. IIS: 1. From the Start menu button, select Programs. 2. Select Administrative Tools. 3. Select Internet Service Manager. 4. Select the web site. 5. At the web site tab, select Properties. 6. General logging properties will indicate the location of the log files. After locating the logs, use Explorer to examine file properties. 7. Right-click a file and select Properties. 8. Select Permissions. If access is granted to anyone other than the auditors, the administrators, the web administrators, the web server account, or the service used to generate the log files, this is a finding.

Check Text ( C-30012r1_chk )

To ensure the integrity of the log file data, only the members of the Auditors group, administrators, and the user assigned to run the web server software will be granted permissions to read the log files.

Query the SA to determine who has access to the web server log files.

NOTE: Auditors may have full control of the logs. This does not apply to active log files that require the system account to have full access.

If any account has access to the log files other than those authorized, this is a finding.

IIS:

1. From the Start menu button, select Programs.
2. Select Administrative Tools.
3. Select Internet Service Manager.
4. Select the web site.
5. At the web site tab, select Properties.
6. General logging properties will indicate the location of the log files.

After locating the logs, use Explorer to examine file properties.

7. Right-click a file and select Properties.
8. Select Permissions.

If access is granted to anyone other than the auditors, the administrators, the web administrators, the web server account, or the service used to generate the log files, this is a finding.

Fix Text (F-26859r1_fix)
Grant permission to read log files to only the members of the Auditors group, administrators, and the user assigned to run the web server software.