STIGQter: STIG Summary: Microsoft IIS 8.5 Site Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

Anonymous IIS 8.5 website access accounts must be restricted.

DISA Rule

SV-214461r508659_rule

Vulnerability Number

V-214461

Group Title

SRG-APP-000211-WSR-000031

Rule Version

IISW-SI-000221

Severity

CAT I

CCI(s)

• CCI-001082 - The information system separates user functionality (including user interface services) from information system management functionality.

Weight

10

Fix Recommendation

Remove the Anonymous access account from all privileged accounts and all privileged groups.

Check Contents

Check the account used for anonymous access to the website.

Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.

Double-click "Authentication" in the IIS section of the website’s Home Pane.

If Anonymous access is disabled, this is Not a Finding.

If Anonymous access is enabled, click “Anonymous Authentication”.

Click “Edit” in the "Actions" pane.

If the “Specific user” radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note: account name.

Check privileged groups that may allow the anonymous account inappropriate membership:
Open “Server Manager” on the machine.

Expand Configuration.

Expand Local Users and Groups.

Click “Groups”.

Review members of any of the following privileged groups:

Administrators
Backup Operators
Certificate Services (of any designation)
Distributed COM Users
Event Log Readers
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Power Users
Print Operators
Remote Desktop Users
Replicator

Double-click each group and review its members.

If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding.

Vulnerability Number

V-214461

Documentable

False

Rule Version

IISW-SI-000221

Severity Override Guidance

Check the account used for anonymous access to the website.

Follow the procedures below for each site hosted on the IIS 8.5 web server:
Open the IIS 8.5 Manager.

Double-click "Authentication" in the IIS section of the website’s Home Pane.

If Anonymous access is disabled, this is Not a Finding.

If Anonymous access is enabled, click “Anonymous Authentication”.

Click “Edit” in the "Actions" pane.

If the “Specific user” radio button is enabled and an ID is specified in the adjacent control box, this is the ID being used for anonymous access. Note: account name.

Check privileged groups that may allow the anonymous account inappropriate membership:
Open “Server Manager” on the machine.

Expand Configuration.

Expand Local Users and Groups.

Click “Groups”.

Review members of any of the following privileged groups:

Administrators
Backup Operators
Certificate Services (of any designation)
Distributed COM Users
Event Log Readers
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Power Users
Print Operators
Remote Desktop Users
Replicator

Double-click each group and review its members.

If the IUSR account or any account noted above used for anonymous access is a member of any group with privileged access, this is a finding.

Check Content Reference

M

Target Key

4001

Comments