STIGQter: STIG Summary: Microsoft IIS 10.0 Server Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

Access to web administration tools must be restricted to the web manager and the web manager's designees.

DISA Rule

SV-218816r561041_rule

Vulnerability Number

V-218816

Group Title

SRG-APP-000380-WSR-000072

Rule Version

IIST-SV-000147

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Restrict access to the web administration tool to only the web manager and the web manager’s designees.

Check Contents

Right-click "InetMgr.exe", then click "Properties" from the "Context" menu.

Select the "Security" tab.

Review the groups and user names.

The following accounts may have Full control privileges:

TrustedInstaller
Web Managers
Web Manager designees
CREATOR OWNER: Full Control, Subfolders and files only

The following accounts may have read and execute, or read permissions:

Non Web Manager Administrators
ALL APPLICATION PACKAGES (built-in security group)
ALL RESTRICTED APPLICATION PACKAGES (built-in security group)
SYSTEM
Users

Specific users may be granted read and execute, or read, permissions.

Compare the local documentation authorizing specific users against the users observed when reviewing the groups and user names.

If any other access is observed, this is a finding.
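
The review above can be scripted. The following PowerShell is an added example, not part of the STIG or of STIGQter: it reads the ACL on InetMgr.exe (standard IIS path under System32\inetsrv) and flags any Allow ACE that is wider than the check permits. The "Web Managers" and "Web Manager Designees" group names are assumed placeholders and must be replaced with the identities named in the local documentation.

```powershell
# Added example (not from the STIG or STIGQter). Web-manager group names are assumed placeholders.
function Test-InetMgrAcl {
    param(
        [string]$Path = (Join-Path $env:windir 'System32\inetsrv\InetMgr.exe'),
        # Identities the check allows Full Control on InetMgr.exe (site-specific names assumed)
        [string[]]$FullControlAllowed = @(
            'NT SERVICE\TrustedInstaller',
            'CREATOR OWNER',
            "$env:COMPUTERNAME\Web Managers",
            "$env:COMPUTERNAME\Web Manager Designees"
        ),
        # Identities the check allows only Read & Execute (or Read)
        [string[]]$ReadAllowed = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Users',
            'BUILTIN\Administrators',    # non web manager administrators
            'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES',
            'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'
        )
    )
    $FSR = [System.Security.AccessControl.FileSystemRights]
    # Read & Execute plus Synchronize is the ceiling for the read-only identities
    $readMask = [int]($FSR::ReadAndExecute -bor $FSR::Synchronize)

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs never widen access
        $id     = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights                    # raw access mask of this ACE
        $status = if ($id -in $FullControlAllowed) {
            'OK (full control permitted)'
        } elseif ($id -in $ReadAllowed -and ($rights -band (-bnot $readMask)) -eq 0) {
            'OK (read/execute only)'
        } elseif ($id -in $ReadAllowed) {
            'FINDING: rights exceed Read & Execute'
        } else {
            'FINDING: identity not authorized by local documentation'
        }
        [pscustomobject]@{ Identity = $id; Rights = $ace.FileSystemRights; Status = $status }
    }
}

# Any row whose Status starts with FINDING is a finding under IIST-SV-000147
Test-InetMgrAcl | Format-Table -AutoSize
```

Identities that the local documentation authorizes beyond the defaults above should be added to the matching parameter rather than ignored, so the output stays a direct comparison against that documentation.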

Documentable

False

Check Content Reference

M

Target Key

4052

Comments